File name: | b.exe |
Full analysis: | https://app.any.run/tasks/22e22b98-76e1-4bdb-874f-8ddd06f99785 |
Verdict: | Malicious activity |
Analysis date: | June 16, 2019, 13:25:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 937425C7B8034EC4562656BF06172C55 |
SHA1: | 895DEB1A959FEAC461BF40FA55AA054539D73D67 |
SHA256: | 1FC3C655112DB3FEBD4D8087105EEC1AF6A346AB960F027FBC7419D1CAB23AB0 |
SSDEEP: | 196608:JYE0SCI4rbECIwBbiL4c7NrIYaK+GutOHpDRw0nptlVOmpdEMSrsF:JYn/8ChpvnGutMpDDnpnVVpSfrsF |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
ProductVersion: | 2014.0.5.17762 |
---|---|
ProductName: | 按键小精灵 |
OriginalFileName: | MyMacro.exe |
LegalCopyright: | Copyright (C) 2001 - 2017 |
InternalName: | MyMacro.exe |
FileVersion: | 2014.0.5.17762 |
FileDescription: | 按键小精灵 |
CompanyName: | 按键小精灵 (C) 2001 - 2017 |
CharacterSet: | Unicode |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 2014.0.5.17762 |
FileVersionNumber: | 2014.0.5.17762 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1610a7 |
UninitializedDataSize: | - |
InitializedDataSize: | 1075712 |
CodeSize: | 2342400 |
LinkerVersion: | 10 |
PEType: | PE32 |
TimeStamp: | 2017:09:08 07:34:43+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 08-Sep-2017 05:34:43 |
Detected languages: |
|
TLS Callbacks: | 1 callback(s) detected. |
CompanyName: | 按键小精灵 (C) 2001 - 2017 |
FileDescription: | 按键小精灵 |
FileVersion: | 2014.0.5.17762 |
InternalName: | MyMacro.exe |
LegalCopyright: | Copyright (C) 2001 - 2017 |
OriginalFilename: | MyMacro.exe |
ProductName: | 按键小精灵 |
ProductVersion: | 2014.0.5.17762 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000128 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 08-Sep-2017 05:34:43 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0023BD9A | 0x0023BE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.61731 |
.rdata | 0x0023D000 | 0x0007C808 | 0x0007CA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.16889 |
.data | 0x002BA000 | 0x00016284 | 0x0000C600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.05743 |
.tls | 0x002D1000 | 0x00000002 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x002D2000 | 0x00039A5C | 0x00039C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.31609 |
.reloc | 0x0030C000 | 0x00043B80 | 0x00043C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.103 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.05194 | 866 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 4.382 | 67624 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 4.73086 | 21640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
4 | 4.61991 | 16936 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
5 | 4.96807 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
6 | 5.0163 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
7 | 5.99663 | 256 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
8 | 6.489 | 1092 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
9 | 5.37819 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
10 | 5.21586 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IMM32.dll |
KERNEL32.dll |
MSIMG32.dll |
OLEACC.dll |
OLEAUT32.dll |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2752 | "C:\Users\admin\Desktop\b.exe" | C:\Users\admin\Desktop\b.exe | — | explorer.exe |
User: admin Company: 按键小精灵 (C) 2001 - 2017 Integrity Level: MEDIUM Description: 按键小精灵 Exit code: 3221226540 Version: 2014.0.5.17762 | ||||
900 | "C:\Users\admin\Desktop\b.exe" | C:\Users\admin\Desktop\b.exe | explorer.exe | |
User: admin Company: 按键小精灵 (C) 2001 - 2017 Integrity Level: HIGH Description: 按键小精灵 Version: 2014.0.5.17762 | ||||
3232 | "C:\Windows\System32\PING.EXE" www.baidu.com -n 2 | C:\Windows\System32\PING.EXE | — | b.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3916 | --host_id 3 --verify_key O_9arsKyUkoM --product "C:\Users\admin\Desktop\b.exe" --version 2014.05.17762 | C:\Users\admin\AppData\Roaming\MyMacro\Runner.exe | b.exe | |
User: admin Company: 福建创意嘉和软件有限公司(C)2001-2016 Integrity Level: HIGH Description: 脚本执行器 Version: 1.0.0.17762 | ||||
3756 | "C:\Windows\System32\PING.EXE" www.baidu.com -n 2 | C:\Windows\System32\PING.EXE | — | b.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3168 | C:\Users\admin\AppData\Roaming\MyMacro\binding.exe | C:\Users\admin\AppData\Roaming\MyMacro\binding.exe | — | b.exe |
User: admin Company: 福建创意嘉和软件有限公司(C)2001-2017 Integrity Level: HIGH Description: extratool Exit code: 2 Version: 1.0.0.1 | ||||
3336 | "C:\Windows\System32\PING.EXE" www.baidu.com -n 2 | C:\Windows\System32\PING.EXE | — | b.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
900 | b.exe | C:\Users\admin\AppData\Local\Temp\adcon\mm\tmpad.xml | — | |
MD5:— | SHA256:— | |||
900 | b.exe | C:\Users\admin\AppData\Local\Temp\plugin.zip | — | |
MD5:— | SHA256:— | |||
900 | b.exe | C:\Users\admin\AppData\Local\Temp\mymacro.zip | — | |
MD5:— | SHA256:— | |||
900 | b.exe | C:\Users\admin\AppData\Local\Temp\RKey.zip | — | |
MD5:— | SHA256:— | |||
900 | b.exe | C:\Users\admin\AppData\Local\Temp\Runner.zip | — | |
MD5:— | SHA256:— | |||
900 | b.exe | C:\Users\admin\AppData\Local\Temp\MT.zip | — | |
MD5:— | SHA256:— | |||
900 | b.exe | C:\Users\admin\AppData\Local\Temp\ad-mymacro9.xml.tmp | — | |
MD5:— | SHA256:— | |||
3916 | Runner.exe | C:\Users\admin\AppData\Local\Temp\8911749.tmp | — | |
MD5:— | SHA256:— | |||
900 | b.exe | \Device\HarddiskVolume2\ProgramData\boost_interprocess\97D3AC3C4424D501F242F8FE4624D501 | — | |
MD5:— | SHA256:— | |||
900 | b.exe | C:\ProgramData\boost_interprocess\_NG75TgBS48w | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
900 | b.exe | GET | — | 42.236.74.213:80 | http://img.users.51.la/321019.asp | CN | — | — | whitelisted |
900 | b.exe | POST | 200 | 117.27.139.134:80 | http://soft.anjian.com/Include/BuildPage/ExitAdXJL.shtml | CN | text | 134 b | malicious |
900 | b.exe | POST | 200 | 117.27.139.134:80 | http://soft.anjian.com/Interface/BindingPC/BindingUsing.aspx | CN | text | 714 b | malicious |
900 | b.exe | POST | 500 | 117.27.139.134:80 | http://soft.anjian.com/Interface/GetIP.aspx | CN | html | 7.19 Kb | malicious |
900 | b.exe | GET | — | 42.236.74.213:80 | http://img.users.51.la/321019.asp | CN | — | — | whitelisted |
900 | b.exe | GET | 200 | 103.235.46.191:80 | http://hm.baidu.com/hm.js?9f7c90c4f314eb12aa0ed7c4b4d9d002 | HK | text | 11.6 Kb | whitelisted |
900 | b.exe | POST | 200 | 117.27.139.134:80 | http://soft.anjian.com/Interface/BindingPC/BindingUpdate.aspx | CN | text | 186 b | malicious |
900 | b.exe | GET | 200 | 103.235.46.191:80 | http://hm.baidu.com/h.js?82d5c049236934007371777578c30be1 | HK | text | 32.4 Kb | whitelisted |
900 | b.exe | GET | 200 | 117.27.139.134:80 | http://soft.anjian.com/V2014V2/Config/ad-mymacro.xml | CN | binary | 3.91 Kb | malicious |
900 | b.exe | GET | 200 | 117.27.139.134:80 | http://ad.vrbrothers.com/qmacro/ad-mymacro8-b.htm | CN | html | 1.55 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
900 | b.exe | 42.236.74.213:80 | img.users.51.la | CHINA UNICOM China169 Backbone | CN | unknown |
900 | b.exe | 117.27.139.134:80 | soft.anjian.com | Fuzhou | CN | malicious |
— | — | 165.160.13.20:80 | s.csbew.com | Corporation Service Company | US | malicious |
900 | b.exe | 111.202.114.153:80 | log.hm.baidu.com | China Unicom Beijing Province Network | CN | unknown |
900 | b.exe | 103.235.46.191:80 | hm.baidu.com | Beijing Baidu Netcom Science and Technology Co., Ltd. | HK | suspicious |
Domain | IP | Reputation |
---|---|---|
soft.anjian.com |
| malicious |
down.vrbrothers.com |
| malicious |
www.baidu.com |
| whitelisted |
hi.vrbrothers.com |
| malicious |
ad.vrbrothers.com |
| malicious |
hm.baidu.com |
| whitelisted |
s.csbew.com |
| malicious |
img.users.51.la |
| unknown |
log.hm.baidu.com |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
900 | b.exe | A Network Trojan was detected | ET MALWARE User-Agent (Mozilla/4.0 (compatible)) |
900 | b.exe | A Network Trojan was detected | MALWARE [PTsecurity] Backdoor.Win32.Hupigon.dudu Checkin |
900 | b.exe | A Network Trojan was detected | ET MALWARE User-Agent (Mozilla/4.0 (compatible)) |
900 | b.exe | A Network Trojan was detected | ET MALWARE User-Agent (Mozilla/4.0 (compatible)) |
900 | b.exe | A Network Trojan was detected | ET MALWARE User-Agent (Mozilla/4.0 (compatible)) |
Process | Message |
---|---|
b.exe | g_szDataPath: C:\Users\admin\AppData\Roaming\MyMacro\RKey.dat
|
b.exe | g_hEventFlag: 4d0, g_hEvent_CodeInfo: 4f8
|
b.exe | g_pCodeFlag: 2460000, g_pCodeInfo: 25e0000
|