Field | Value |
---|---|
File name: | spirit-fortnite-injector.zip.exe |
Full analysis: | https://app.any.run/tasks/f9284864-2c1e-4206-b177-c7056778abd3 |
Verdict: | Malicious activity |
Analysis date: | September 30, 2020, 09:45:56 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 9C9AF6B2DFB3E933119A685D582F94EE |
SHA1: | FCF85BA8AFE81AF446D48CA70111E50A640B1ED9 |
SHA256: | 29F8C587D0F8A5B0D3B235C193D70E93B45905ED0B5F7EFE4E78094800A0BF32 |
SSDEEP: | 98304:fG5QgrvI6QpOkvjKg0afvdCuJRy85EMijZu6:fG5bvvQIkmpa9F3VuMyZd |
Extension | File type (score) |
---|---|
.exe | InstallShield setup (36.8) |
.exe | Win32 Executable MS Visual C++ (generic) (26.6) |
.exe | Win64 Executable (generic) (23.6) |
.dll | Win32 Dynamic Link Library (generic) (5.6) |
.exe | Win32 Executable (generic) (3.8) |
Field | Value |
---|---|
ProductName: | CherryPlayer_Web's Installer |
OriginalFileName: | - |
LegalCopyright: | CherryPlayer_Web |
InternalName: | - |
FileDescription: | Software Installation |
CompanyName: | CherryPlayer_Web |
ProductVersion: | 1.2.0.3088 |
FileVersion: | 1.2.0.3088 |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.2.0.3088 |
FileVersionNumber: | 1.2.0.3088 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x148d4 |
UninitializedDataSize: | - |
InitializedDataSize: | 344064 |
CodeSize: | 104448 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2011:04:18 20:54:06+02:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1700 | "C:\Users\admin\AppData\Local\Temp\spirit-fortnite-injector.zip.exe" | C:\Users\admin\AppData\Local\Temp\spirit-fortnite-injector.zip.exe | — | explorer.exe | User: admin; Company: CherryPlayer_Web; Integrity Level: MEDIUM; Description: Software Installation; Exit code: 3221226540; Version: 1.2.0.3088 |
2728 | "C:\Users\admin\AppData\Local\Temp\spirit-fortnite-injector.zip.exe" | C:\Users\admin\AppData\Local\Temp\spirit-fortnite-injector.zip.exe | | explorer.exe | User: admin; Company: CherryPlayer_Web; Integrity Level: HIGH; Description: Software Installation; Version: 1.2.0.3088 |
2180 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\installer.exe | | spirit-fortnite-injector.zip.exe | User: admin; Company: adaware; Integrity Level: HIGH; Description: Software Installation; Version: 1.2.0.3088 |
1292 | "C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\GenericSetup.exe" C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\GenericSetup.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\GenericSetup.exe | | installer.exe | User: admin; Integrity Level: HIGH; Description: Software Installation; Version: 1.2.0.3088 |
2144 | "C:\Windows\system32\taskmgr.exe" /4 | C:\Windows\system32\taskmgr.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Task Manager; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\InstallingPage.html | html | 46B742D55D344D388451FFEC50600366 | 3885709A6AE6AA359CC2B5DF930D97FCD25F6BF1E973EB3BFEE9A4199BA779D3 |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\GenericSetup.exe | executable | CC7F3C2AEC42DB29F5EC9A22AC08585E | E91391F1F53FE5E0C6575570B09F6D1B10D0BB855B5C1B65F13743185E39A9EC |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\FinishPage.html | html | 6EEF560F70E4DD79B823C888E7C38E57 | B25DBD7FA802FD2CEB1800EB8CD2BDE205CB7AAB5B56C4C054725F92C888591B |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\style.css | text | 4C8C0D2041A52FF69A71A1462D492CB6 | F184542E422AFEA9F3C2C2CA589E1427467BE22A039D0C31D8FD95F1AAB49E49 |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\OfferPage.html | html | 53A4925B3382E7DB8472D92A67BA94F4 | 19180A9E414034A059503F88E385D4C9372576E56F0222F8D3A60024DBD8A7C8 |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\images\logo.png | image | 9F356CF9731F525512942204C0A6F0E3 | 39C62621CBC3376595850DF2658DB2ECB64FF156C6B213A1799AD6F20D13BA14 |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\WelcomePage.html | html | 05EC0B98E13AA9C2290D43BA3544FEF2 | 574A1BB37654813EBDC73EE8C0696069CDAC80CAC7D975FC40FA6B5252406402 |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\images\cherry-player-logo.png | image | 15F948325152E7C99D900EE4DADE93EA | C7004BF44810058E1F3ABDFD01B3881E9B945C05DD10660EEBE8C215519D4D3B |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\tis\EventHandler.tis | text | E40D7878D88D2D55119E2D28A994653E | 2DBB0A6C28F1A4C199B3090AA17147BD4F784458B0663BCB75E18C17090101B7 |
2728 | spirit-fortnite-injector.zip.exe | C:\Users\admin\AppData\Local\Temp\7zS8AADDD8B\Resources\tis\ViewStateLoader.tis | text | CFA267DB7E3295C099F9AE454FD23331 | 5EA24E0CB28EA1F50CC2BEEF1EB0C1B9BA2A5099B63F66F2A4EE2ED60CFE30FD |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2180 | installer.exe | POST | 200 | 104.18.88.101:80 | http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart | US | text | 29 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1292 | GenericSetup.exe | 104.16.235.79:443 | h2oapi.adaware.com | Cloudflare Inc | US | shared |
1292 | GenericSetup.exe | 104.16.236.79:443 | h2oapi.adaware.com | Cloudflare Inc | US | shared |
2180 | installer.exe | 104.18.88.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
h2oapi.adaware.com | | malicious |
flow.lavasoft.com | | whitelisted |
dns.msftncsi.com | | shared |
sos.adaware.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2180 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
Process | Message |
---|---|
GenericSetup.exe | at sciter:init-script.tis |
GenericSetup.exe | at sciter:init-script.tis |
GenericSetup.exe | |
GenericSetup.exe | |
GenericSetup.exe | file:resources/tis/TranslateOfferTemplate.tis(82) : warning :'async' does not contain any 'await' |