analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

oracle-weblogic-zeroday.html

Full analysis: https://app.any.run/tasks/51838955-0ba6-454c-bb72-2829decb0323
Verdict: Malicious activity
Analysis date: April 25, 2019, 19:18:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, CR, LF line terminators
MD5:

0DC8115C7A819E69F1C8D46E592E70BA

SHA1:

132E049AD8C2C718F5A5B787F49954E81311DF9B

SHA256:

49D97D86EA700563300A1997E7233EF0A1E4240386DF7ADA3617B0E28C2661AC

SSDEEP:

1536:3Asiwp/Fuppfy0F2wgYbkgoOSjP/cLo/LbVAw2lV/bF12mp:2wBFspq+FgYUjXcLo/LbVAw2lV/bF1vp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2588)

    • Creates files in the user directory

      • iexplore.exe (PID: 2188)
      • iexplore.exe (PID: 2812)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1936)

    • Application launched itself

      • iexplore.exe (PID: 2588)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2188)
      • iexplore.exe (PID: 2812)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2812)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2812)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2588)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2588)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)

EXIF

HTML

viewport: width=device-width, initial-scale=1, maximum-scale=1
Title: Zero-day vulnerability in Oracle WebLogic yet to be patchedSecurity Affairs
HTTPEquivXUACompatible: IE=edge
Description: Security experts are warning of a dangerous zero-day remote code vulnerability that affects the Oracle WebLogic service platform.
twitterCard: summary
twitterDescription: Security experts are warning of a dangerous zero-day remote code vulnerability that affects the Oracle WebLogic service platform.
twitterTitle: Zero-day vulnerability in Oracle WebLogic yet to be patched
twitterSite: @securityaffairs
twitterImage: https://securityaffairs.co/wordpress/wp-content/uploads/2019/04/Weblogic-zeroday-2.png
twitterCreator: @securityaffairs
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2588"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\oracle-weblogic-zeroday.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2188"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2588 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2812"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2588 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1936C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
642
Read events
521
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
92
Unknown types
13

Dropped files

PID
Process
Filename
Type
2588iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2588iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2588iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5FB0DC3026D3B3FC.TMP
MD5:
SHA256:
2588iexplore.exeC:\Users\admin\AppData\Local\Temp\StructuredQuery.logtext
MD5:22DF4B4A99B854374B4B3E7981C54239
SHA256:862A0D93327C658649C06BCA2F876F1AAEC32AE095C419416CC6E6D3EAF45D5D
2812iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:EE8C0FE53FA0B719A5B243E4597C529D
SHA256:7EE86749688E6D0D3E4D96F409DA85417169BE75261F44224E8DB9AEEAB24439
2812iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1C2GGUN1\flexslider[1].csstext
MD5:DD4C11A6C70BED24DED363A14389C900
SHA256:759949FB0FFAA47EB3755D704ADFEE7BE3AB4FD3D3FA2F37381CA6EA8B9506B1
2812iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\134RKHN3\css[2].txttext
MD5:DF8BB2EC5C879B4EA4516669114FDFCF
SHA256:FC8BAF0FB1E4616210C3F9655D7E2CB2E4071B9A44B664D1F8E8942757D7D21A
2588iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{FBF51756-678E-11E9-A370-5254004A04AF}.datbinary
MD5:7522DF3C90D1B9FF463383C59D5CE5E1
SHA256:C4CA75C65B3874B540A3EC3D9C32EEE2F2A3316F2E31E390B6FBFB02702BB109
2812iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UZNR6XRK\custom[1].csstext
MD5:89C2098768EA0D8115CEC383A1B40A57
SHA256:E89BBC7723C5114F9CF138C6019BBCA4E4F5E13F6B9FEBAA38C92C4C3584A964
2812iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UZNR6XRK\css[1].txttext
MD5:09A7F2F7FF5DAEFA1B79B91DD1CA9193
SHA256:C403DB22BF7A894B691E1A32A932BF16965D7C5CB912B859154DCCC9F02D94B4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
43
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2812
iexplore.exe
GET
200
172.217.22.106:80
http://fonts.googleapis.com/css?family=Lato%3A400%2C700%2C400italic%2C700italic&ver=16c90ef0abf6cd9c95284f2b86953fb4
US
text
155 b
whitelisted
2812
iexplore.exe
GET
200
172.217.22.106:80
http://fonts.googleapis.com/css?family=Playfair+Display%3A400%2C700%2C400italic&subset=latin%2Ccyrillic-ext%2Cgreek-ext%2Ccyrillic&ver=16c90ef0abf6cd9c95284f2b86953fb4
US
text
180 b
whitelisted
2812
iexplore.exe
GET
200
172.217.22.106:80
http://fonts.googleapis.com/css?family=Oswald%3A400%2C700%2C400italic&subset=latin%2Ccyrillic-ext%2Cgreek-ext%2Ccyrillic&ver=16c90ef0abf6cd9c95284f2b86953fb4
US
text
159 b
whitelisted
2812
iexplore.exe
GET
200
172.217.22.106:80
http://fonts.googleapis.com/css?family=Roboto+Condensed%3A400italic%2C700italic%2C400%2C700&subset=latin%2Ccyrillic-ext%2Cgreek-ext%2Cgreek%2Ccyrillic%2Clatin-ext%2Cvietnamese&ver=16c90ef0abf6cd9c95284f2b86953fb4
US
text
179 b
whitelisted
2588
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2812
iexplore.exe
172.217.22.106:80
fonts.googleapis.com
Google Inc.
US
whitelisted
2812
iexplore.exe
217.160.0.146:443
securityaffairs.co
1&1 Internet SE
DE
malicious
2588
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
4
System
209.197.3.15:139
maxcdn.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
2812
iexplore.exe
209.197.3.15:443
maxcdn.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
4
System
209.197.3.15:445
maxcdn.bootstrapcdn.com
Highwinds Network Group, Inc.
US
whitelisted
2812
iexplore.exe
31.13.90.36:443
www.facebook.com
Facebook, Inc.
IE
whitelisted
2812
iexplore.exe
185.60.216.19:443
connect.facebook.net
Facebook, Inc.
IE
whitelisted
2812
iexplore.exe
104.109.70.8:443
ws.sharethis.com
Akamai International B.V.
NL
whitelisted
2812
iexplore.exe
23.62.140.165:443
contextual.media.net
Akamai Technologies, Inc.
NL
whitelisted

DNS requests

Domain
IP
Reputation
maxcdn.bootstrapcdn.com
  • 209.197.3.15
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
securityaffairs.co
  • 217.160.0.146
whitelisted
fonts.googleapis.com
  • 172.217.22.106
whitelisted
ws.sharethis.com
  • 104.109.70.8
shared
platform-api.sharethis.com
  • 104.109.70.8
whitelisted
connect.facebook.net
  • 185.60.216.19
whitelisted
platform.twitter.com
  • 93.184.220.66
whitelisted
www.facebook.com
  • 31.13.90.36
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
oracle-weblogic-zeroday.html