download: | oracle-weblogic-zeroday.html |
Full analysis: | https://app.any.run/tasks/51838955-0ba6-454c-bb72-2829decb0323 |
Verdict: | Malicious activity |
Analysis date: | April 25, 2019, 19:18:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/html |
File info: | HTML document, UTF-8 Unicode text, with very long lines, with CRLF, CR, LF line terminators |
MD5: | 0DC8115C7A819E69F1C8D46E592E70BA |
SHA1: | 132E049AD8C2C718F5A5B787F49954E81311DF9B |
SHA256: | 49D97D86EA700563300A1997E7233EF0A1E4240386DF7ADA3617B0E28C2661AC |
SSDEEP: | 1536:3Asiwp/Fuppfy0F2wgYbkgoOSjP/cLo/LbVAw2lV/bF12mp:2wBFspq+FgYUjXcLo/LbVAw2lV/bF1vp |
.htm/html | | | HyperText Markup Language with DOCTYPE (80.6) |
---|---|---|
.html | | | HyperText Markup Language (19.3) |
viewport: | width=device-width, initial-scale=1, maximum-scale=1 |
---|---|
Title: | Zero-day vulnerability in Oracle WebLogic yet to be patchedSecurity Affairs |
HTTPEquivXUACompatible: | IE=edge |
Description: | Security experts are warning of a dangerous zero-day remote code vulnerability that affects the Oracle WebLogic service platform. |
twitterCard: | summary |
twitterDescription: | Security experts are warning of a dangerous zero-day remote code vulnerability that affects the Oracle WebLogic service platform. |
twitterTitle: | Zero-day vulnerability in Oracle WebLogic yet to be patched |
twitterSite: | @securityaffairs |
twitterImage: | https://securityaffairs.co/wordpress/wp-content/uploads/2019/04/Weblogic-zeroday-2.png |
twitterCreator: | @securityaffairs |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2588 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\oracle-weblogic-zeroday.html | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2188 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2588 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2812 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2588 CREDAT:203009 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
1936 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2588 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2588 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2588 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF5FB0DC3026D3B3FC.TMP | — | |
MD5:— | SHA256:— | |||
2588 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\StructuredQuery.log | text | |
MD5:22DF4B4A99B854374B4B3E7981C54239 | SHA256:862A0D93327C658649C06BCA2F876F1AAEC32AE095C419416CC6E6D3EAF45D5D | |||
2812 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:EE8C0FE53FA0B719A5B243E4597C529D | SHA256:7EE86749688E6D0D3E4D96F409DA85417169BE75261F44224E8DB9AEEAB24439 | |||
2812 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1C2GGUN1\flexslider[1].css | text | |
MD5:DD4C11A6C70BED24DED363A14389C900 | SHA256:759949FB0FFAA47EB3755D704ADFEE7BE3AB4FD3D3FA2F37381CA6EA8B9506B1 | |||
2812 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\134RKHN3\css[2].txt | text | |
MD5:DF8BB2EC5C879B4EA4516669114FDFCF | SHA256:FC8BAF0FB1E4616210C3F9655D7E2CB2E4071B9A44B664D1F8E8942757D7D21A | |||
2588 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{FBF51756-678E-11E9-A370-5254004A04AF}.dat | binary | |
MD5:7522DF3C90D1B9FF463383C59D5CE5E1 | SHA256:C4CA75C65B3874B540A3EC3D9C32EEE2F2A3316F2E31E390B6FBFB02702BB109 | |||
2812 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UZNR6XRK\custom[1].css | text | |
MD5:89C2098768EA0D8115CEC383A1B40A57 | SHA256:E89BBC7723C5114F9CF138C6019BBCA4E4F5E13F6B9FEBAA38C92C4C3584A964 | |||
2812 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UZNR6XRK\css[1].txt | text | |
MD5:09A7F2F7FF5DAEFA1B79B91DD1CA9193 | SHA256:C403DB22BF7A894B691E1A32A932BF16965D7C5CB912B859154DCCC9F02D94B4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2812 | iexplore.exe | GET | 200 | 172.217.22.106:80 | http://fonts.googleapis.com/css?family=Lato%3A400%2C700%2C400italic%2C700italic&ver=16c90ef0abf6cd9c95284f2b86953fb4 | US | text | 155 b | whitelisted |
2812 | iexplore.exe | GET | 200 | 172.217.22.106:80 | http://fonts.googleapis.com/css?family=Playfair+Display%3A400%2C700%2C400italic&subset=latin%2Ccyrillic-ext%2Cgreek-ext%2Ccyrillic&ver=16c90ef0abf6cd9c95284f2b86953fb4 | US | text | 180 b | whitelisted |
2812 | iexplore.exe | GET | 200 | 172.217.22.106:80 | http://fonts.googleapis.com/css?family=Oswald%3A400%2C700%2C400italic&subset=latin%2Ccyrillic-ext%2Cgreek-ext%2Ccyrillic&ver=16c90ef0abf6cd9c95284f2b86953fb4 | US | text | 159 b | whitelisted |
2812 | iexplore.exe | GET | 200 | 172.217.22.106:80 | http://fonts.googleapis.com/css?family=Roboto+Condensed%3A400italic%2C700italic%2C400%2C700&subset=latin%2Ccyrillic-ext%2Cgreek-ext%2Cgreek%2Ccyrillic%2Clatin-ext%2Cvietnamese&ver=16c90ef0abf6cd9c95284f2b86953fb4 | US | text | 179 b | whitelisted |
2588 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2812 | iexplore.exe | 172.217.22.106:80 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2812 | iexplore.exe | 217.160.0.146:443 | securityaffairs.co | 1&1 Internet SE | DE | malicious |
2588 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
4 | System | 209.197.3.15:139 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
2812 | iexplore.exe | 209.197.3.15:443 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
4 | System | 209.197.3.15:445 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
2812 | iexplore.exe | 31.13.90.36:443 | www.facebook.com | Facebook, Inc. | IE | whitelisted |
2812 | iexplore.exe | 185.60.216.19:443 | connect.facebook.net | Facebook, Inc. | IE | whitelisted |
2812 | iexplore.exe | 104.109.70.8:443 | ws.sharethis.com | Akamai International B.V. | NL | whitelisted |
2812 | iexplore.exe | 23.62.140.165:443 | contextual.media.net | Akamai Technologies, Inc. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
maxcdn.bootstrapcdn.com |
| whitelisted |
www.bing.com |
| whitelisted |
dns.msftncsi.com |
| shared |
securityaffairs.co |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
ws.sharethis.com |
| shared |
platform-api.sharethis.com |
| whitelisted |
connect.facebook.net |
| whitelisted |
platform.twitter.com |
| whitelisted |
www.facebook.com |
| whitelisted |