Malware analysis http://rfooznjne.Kenia283.xyz/index Malicious activity

Add for printing

URL:	http://rfooznjne.Kenia283.xyz/index
Full analysis:	https://app.any.run/tasks/92fbbe75-a418-4885-9f9a-42a00735cc53
Verdict:	Malicious activity
Analysis date:	September 11, 2019, 10:54:44
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:	9D177573F8CE1D5A332C6BE6FDDF7C32
SHA1:	5419FA4DBBB8BDCC28052F749821BFDF02544326
SHA256:	509AF02775C637014033D7EB0C24A2F7924E0472640FC6C31BE6726D58516F87
SSDEEP:	3:N1KMWKjwtUpcun:CMNjwUn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executed via COM
  - FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3212)
INFO
- Creates files in the user directory
  - iexplore.exe (PID: 3796)
  - iexplore.exe (PID: 3512)
  - FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3212)
- Changes internet zones settings
  - iexplore.exe (PID: 3512)
- Application launched itself
  - iexplore.exe (PID: 3512)
- Reads internet explorer settings
  - iexplore.exe (PID: 3796)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3796)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3796)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3512	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3796	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3512 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3212	C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding	C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe	—	svchost.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131

Add for printing

Total events

510

Read events

404

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3512	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico		—
		MD5:—	SHA256:—
3512	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3796	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:1538ED343AA26AE9B6FF5F51F68677F8	SHA256:DA711F6E62B827AD49FB3A439373A76EBAF7DB84E4906ACD18DA55B1DCE9E8CF
3796	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\97O6ZJQJ\sl[1].html		html
		MD5:715BB5E9F5EE151815DEB883B72CDCDB	SHA256:2B22B94E389050709721B83C993ED12EE302FC44C64BEA17565F1B2AE0779251
3796	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W6RUTJF3\intlTelInput[1].css		text
		MD5:CC092C0538578055EE37DDB1891E5CC4	SHA256:69554F8CF1DA962923CECFEAC3A6AE9CBAE7D001219D96E3D81112E9F490DBA9
3512	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\sl[1].html		html
		MD5:715BB5E9F5EE151815DEB883B72CDCDB	SHA256:2B22B94E389050709721B83C993ED12EE302FC44C64BEA17565F1B2AE0779251
3512	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@gladwin933[1].txt		text
		MD5:C1085F1D91A99C70976737D32E9215C7	SHA256:65655DAF807441C6820CC5C19C16C74E9739BEAFE69F0F7F6FDCF1792037EC65
3796	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat		dat
		MD5:2A00336EDB249D3F3FE4BEA3CEC19FEF	SHA256:CA1C2878DA93C130A6D67B556F677DBA182274C2718B90C4CEDA7D08FE9A0162
3796	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt		text
		MD5:AE0F6ECB12018D41E03AA47840897F47	SHA256:2044640508540FEC2470B7F4BB9D0B16AE66DA79D9FD23D76AB58BE0DF551AEB
3796	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:141AED1A087308A4B2F3FCB6C54B636C	SHA256:C748B694168AF0D7E0AD42D670BBB98CDAED27547DF1F96A7BDEF0358C232FB8

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3796	iexplore.exe	GET	302	47.254.173.118:80	http://rfooznjne.kenia283.xyz/index	US	—	—	suspicious
3796	iexplore.exe	GET	302	104.24.114.83:80	http://vip.diguqadi.xyz/tracker?s_id=7&aff_id=225	US	—	—	suspicious
3512	iexplore.exe	GET	302	47.254.173.118:80	http://isaura310.xyz/favicon.ico	US	—	—	suspicious
3512	iexplore.exe	GET	302	47.254.173.118:80	http://gladwin933.xyz/index	US	—	—	suspicious
3796	iexplore.exe	GET	200	47.254.173.118:80	http://isaura310.xyz/sl.html	US	html	132 b	suspicious
3796	iexplore.exe	GET	—	104.24.114.83:80	http://ru.infinity-appl.vip.diguqadi.xyz/css/css_1.css	US	—	—	suspicious
3796	iexplore.exe	GET	200	104.24.114.83:80	http://ru.infinity-appl.vip.diguqadi.xyz/css/style.css	US	text	1.59 Kb	suspicious
3796	iexplore.exe	GET	200	104.24.114.83:80	http://ru.infinity-appl.vip.diguqadi.xyz/slick.eot-	US	html	7.67 Kb	suspicious
3796	iexplore.exe	GET	200	104.24.114.83:80	http://ru.infinity-appl.vip.diguqadi.xyz/Bebas_regular.eot-	US	html	7.67 Kb	suspicious
3796	iexplore.exe	GET	200	104.24.114.83:80	http://ru.infinity-appl.vip.diguqadi.xyz/css/css.css	US	text	1.28 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3512	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3796	iexplore.exe	195.181.175.10:80	cdn.sendpulse.com	Datacamp Limited	DE	suspicious
3512	iexplore.exe	47.254.173.118:80	rfooznjne.kenia283.xyz	Alibaba (China) Technology Co., Ltd.	US	malicious
3796	iexplore.exe	47.254.173.118:80	rfooznjne.kenia283.xyz	Alibaba (China) Technology Co., Ltd.	US	malicious
3796	iexplore.exe	104.24.114.83:80	vip.diguqadi.xyz	Cloudflare Inc	US	shared
3796	iexplore.exe	87.250.251.119:443	mc.yandex.ru	YANDEX LLC	RU	whitelisted
3512	iexplore.exe	104.24.114.83:80	vip.diguqadi.xyz	Cloudflare Inc	US	shared

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
rfooznjne.kenia283.xyz	47.254.173.118	suspicious
isaura310.xyz	47.254.173.118	suspicious
vip.diguqadi.xyz	104.24.114.83 104.24.115.83	suspicious
ru.infinity-appl.vip.diguqadi.xyz	104.24.114.83 104.24.115.83	suspicious
gladwin933.xyz	47.254.173.118	suspicious
cdn.sendpulse.com	195.181.175.10	whitelisted
mc.yandex.ru	87.250.251.119 77.88.21.119 87.250.250.119 93.158.134.119	whitelisted

Threats

PID	Process	Class	Message
3796	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3796	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3796	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3512	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3796	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3796	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3796	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3796	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3796	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3512	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain

Add for printing

No debug info

General Info

http://rfooznjne.Kenia283.xyz/index

9D177573F8CE1D5A332C6BE6FDDF7C32

5419FA4DBBB8BDCC28052F749821BFDF02544326

509AF02775C637014033D7EB0C24A2F7924E0472640FC6C31BE6726D58516F87

3:N1KMWKjwtUpcun:CMNjwUn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executed via COM

INFO

Creates files in the user directory

Changes internet zones settings

Application launched itself

Reads internet explorer settings

Reads Internet Cache Settings

Reads settings of System Certificates

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings