| File name: | LeapFrogConnectSetup_MyPals.exe |
| Full analysis: | https://app.any.run/tasks/cc2ee951-dee5-4f4f-8173-9bd5337111ad |
| Verdict: | Malicious activity |
| Analysis date: | December 25, 2023, 23:04:45 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | AC18B200EC0070D96A45E6400E040CBD |
| SHA1: | F713B56CDB1D34E7025526335AB009DDB3EF8B66 |
| SHA256: | 5620E1330B0D3CA7598D48230DE20F3462E86BA919A40CCEAE293EE1ADCE6BF2 |
| SSDEEP: | 98304:0znqtIeGnN3jzfOy8wB0Cr5G13rGr7P3yPKlcyB5w/kfHH8ykbpA/YnxmZVRRRRv:2rWrGH4EKEK1FuepqL |
MALICIOUS
Creates a writable file in the system directory
- msiexec.exe (PID: 1804)
SUSPICIOUS
Reads the Windows owner or organization settings
- msiexec.exe (PID: 1804)
Reads settings of System Certificates
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
- LeapFrogConnect.exe (PID: 2760)
Uses ICACLS.EXE to modify access control lists
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
Uses TASKKILL.EXE to kill process
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
Reads the Internet Settings
- LeapFrogConnect.exe (PID: 2760)
- control.exe (PID: 2028)
- rundll32.exe (PID: 3956)
Checks for Java to be installed
- LeapFrogConnect.exe (PID: 2760)
Uses RUNDLL32.EXE to load library
- control.exe (PID: 2028)
Reads Microsoft Outlook installation path
- rundll32.exe (PID: 3956)
INFO
Drops the executable file immediately after the start
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
- msiexec.exe (PID: 1804)
- msiexec.exe (PID: 2572)
- WiseCustomCalla.exe (PID: 2428)
Reads the computer name
- msiexec.exe (PID: 1804)
- msiexec.exe (PID: 2340)
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
- CommandService.exe (PID: 1748)
- msiexec.exe (PID: 2572)
- Monitor.exe (PID: 984)
- LeapFrogConnect.exe (PID: 2760)
Reads the machine GUID from the registry
- msiexec.exe (PID: 1804)
- msiexec.exe (PID: 2340)
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
- msiexec.exe (PID: 2572)
- Monitor.exe (PID: 984)
- LeapFrogConnect.exe (PID: 2760)
Application launched itself
- msiexec.exe (PID: 1804)
- msedge.exe (PID: 2860)
- msedge.exe (PID: 3212)
Checks supported languages
- msiexec.exe (PID: 2340)
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
- msiexec.exe (PID: 1804)
- CommandService.exe (PID: 1748)
- msiexec.exe (PID: 2572)
- WiseCustomCalla.exe (PID: 2428)
- LeapFrogConnect.exe (PID: 2760)
- Monitor.exe (PID: 984)
Create files in a temporary directory
- msiexec.exe (PID: 1804)
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
- WiseCustomCalla.exe (PID: 2428)
- LeapFrogConnect.exe (PID: 2760)
- Monitor.exe (PID: 984)
Process drops legitimate windows executable
- msiexec.exe (PID: 1804)
Creates files in the program directory
- LeapFrogConnectSetup_MyPals.exe (PID: 2268)
- LeapFrogConnect.exe (PID: 2760)
- Monitor.exe (PID: 984)
Executes as Windows Service
- CommandService.exe (PID: 1748)
Manual execution by a user
- WINWORD.EXE (PID: 2100)
- msedge.exe (PID: 3212)
- control.exe (PID: 2028)
- powershell.exe (PID: 2580)
- powershell.exe (PID: 2508)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:06:29 02:08:01+02:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 8184320 |
| InitializedDataSize: | 6117376 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5e9331 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 9.0.7.0 |
| ProductVersionNumber: | 9.0.7.0 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | LeapFrog Enterprises, Inc. |
| FileDescription: | Sniffer Application |
| FileVersion: | 9,0,7,0 |
| InternalName: | Sniffer |
| LegalCopyright: | ©2008 – 2018 LeapFrog Enterprises, Inc. All rights reserved. |
| OriginalFileName: | Sniffer.exe |
| ProductName: | Sniffer Application |
| ProductVersion: | 9,0,7,0 |
Total processes
86
Monitored processes
39
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 668 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3632 --field-trial-handle=1236,i,13539298431662500854,1905407503122928827,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 712 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1236,i,13539298431662500854,1905407503122928827,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 984 | Monitor LaunchedByUPCShell | C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe | — | LeapFrogConnect.exe | |||||||||||
User: admin Company: LeapFrog Enterprises, Inc. Integrity Level: HIGH Description: Monitor Application Exit code: 0 Version: 9,0,14,0 Modules
| |||||||||||||||
| 1056 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3596 --field-trial-handle=1236,i,13539298431662500854,1905407503122928827,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1576 | taskkill /f /im Monitor.exe /im LeapFrogConnect.exe | C:\Windows\System32\taskkill.exe | — | LeapFrogConnectSetup_MyPals.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1644 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1236,i,13539298431662500854,1905407503122928827,131072 /prefetch:3 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | msedge.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1748 | "C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe" | C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe | — | services.exe | |||||||||||
User: SYSTEM Company: LeapFrog Enterprises, Inc. Integrity Level: SYSTEM Description: CommandService Application Exit code: 0 Version: 9,0,14,0 Modules
| |||||||||||||||
| 1804 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1864 | cacls "C:\ProgramData/Leapfrog/LeapFrog Connect" /E /T /C /G Users:C | C:\Windows\System32\cacls.exe | — | LeapFrogConnectSetup_MyPals.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2016 | cacls "C:\ProgramData/Leapfrog/LeapFrog Connect" /E /T /C /G Users:C | C:\Windows\System32\cacls.exe | — | LeapFrogConnectSetup_MyPals.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Control ACLs Program Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
13 849
Read events
13 499
Write events
190
Delete events
160
Modification events
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs |
| Operation: | write | Name: | C:\Windows\system32\atl100.dll |
Value: 1 | |||
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs |
| Operation: | write | Name: | C:\Windows\system32\msvcr100.dll |
Value: 2 | |||
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs |
| Operation: | write | Name: | C:\Windows\system32\msvcp100.dll |
Value: 2 | |||
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings |
| Operation: | write | Name: | StringCacheGeneration |
Value: 386 | |||
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182\52C64B7E |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\182 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2268) LeapFrogConnectSetup_MyPals.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 115 | |||
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | delete value | Name: | C:\Config.Msi\ec87f.rbs |
Value: 31078278 | |||
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1804) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
64
Suspicious files
198
Text files
231
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2268 | LeapFrogConnectSetup_MyPals.exe | C:\ProgramData\Leapfrog\LeapFrog Connect\DownloadCache\Installer\8177c677da6500a521395d78d612cfe7.dat | — | |
MD5:— | SHA256:— | |||
| 2268 | LeapFrogConnectSetup_MyPals.exe | C:\ProgramData\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.msi | — | |
MD5:— | SHA256:— | |||
| 1804 | msiexec.exe | C:\Windows\Installer\ec87c.msi | — | |
MD5:— | SHA256:— | |||
| 2268 | LeapFrogConnectSetup_MyPals.exe | C:\ProgramData\Leapfrog\LeapFrog Connect\log\Sniffer_231225_2304.log | text | |
MD5:8DE1C3C9D0EC7ED611ACB97EBA4652AC | SHA256:AFF5395A3F0DEA76C42BFC1827F11F69C4B133EA13DDDC5BED30F13F664A3A76 | |||
| 2268 | LeapFrogConnectSetup_MyPals.exe | C:\ProgramData\Leapfrog\LeapFrog Connect\DownloadCache\Installer\ddc2abd48a416cfd2944ba036b464403.dat | executable | |
MD5:36AC9154DC167EBAD2F7F3C265879EB1 | SHA256:64214282406024F9D96D28B4EA363BCDAB4781C7904B5BD8A3D7DC1710263875 | |||
| 2268 | LeapFrogConnectSetup_MyPals.exe | C:\ProgramData\Leapfrog\LeapFrog Connect\Updates\LfConnect.xml | xml | |
MD5:4B946EA012C0E9041B85342F11A277A1 | SHA256:59F8F35C780D6305EFC3FE5CB041193E1CE273FC7C1BEB426BCF6B2629662314 | |||
| 1804 | msiexec.exe | C:\Windows\Installer\MSIC995.tmp | executable | |
MD5:1784F93D75B7BB91D6D0F8B58DC4C8A5 | SHA256:12E19E33CAC72FC0BC613DE6B971075596DF231EC52C063711EDFF4672DA530C | |||
| 2268 | LeapFrogConnectSetup_MyPals.exe | C:\ProgramData\Leapfrog\LeapFrog Connect\DownloadCache\Installer\2542c265007cbe43f896577b48a634a6.dat | xml | |
MD5:4B946EA012C0E9041B85342F11A277A1 | SHA256:59F8F35C780D6305EFC3FE5CB041193E1CE273FC7C1BEB426BCF6B2629662314 | |||
| 2268 | LeapFrogConnectSetup_MyPals.exe | C:\ProgramData\Leapfrog\LeapFrog Connect\Updates\MyPalsPlugin.msi | executable | |
MD5:36AC9154DC167EBAD2F7F3C265879EB1 | SHA256:64214282406024F9D96D28B4EA363BCDAB4781C7904B5BD8A3D7DC1710263875 | |||
| 1804 | msiexec.exe | C:\Windows\Installer\MSICD7F.tmp | binary | |
MD5:13A9210E8DB2D4EB788AC31164E69089 | SHA256:201066865D583BB64E3FE0CE36DC90E5DCC480B77C747AFD8A05D830135AE1F8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
70
DNS requests
38
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2268 | LeapFrogConnectSetup_MyPals.exe | HEAD | 404 | 18.65.39.9:80 | http://lfcdownload.leapfrog.com/leapfrogconnect/tracking/installation?Origin=ScoutStatic&Version=9.0.14.20230&newComponents=Shell,MyPal&updateComponents=&installedComponents=&OS=Microsoft_Windows_7_,_32-bit_Service_Pack_1(build_7601)&UPCShellLocale=en_US | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2268 | LeapFrogConnectSetup_MyPals.exe | 18.65.39.9:443 | lfcdownload.leapfrog.com | AMAZON-02 | US | unknown |
2268 | LeapFrogConnectSetup_MyPals.exe | 18.65.39.9:80 | lfcdownload.leapfrog.com | AMAZON-02 | US | unknown |
2760 | LeapFrogConnect.exe | 18.65.39.9:443 | lfcdownload.leapfrog.com | AMAZON-02 | US | unknown |
2760 | LeapFrogConnect.exe | 149.97.185.82:80 | www.leapfrog.com | EQUINIX-EC-SV | US | unknown |
2760 | LeapFrogConnect.exe | 50.112.90.223:443 | secservices.leapfrog.com | AMAZON-02 | US | unknown |
2760 | LeapFrogConnect.exe | 52.222.139.64:443 | digitalcontent.leapfrog.com | AMAZON-02 | US | unknown |
3212 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
lfcdownload.leapfrog.com |
| unknown |
www.leapfrog.com |
| unknown |
secservices.leapfrog.com |
| unknown |
digitalcontent.leapfrog.com |
| unknown |
config.edge.skype.com |
| unknown |
nav-edge.smartscreen.microsoft.com |
| unknown |
store.leapfrog.com |
| unknown |
edge.microsoft.com |
| unknown |
data-edge.smartscreen.microsoft.com |
| unknown |
shared.leapfrog.com |
| unknown |
Threats
1 ETPRO signatures available at the full report
Process | Message |
|---|---|
LeapFrogConnectSetup_MyPals.exe | Unspecified-- [AbtQtBridge.h:68 @abtQtBridge::loadPlugins] Path of AbtQt.dll: C:/Users/admin/AppData/Local/Temp/AbtQt.dll
|
LeapFrogConnectSetup_MyPals.exe | Unspecified-- [AbtQtBridge.h:67 @abtQtBridge::loadPlugins] ***************** start: Mon Dec 25 23:04:57 2023
|
LeapFrogConnectSetup_MyPals.exe | Unspecified-- [AbtQtBridge.h:41 @abtQtBridge::abtQtBridge] Can't loading AbtQt.dll
|
LeapFrogConnectSetup_MyPals.exe | Unspecified-- [AbtQtBridge.h:70 @abtQtBridge::loadPlugins] AbtQt.dll doesn't exist.
|
msiexec.exe | UpgradeCheck: Begin...
|
msiexec.exe | UpgradeCheck: ...End
|