File name:

itunes.exe

Full analysis: https://app.any.run/tasks/0ed07c59-74dc-4892-ac88-6732168193e7
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: December 08, 2021, 08:27:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

31D065B375A67E89C67C32639F1FB734

SHA1:

0B23B844D47F535BA0DFAF5442EAA2DFC0C9ECF6

SHA256:

5A051334603FCAFAAE9294059BA08B0989B7F8B14B9F543B9EF80FD04E305667

SSDEEP:

49152:o6XlQuW2nqGOaPS/EQu216k4wsSYdyiUMBvl:o6XlQunnqGOaPSs2FtsSGyiUMBvl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to CnC server

      • itunes.exe (PID: 2324)
  • SUSPICIOUS

    • Reads the computer name

      • itunes.exe (PID: 2324)
    • Checks supported languages

      • itunes.exe (PID: 2324)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:01:19 19:33:36+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 778240
InitializedDataSize: 839680
UninitializedDataSize: -
EntryPoint: 0x8d772
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2021.4.27.727
ProductVersionNumber: 9.3.0.614
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Kingsoft Corporation
FileDescription: Kingsoft Security - 安装程序
FileVersion: 2021,04,02,614
InternalName: KInstallTool
LegalCopyright: Copyright (C) 1998-2021 Kingsoft Corporation
OriginalFileName: -
ProductName: Kingsoft Internet Security
ProductVersion: 9,3,0,614

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jan-1970 18:33:36
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • e:\KINGSOFT_DUBA\Build\Build_Src\kisengine_git\kisengine_git\product\win32\dbginfo\kinstuiofficial.pdb
CompanyName: Kingsoft Corporation
FileDescription: Kingsoft Security - 安装程序
FileVersion: 2021,04,02,614
InternalName: KInstallTool
LegalCopyright: Copyright (C) 1998-2021 Kingsoft Corporation
OriginalFilename: -
ProductName: Kingsoft Internet Security
ProductVersion: 9,3,0,614

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 19-Jan-1970 18:33:36
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000BDC6C | 0x000BE000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.65002
.rdata | 0x000BF000 | 0x000276AE | 0x00028000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.8545
.data | 0x000E7000 | 0x0000B940 | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.35651
.rsrc | 0x000F3000 | 0x0009D718 | 0x0009E000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.8241

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.253 | 1054 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 6.44522 | 38056 | Latin 1 / Western European | Chinese - PRC | RT_ICON
3 | 6.56924 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON
4 | 6.61484 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON
5 | 4.67813 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON
8 | 5.91519 | 1064 | Latin 1 / Western European | Chinese - PRC | PNG
9 | 5.94687 | 1074 | Latin 1 / Western European | Chinese - PRC | PNG
10 | 6.01791 | 1101 | Latin 1 / Western European | Chinese - PRC | PNG
11 | 7.95835 | 7439 | Latin 1 / Western European | Chinese - PRC | PNG
12 | 7.00442 | 482 | Latin 1 / Western European | Chinese - PRC | PNG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
SHELL32.dll
SHLWAPI.dll
No data.
All screenshots are available in the full report

Total processes: 38
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> itunes.exe -> itunes.exe (no specs)

Process information

PID: 2324
CMD: "C:\Users\admin\AppData\Local\Temp\itunes.exe"
Path: C:\Users\admin\AppData\Local\Temp\itunes.exe
Parent process: Explorer.EXE
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: Kingsoft Security - 安装程序
Exit code: 0
Version: 2021,04,02,614
Modules (Images):
  • c:\users\admin\appdata\local\temp\itunes.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 3636
CMD: "C:\Users\admin\AppData\Local\Temp\itunes.exe"
Path: C:\Users\admin\AppData\Local\Temp\itunes.exe
Parent process: Explorer.EXE
User: admin
Company: Kingsoft Corporation
Integrity Level: MEDIUM
Description: Kingsoft Security - 安装程序
Exit code: 3221226540
Version: 2021,04,02,614
Modules (Images):
  • c:\users\admin\appdata\local\temp\itunes.exe
  • c:\windows\system32\ntdll.dll
Total events: 272
Read events: 263
Write events: 9
Delete events: 0

Modification events

(PID) Process: (2324) itunes.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idex
Value: 84385339aaa17be75f0568dfff1d3b10

(PID) Process: (2324) itunes.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idno
Value: 1

(PID) Process: (2324) itunes.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
Operation: write
Name: did
Value: 06CB9194B3BE6EA77B21283B43F73E3A

Executable files: 0
Suspicious files: 2
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\kinst.log | text | - | -
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\6002.xml | html | CC6EBE34BA916F34C2F86B81668EB408 | FD6503C687FA61481F1CE232872DA629C6111ACF161F1DB603AB390D0ED19A7E
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\110.png | image | 020AE4ED917D5F84277384CAB39E56B0 | DC35117220A1A6959FFC2125DBD3A40452F88FFCA94B2A69CCBD9CF58380FDD9
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\installconfig.ini | text | 02BFE155BB2B83AC64682B76EB3CD0E2 | 421B79C19C3BCD255967FD3A52FE956F4AE3C09DBA93136EA1BF2C324DF9BD4D
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\6000.xml | text | B1C00F67FE681FFF27F80A020D4D8CD9 | 7C37E942CE92FC48457FC6D484E8ED788DA7B8B23689C0ED4601D26B0F629336
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\qqpcmgr.dat | text | 7047C3E30C4AF2AFEF37C429C3C120B3 | D67C686A98C6FAEE91B5E038B7F2A91B45FE04E91581435DD510628CD5DB68E5
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\soft.ico | image | FD13166798FC7ABDFC53B34C49078CA0 | E9DCBA62C4431601A4713DAB1C0CE7B37FC8E02F190F5998D76021149F0C71C4
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\6001.xml | text | DDD4F1FF38FFCA263FE5C9FAEBDC9C53 | FBCDD885EF26676E3DF334535D9A928BA9D1060D15B8E75C15263A93B2E54C43
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\100.png | image | A64D7F2A825F5547182E9E3EE25B4544 | E78B678846C177786E70E29D5111359D4AFF20D9AC5935FAD2BE87B17D7F9FC9
2324 | itunes.exe | C:\Users\admin\AppData\Local\Temp\install_res\evade.dat | binary | 8B77DDD2DE8752360E2389DB3DEEE8C7 | 83AF7B8063148304275F2D81FFE17C48E35DC2A167F8782A90093710F0B39225

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 20
TCP/UDP connections: 21
DNS requests: 9
Threats: 22

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2324 | itunes.exe | GET | - | 218.12.76.150:80 | http://2398.35go.net/defend/o1/jcqgx.ini | CN | - | - | whitelisted
2324 | itunes.exe | HEAD | 404 | 218.91.230.152:80 | http://dubacdn.cmcmcdn.com/sem/installer/ald_39.png | CN | - | - | malicious
2324 | itunes.exe | HEAD | 200 | 101.226.28.201:80 | http://config.i.duba.net/aldconfig/qqpcmgr.dat | CN | - | - | whitelisted
2324 | itunes.exe | POST | - | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | - | - | whitelisted
2324 | itunes.exe | POST | 200 | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
2324 | itunes.exe | POST | 200 | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
2324 | itunes.exe | POST | 200 | 111.230.127.157:80 | http://weather2db.cmcm.com/ip/cityid | CN | binary | 60 b | suspicious
2324 | itunes.exe | POST | 200 | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
2324 | itunes.exe | GET | 200 | 101.226.28.201:80 | http://config.i.duba.net/aldconfig/qqpcmgr.dat | CN | text | 1.17 Kb | whitelisted
2324 | itunes.exe | POST | 200 | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2324 | itunes.exe | 218.12.76.150:80 | 2398.35go.net | CHINA UNICOM China169 Backbone | CN | malicious
2324 | itunes.exe | 119.29.49.207:80 | infoc0.duba.net | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
2324 | itunes.exe | 101.226.28.201:80 | config.i.duba.net | China Telecom (Group) | CN | unknown
2324 | itunes.exe | 111.230.127.157:80 | weather2db.cmcm.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
2324 | itunes.exe | 218.91.230.152:80 | dubacdn.cmcmcdn.com | No.31,Jin-rong Street | CN | suspicious
2324 | itunes.exe | 218.12.76.151:80 | 2398.35go.net | CHINA UNICOM China169 Backbone | CN | malicious

DNS requests

Domain (reputation): resolved IPs

2398.35go.net (whitelisted):
  • 218.12.76.150
  • 218.12.76.151
  • 120.52.95.242
  • 120.52.95.243
infoc0.duba.net (whitelisted):
  • 119.29.49.207
config.i.duba.net (whitelisted):
  • 101.226.28.201
  • 101.89.125.241
  • 101.226.28.202
  • 101.89.125.242
  • 101.226.28.205
  • 101.226.28.204
  • 101.226.28.203
weather2db.cmcm.com (suspicious):
  • 111.230.127.157
dubacdn.cmcmcdn.com (malicious):
  • 218.91.230.152
  • 218.91.230.151
  • 218.91.230.37
  • 218.91.230.167
soft-dl.v78q.com (malicious):
  • 218.12.76.151
  • 218.12.76.150
  • 120.52.95.243
  • 120.52.95.242

Threats

PID | Process | Class | Message
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
2324 | itunes.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
5 ETPRO signatures available at the full report
No debug info