URL: https://cartoonclassic.github.io/

Full analysis: https://app.any.run/tasks/2a01720b-4329-4e8a-9d56-c78d14250b6d
Verdict: Malicious activity
Analysis date: October 04, 2022, 21:48:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: 08F305F57CBDC8085E2DC2EA3BC737DA
  • SHA1: 85E0E97EAD5E4412CFED424D3C8D2AF9455E5991
  • SHA256: 69300EC5A9F576AC4DAEBB217045CB8FDB3C39E2516D0C933C63CF81CB73A082
  • SSDEEP: 3:N8ZXRKQyJ+:2CP+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3932)
    • Checks supported languages
      • WinRAR.exe (PID: 3760)
    • Reads the computer name
      • WinRAR.exe (PID: 3760)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 3932)
      • iexplore.exe (PID: 3408)
    • Reads the computer name
      • iexplore.exe (PID: 3408)
      • iexplore.exe (PID: 3932)
    • Application launched itself
      • iexplore.exe (PID: 3408)
    • Changes internet zones settings
      • iexplore.exe (PID: 3408)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3932)
      • iexplore.exe (PID: 3408)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 3932)
      • iexplore.exe (PID: 3408)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 3408)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3408)
    • Creates files in the user directory
      • iexplore.exe (PID: 3408)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3408)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Process chain: start → iexplore.exe → iexplore.exe → winrar.exe (no specs)

Process information

PID: 3408
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://cartoonclassic.github.io/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3932
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3408 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3760
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Cartoon_Classic.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

Total events: 18 146
Read events: 18 005
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 19
Text files: 31
Unknown types: 20

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary | 6954B6BC327E46B7B68B191B900DB8F6 | EB72A1D307C2B35680187CE7A49D4C13571775D518F5CDEB803F115CA90BF318 |
| 3932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | 8D0B18ACDB128088CD477B70EB24769B | 1604E28CFD2B93BB422911155840C3437838662434CB4A35F0309A04939F239B |
| 3932 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\8T3ZOYN8.htm | html | 8BEC7EC4957FCBC619FE00D85C8C0DFE | 9DD6F0AEDB54B1C3BF82DF60FC4142F444D32F9D230D6BE371FEEC3B390D43A3 |
| 3932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | der | E1817D34D647D15C961327938AA58C4A | CA2D2DB19D9A688484F592397EBC22270DC2B6F653C583B8DFDF27CFF24E0E07 |
| 3932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary | 60F72F3E456577F5FD99B388C1555521 | AC423DCF417EA83F67CDA7A7372A56DE60738D15AA03D43621D44EE5D16C6946 |
| 3932 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\style[1].css | text | B5C7C31A0F1B1C246B69AA975B3B72BC | 18DBC40CD5631C5B85E900B08D56337A073AE2E6947CBF727BA4C6F31241EB50 |
| 3932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_043C840D28CDD26D33370C4C34146D79 | der | E5E83AC13AAFAA8905EB522C4521A72F | F01155BF27FBD113A7E78ED2DBE9710BB0352F1CA5AF71220D8C51EEAE730DD5 |
| 3932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary | 2FB7D02308DCF34A8242412C6CA62D63 | E940D4709C0E1C6D90CBFD7C1B2DB89AA852B809D493B39DC90308CA370BD48B |
| 3932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary | 13963B4534C78600BEB9CC16B23E8766 | 301CEB272F6460966CC12E1E371BE2EC5E24EF8AD10430A01CE9DC1FF04F736F |
| 3932 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\main[1].js | text | 5582E03D8BF450FB797C97D9813AE3F5 | 72CA60625E69835E96CA9A27F89F6130111447259ADB1C7E7CCB58C6BB7865D9 |

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 58
DNS requests: 20
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3408 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
| 3408 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
| 3408 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
| 3932 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEA0ijpIftfb6cA%2FVTEnYrfQ%3D | US | der | 279 b | whitelisted |
| 3932 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?57491bc46836ccb5 | US | compressed | 4.70 Kb | whitelisted |
| 3932 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f8fa4bb561dbb3e8 | US | compressed | 4.70 Kb | whitelisted |
| 3932 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
| 3932 | iexplore.exe | GET | 200 | 142.250.184.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
| 3932 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted |
| 3932 | iexplore.exe | GET | 200 | 142.250.184.195:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3408 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 3932 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted |
| 3932 | iexplore.exe | 142.250.185.131:443 | fonts.gstatic.com | GOOGLE | US | whitelisted |
| 3932 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
| 3932 | iexplore.exe | 185.199.108.153:443 | cartoonclassic.github.io | FASTLY | US | shared |
| 3408 | iexplore.exe | 162.159.128.232:443 | media.discordapp.net | CLOUDFLARENET | | shared |
| 3408 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
| 3932 | iexplore.exe | 142.250.186.42:443 | fonts.googleapis.com | GOOGLE | US | whitelisted |
| 3932 | iexplore.exe | 104.17.24.14:443 | cdnjs.cloudflare.com | CLOUDFLARENET | | suspicious |
| 3932 | iexplore.exe | 104.16.87.20:443 | cdn.jsdelivr.net | CLOUDFLARENET | | shared |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| cartoonclassic.github.io | 185.199.108.153, 185.199.109.153, 185.199.110.153, 185.199.111.153 | malicious |
| ctldl.windowsupdate.com | 209.197.3.8 | whitelisted |
| api.bing.com | 13.107.5.80 | whitelisted |
| www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted |
| ocsp.digicert.com | 93.184.220.29 | whitelisted |
| cdnjs.cloudflare.com | 104.17.24.14, 104.17.25.14 | whitelisted |
| media.discordapp.net | 162.159.128.232, 162.159.130.232, 162.159.134.232, 162.159.129.232, 162.159.133.232 | whitelisted |
| code.iconify.design | 172.64.103.24, 172.64.102.24 | suspicious |
| cdn.jsdelivr.net | 104.16.87.20, 104.16.86.20, 104.16.88.20, 104.16.89.20, 104.16.85.20 | whitelisted |
| fonts.googleapis.com | 142.250.186.42 | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| | | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) |
| 3932 | iexplore.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
| 3932 | iexplore.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
| 3932 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED invalid ack |
| 3932 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM Packet with invalid ack |
| 3932 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED packet out of window |
| 3932 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED packet out of window |
| 3932 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED invalid ack |
| 3932 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM Packet with invalid ack |
| 3932 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM ESTABLISHED packet out of window |

No debug info