analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.mediafire.com/file/eqx7276mg3sed15/James+Skype+Tool+v5.3+Clean+Copy.zip

Full analysis: https://app.any.run/tasks/5d3f0258-72f0-4aa8-9862-7dad6a6a8218
Verdict: Malicious activity
Analysis date: June 16, 2019, 12:03:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

8980FC7F81558BE7E0FD36EC536A170B

SHA1:

5E256922D00689E6DC1921E0395B236A256543C7

SHA256:

69E0CCDBACA9B64B17AD5106FE9C9C4053860AE77E3C44C20F99B1078DCAAB3D

SSDEEP:

3:N8DSLw3eGUoxdSCE8kGEIAAVAVe+dEV6kV:2OLw3eG6dnGWwAVXKV6kV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • James Reborns Skype Tool v 5.3.exe (PID: 1492)
      • SearchProtocolHost.exe (PID: 296)
      • James Reborns Skype Tool v 5.3.exe (PID: 932)
    • Application was dropped or rewritten from another process

      • James Reborns Skype Tool v 5.3.vshost.exe (PID: 2536)
  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3568)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)
    • Creates files in the user directory

      • notepad++.exe (PID: 2360)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3316)
    • Changes internet zones settings

      • iexplore.exe (PID: 3316)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3316)
    • Application was crashed

      • James Reborns Skype Tool v 5.3.exe (PID: 1492)
      • James Reborns Skype Tool v 5.3.vshost.exe (PID: 2536)
      • James Reborns Skype Tool v 5.3.exe (PID: 932)
    • Manual execution by user

      • James Reborns Skype Tool v 5.3.vshost.exe (PID: 2536)
      • James Reborns Skype Tool v 5.3.exe (PID: 1492)
      • James Reborns Skype Tool v 5.3.exe (PID: 932)
      • notepad++.exe (PID: 2360)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3316)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2532)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3568)
      • iexplore.exe (PID: 2532)
      • iexplore.exe (PID: 3316)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3316)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs winrar.exe searchprotocolhost.exe no specs james reborns skype tool v 5.3.exe james reborns skype tool v 5.3.vshost.exe james reborns skype tool v 5.3.exe notepad++.exe gup.exe

Process information

PID
CMD
Path
Indicators
Parent process
3316"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2532"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3316 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3568C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
3672"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VH2RFAUI\James_Skype_Tool_v5.3_Clean_Copy[1].zip"C:\Program Files\WinRAR\WinRAR.exe
iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
296"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
1492"C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe" C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe
explorer.exe
User:
admin
Company:
James Creations
Integrity Level:
MEDIUM
Description:
James Reborns Skype Tool v 5.3
Exit code:
3762504530
Version:
5.3.0.0
2536"C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.vshost.exe" C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.vshost.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
vshost32.exe
Exit code:
3762504530
Version:
14.0.23107.0
932"C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe" C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe
explorer.exe
User:
admin
Company:
James Creations
Integrity Level:
MEDIUM
Description:
James Reborns Skype Tool v 5.3
Exit code:
3762504530
Version:
5.3.0.0
2360"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\New folder\James Reborns Skype Tool v 5.3.exe"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
1728"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
Total events
1 581
Read events
1 492
Write events
0
Delete events
0

Modification events

No data
Executable files
7
Suspicious files
0
Text files
42
Unknown types
5

Dropped files

PID
Process
Filename
Type
3316iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3316iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2532iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@mediafire[2].txt
MD5:
SHA256:
2532iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3L0F9Y3Y\James+Skype+Tool+v5.3+Clean+Copy[1].zip
MD5:
SHA256:
2532iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:D103D27D15A89BD37D8324C25723C3BE
SHA256:8109EEC0CEACC91354528DD927DCB75F442C68AE3501B120D97A1DD54DA13ABA
2532iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VH2RFAUI\gtm[1].jstext
MD5:CFB47D101E25019DADA5AD62D61246DA
SHA256:B79598628680AB7F04DFB08DDF37CCFACF56CA90CF626817AB1E285537C0BCA3
2532iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:4D5ADD51989CA76602F5512702D52A84
SHA256:4036FB72DE43F1B18BD458B1A9F78E3C8AF5A46288D7938CD76084E2E0244CBA
2532iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@mediafire[1].txttext
MD5:8F06D600776DCB6B0630B9B3016C33D4
SHA256:D7955EE96EB3225092B28C95C821DF407B523BA018BFE92C5E4B2D7C0154496D
2532iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3L0F9Y3Y\js[1]text
MD5:6ECDDEEB7E126E0DA630B44B06CD9E12
SHA256:810BE48AE13D5B0B352C9228873074DE63D46A016E2C53481C13D41B18535BF7
2532iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3L0F9Y3Y\James+Skype+Tool+v5.3+Clean+Copy[1].htmhtml
MD5:0780DB9716C5F89239DD4553E6148E53
SHA256:A34ED0220D69E4D4357DE67BC86CA3056A0C8B57BB392140EBD2A99D6E6A775C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
26
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.20.189.204:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
3316
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2532
iexplore.exe
172.217.23.142:443
translate.google.com
Google Inc.
US
whitelisted
3316
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2532
iexplore.exe
172.217.18.14:443
www.google-analytics.com
Google Inc.
US
whitelisted
2532
iexplore.exe
172.217.22.106:443
translate.googleapis.com
Google Inc.
US
whitelisted
2532
iexplore.exe
216.58.207.72:443
www.googletagmanager.com
Google Inc.
US
whitelisted
2532
iexplore.exe
104.19.194.29:443
www.mediafire.com
Cloudflare Inc
US
shared
2532
iexplore.exe
35.190.74.157:443
desiredirt.com
Google Inc.
US
unknown
2532
iexplore.exe
104.19.195.29:443
www.mediafire.com
Cloudflare Inc
US
shared
2532
iexplore.exe
172.217.22.34:443
www.googletagservices.com
Google Inc.
US
whitelisted
2532
iexplore.exe
104.19.215.37:443
cdn.otnolatrnup.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.mediafire.com
  • 104.19.194.29
  • 104.19.195.29
shared
www.googletagmanager.com
  • 216.58.207.72
whitelisted
www.googletagservices.com
  • 172.217.22.34
whitelisted
www.google-analytics.com
  • 172.217.18.14
whitelisted
desiredirt.com
  • 35.190.74.157
unknown
static.mediafire.com
  • 104.19.195.29
  • 104.19.194.29
shared
translate.google.com
  • 172.217.23.142
whitelisted
cdn.otnolatrnup.com
  • 104.19.215.37
  • 104.19.214.37
whitelisted
translate.googleapis.com
  • 172.217.22.106
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093