| Field | Value |
|---|---|
| File name | pack_4.0.3.2.exe156781.exe |
| Full analysis | https://app.any.run/tasks/d35df135-63af-4f7d-9625-561fdecfd1ac |
| Verdict | Malicious activity |
| Analysis date | November 14, 2018, 06:57:42 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | none shown |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive |
| MD5 | 701DEB0E55A9DD272718D6462D1C9C1D |
| SHA1 | FD15CD1114AFA7EF0246A0206FB6F8B154BD2DDC |
| SHA256 | 6C13AEBA4DF9F50504CD23DE17FC030E2E71F11BA021A6CFBE6A9AFF596E7A30 |
| SSDEEP | 196608:JexfxG/9AmlWTOanutV4Uu5v+G1TDXb8GDExYmqaHmIaHoV:sfxG/9AmlWTbqxul+G1xDExYmqaHmVIV |
| Extension | File type guess | Match (%) |
|---|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) | 67.4 |
| .dll | Win32 Dynamic Link Library (generic) | 14.2 |
| .exe | Win32 Executable (generic) | 9.7 |
| .exe | Generic Win/DOS Executable | 4.3 |
| .exe | DOS Executable Generic | 4.3 |
| PE summary field | Value |
|---|---|
| Subsystem | Windows GUI (IMAGE_SUBSYSTEM_WINDOWS_GUI) |
| SubsystemVersion | 5 |
| ImageVersion | - |
| OSVersion | 5 |
| EntryPoint | 0xb480 |
| UninitializedDataSize | - |
| InitializedDataSize | 200704 |
| CodeSize | 72192 |
| LinkerVersion | 9 |
| PEType | PE32 |
| TimeStamp | 2011:05:28 18:04:29+02:00 (the same instant as the compilation date 28-May-2011 16:04:29 UTC) |
| MachineType | Intel 386 or later, and compatibles (IMAGE_FILE_MACHINE_I386) |
| Detected languages | none shown |
| Debug artifacts | none shown |
| DOS header field | Value |
|---|---|
| Magic number | MZ |
| Bytes on last page of file | 0x0090 |
| Pages in file | 0x0003 |
| Relocations | 0x0000 |
| Size of header (paragraphs) | 0x0004 |
| Min extra paragraphs | 0x0000 |
| Max extra paragraphs | 0xFFFF |
| Initial SS value | 0x0000 |
| Initial SP value | 0x00B8 |
| Checksum | 0x0000 |
| Initial IP value | 0x0000 |
| Initial CS value | 0x0000 |
| Overlay number | 0x0000 |
| OEM identifier | 0x0000 |
| OEM information | 0x0000 |
| Offset of PE header (e_lfanew; shown by the tool as "Address of NE header") | 0x000000E8 |

| PE file header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| Number of sections | 5 |
| Time date stamp | 28-May-2011 16:04:29 |
| Pointer to symbol table | 0x00000000 |
| Number of symbols | 0 |
| Size of optional header | 0x00E0 |
| Characteristics | none shown |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00011998 | 0x00011A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55849 |
.rdata | 0x00013000 | 0x00001C15 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.86387 |
.data | 0x00015000 | 0x0000FF2C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.51849 |
.CRT | 0x00025000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.213101 |
.rsrc | 0x00026000 | 0x0002EDFC | 0x0002EE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.08154 |
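The section table above is produced by walking the same header fields the report prints: e_lfanew (0xE8 here), NumberOfSections (5), SizeOfOptionalHeader (0xE0) and the 40-byte section headers that follow, then measuring the entropy of each section's raw bytes. The script below is an added example, not code from ANY.RUN or from the analysed software; it uses only the standard library, computes entropy over each section's raw file bytes (the common convention; the report does not state which bytes it used), and applies two triage rules a reviewer applies to such a table (writable-and-executable sections, and entropy above 7 bits per byte, which usually means packed or encrypted content). A small synthetic PE32 image is constructed inline so it runs offline; pass a file path to analyse a real binary.

```python
"""Walk a PE32 section table and compute per-section Shannon entropy.

Added example for this report, not code from ANY.RUN or from the analysed
software. The synthetic image built by build_synthetic_pe() is constructed
test data that mimics the report's layout (e_lfanew = 0xE8, 0xE0-byte
optional header); it is not the sample itself.
"""
import math
import struct
import sys
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Return one dict per section header, with raw-data entropy attached."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rsize, rptr,
         _relptr, _lnptr, _nrel, _nln, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, first + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": rsize, "raw_ptr": rptr, "characteristics": chars,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            "entropy": shannon_entropy(raw),
        })
    return sections


def flag_sections(sections: list) -> list:
    """Triage rules: W+X sections and packed-looking (high-entropy) sections."""
    notes = []
    for s in sections:
        if s["executable"] and s["writable"]:
            notes.append((s["name"], "writable and executable"))
        if s["raw_size"] and s["entropy"] > 7.0:
            notes.append((s["name"], "high entropy, possibly packed or encrypted"))
    return notes


def build_synthetic_pe(blobs: list) -> bytes:
    """Construct a minimal, non-runnable PE32 image for testing (constructed data).

    blobs: list of (name, raw_bytes, characteristics). Layout follows the
    report: e_lfanew = 0xE8, 0xE0-byte optional header, 0x200 file alignment.
    """
    e_lfanew, opt_size, align = 0xE8, 0xE0, 0x200
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(blobs), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 optional-header magic
    data_start = -(-(e_lfanew + 4 + 20 + opt_size + 40 * len(blobs)) // align) * align
    hdrs, body, rptr, vaddr = b"", b"", data_start, 0x1000
    for name, raw, chars in blobs:
        padded = raw + b"\0" * (-len(raw) % align)
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw), vaddr,
                            len(padded), rptr, 0, 0, 0, 0, chars)
        body += padded
        rptr += len(padded)
        vaddr += max(0x1000, -(-len(raw) // 0x1000) * 0x1000)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return image + b"\0" * (data_start - len(image)) + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        image = open(sys.argv[1], "rb").read()
    else:  # constructed sample: every byte value equally often, then an all-zero section
        image = build_synthetic_pe([(b".text", bytes(range(256)) * 2, 0x60000020),
                                    (b".data", b"\0" * 0x200, 0xC0000040)])
    secs = parse_sections(image)
    for s in secs:
        print(f'{s["name"]:<8} VA=0x{s["virtual_address"]:08X} raw=0x{s["raw_size"]:08X} '
              f'entropy={s["entropy"]:.5f}')
    for name, why in flag_sections(secs):
        print(f"  ! {name}: {why}")
```

Run it as `python pe_sections.py pack_4.0.3.2.exe156781.exe` against the sample to reproduce the five rows above; the values in the report's table (for example .text at 6.56 bits and .CRT at 0.21 bits) are ordinary for unpacked MSVC code and data, which is consistent with the RAR SFX stub not being packed.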
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.20816 | 1464 | Latin 1 / Western European | Chinese - PRC | RT_MANIFEST |
2 | 4.27436 | 304 | Latin 1 / Western European | Process Default Language | RT_ICON |
3 | 2.61281 | 176 | Latin 1 / Western European | Process Default Language | RT_ICON |
4 | 3.82212 | 1640 | Latin 1 / Western European | Process Default Language | RT_ICON |
5 | 4.06838 | 744 | Latin 1 / Western European | Process Default Language | RT_ICON |
6 | 3.61776 | 296 | Latin 1 / Western European | Process Default Language | RT_ICON |
7 | 5.31352 | 226 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
8 | 5.71488 | 368 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
9 | 5.51373 | 216 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
10 | 4.70177 | 502 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
| Imported DLL |
|---|
| ADVAPI32.dll |
| COMCTL32.dll |
| COMDLG32.dll |
| GDI32.dll |
| KERNEL32.dll |
| OLEAUT32.dll |
| SHELL32.dll |
| SHLWAPI.dll |
| USER32.dll |
| ole32.dll |
Paths under Program Files were displayed by the sandbox as Latin-1 mojibake (`ŵŵ\¼«ËÙ¿ªÆ±`); those are the GBK bytes of `诺诺\极速开票`, which matches the Company (诺诺网) and Description (极速开票) strings in the version info, and they are shown decoded here. The report's per-process indicator column was empty for every process.

| PID | Command line (GBK-decoded) | Parent | User | Integrity | Exit code | Company / Description / Version |
|---|---|---|---|---|---|---|
| 2820 | "C:\Users\admin\AppData\Local\Temp\pack_4.0.3.2.exe156781.exe" | explorer.exe | admin | MEDIUM | 0 | none |
| 1336 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\JSKP.exe" /S /D | pack_4.0.3.2.exe156781.exe | admin | MEDIUM | 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED) | 诺诺网 / 极速开票 (Fast Invoicing) / 4.0.3.2 |
| 2240 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\JSKP.exe" /S /D | pack_4.0.3.2.exe156781.exe | admin | HIGH | 0 | 诺诺网 / 极速开票 (Fast Invoicing) / 4.0.3.2 |
| 2652 | "C:\Program Files\诺诺\极速开票\JSKPAutoSetup.exe" SW_SHOWNORMAL | JSKP.exe | admin | HIGH | 0 | 诺诺网 / 极速开票插件 (Fast Invoicing plug-in) / 1.0.0.1 |
| 3244 | "C:\Users\admin\AppData\Local\Temp\nsxC06E.tmp\nsCB8B.tmp" "C:\Program Files\诺诺\极速开票\OpenFastAssist.exe" "-install" | JSKP.exe | admin | HIGH | 0 | none |
| 124 | "C:\Program Files\诺诺\极速开票\OpenFastAssist.exe" "-install" | nsCB8B.tmp | admin | HIGH | 0 | none |
| 2760 | "C:\Program Files\诺诺\极速开票\OpenFastAssist.exe" | services.exe | SYSTEM | SYSTEM | none recorded | none |
| 3524 | "C:\Program Files\诺诺\极速开票\极速开票.exe" SW_SHOWNORMAL | JSKP.exe | admin | HIGH | 0 | 浙江爱信诺航天信息公司 / 更新软件 (update software) / 1.0.0.1 |
| 2672 | "C:\Program Files\诺诺\极速开票\update_bak.exe" | 极速开票.exe | admin | HIGH | 0 | 诺诺网 / 极速开票更新软件 (Fast Invoicing updater) / 4, 0, 0, 0 |
| 1148 | "C:\Program Files\诺诺\极速开票\FastInvoice.exe" -UpdateIgnore | update_bak.exe | admin | HIGH | none recorded | 诺诺网 / 快速填写发票软件 (quick invoice-filling software) / 4, 0, 3, 2 |

Reading the tree: the RAR SFX stub (2820) drops JSKP.exe and runs it with the NSIS switches /S (silent) and /D (install directory). The first launch (1336) ends with 0xC000042C, STATUS_ELEVATION_REQUIRED, because the installer requires elevation; the relaunch (2240) runs at HIGH integrity after UAC, and everything it spawns inherits that level, including the end-user application FastInvoice.exe. OpenFastAssist.exe is first run with "-install" through an NSIS plugin stub (nsCB8B.tmp) and then appears again (2760) with services.exe as its parent, running as SYSTEM, which is how a registered Windows service is started: the installer leaves a SYSTEM-level service on the machine.
All registry operations recorded were writes.

| PID | Process | Key (GBK-decoded) | Value name | Data written |
|---|---|---|---|---|
| 2820 | pack_4.0.3.2.exe156781.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 2820 | pack_4.0.3.2.exe156781.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 2240 | JSKP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\极速开票.exe | (Default) | C:\Program Files\诺诺\极速开票\极速开票.exe |
| 2240 | JSKP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\极速开票.exe | Path | C:\Program Files\诺诺\极速开票 |
| 2240 | JSKP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\极速开票.exe | Version | 4.0.3.2 |
| 2240 | JSKP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\BackData1.exe | UpdateFlag | 0 |
| 2240 | JSKP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\极速开票 | DisplayName | 极速开票 4.0.3.2 |
| 2240 | JSKP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\极速开票 | UninstallString | C:\Program Files\诺诺\极速开票\uninst.exe |
| 2240 | JSKP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\极速开票 | DisplayIcon | C:\Program Files\诺诺\极速开票\极速开票.exe |
| 2240 | JSKP.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\极速开票 | DisplayVersion | 4.0.3.2 |
| PID | Process | Filename (GBK-decoded) | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2240 | JSKP.exe | C:\Program Files\诺诺\极速开票\更新说明.exe | executable | 03D1C402BE47613F73F872C4916E86AC | E5982771A48DE1791C31353D6444C873921D4F9AA9BC4FC2FEBC2CEC13755BAB |
| 2240 | JSKP.exe | C:\Program Files\诺诺\极速开票\ver.config | ini | 0F98098C72D58ACBCF622A9544120BE6 | 2432922D88957501140B3A39A64B9AA903DFAA9FFA7A533E84C5DDDC64619552 |
| 2240 | JSKP.exe | C:\Program Files\诺诺\极速开票\update_bak.exe | executable | 0F1DD5C597EE393801E42E040D05F782 | B0F05191F7F2DB409549139689DE66D4B1B51EA8E3DD783494099AFA422BC7EA |
| 2240 | JSKP.exe | C:\Program Files\诺诺\极速开票\极速开票.exe | executable | A927A1B7F86830BE70534A0D12776394 | 0BBB57275CC28F94578FCDBF887ED3DD652CA50B49E22EBA2EC009D48E7A2C7C |
| 2240 | JSKP.exe | C:\Program Files\诺诺\极速开票\sqlite3.dll | executable | 6D3C28D6C21D7318FCD6E77C1554FEF2 | 60B5BB4A98B60983EA434B00C320F064C0F78F4FFC9C5E2851C382A191460587 |
| 2240 | JSKP.exe | C:\Program Files\诺诺\极速开票\FastInvoiceAssist.exe | executable | 6B8475556F35A0E81FADD041E2BB7CA9 | 9ED948B804F5C5FE6B7D522DF30D2C10A8CEAE0563E2159221503B92A57BC805 |
| 2240 | JSKP.exe | C:\Users\admin\AppData\Local\Temp\nsxC06E.tmp\KillProcDLL.dll | executable | 99F345CF51B6C3C317D20A81ACB11012 | C2689BA1F66066AFCE85CA6457ECD36370BE0FE351C58422E45EFD0948655C93 |
| 2820 | pack_4.0.3.2.exe156781.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\JSKP.exe | executable | 752EF7294C409A3851DBFC91273E78FB | 31B9F3EDFE4AB5BB9E03CB16CD74EDB0A2EBCE4E1678A93FB0BF9217515EE1D6 |
| 2240 | JSKP.exe | C:\Program Files\诺诺\极速开票\NetModule.dll | executable | AD3032A2DF92CAF311A10541EC47DB4F | AC407B4A362A84BDA670F2F347DBB05009718CBD36362F89F0CF3A16D8A1EB0C |
| 2240 | JSKP.exe | C:\Program Files\诺诺\极速开票\utility.dll | executable | DBE48925C8132F53AB04D33563B1A147 | D0A361838A9DB4C30A0166A6CBD1C7AB493B9F054540AA11A0D6208402F95EEC |

KillProcDLL.dll in the nsxC06E.tmp directory is an NSIS installer plugin unpacked at run time, consistent with the /S /D switches passed to JSKP.exe. The file hashes for 更新说明.exe (displayed by the sandbox as ¸üÐÂ˵Ã÷.exe) and the other dropped executables are the values to pivot on; the mojibake filenames are not.
HTTP requests (no status code, content type or size was recorded for any of them):

| PID | Process | Method | IP:port | URL | Country | Reputation |
|---|---|---|---|---|---|---|
| 3524 | 极速开票.exe | GET | 115.231.99.106:80 | http://update.jss.com.cn/interfaceCtr/version.do?version=4.0.3.2&type=19&orgcode= | CN | suspicious |
| 1148 | FastInvoice.exe | POST | 115.231.99.106:80 | http://jslog.jss.com.cn/helper/v2/logs | CN | suspicious |
| not attributed | not attributed | POST | 115.231.99.106:80 | http://jslog.jss.com.cn/helper/v2/logs | CN | suspicious |

Connections:

| PID | Process | IP:port | Domain | ASN | Country | Reputation |
|---|---|---|---|---|---|---|
| 1148 | FastInvoice.exe | 115.231.99.106:80 | update.jss.com.cn | No.31,Jin-rong Street | CN | suspicious |
| 3524 | 极速开票.exe | 115.231.99.106:80 | update.jss.com.cn | No.31,Jin-rong Street | CN | suspicious |
| 2672 | update_bak.exe | 119.37.197.245:8228 | none | No.31,Jin-rong Street | CN | unknown |
| not attributed | not attributed | 115.231.99.106:80 | update.jss.com.cn | No.31,Jin-rong Street | CN | suspicious |

DNS requests:

| Domain | IP | Reputation |
|---|---|---|
| update.jss.com.cn | not recorded here (115.231.99.106 in the connection rows) | suspicious |
| jslog.jss.com.cn | not recorded here (115.231.99.106 in the HTTP rows) | suspicious |

Both the version check (GET to update.jss.com.cn with the installed version 4.0.3.2 in the query string) and the telemetry POSTs to jslog.jss.com.cn travel over cleartext HTTP on port 80, so an update channel like this is only as trustworthy as the updater's own signature verification of what it downloads, which this report does not show. update_bak.exe additionally opens a TCP connection to 119.37.197.245:8228 for which no DNS name and no HTTP request were recorded; that endpoint is the one to watch in network logs.