File name: pack_4.0.3.2.exe156781.exe
Full analysis: https://app.any.run/tasks/d35df135-63af-4f7d-9625-561fdecfd1ac
Verdict: Malicious activity
Analysis date: November 14, 2018, 06:57:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5: 701DEB0E55A9DD272718D6462D1C9C1D
SHA1: FD15CD1114AFA7EF0246A0206FB6F8B154BD2DDC
SHA256: 6C13AEBA4DF9F50504CD23DE17FC030E2E71F11BA021A6CFBE6A9AFF596E7A30
SSDEEP: 196608:JexfxG/9AmlWTOanutV4Uu5v+G1TDXb8GDExYmqaHmIaHoV:sfxG/9AmlWTbqxul+G1xDExYmqaHmVIV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • JSKP.exe (PID: 2240)
      • FastInvoice.exe (PID: 1148)
      • update_bak.exe (PID: 2672)
      • ¼«ËÙ¿ªÆ±.exe (PID: 3524)
    • Application was dropped or rewritten from another process

      • JSKP.exe (PID: 1336)
      • ¼«ËÙ¿ªÆ±.exe (PID: 3524)
      • JSKP.exe (PID: 2240)
      • OpenFastAssist.exe (PID: 124)
      • JSKPAutoSetup.exe (PID: 2652)
      • FastInvoice.exe (PID: 1148)
      • OpenFastAssist.exe (PID: 2760)
      • nsCB8B.tmp (PID: 3244)
      • update_bak.exe (PID: 2672)
    • Changes the autorun value in the registry

      • FastInvoice.exe (PID: 1148)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • pack_4.0.3.2.exe156781.exe (PID: 2820)
      • JSKP.exe (PID: 2240)
    • Starts application with an unusual extension

      • JSKP.exe (PID: 2240)
    • Creates or modifies windows services

      • OpenFastAssist.exe (PID: 124)
    • Creates a software uninstall entry

      • JSKP.exe (PID: 2240)
    • Creates files in the user directory

      • JSKP.exe (PID: 2240)
      • FastInvoice.exe (PID: 1148)
    • Creates files in the program directory

      • JSKP.exe (PID: 2240)
      • ¼«ËÙ¿ªÆ±.exe (PID: 3524)
      • FastInvoice.exe (PID: 1148)
    • Creates files in the Windows directory

      • FastInvoice.exe (PID: 1148)
    • Connects to unusual port

      • update_bak.exe (PID: 2672)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

Extension | Type | Match (%)
.exe | Win32 Executable MS Visual C++ (generic) | 67.4
.dll | Win32 Dynamic Link Library (generic) | 14.2
.exe | Win32 Executable (generic) | 9.7
.exe | Generic Win/DOS Executable | 4.3
.exe | DOS Executable Generic | 4.3

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0xb480
UninitializedDataSize: -
InitializedDataSize: 200704
CodeSize: 72192
LinkerVersion: 9
PEType: PE32
TimeStamp: 2011:05:28 18:04:29+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 28-May-2011 16:04:29
Detected languages:
  • Chinese - PRC
  • Process Default Language
Debug artifacts:
  • d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 28-May-2011 16:04:29
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00011998 | 0x00011A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55849
.rdata | 0x00013000 | 0x00001C15 | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.86387
.data | 0x00015000 | 0x0000FF2C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.51849
.CRT | 0x00025000 | 0x00000010 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.213101
.rsrc | 0x00026000 | 0x0002EDFC | 0x0002EE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.08154

Resources

Title | Entropy | Size (bytes) | Codepage | Language | Type
1 | 5.20816 | 1464 | Latin 1 / Western European | Chinese - PRC | RT_MANIFEST
2 | 4.27436 | 304 | Latin 1 / Western European | Process Default Language | RT_ICON
3 | 2.61281 | 176 | Latin 1 / Western European | Process Default Language | RT_ICON
4 | 3.82212 | 1640 | Latin 1 / Western European | Process Default Language | RT_ICON
5 | 4.06838 | 744 | Latin 1 / Western European | Process Default Language | RT_ICON
6 | 3.61776 | 296 | Latin 1 / Western European | Process Default Language | RT_ICON
7 | 5.31352 | 226 | Latin 1 / Western European | Chinese - PRC | RT_STRING
8 | 5.71488 | 368 | Latin 1 / Western European | Chinese - PRC | RT_STRING
9 | 5.51373 | 216 | Latin 1 / Western European | Chinese - PRC | RT_STRING
10 | 4.70177 | 502 | Latin 1 / Western European | Chinese - PRC | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll
Total processes: 45
Monitored processes: 10
Malicious processes: 5
Suspicious processes: 2


Process information

Directory and file names that appear as ¼«ËÙ¿ªÆ± are the GBK bytes of the product name 极速开票 (the string shown in the Description field) rendered by the non-Chinese guest as Latin-1; they are kept here exactly as the guest recorded them.

PID 2820 (parent process: explorer.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\pack_4.0.3.2.exe156781.exe"
Path: C:\Users\admin\AppData\Local\Temp\pack_4.0.3.2.exe156781.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID 1336 (parent process: pack_4.0.3.2.exe156781.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\JSKP.exe" /S /D
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\JSKP.exe
User: admin
Company: 诺诺网
Integrity Level: MEDIUM
Description: 极速开票
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 4.0.3.2

PID 2240 (parent process: pack_4.0.3.2.exe156781.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\JSKP.exe" /S /D
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\JSKP.exe
User: admin
Company: 诺诺网
Integrity Level: HIGH
Description: 极速开票
Exit code: 0
Version: 4.0.3.2

PID 2652 (parent process: JSKP.exe)
CMD: "C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\JSKPAutoSetup.exe" SW_SHOWNORMAL
Path: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\JSKPAutoSetup.exe
User: admin
Company: 诺诺网
Integrity Level: HIGH
Description: 极速开票插件
Exit code: 0
Version: 1.0.0.1

PID 3244 (parent process: JSKP.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\nsxC06E.tmp\nsCB8B.tmp" "C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\OpenFastAssist.exe" "-install"
Path: C:\Users\admin\AppData\Local\Temp\nsxC06E.tmp\nsCB8B.tmp
User: admin
Integrity Level: HIGH
Exit code: 0

PID 124 (parent process: nsCB8B.tmp)
CMD: "C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\OpenFastAssist.exe" "-install"
Path: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\OpenFastAssist.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID 2760 (parent process: services.exe)
CMD: "C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\OpenFastAssist.exe"
Path: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\OpenFastAssist.exe
User: SYSTEM
Integrity Level: SYSTEM

PID 3524 (parent process: JSKP.exe)
CMD: "C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\¼«ËÙ¿ªÆ±.exe" SW_SHOWNORMAL
Path: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\¼«ËÙ¿ªÆ±.exe
User: admin
Company: 浙江爱信诺航天信息公司
Integrity Level: HIGH
Description: 更新软件
Exit code: 0
Version: 1.0.0.1

PID 2672 (parent process: ¼«ËÙ¿ªÆ±.exe)
CMD: "C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\update_bak.exe"
Path: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\update_bak.exe
User: admin
Company: 诺诺网
Integrity Level: HIGH
Description: 极速开票更新软件
Exit code: 0
Version: 4, 0, 0, 0

PID 1148 (parent process: update_bak.exe)
CMD: "C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\FastInvoice.exe" -UpdateIgnore
Path: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\FastInvoice.exe
User: admin
Company: 诺诺网
Integrity Level: HIGH
Description: 快速填写发票软件
Version: 4, 0, 3, 2
Total events: 949
Read events: 905
Write events: 44
Delete events: 0

Modification events

PID 2820 pack_4.0.3.2.exe156781.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 0

PID 2820 pack_4.0.3.2.exe156781.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 1

PID 2240 JSKP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\¼«ËÙ¿ªÆ±.exe
Operation: write | Name: (default) | Value: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\¼«ËÙ¿ªÆ±.exe

PID 2240 JSKP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\¼«ËÙ¿ªÆ±.exe
Operation: write | Name: Path | Value: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±

PID 2240 JSKP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\¼«ËÙ¿ªÆ±.exe
Operation: write | Name: Version | Value: 4.0.3.2

PID 2240 JSKP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\BackData1.exe
Operation: write | Name: UpdateFlag | Value: 0

PID 2240 JSKP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¼«ËÙ¿ªÆ±
Operation: write | Name: DisplayName | Value: ¼«ËÙ¿ªÆ± 4.0.3.2

PID 2240 JSKP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¼«ËÙ¿ªÆ±
Operation: write | Name: UninstallString | Value: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\uninst.exe

PID 2240 JSKP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¼«ËÙ¿ªÆ±
Operation: write | Name: DisplayIcon | Value: C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\¼«ËÙ¿ªÆ±.exe

PID 2240 JSKP.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\¼«ËÙ¿ªÆ±
Operation: write | Name: DisplayVersion | Value: 4.0.3.2
Executable files: 45
Suspicious files: 0
Text files: 44
Unknown types: 4

Dropped files

PID | Process | Filename | Type
2240 | JSKP.exe | C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\¸üÐÂ˵Ã÷.exe | executable
MD5: 03D1C402BE47613F73F872C4916E86AC
SHA256: E5982771A48DE1791C31353D6444C873921D4F9AA9BC4FC2FEBC2CEC13755BAB

2240 | JSKP.exe | C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\ver.config | ini
MD5: 0F98098C72D58ACBCF622A9544120BE6
SHA256: 2432922D88957501140B3A39A64B9AA903DFAA9FFA7A533E84C5DDDC64619552

2240 | JSKP.exe | C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\update_bak.exe | executable
MD5: 0F1DD5C597EE393801E42E040D05F782
SHA256: B0F05191F7F2DB409549139689DE66D4B1B51EA8E3DD783494099AFA422BC7EA

2240 | JSKP.exe | C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\¼«ËÙ¿ªÆ±.exe | executable
MD5: A927A1B7F86830BE70534A0D12776394
SHA256: 0BBB57275CC28F94578FCDBF887ED3DD652CA50B49E22EBA2EC009D48E7A2C7C

2240 | JSKP.exe | C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\sqlite3.dll | executable
MD5: 6D3C28D6C21D7318FCD6E77C1554FEF2
SHA256: 60B5BB4A98B60983EA434B00C320F064C0F78F4FFC9C5E2851C382A191460587

2240 | JSKP.exe | C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\FastInvoiceAssist.exe | executable
MD5: 6B8475556F35A0E81FADD041E2BB7CA9
SHA256: 9ED948B804F5C5FE6B7D522DF30D2C10A8CEAE0563E2159221503B92A57BC805

2240 | JSKP.exe | C:\Users\admin\AppData\Local\Temp\nsxC06E.tmp\KillProcDLL.dll | executable
MD5: 99F345CF51B6C3C317D20A81ACB11012
SHA256: C2689BA1F66066AFCE85CA6457ECD36370BE0FE351C58422E45EFD0948655C93

2820 | pack_4.0.3.2.exe156781.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\JSKP.exe | executable
MD5: 752EF7294C409A3851DBFC91273E78FB
SHA256: 31B9F3EDFE4AB5BB9E03CB16CD74EDB0A2EBCE4E1678A93FB0BF9217515EE1D6

2240 | JSKP.exe | C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\NetModule.dll | executable
MD5: AD3032A2DF92CAF311A10541EC47DB4F
SHA256: AC407B4A362A84BDA670F2F347DBB05009718CBD36362F89F0CF3A16D8A1EB0C

2240 | JSKP.exe | C:\Program Files\ŵŵ\¼«ËÙ¿ªÆ±\utility.dll | executable
MD5: DBE48925C8132F53AB04D33563B1A147
SHA256: D0A361838A9DB4C30A0166A6CBD1C7AB493B9F054540AA11A0D6208402F95EEC
HTTP(S) requests: 3
TCP/UDP connections: 4
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3524 | ¼«ËÙ¿ªÆ±.exe | GET | - | 115.231.99.106:80 | http://update.jss.com.cn/interfaceCtr/version.do?version=4.0.3.2&type=19&orgcode= | CN | - | - | suspicious
1148 | FastInvoice.exe | POST | - | 115.231.99.106:80 | http://jslog.jss.com.cn/helper/v2/logs | CN | - | - | suspicious
1148 | FastInvoice.exe | POST | - | 115.231.99.106:80 | http://jslog.jss.com.cn/helper/v2/logs | CN | - | - | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1148 | FastInvoice.exe | 115.231.99.106:80 | update.jss.com.cn | No.31,Jin-rong Street | CN | suspicious
3524 | ¼«ËÙ¿ªÆ±.exe | 115.231.99.106:80 | update.jss.com.cn | No.31,Jin-rong Street | CN | suspicious
2672 | update_bak.exe | 119.37.197.245:8228 | - | No.31,Jin-rong Street | CN | unknown
2672 | update_bak.exe | 115.231.99.106:80 | update.jss.com.cn | No.31,Jin-rong Street | CN | suspicious

DNS requests

Domain | IP | Reputation
update.jss.com.cn | 115.231.99.106 | suspicious
jslog.jss.com.cn | 115.231.99.106 | suspicious

Threats

No threats detected