Field | Value |
---|---|
URL | http://oxydating.com/hey.jpg |
Full analysis | https://app.any.run/tasks/98f6d2dd-47ee-4774-8f26-dc3260b46009 |
Verdict | Malicious activity |
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date | January 23, 2019, 01:58:27 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags | — |
Indicators | — |
MD5 | 37666AD131505C8AC2F95CDB469E7CA5 |
SHA1 | D12C07A31875603276E150A8D62CB1E5CA600E2D |
SHA256 | 74AFA01D21D8620EF84FFDA5588FC6F28FFA3E1A886FB21C5AE2C4B679F8847E |
SSDEEP | 3:N1KRdcyPAcC:CKcC |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2852 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Exit code: 1; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3184 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2852 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
3128 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 61.0.2 |
3000 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.0.467269999\866895968" -childID 1 -isForBrowser -prefsHandle 1340 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 1448 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 61.0.2 |
4036 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.6.1765630474\1016307212" -childID 2 -isForBrowser -prefsHandle 2268 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2284 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 61.0.2 |
3412 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.12.1735676772\160794687" -childID 3 -isForBrowser -prefsHandle 2980 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2996 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 61.0.2 |
3988 | "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/87c9afb0-af11-4def-a9e7-1a4c0f91577a/main/Firefox/61.0.2/release/20180807170231?v=4 C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\87c9afb0-af11-4def-a9e7-1a4c0f91577a | C:\Program Files\Mozilla Firefox\pingsender.exe | — | firefox.exe | User: admin; Company: Mozilla Foundation; Integrity Level: MEDIUM; Exit code: 0; Version: 61.0.2 |
4008 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | — | explorer.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 3221225547; Version: 68.0.3440.106 |
2920 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6e1c00b0,0x6e1c00c0,0x6e1c00cc | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 68.0.3440.106 |
2612 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3144 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | User: admin; Company: Google Inc.; Integrity Level: MEDIUM; Description: Google Chrome; Exit code: 0; Version: 68.0.3440.106 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2852 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | — | — |
2852 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
3128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | — | — |
3128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | — | — |
3128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | — | — |
3128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | — | — | — |
3184 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019012320190124\index.dat | dat | F0338FFE1775BF63657ECABFD03F968C | 15E6275104463A91644B92E2BD7F21AFF5497A501F34A16BF5D1E69113267B1B |
3184 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\hey[1].jpg | executable | D3ADAF4FA38CC925EC66B567E558175A | 3D46B43F785FCBE5C04E08B8E0E4990D8EA604F9BE0026D40D5DEB7720E6BD3B |
3128 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | 6A28847E114DCAAA84D9B43AAF47DAD3 | 2E323411C79DEC9E49C44EBB4CC74934B1ED9F45137CF4C8EEBF77BE7AF656E7 |
3128 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\doomed\14595 | binary | 2B47F318FDCFABF9B88818D1F266B6CA | 552E9205F11D8BED37E6D3C068CD7393893CACAE4F21D922E895FB26B3191A54 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3184 | iexplore.exe | GET | 200 | 195.201.241.182:80 | http://oxydating.com/hey.jpg | RU | executable | 1.48 Mb | malicious |
4008 | chrome.exe | GET | 301 | 195.201.241.182:80 | http://oxydating.com/ | RU | — | — | malicious |
2852 | iexplore.exe | GET | 302 | 195.201.241.182:80 | http://oxydating.com/favicon.ico | RU | html | 223 b | malicious |
3128 | firefox.exe | GET | 302 | 195.201.241.182:80 | http://oxydating.com/favicon.ico | RU | html | 223 b | malicious |
3552 | hey.jpg.exe | GET | 403 | 104.16.19.96:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
3128 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
4008 | chrome.exe | GET | 200 | 91.199.212.52:80 | http://crt.comodoca.com/COMODOECCAddTrustCA.crt | GB | der | 980 b | whitelisted |
3128 | firefox.exe | GET | 200 | 195.201.241.182:80 | http://oxydating.com/hey.jpg | RU | executable | 934 Kb | malicious |
4008 | chrome.exe | GET | 302 | 195.201.241.182:80 | http://oxydating.com/favicon.ico | RU | html | 223 b | malicious |
3552 | hey.jpg.exe | GET | 403 | 104.16.19.96:80 | http://whatismyipaddress.com/ | US | text | 100 b | shared |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2852 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2852 | iexplore.exe | 103.82.241.30:443 | www.faujuladnan.com | PT. EXABYTES NETWORK INDONESIA | ID | unknown |
3184 | iexplore.exe | 195.201.241.182:80 | oxydating.com | Awanti Ltd. | RU | suspicious |
2852 | iexplore.exe | 195.201.241.182:80 | oxydating.com | Awanti Ltd. | RU | suspicious |
3128 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
3128 | firefox.exe | 52.27.184.151:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3128 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3128 | firefox.exe | 195.201.241.182:80 | oxydating.com | Awanti Ltd. | RU | suspicious |
3128 | firefox.exe | 52.18.148.152:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown |
3128 | firefox.exe | 172.217.16.206:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com | — | whitelisted |
oxydating.com | — | malicious |
www.faujuladnan.com | — | unknown |
detectportal.firefox.com | — | whitelisted |
a1089.dscd.akamai.net | — | whitelisted |
search.services.mozilla.com | — | whitelisted |
search.r53-2.services.mozilla.com | — | whitelisted |
ocsp.digicert.com | — | whitelisted |
tiles.services.mozilla.com | — | whitelisted |
tiles.r53-2.services.mozilla.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3184 | iexplore.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server |
3184 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
3184 | iexplore.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious Base64 from server instead image |
3128 | firefox.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server |
3128 | firefox.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
4008 | chrome.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server |
4008 | chrome.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
4008 | chrome.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious Base64 from server instead image |
3552 | hey.jpg.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 112 |
3552 | hey.jpg.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 173 |