analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://oxydating.com/hey.jpg

Full analysis: https://app.any.run/tasks/98f6d2dd-47ee-4774-8f26-dc3260b46009
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 23, 2019, 01:58:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
ransomware
troldesh
shade
evasion
trojan
Indicators:
MD5:

37666AD131505C8AC2F95CDB469E7CA5

SHA1:

D12C07A31875603276E150A8D62CB1E5CA600E2D

SHA256:

74AFA01D21D8620EF84FFDA5588FC6F28FFA3E1A886FB21C5AE2C4B679F8847E

SSDEEP:

3:N1KRdcyPAcC:CKcC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3184)
      • firefox.exe (PID: 3128)
      • chrome.exe (PID: 4008)

    • TROLDESH was detected

      • hey.jpg.exe (PID: 3552)

    • Application was dropped or rewritten from another process

      • hey.jpg.exe (PID: 3552)
      • hey.jpg.exe (PID: 2960)

    • Changes the autorun value in the registry

      • hey.jpg.exe (PID: 3552)

    • Deletes shadow copies

      • hey.jpg.exe (PID: 3552)

    • Runs app for hidden code execution

      • hey.jpg.exe (PID: 3552)

    • Dropped file may contain instructions of ransomware

      • hey.jpg.exe (PID: 3552)

    • Actions looks like stealing of personal data

      • hey.jpg.exe (PID: 3552)

    • Modifies files in Chrome extension folder

      • hey.jpg.exe (PID: 3552)

  • SUSPICIOUS

    • Starts Internet Explorer

      • explorer.exe (PID: 284)

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3184)
      • chrome.exe (PID: 4008)
      • hey.jpg.exe (PID: 3552)

    • Creates files in the program directory

      • hey.jpg.exe (PID: 3552)

    • Connects to unusual port

      • hey.jpg.exe (PID: 3552)

    • Checks for external IP

      • hey.jpg.exe (PID: 3552)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 284)

    • Creates files in the user directory

      • hey.jpg.exe (PID: 3552)
      • explorer.exe (PID: 284)

    • Starts CMD.EXE for commands execution

      • hey.jpg.exe (PID: 3552)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3300)

    • Creates files like Ransomware instruction

      • hey.jpg.exe (PID: 3552)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3184)
      • iexplore.exe (PID: 2852)
      • chrome.exe (PID: 4008)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3184)

    • Changes internet zones settings

      • iexplore.exe (PID: 2852)

    • Application launched itself

      • iexplore.exe (PID: 2852)
      • firefox.exe (PID: 3128)
      • chrome.exe (PID: 4008)

    • Reads CPU info

      • firefox.exe (PID: 3000)
      • firefox.exe (PID: 3128)
      • firefox.exe (PID: 3412)
      • firefox.exe (PID: 4036)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2852)
      • pingsender.exe (PID: 3988)
      • chrome.exe (PID: 4008)
      • explorer.exe (PID: 284)

    • Creates files in the user directory

      • firefox.exe (PID: 3128)
      • chrome.exe (PID: 4008)
      • iexplore.exe (PID: 2852)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2852)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2852)
      • chrome.exe (PID: 4008)

    • Dropped object may contain URL to Tor Browser

      • hey.jpg.exe (PID: 3552)

    • Dropped object may contain Bitcoin addresses

      • hey.jpg.exe (PID: 3552)

    • Dropped object may contain TOR URL's

      • hey.jpg.exe (PID: 3552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
78
Monitored processes
30
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe firefox.exe firefox.exe firefox.exe firefox.exe pingsender.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe #TROLDESH hey.jpg.exe chrome.exe no specs chrome.exe no specs hey.jpg.exe chrome.exe no specs chrome.exe no specs vssadmin.exe no specs vssadmin.exe vssvc.exe no specs cmd.exe no specs chcp.com no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2852"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3184"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2852 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3128"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
61.0.2
3000"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.0.467269999\866895968" -childID 1 -isForBrowser -prefsHandle 1340 -prefsLen 8309 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 1448 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
61.0.2
4036"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.6.1765630474\1016307212" -childID 2 -isForBrowser -prefsHandle 2268 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2284 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
61.0.2
3412"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3128.12.1735676772\160794687" -childID 3 -isForBrowser -prefsHandle 2980 -prefsLen 11808 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3128 "\\.\pipe\gecko-crash-server-pipe.3128" 2996 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
61.0.2
3988"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/87c9afb0-af11-4def-a9e7-1a4c0f91577a/main/Firefox/61.0.2/release/20180807170231?v=4 C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\87c9afb0-af11-4def-a9e7-1a4c0f91577aC:\Program Files\Mozilla Firefox\pingsender.exe
firefox.exe
User:
admin
Company:
Mozilla Foundation
Integrity Level:
MEDIUM
Exit code:
0
Version:
61.0.2
4008"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
68.0.3440.106
2920"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6e1c00b0,0x6e1c00c0,0x6e1c00ccC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
2612"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3144 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Total events
6 222
Read events
5 868
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
1 250
Text files
181
Unknown types
72

Dropped files

PID
Process
Filename
Type
2852iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2852iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3128firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
3128firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
3128firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
3128firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
3184iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019012320190124\index.datdat
MD5:F0338FFE1775BF63657ECABFD03F968C
SHA256:15E6275104463A91644B92E2BD7F21AFF5497A501F34A16BF5D1E69113267B1B
3184iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\hey[1].jpgexecutable
MD5:D3ADAF4FA38CC925EC66B567E558175A
SHA256:3D46B43F785FCBE5C04E08B8E0E4990D8EA604F9BE0026D40D5DEB7720E6BD3B
3128firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:6A28847E114DCAAA84D9B43AAF47DAD3
SHA256:2E323411C79DEC9E49C44EBB4CC74934B1ED9F45137CF4C8EEBF77BE7AF656E7
3128firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\doomed\14595binary
MD5:2B47F318FDCFABF9B88818D1F266B6CA
SHA256:552E9205F11D8BED37E6D3C068CD7393893CACAE4F21D922E895FB26B3191A54
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
263
DNS requests
88
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3184
iexplore.exe
GET
200
195.201.241.182:80
http://oxydating.com/hey.jpg
RU
executable
1.48 Mb
malicious
4008
chrome.exe
GET
301
195.201.241.182:80
http://oxydating.com/
RU
malicious
2852
iexplore.exe
GET
302
195.201.241.182:80
http://oxydating.com/favicon.ico
RU
html
223 b
malicious
3128
firefox.exe
GET
302
195.201.241.182:80
http://oxydating.com/favicon.ico
RU
html
223 b
malicious
3552
hey.jpg.exe
GET
403
104.16.19.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
3128
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
4008
chrome.exe
GET
200
91.199.212.52:80
http://crt.comodoca.com/COMODOECCAddTrustCA.crt
GB
der
980 b
whitelisted
3128
firefox.exe
GET
200
195.201.241.182:80
http://oxydating.com/hey.jpg
RU
executable
934 Kb
malicious
4008
chrome.exe
GET
302
195.201.241.182:80
http://oxydating.com/favicon.ico
RU
html
223 b
malicious
3552
hey.jpg.exe
GET
403
104.16.19.96:80
http://whatismyipaddress.com/
US
text
100 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2852
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2852
iexplore.exe
103.82.241.30:443
www.faujuladnan.com
PT. EXABYTES NETWORK INDONESIA
ID
unknown
3184
iexplore.exe
195.201.241.182:80
oxydating.com
Awanti Ltd.
RU
suspicious
2852
iexplore.exe
195.201.241.182:80
oxydating.com
Awanti Ltd.
RU
suspicious
3128
firefox.exe
2.16.186.112:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
3128
firefox.exe
52.27.184.151:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
3128
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3128
firefox.exe
195.201.241.182:80
oxydating.com
Awanti Ltd.
RU
suspicious
3128
firefox.exe
52.18.148.152:443
location.services.mozilla.com
Amazon.com, Inc.
IE
unknown
3128
firefox.exe
172.217.16.206:80
ocsp.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
oxydating.com
  • 195.201.241.182
malicious
www.faujuladnan.com
  • 103.82.241.30
unknown
detectportal.firefox.com
  • 2.16.186.112
  • 2.16.186.50
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.50
  • 2.16.186.112
whitelisted
search.services.mozilla.com
  • 52.27.184.151
  • 34.216.89.123
  • 52.89.32.107
whitelisted
search.r53-2.services.mozilla.com
  • 52.89.32.107
  • 34.216.89.123
  • 52.27.184.151
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
tiles.services.mozilla.com
  • 52.43.40.243
  • 34.214.85.136
  • 54.187.46.234
  • 34.216.156.21
  • 34.215.13.51
  • 52.41.78.152
  • 34.208.7.98
  • 34.209.108.219
whitelisted
tiles.r53-2.services.mozilla.com
  • 34.209.108.219
  • 34.208.7.98
  • 52.41.78.152
  • 34.215.13.51
  • 34.216.156.21
  • 54.187.46.234
  • 34.214.85.136
  • 52.43.40.243
whitelisted

Threats

PID
Process
Class
Message
3184
iexplore.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
3184
iexplore.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
3184
iexplore.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious Base64 from server instead image
3128
firefox.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
3128
firefox.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
4008
chrome.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious behavior, PE instead image from server
4008
chrome.exe
Misc activity
SUSPICIOUS [PTsecurity] PE as Image Content type mismatch
4008
chrome.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious Base64 from server instead image
3552
hey.jpg.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 112
3552
hey.jpg.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 173
24 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://oxydating.com/hey.jpg