news

Full analysis: https://app.any.run/tasks/99a4e41c-98a0-4145-9011-8f5d549636a8
Verdict: Malicious activity
Analysis date: September 19, 2019, 10:57:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text
MD5: DED16EBD69E557A3C30BA4E43DD8D830
SHA1: 59D175B6D1F219817053409DF7439DF249CDD38F
SHA256: 79DD60FA6789276CB59AFD3902D2B941279CF8CC78086BD580640123CF01CFC4
SSDEEP: 3:qVvzL6HjJMzVJu+1v3pY/1SPmkMLdufGESMY9bCtFcR0b:qFzLOMRJVxC1SsdaTS/C3cGb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3184)
  • INFO

    • Manual execution by user

      • chrome.exe (PID: 3184)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3572)
    • Creates files in the user directory

      • iexplore.exe (PID: 3572)
      • iexplore.exe (PID: 3536)
    • Changes internet zones settings

      • iexplore.exe (PID: 3536)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3980)
      • iexplore.exe (PID: 3572)
    • Application launched itself

      • iexplore.exe (PID: 3536)
      • chrome.exe (PID: 3184)
    • Reads the hosts file

      • chrome.exe (PID: 3184)
      • chrome.exe (PID: 3360)
    • Reads settings of System Certificates

      • chrome.exe (PID: 3360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .html | HyperText Markup Language (100)

EXIF (HTML): Refresh: 0;URL=http://vip.jajahysi.xyz/tracker?s_id=7&aff_id=225
No data.
All screenshots are available in the full report
Total processes: 66
Monitored processes: 31
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Interactive process graph (not reproduced here): start → iexplore.exe and chrome.exe process trees.

Process information

PID: 3536
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\news.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3980
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3536 CREDAT:79873
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3572
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3536 CREDAT:137473
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3184
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 1576
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6db8a9d0,0x6db8a9e0,0x6db8a9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3600
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3220 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2936
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1008,13157351838011381463,7026393837328916064,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1717927948088397814 --mojo-platform-channel-handle=1020 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 3360
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1008,13157351838011381463,7026393837328916064,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=6190272554003277221 --mojo-platform-channel-handle=1620 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 4024
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1008,13157351838011381463,7026393837328916064,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7209460083969562994 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 2840
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1008,13157351838011381463,7026393837328916064,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11928348301412865309 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Total events: 1,113
Read events: 942
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 0
Suspicious files: 24
Text files: 169
Unknown types: 13

Dropped files

PID 3536 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
  Type: (not recorded)  MD5: (not recorded)  SHA256: (not recorded)

PID 3536 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: (not recorded)  MD5: (not recorded)  SHA256: (not recorded)

PID 3184 (chrome.exe): C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old
  Type: (not recorded)  MD5: (not recorded)  SHA256: (not recorded)

PID 3184 (chrome.exe): C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
  Type: (not recorded)  MD5: (not recorded)  SHA256: (not recorded)

PID 3184 (chrome.exe): C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF16aa1f.TMP
  Type: (not recorded)  MD5: (not recorded)  SHA256: (not recorded)

PID 3572 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
  Type: dat
  MD5: A155E8A0DD71E76AF9B65477C3092978
  SHA256: 84BE7BE4F2D9BE5497E09E542C5A7E18C9C2759DDF50E2687F59000500E7B808

PID 3980 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019091920190920\index.dat
  Type: dat
  MD5: 3F42B5FDB7012580483093FAA2631191
  SHA256: B80691AFA707238DDABE8B71C7606C9E9E0A62085FD1EA13FC98738EB6392B9F

PID 3184 (chrome.exe): C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\0d57eca8-75c2-4bf6-8bf8-abd4529a1315.tmp
  Type: (not recorded)  MD5: (not recorded)  SHA256: (not recorded)

PID 3572 (iexplore.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@jajahysi[1].txt
  Type: text
  MD5: EDFCC1CB348B7D7C6656DC8A4DDDD846
  SHA256: 1A762065C68FF54B329CC3A0A66EFDF3E99443BE7F887E092DDB5DCF82B69BDF

PID 3184 (chrome.exe): C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
  Type: (not recorded)  MD5: (not recorded)  SHA256: (not recorded)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 57
TCP/UDP connections: 46
DNS requests: 26
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3572 | iexplore.exe | GET | 302 | 104.28.5.157:80 | http://vip.jajahysi.xyz/tracker?s_id=7&aff_id=225 | US | - | - | suspicious
3572 | iexplore.exe | GET | 200 | 104.28.4.157:80 | http://prl.jajahysi.xyz/prelands/870/img/momnz.jpg | US | image | 121 Kb | suspicious
3572 | iexplore.exe | GET | 200 | 104.28.4.157:80 | http://prl.jajahysi.xyz/prelands/870/img/day2_de_bitcoin.png | US | image | 10.6 Kb | suspicious
3572 | iexplore.exe | GET | 200 | 104.28.4.157:80 | http://prl.jajahysi.xyz/prelands/870/img/day3_de_bitcoin.png | US | image | 10.6 Kb | suspicious
3572 | iexplore.exe | GET | 200 | 104.28.4.157:80 | http://prl.jajahysi.xyz/prelands/870/img/cheak.gif | US | image | 2.00 Kb | suspicious
3360 | chrome.exe | GET | - | 47.254.173.118:80 | http://maria374.xyz/favicon.ico | US | - | - | suspicious
3360 | chrome.exe | GET | - | 47.254.173.118:80 | http://ivi.nick028.xyz/news | US | - | - | suspicious
3360 | chrome.exe | GET | 302 | 104.28.4.157:80 | http://vip.jajahysi.xyz/tracker?s_id=7&aff_id=225 | US | - | - | suspicious
3572 | iexplore.exe | GET | 200 | 104.28.4.157:80 | http://prl.jajahysi.xyz/prelands/870/img/adrian_de1.png | US | image | 199 Kb | suspicious
3572 | iexplore.exe | GET | 200 | 104.28.4.157:80 | http://prl.jajahysi.xyz/prelands/870/img/bittrader-step1.png | US | image | 1.74 Mb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3360 | chrome.exe | 216.58.207.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
3572 | iexplore.exe | 104.28.5.157:80 | vip.jajahysi.xyz | Cloudflare Inc | US | shared
3572 | iexplore.exe | 104.28.4.157:80 | vip.jajahysi.xyz | Cloudflare Inc | US | shared
3360 | chrome.exe | 172.217.22.45:443 | accounts.google.com | Google Inc. | US | whitelisted
3360 | chrome.exe | 216.58.205.227:443 | www.google.com.ua | Google Inc. | US | whitelisted
3360 | chrome.exe | 172.217.16.131:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
3360 | chrome.exe | 172.217.21.195:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3360 | chrome.exe | 172.217.22.67:443 | www.gstatic.com | Google Inc. | US | whitelisted
3360 | chrome.exe | 47.254.173.118:80 | ivi.nick028.xyz | Alibaba (China) Technology Co., Ltd. | US | malicious

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
vip.jajahysi.xyz | 104.28.5.157, 104.28.4.157 | suspicious
prl.jajahysi.xyz | 104.28.4.157, 104.28.5.157 | suspicious
clientservices.googleapis.com | 172.217.21.195 | whitelisted
accounts.google.com | 172.217.22.45 | shared
www.google.com.ua | 216.58.205.227 | whitelisted
fonts.googleapis.com | 216.58.207.42 | whitelisted
www.gstatic.com | 172.217.22.67 | whitelisted
fonts.gstatic.com | 172.217.16.131 | whitelisted
ivi.nick028.xyz | 47.254.173.118 | suspicious

Threats

PID | Process | Class | Message
3572 | iexplore.exe | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain (10 identical alerts)
No debug info