File name: Skyjack.zip
Full analysis: https://app.any.run/tasks/54a4bec5-b58d-4f69-826d-04b693ad54e2
Verdict: Malicious activity
Analysis date: September 11, 2019, 01:19:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: E289FDFC2568497A18C3972624B54A77
SHA1: FBAB326D258D803ABA6708358DE812488925F941
SHA256: 827AEDFE4401255C30B6573D6990D07A3BBFE2DAAE5E8D8D09C155186D91647C
SSDEEP: 384:B2CjMNPv21TwZ6gtMCUlAU5lhHOxJS+w9OHM+tLqfaD06FfSOXu6fy:BFM21TO6MaljvHOxMrGpB5tFfSO+ey

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AutoUpdateUSB.exe (PID: 3012)
      • SkyjackManualSystem.exe (PID: 3352)
      • b2e.exe (PID: 2628)
      • AutoUpdateUSB.exe (PID: 3460)
  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 2884)
    • Executable content was dropped or overwritten

      • SkyjackManualSystem.exe (PID: 3352)
      • WinRAR.exe (PID: 3608)
    • Starts CMD.EXE for commands execution

      • b2e.exe (PID: 2628)
  • INFO

    • Manual execution by user

      • SkyjackManualSystem.exe (PID: 3352)
      • explorer.exe (PID: 3496)
    • Application was crashed

      • AutoUpdateUSB.exe (PID: 3460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:09:10 18:57:07
ZipCRC: 0x5ca96194
ZipCompressedSize: 14851
ZipUncompressedSize: 37888
ZipFileName: SkyjackManualSystem.exe
No data.
All screenshots are available in the full report
Total processes: 52
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 1


Process information

PID: 2884
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Skyjack.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3608
CMD: "C:\Program Files\WinRAR\WinRAR.exe" -elevate2884
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: HIGH
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3496
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3352
CMD: "C:\SkyjackManualSystem.exe"
Path: C:\SkyjackManualSystem.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 8851

PID: 2628
CMD: "C:\Users\admin\AppData\Local\Temp\FB7B.tmp\b2e.exe" C:\Users\admin\AppData\Local\Temp\FB7B.tmp\b2e.exe C:\ "C:\SkyjackManualSystem.exe"
Path: C:\Users\admin\AppData\Local\Temp\FB7B.tmp\b2e.exe
Parent process: SkyjackManualSystem.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 560
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\FD50.tmp\batfile.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: b2e.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3012
CMD: "C:\UpdateUSB\AutoUpdateUSB.exe"
Path: C:\UpdateUSB\AutoUpdateUSB.exe
Parent process: cmd.exe
User: admin
Company: Linamar Corporation
Integrity Level: MEDIUM
Description: AutoUpdateUSB
Exit code: 3221226540
Version: 1.0.0.0

PID: 3460
CMD: "C:\UpdateUSB\AutoUpdateUSB.exe"
Path: C:\UpdateUSB\AutoUpdateUSB.exe
Parent process: cmd.exe
User: admin
Company: Linamar Corporation
Integrity Level: HIGH
Description: AutoUpdateUSB
Version: 1.0.0.0

PID: 2200
CMD: cmd /c ""C:\Users\admin\AppData\Local\Temp\selfdel0.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: b2e.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 765
Read events: 722
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 3
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 2628
Process: b2e.exe
Filename: C:\Users\admin\AppData\Local\Temp\selfdel0.bat
MD5:
SHA256:

PID: 3608
Process: WinRAR.exe
Filename: C:\SkyjackManualSystem.exe
Type: executable
MD5: 189C0458DBCD521E327FCB92D808541F
SHA256: 19186F2926FEA8310A181102C27898F54712B13DE471DE0D4C780A7E34788565

PID: 3352
Process: SkyjackManualSystem.exe
Filename: C:\Users\admin\AppData\Local\Temp\FB7B.tmp\b2e.exe
Type: executable
MD5: 9E695749B855B6161976D8076399B309
SHA256: 31E2A8F9155FC9A6BDB3EB31632D54601C6F3F41FC158418458F486CBDD9AB9E

PID: 3608
Process: WinRAR.exe
Filename: C:\UpdateUSB\AutoUpdateUSB.exe
Type: executable
MD5: CD291E38D98726AF11A6F3B2B613BFBB
SHA256: 1C751FE5F72BDF063059EB26EA1F2BC243F61CDE8C040E74CFFA38BA8AF0610D

PID: 2628
Process: b2e.exe
Filename: C:\Users\admin\AppData\Local\Temp\FD50.tmp\batfile.bat
Type: text
MD5: 752C4F4852843AA528E5576D9A3A7449
SHA256: 6F84BFBFA5CB42CC1333D13414493C303F1E816ADC9888E553B46CD0EED9895D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info