Malware analysis index.html Malicious activity | ANY.RUN

Add for printing

download:	index.html
Full analysis:	https://app.any.run/tasks/8d2c1b25-b497-4201-8237-99b80f7c6065
Verdict:	Malicious activity
Analysis date:	January 22, 2019, 20:10:12
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir
Indicators:
MIME:	text/html
File info:	HTML document, UTF-8 Unicode text, with very long lines
MD5:	AA654BAF5EB1B4BAD4B5A8048DB69D1F
SHA1:	9499A2E43AE3C53FBEBBA20CFAA76DE014748863
SHA256:	828F431DAD7D631B8D5FA4AC17635D28FD19C98429513EECC2D5B1E6D9E1969E
SSDEEP:	384:zi7KhgESoVBD8csZQ3RM3xbemLxXucfIk99heL3VzVc9v:ziYSogct3wImQOIk9SzNqv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3240)
  - iexplore.exe (PID: 2352)
  - iexplore.exe (PID: 2956)
- Changes internet zones settings
  - iexplore.exe (PID: 2956)
- Reads internet explorer settings
  - iexplore.exe (PID: 3240)
  - iexplore.exe (PID: 2352)
- Application launched itself
  - iexplore.exe (PID: 2956)
- Creates files in the user directory
  - iexplore.exe (PID: 2352)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.html	\|	HyperText Markup Language (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Parent process
2956	"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.html	C:\Program Files\Internet Explorer\iexplore.exe	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3240	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:79873	C:\Program Files\Internet Explorer\iexplore.exe	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2352	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:137473	C:\Program Files\Internet Explorer\iexplore.exe	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

569

Read events

485

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2956	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico		—
		MD5:—	SHA256:—
2956	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
2352	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\CA22E9OJ.txt		—
		MD5:—	SHA256:—
2956	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DFD19A4BCEF10E5985.TMP		—
		MD5:—	SHA256:—
2352	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\CAG9GTV7.htm		html
		MD5:3EA52E6CC5B2C76631A22B99F8F16467	SHA256:BFB82CCF72F5FBDAD8EE9B286C982F936393034A318EAC8426F77AA7870506A6
2352	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\caf[1].js		text
		MD5:021CACDD1B1D56A9F8D104B94014F681	SHA256:817FA87F9D69F8A0778C3B83D21EAD325179AF758B024B4F73F0057BEEEECEE9
3240	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\jquery-1.4.2.min[1].js		text
		MD5:0D658C3F0A7EFAA05A6FCEE9758231B3	SHA256:E186F74C971A978C1DAF20BB51A1B71BCB075D8D09D678EE1D12665C136B1487
3240	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\caf[1].js		text
		MD5:B8AB1A8ABCCD6F19D8410422168EFD03	SHA256:50F61B5C0583A0F0BD4D9BADA1C25AB798D56430E2A3E41369EF8B796C1E7E4E
2352	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@easycracks[1].txt		text
		MD5:D80E50DDBC8394E98821A9F3D455C256	SHA256:B88E03CB988EED855B0F953883F52B46C20AA81276FF154C9AED920B86A21C38
3240	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat		dat
		MD5:D6CCC8CDBD0A603AE07A4A453DD465D5	SHA256:2DA16CCE7D0530AD06E83711270DEF0C1F522D7D000F03352D5261E857345014

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3240	iexplore.exe	GET	—	67.225.218.50:80	http://parking.parklogic.com/page/enhance.js?pcId=2&domain=easycracks.net	US	—	—	suspicious
2352	iexplore.exe	GET	200	72.52.4.90:80	http://ww1.easycracks.net/search/tsc.php?200=MjgyNDU2MDE1&21=ODkuMjQ5LjczLjE3&681=MTU0ODE4NzgzMTVmMjIxMGE0N2Q1NmMxMzlkYmIxYWI5MzgxZWIwZjgz&crc=3606d9b387c286d20d8db870dde046bba116c7f3&cv=1	US	—	—	malicious
2352	iexplore.exe	GET	200	72.52.4.90:80	http://ww1.easycracks.net//?gtnjs=1	US	html	7.85 Kb	malicious
2352	iexplore.exe	GET	200	216.58.210.4:80	http://www.google.com/adsense/domains/caf.js	US	text	52.5 Kb	whitelisted
2352	iexplore.exe	GET	200	67.225.218.50:80	http://parking.parklogic.com/page/enhance.js?pcId=2&domain=easycracks.net	US	html	2.17 Kb	suspicious
3240	iexplore.exe	GET	200	216.58.210.4:80	http://www.google.com/adsense/domains/caf.js	US	text	52.5 Kb	whitelisted
2352	iexplore.exe	GET	200	72.52.4.90:80	http://ww1.easycracks.net/log/jserr.php?msg=Access+is+denied.%0D%0A&file=https%3A%2F%2Fscript.ioam.de%2Fiam.js&line=228	US	compressed	7.85 Kb	malicious
3240	iexplore.exe	GET	200	205.234.175.175:80	http://img.sedoparking.com/js/jquery-1.4.2.min.js	US	text	26.1 Kb	whitelisted
2352	iexplore.exe	GET	200	205.234.175.175:80	http://img.sedoparking.com/templates/brick_gfx/common/logo_white.png	US	image	2.18 Kb	whitelisted
2352	iexplore.exe	GET	200	205.234.175.175:80	http://img.sedoparking.com/js/jquery-1.4.2.min.js	US	text	26.1 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3240	iexplore.exe	216.58.210.4:80	www.google.com	Google Inc.	US	whitelisted
2956	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3240	iexplore.exe	205.234.175.175:80	img.sedoparking.com	CacheNetworks, Inc.	US	suspicious
3240	iexplore.exe	67.225.218.50:80	parking.parklogic.com	Liquid Web, L.L.C	US	malicious
2352	iexplore.exe	205.234.175.175:80	img.sedoparking.com	CacheNetworks, Inc.	US	suspicious
2352	iexplore.exe	216.58.210.4:80	www.google.com	Google Inc.	US	whitelisted
2352	iexplore.exe	72.52.4.90:80	ww1.easycracks.net	Akamai Technologies, Inc.	US	whitelisted
2352	iexplore.exe	91.215.100.39:443	script.ioam.de	INFOnline GmbH	DE	unknown
2352	iexplore.exe	67.225.218.50:80	parking.parklogic.com	Liquid Web, L.L.C	US	malicious

DNS requests

Domain	IP	Reputation
img.sedoparking.com	205.234.175.175	whitelisted
parking.parklogic.com	67.225.218.50	suspicious
www.google.com	216.58.210.4	whitelisted
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
ww1.easycracks.net	72.52.4.90	malicious
script.ioam.de	91.215.100.39 91.215.103.64	whitelisted

Threats

PID	Process	Class	Message
2352	iexplore.exe	A Network Trojan was detected	SC TROJAN Malicious behaviour by LNK/Agent.CH
2352	iexplore.exe	A Network Trojan was detected	SC TROJAN Malicious behaviour by LNK/Agent.CH
2352	iexplore.exe	A Network Trojan was detected	SC BAD_UNKNOWN Trojan Unknown JS
2352	iexplore.exe	A Network Trojan was detected	SC TROJAN Malicious behaviour by LNK/Agent.CH

Add for printing

No debug info

General Info

index.html

AA654BAF5EB1B4BAD4B5A8048DB69D1F

9499A2E43AE3C53FBEBBA20CFAA76DE014748863

828F431DAD7D631B8D5FA4AC17635D28FD19C98429513EECC2D5B1E6D9E1969E

384:zi7KhgESoVBD8csZQ3RM3xbemLxXucfIk99heL3VzVc9v:ziYSogct3wImQOIk9SzNqv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Reads Internet Cache Settings

Changes internet zones settings

Reads internet explorer settings

Application launched itself

Creates files in the user directory

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings