File name: infected.zip
Full analysis: https://app.any.run/tasks/93228488-85e7-4725-87b6-eb9677b1d0f2
Verdict: Malicious activity
Analysis date: February 11, 2019, 10:10:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, installcore, pup, addrop
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 0176354AFD84A1F7EB1653A1528C25BE
SHA1: 753CED9CFB88385A32F38552DD4C475B11DBD3AF
SHA256: 92582E3305FBDC2FB9E0F261118D47DE269484D122538CB9F9E5E387ACA94842
SSDEEP: 49152:RAGGJoL9xgvLdRrKxZE93Ig7NXg8l2ouetiOrz/tcF:RUJU9xgzdRrKxZYv7NQ8lOehtM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • JavaSetup_0896841932.exe (PID: 2476)
      • JavaSetup_0896841932.exe (PID: 3728)
    • INSTALLCORE was detected
      • JavaSetup_0896841932.exe (PID: 3728)
    • Connects to CnC server
      • JavaSetup_0896841932.exe (PID: 3728)
  • SUSPICIOUS
    • Reads Environment values
      • JavaSetup_0896841932.exe (PID: 3728)
    • Application launched itself
      • JavaSetup_0896841932.exe (PID: 2476)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2984)
      • JavaSetup_0896841932.exe (PID: 3728)
    • Reads Internet Explorer settings
      • JavaSetup_0896841932.exe (PID: 3728)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: JavaSetup_0896841932.exe
ZipUncompressedSize: 2478622
ZipCompressedSize: 2453001
ZipCRC: 0x0b4ac002
ZipModifyDate: 2019:02:11 10:07:24
ZipCompression: Unknown (99)
ZipBitFlag: 0x0003
ZipRequiredVersion: 20
Total processes: 37
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> winrar.exe -> javasetup_0896841932.exe (no specs) -> javasetup_0896841932.exe (#INSTALLCORE)

Process information

PID 2984: WinRAR.exe
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\infected.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID 2476: JavaSetup_0896841932.exe
CMD: "C:\Users\admin\Desktop\JavaSetup_0896841932.exe"
Path: C:\Users\admin\Desktop\JavaSetup_0896841932.exe
Parent process: explorer.exe
User: admin
Company: Rosot
Integrity Level: MEDIUM
Description: Hefefedele Setup
Exit code: 0
Version: (not reported)

PID 3728: JavaSetup_0896841932.exe
CMD: "C:\Users\admin\Desktop\JavaSetup_0896841932.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl
Path: C:\Users\admin\Desktop\JavaSetup_0896841932.exe
Parent process: JavaSetup_0896841932.exe
User: admin
Company: Rosot
Integrity Level: HIGH
Description: Hefefedele Setup
Exit code: (not reported)
Version: (not reported)
Total events: 992
Read events: 934
Write events: 58
Delete events: 0

Modification events (all registry writes by PID 2984, WinRAR.exe)

Key | Name | Value
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\infected.zip
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
Executable files: 2
Suspicious files: 3
Text files: 78
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\0024B43D.log | (not reported) | (not reported) | (not reported)
2984 | WinRAR.exe | C:\Users\admin\Desktop\JavaSetup_0896841932.exe | executable | 8D293B2903F23C149FBE02DAD15009BC | 5DC087DB22AE1EBADCB5B65675F2132691353471CC17A6CF94102DB4D0CBF75A
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\main.css | text | 2DBA8638120788C9E3AF6D447181B2F1 | 8089C6915B14118C19498CBCE306220CF009EAFFFADB6818FA130DFE6128F8A8
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\main.scss | text | 809FF7028B1952FDAEDE53E407A7DF93 | DE6C3DD2BE22340B3E95E14AE7FF6611CFACD7B9A7B134F536254C48FD3C5DF6
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\swAgent.css | text | 2543E3AF757C7D7C8A26C7CF57795F60 | C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\csshover3.htc | html | 52FA0DA50BF4B27EE625C80D36C67941 | E37E99DDFC73AC7BA774E23736B2EF429D9A0CB8C906453C75B14C029BDD5493
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\ie6_main.scss | text | D10348D17ADF8A90670696728F54562D | E8A3D15CF32009B01B9145B6E62FF6CAA9C2981F81CE063578C73C7ADFF08DFC
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\form.bmp.Mask | binary | D2FC989F9C2043CD32332EC0FAD69C70 | 27DD029405CBFB0C3BF8BAC517BE5DB9AA83E981B1DC2BD5C5D6C549FA514101
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\helpers\_backgrounds.scss | text | 6092A3768F84CFBC6E5C52301F5B63EA | 8A22A3285F3C7D82AA1A4273BDD62729DA241723507C1ECD5D2FD0A24C12E23B
3728 | JavaSetup_0896841932.exe | C:\Users\admin\AppData\Local\Temp\inH240543762259\css\helpers\_lists.scss | text | BDA575F11636073D71B86B89C94C6E42 | B15B8DB0368E31991FBE43C121409484562E20FB9599B5B3828E3093217DE163
HTTP(S) requests: 9
TCP/UDP connections: 8
DNS requests: 6
Threats: 0

HTTP requests (all from PID 3728, JavaSetup_0896841932.exe)

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
POST | 200 | 52.214.73.247:80 | http://www2.tepat-teku.com/ | IE | (not reported) | (not reported) | malicious
GET | 200 | 95.211.184.67:80 | http://cdn.tepat-teku.com/app/softjug/java_32.png | NL | image | 1.83 Kb | malicious
POST | 200 | 52.214.73.247:80 | http://www2.tepat-teku.com/ | IE | (not reported) | (not reported) | malicious
GET | (not reported) | 209.95.37.242:80 | http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe | US | (not reported) | (not reported) | malicious
GET | (not reported) | 209.95.37.242:80 | http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe | US | (not reported) | (not reported) | malicious
HEAD | (not reported) | 209.95.37.242:80 | http://cdnus.laboratoryconecpttoday.com/app/softjug/javaSetup.exe | US | (not reported) | (not reported) | malicious
POST | 200 | 52.212.157.66:80 | http://cloud.tepat-teku.com/?nocowo=0 | IE | text | 2.17 Kb | malicious
POST | (not reported) | 52.214.236.246:80 | http://server.tepat-teku.com/ | IE | (not reported) | (not reported) | malicious
POST | 200 | 52.214.236.246:80 | http://secure.tepat-teku.com/ | IE | binary | 513 Kb | malicious

Connections (all from PID 3728, JavaSetup_0896841932.exe)

IP | Domain | ASN | CN | Reputation
52.214.73.247:80 | www2.tepat-teku.com | Amazon.com, Inc. | IE | malicious
209.95.37.242:80 | cdnus.laboratoryconecpttoday.com | WestHost, Inc. | US | suspicious
95.211.184.67:80 | cdn.tepat-teku.com | LeaseWeb Netherlands B.V. | NL | malicious
52.214.236.246:80 | server.tepat-teku.com | Amazon.com, Inc. | IE | malicious
52.212.157.66:80 | cloud.tepat-teku.com | Amazon.com, Inc. | IE | malicious

DNS requests

Domain | IP | Reputation
www2.tepat-teku.com | 52.214.73.247, 54.194.149.175 | malicious
cloud.tepat-teku.com | 52.212.157.66, 52.209.116.64, 34.251.155.7 | malicious
cdn.tepat-teku.com | 95.211.184.67 | malicious
server.tepat-teku.com | 52.214.236.246, 52.31.54.204, 52.31.245.195 | malicious
cdnus.laboratoryconecpttoday.com | 209.95.37.242 | malicious
secure.tepat-teku.com | 52.214.236.246, 52.31.245.195, 52.31.54.204 | malicious

Threats (all from PID 3728, JavaSetup_0896841932.exe)

Class | Message
Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3
2 ETPRO signatures available at the full report
No debug info