File name: 02322339_2
Full analysis: https://app.any.run/tasks/08e9b64e-6f98-47b5-a2dc-b8b008ad3112
Verdict: Malicious activity
Analysis date: November 30, 2020, 01:05:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 27527EAE13155667B4DFF4F5CE8868F4
SHA1: EB8200DEFD9CAC2087AED54EAF875F4184F9C7FB
SHA256: 9CD541BC6FB15931AED14CF8EC3E2FD797D27B9F53BEE069E3DB500394A300D4
SSDEEP: 98304:a8tNw4DU2IIfn5P3NMdtRt0yYvI1hnf4icH:9waUcf5P3NMvsxEhfc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • 02322339_2.exe (PID: 2844)
    • Loads dropped or rewritten executable
      • 02322339_2.exe (PID: 2844)
      • cjzg.exe (PID: 3552)
  • SUSPICIOUS
    • Creates a software uninstall entry
      • 02322339_2.exe (PID: 2844)
    • Creates files in the user directory
      • 02322339_2.exe (PID: 2844)
    • Drops a file that was compiled in debug mode
      • 02322339_2.exe (PID: 2844)
    • Executable content was dropped or overwritten
      • 02322339_2.exe (PID: 2844)
    • Drops a file with a compile date too recent
      • 02322339_2.exe (PID: 2844)
    • Changes IE settings (feature browser emulation)
      • 02322339_2.exe (PID: 2844)
      • cjzg.exe (PID: 3552)
    • Starts itself from another location
      • 02322339_2.exe (PID: 2844)
    • Reads internet explorer settings
      • cjzg.exe (PID: 3552)
  • INFO
    • No info indicators.
Signature artifacts and their mapping to the MITRE ATT&CK™ matrix are in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:06:08 13:09:44+02:00
PEType: PE32
LinkerVersion: 14.16
CodeSize: 937472
InitializedDataSize: 2706432
UninitializedDataSize: -
EntryPoint: 0xa05fa
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.2.30.608
ProductVersionNumber: 2.2.30.608
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileDescription: 游戏微端 (Game micro-client)
FileVersion: 2.2.30.608
InternalName: LiteGameBox2_externel
LegalCopyright: 版权所有 (C) 2008-2020 www.ludashi.com (Copyright (C) 2008-2020 www.ludashi.com)
OriginalFileName: LiteGameBox2
ProductName: 游戏微端 (Game micro-client)
ProductVersion: 2.2.30.608
Total processes: 36
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

02322339_2.exe (PID 2844) --drop and start--> cjzg.exe (PID 3552)

Process information

PID | CMD | Path | Parent process
2844 | "C:\Users\admin\AppData\Local\Temp\02322339_2.exe" | C:\Users\admin\AppData\Local\Temp\02322339_2.exe | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: 游戏微端 (Game micro-client)
  Exit code: 0
  Version: 2.2.30.608
3552 | "C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.exe" | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.exe | 02322339_2.exe
  User: admin
  Integrity Level: MEDIUM
  Description: 游戏微端 (Game micro-client)
  Version: 2.2.30.608
Total events: 562
Read events: 507
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 3
Suspicious files: 7
Text files: 30
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3552 | cjzg.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\main[1].css | text
  MD5: 20E9FAE94ECC9AFCA5DF709C77779FD9
  SHA256: F24041D254364DB93BDC9F89AB91B69FB9D7C407D597BEFD8411520AA94C49B3
2844 | 02322339_2.exe | C:\Users\admin\AppData\Local\Temp\LiteGameBox_cjzg\cjzg.ui | compressed
  MD5: B3609F08A6396D2D04708659C3765BEA
  SHA256: 085ED74CF4FB045232D1A92E61E2545BD267E2A34AD1A78FA52FCEC68D5116D1
3552 | cjzg.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\upload[1].jpg | image
  MD5: D90610CD6A6E62E838859A55F03FEBCA
  SHA256: B2D3976CEBD782DF2ABDF828D4BC151D50256E0A017C4D49FF592D2E1A749AE7
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.exe | executable
  MD5: 27527EAE13155667B4DFF4F5CE8868F4
  SHA256: 9CD541BC6FB15931AED14CF8EC3E2FD797D27B9F53BEE069E3DB500394A300D4
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.json | text
  MD5: 9228D77AE29BFE676B3622E6907BDFDD
  SHA256: 282C5F1C33FF6540C216AC5F3C7A6C91004A39ED3914D0ED7DFC113F5910D2EB
2844 | 02322339_2.exe | C:\Users\admin\Desktop\裁决战歌.lnk | lnk
  MD5: DF0B3EB05C64398C3A3865B90AE7B88F
  SHA256: 8C667CD56205ABE3B9DA79DADCE6091D4D3BE2E4D9E2EB734B305F330FC01CE7
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.ui | compressed
  MD5: B3609F08A6396D2D04708659C3765BEA
  SHA256: 085ED74CF4FB045232D1A92E61E2545BD267E2A34AD1A78FA52FCEC68D5116D1
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\裁决战歌.lnk | lnk
  MD5: CE27E52A3BD261A6A32BE5016E55D30B
  SHA256: C8AE319157F1FA6B2F45CDE678DF31A60697D66151D0B6593C375FD04D5C006D
2844 | 02322339_2.exe | C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.ico | image
  MD5: D457462B6F5E9B765B9CF81DE0A5BC0A
  SHA256: 7C4F9503B42021B6F17FA48ED7819911C3062BC41849AD50314A20368387B265
3552 | cjzg.exe | C:\Users\admin\AppData\Local\Temp\LiteGameBox2Run_cjzg\cjzg.ui | compressed
  MD5: B3609F08A6396D2D04708659C3765BEA
  SHA256: 085ED74CF4FB045232D1A92E61E2545BD267E2A34AD1A78FA52FCEC68D5116D1
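The indicator list above and the dropped-file table are two views of the same facts: the cjzg.exe written to AppData\Roaming carries the submitted sample's own MD5 and SHA256 (which is what "Starts itself from another location" keys on), and PID 3552 is that dropped copy being executed (the "drop and start" edge and "Loads dropped or rewritten executable"). The script below is an added example, not ANY.RUN's code: it re-derives those signals from records transcribed from this report's tables. The Temp path, the check names and the Desktop/Temp heuristics are the editor's assumptions, not ANY.RUN's signature logic.

```python
"""Re-derive the report's drop/start indicators from its own tables.

Added example, not ANY.RUN's code. Records below are transcribed from the
"Process information" and "Dropped files" tables; USER_TEMP and the check
names are the editor's assumptions.
"""
import ntpath
from dataclasses import dataclass

SAMPLE_SHA256 = "9CD541BC6FB15931AED14CF8EC3E2FD797D27B9F53BEE069E3DB500394A300D4"
USER_TEMP = r"C:\Users\admin\AppData\Local\Temp"  # %TEMP% of the sandbox user (assumed)


@dataclass(frozen=True)
class DroppedFile:
    pid: int
    process: str
    path: str
    ftype: str
    sha256: str


@dataclass(frozen=True)
class Process:
    pid: int
    path: str
    parent: str


PROCESSES = [
    Process(2844, r"C:\Users\admin\AppData\Local\Temp\02322339_2.exe", "explorer.exe"),
    Process(3552, r"C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.exe", "02322339_2.exe"),
]

DROPPED = [
    DroppedFile(3552, "cjzg.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\main[1].css",
                "text", "F24041D254364DB93BDC9F89AB91B69FB9D7C407D597BEFD8411520AA94C49B3"),
    DroppedFile(2844, "02322339_2.exe", r"C:\Users\admin\AppData\Local\Temp\LiteGameBox_cjzg\cjzg.ui",
                "compressed", "085ED74CF4FB045232D1A92E61E2545BD267E2A34AD1A78FA52FCEC68D5116D1"),
    DroppedFile(3552, "cjzg.exe", r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\upload[1].jpg",
                "image", "B2D3976CEBD782DF2ABDF828D4BC151D50256E0A017C4D49FF592D2E1A749AE7"),
    DroppedFile(2844, "02322339_2.exe", r"C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.exe",
                "executable", SAMPLE_SHA256),
    DroppedFile(2844, "02322339_2.exe", r"C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.json",
                "text", "282C5F1C33FF6540C216AC5F3C7A6C91004A39ED3914D0ED7DFC113F5910D2EB"),
    DroppedFile(2844, "02322339_2.exe", r"C:\Users\admin\Desktop\裁决战歌.lnk",
                "lnk", "8C667CD56205ABE3B9DA79DADCE6091D4D3BE2E4D9E2EB734B305F330FC01CE7"),
    DroppedFile(2844, "02322339_2.exe", r"C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.ui",
                "compressed", "085ED74CF4FB045232D1A92E61E2545BD267E2A34AD1A78FA52FCEC68D5116D1"),
    DroppedFile(2844, "02322339_2.exe", r"C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\裁决战歌.lnk",
                "lnk", "C8AE319157F1FA6B2F45CDE678DF31A60697D66151D0B6593C375FD04D5C006D"),
    DroppedFile(2844, "02322339_2.exe", r"C:\Users\admin\AppData\Roaming\LiteGameBox_cjzg\cjzg.ico",
                "image", "7C4F9503B42021B6F17FA48ED7819911C3062BC41849AD50314A20368387B265"),
    DroppedFile(3552, "cjzg.exe", r"C:\Users\admin\AppData\Local\Temp\LiteGameBox2Run_cjzg\cjzg.ui",
                "compressed", "085ED74CF4FB045232D1A92E61E2545BD267E2A34AD1A78FA52FCEC68D5116D1"),
]


def _norm(path):
    """Case-insensitive, separator-normalised Windows path (works on any host OS)."""
    return ntpath.normcase(ntpath.normpath(path))


def _under(path, root):
    return _norm(path).startswith(_norm(root) + "\\")


def self_copies(dropped, sample_sha256=SAMPLE_SHA256):
    """Dropped executables byte-identical to the submitted sample."""
    return [d for d in dropped
            if d.ftype == "executable" and d.sha256.upper() == sample_sha256.upper()]


def executables_outside_temp(dropped, temp=USER_TEMP):
    """Executables written anywhere other than %TEMP%, the usual sign of a persistent copy."""
    return [d for d in dropped if d.ftype == "executable" and not _under(d.path, temp)]


def desktop_shortcuts(dropped):
    """.lnk files planted directly on the user's Desktop."""
    return [d for d in dropped
            if d.ftype == "lnk" and _norm(ntpath.dirname(d.path)).endswith("\\desktop")]


def started_dropped(dropped, processes):
    """(process, dropped file) pairs where a process image is a file dropped in the same run."""
    by_path = {_norm(d.path): d for d in dropped if d.ftype == "executable"}
    return [(p, by_path[_norm(p.path)]) for p in processes if _norm(p.path) in by_path]


def triage(dropped, processes, sample_sha256=SAMPLE_SHA256):
    """{check name: [paths]} for every check that fired."""
    checks = {
        "self copy (sample hash reappears as a dropped exe)": self_copies(dropped, sample_sha256),
        "executable dropped outside %TEMP%": executables_outside_temp(dropped),
        "shortcut planted on Desktop": desktop_shortcuts(dropped),
        "dropped executable started": [p for p, _ in started_dropped(dropped, processes)],
    }
    return {name: [x.path for x in hits] for name, hits in checks.items() if hits}


if __name__ == "__main__":
    for check, paths in triage(DROPPED, PROCESSES).items():
        print(check)
        for p in paths:
            print("  " + p)
```

The hash comparison is the strongest of the four checks: a dropped executable whose SHA256 equals the sample's is a self-relocation, not a second payload, and it explains why the sandbox counts only one malicious process. The path-based checks are heuristics and will need tuning for a different sandbox user profile.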
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 27
TCP/UDP connections: 9
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/main.css?t=202006121 | CN | text | 2.36 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/input_reg_act.png?t=20191021 | CN | image | 1.45 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 139.129.105.182:80 | http://wan.ludashi.com/micro/cjzg/index_lds.html?channel=mnds&from=mnds_wd_cjzg | CN | html | 3.04 Kb | unknown
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/third_qq.png?t=20191021 | CN | image | 4.09 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/log_btn.png?t=20191021 | CN | image | 61.2 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/bg.png?t=20200105 | CN | image | 149 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/upload.jpg | CN | image | 37.0 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/nav.png | CN | image | 16.5 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/input_reg_code.png?t=20191021 | CN | image | 1.79 Kb | suspicious
3552 | cjzg.exe | GET | 200 | 101.226.26.228:80 | http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/third_weixin.png?t=20191021 | CN | image | 4.81 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3552 | cjzg.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3552 | cjzg.exe | 139.129.105.182:80 | wan.ludashi.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3552 | cjzg.exe | 120.27.82.56:80 | i.ludashi.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
3552 | cjzg.exe | 180.163.121.216:80 | cdn-wan.ludashi.com | China Telecom (Group) | CN | unknown
3552 | cjzg.exe | 101.226.26.228:80 | cdn-file.ludashi.com | China Telecom (Group) | CN | unknown
3552 | cjzg.exe | 101.226.26.230:443 | cdn-file.ludashi.com | China Telecom (Group) | CN | unknown

DNS requests

Domain | IPs | Reputation
wan.ludashi.com | 139.129.105.182 | unknown
cdn-file.ludashi.com | 101.226.26.228, 101.226.26.233, 101.226.26.229, 101.226.26.227, 101.226.26.230, 101.226.26.226, 101.226.26.232, 101.226.26.231 | suspicious
cdn-wan.ludashi.com | 180.163.121.216, 101.226.26.175, 101.227.0.230, 114.80.24.212, 180.163.121.217, 101.226.26.176, 101.227.0.231, 114.80.24.213, 180.163.121.218, 101.226.26.177, 101.227.0.232, 114.80.24.206, 180.163.121.219, 101.226.26.178, 101.227.0.233, 114.80.24.207 | suspicious
cdn-ssl-wan.ludashi.com | 101.226.26.230, 101.226.26.229, 101.226.26.228, 101.226.26.233, 101.226.26.227, 101.226.26.226, 101.226.26.231, 101.226.26.232 | malicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
status.rapidssl.com | 93.184.220.29 | shared
i.ludashi.com | 120.27.82.56 | unknown
dns.msftncsi.com | 131.107.255.255 | shared
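Two things in the network tables deserve a second look before any of these names are promoted to IOCs. First, three of the nine DNS lookups (the Microsoft NCSI probe and the two OCSP responders) are background traffic that any Windows host or TLS client produces; every remaining name sits under ludashi.com and was fetched over cleartext HTTP on port 80. Second, cdn-ssl-wan.ludashi.com is rated "malicious" while cdn-file.ludashi.com is rated "suspicious", yet both resolve to the same eight 101.226.26.x addresses, so the verdict is attached to the hostname rather than to the infrastructure. The script below is an added example, not ANY.RUN's code, and works over records transcribed from the DNS and HTTP tables; the BACKGROUND set and the naive "last two labels" domain split are the editor's assumptions.

```python
"""Network triage over the report's DNS and HTTP tables.

Added example, not ANY.RUN's code. DNS and HTTP records are transcribed
from this report; BACKGROUND and the naive domain split are editor's assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Hosts contacted by a stock Windows client regardless of the sample (assumption).
BACKGROUND = {
    "dns.msftncsi.com": "Windows NCSI connectivity probe",
    "ocsp.digicert.com": "OCSP revocation check",
    "status.rapidssl.com": "OCSP revocation check",
}

# name -> (resolved IPs, reputation as shown in the report)
DNS = {
    "wan.ludashi.com": (["139.129.105.182"], "unknown"),
    "cdn-file.ludashi.com": (["101.226.26.%d" % n for n in range(226, 234)], "suspicious"),
    "cdn-wan.ludashi.com": ([
        "180.163.121.216", "101.226.26.175", "101.227.0.230", "114.80.24.212",
        "180.163.121.217", "101.226.26.176", "101.227.0.231", "114.80.24.213",
        "180.163.121.218", "101.226.26.177", "101.227.0.232", "114.80.24.206",
        "180.163.121.219", "101.226.26.178", "101.227.0.233", "114.80.24.207"], "suspicious"),
    "cdn-ssl-wan.ludashi.com": (["101.226.26.%d" % n for n in range(226, 234)], "malicious"),
    "ocsp.digicert.com": (["93.184.220.29"], "whitelisted"),
    "status.rapidssl.com": (["93.184.220.29"], "shared"),
    "i.ludashi.com": (["120.27.82.56"], "unknown"),
    "dns.msftncsi.com": (["131.107.255.255"], "shared"),
}

# (pid, method, status, peer, url) for the ten requests shown in the report
HTTP = [
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/main.css?t=202006121"),
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/input_reg_act.png?t=20191021"),
    (3552, "GET", 200, "139.129.105.182:80", "http://wan.ludashi.com/micro/cjzg/index_lds.html?channel=mnds&from=mnds_wd_cjzg"),
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/third_qq.png?t=20191021"),
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/log_btn.png?t=20191021"),
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/bg.png?t=20200105"),
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/upload.jpg"),
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/nav.png"),
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/input_reg_code.png?t=20191021"),
    (3552, "GET", 200, "101.226.26.228:80", "http://cdn-file.ludashi.com/wan/micro/cjzg/assets_lds/third_weixin.png?t=20191021"),
]


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for the .com names here; a real tool
    would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def sample_traffic(dns, background=BACKGROUND):
    """{registrable domain: {name: reputation}} for names not explained by background noise."""
    groups = defaultdict(dict)
    for name, (_ips, rep) in dns.items():
        if name not in background:
            groups[registrable_domain(name)][name] = rep
    return dict(groups)


def shared_ip_verdicts(dns):
    """IPs resolved by more than one name, with the reputation each name carries."""
    by_ip = defaultdict(dict)
    for name, (ips, rep) in dns.items():
        for ip in ips:
            by_ip[ip][name] = rep
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def http_summary(http):
    """Requests per host, query keys seen, and whether any request used cleartext http://."""
    per_host = defaultdict(int)
    keys = set()
    cleartext = False
    for _pid, _method, _code, _peer, url in http:
        parts = urlsplit(url)
        per_host[parts.hostname] += 1
        keys.update(parse_qs(parts.query))
        cleartext = cleartext or parts.scheme == "http"
    return {"hosts": dict(per_host), "query_keys": sorted(keys), "cleartext": cleartext}


if __name__ == "__main__":
    print(sample_traffic(DNS))
    for ip, names in sorted(shared_ip_verdicts(DNS).items()):
        print(ip, names)
    print(http_summary(HTTP))
```

Running it collapses the sample-attributable traffic to a single registrable domain, lists the nine addresses that carry conflicting per-name verdicts, and shows that every request went out as plain HTTP with cache-busting and channel-tracking query parameters (t, channel, from). Whether ludashi.com belongs on a blocklist is a policy decision; the script only makes clear which rows of the report that decision actually rests on.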

Threats

No threats detected
No debug info