File name:

小苹果活动助手V1.26猴岛版.exe

Full analysis: https://app.any.run/tasks/aa3b7b27-c8ce-44fc-ab0c-48b8c6f0b2fa
Verdict: Suspicious activity
Analysis date: October 11, 2018, 01:53:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7A9E72C9B9CD964D6F8A6C25AA371159

SHA1:

794541995DD8B7799629DE73C1F9654EAA85EFF4

SHA256:

9FC358200276C6504E1D9853CE3DEA23BF4596549A5BF506D7C5D3E3425A6C02

SSDEEP:

24576:Hf7V2T75slAfHlLzq3BmQrJaLQZTGi07wZLFeHdAq:Hf7q7AAdLleaST00feKq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads internet explorer settings

      • 小苹果活动助手V1.26猴岛版.exe (PID: 3000)

    • Connects to unusual port

      • 小苹果活动助手V1.26猴岛版.exe (PID: 3000)

    • Creates files in the user directory

      • 小苹果活动助手V1.26猴岛版.exe (PID: 3000)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:02:17 15:23:57+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 2002944
InitializedDataSize: 905216
UninitializedDataSize: -
EntryPoint: 0x330001
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.6.0
ProductVersionNumber: 1.2.6.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.2.6.0
FileDescription: 小苹果活动助手-自动领取游戏道具!
ProductName: 小苹果活动助手
ProductVersion: 1.2.6.0
CompanyName: 大空白
LegalCopyright: 123xpg.com 版权所有
Comments: 小苹果活动助手官网:www.123xpg.com

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 17-Feb-2018 14:23:57
Detected languages:
  • Chinese - PRC
FileVersion: 1.2.6.0
FileDescription: 小苹果活动助手-自动领取游戏道具!
ProductName: 小苹果活动助手
ProductVersion: 1.2.6.0
CompanyName: 大空白
LegalCopyright: 123xpg.com 版权所有
Comments: 小苹果活动助手官网:www.123xpg.com

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000120

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 17-Feb-2018 14:23:57
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x001E9000
0x0007B200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99946
.rdata
0x001EA000
0x0008F000
0x0005C000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99926
.data
0x00279000
0x00098000
0x00009600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99126
.rsrc
0x00311000
0x0001F000
0x00003600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.0788
.aspack
0x00330000
0x0001A000
0x0001A000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.32565
.adata
0x0034A000
0x00001000
0x00000000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.96414
628
Latin 1 / Western European
Chinese - PRC
RT_VERSION
2
2.18858
296
Latin 1 / Western European
Chinese - PRC
RT_ICON
3
4.11223
67624
Latin 1 / Western European
UNKNOWN
RT_ICON
4
4.23138
16936
Latin 1 / Western European
UNKNOWN
RT_ICON
5
4.26326
9640
Latin 1 / Western European
UNKNOWN
RT_ICON
6
4.49181
4264
Latin 1 / Western European
UNKNOWN
RT_ICON
7
4.73792
1128
Latin 1 / Western European
UNKNOWN
RT_ICON
127
0.816689
12
Latin 1 / Western European
Chinese - PRC
RT_MENU
150
2.10096
152
Latin 1 / Western European
Chinese - PRC
RT_DIALOG
286
1.42682
378
Latin 1 / Western European
Chinese - PRC
RT_DIALOG

Imports

advapi32.dll
avifil32.dll
comctl32.dll
comdlg32.dll
gdi32.dll
kernel32.dll
msvfw32.dll
ole32.dll
oleaut32.dll
oledlg.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
1
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 小苹果活动助手v1.26猴岛版.exe

Process information

PID
CMD
Path
Indicators
Parent process
3000"C:\Users\admin\Desktop\小苹果活动助手V1.26猴岛版.exe" C:\Users\admin\Desktop\小苹果活动助手V1.26猴岛版.exe
explorer.exe
User:
admin
Company:
大空白
Integrity Level:
MEDIUM
Description:
小苹果活动助手-自动领取游戏道具!
Exit code:
0
Version:
1.2.6.0
Modules
Images
c:\users\admin\desktop\小苹果活动助手v1.26猴岛版.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
Total events
112
Read events
83
Write events
29
Delete events
0

Modification events

(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Multimedia\DrawDib
Operation:writeName:vga.drv 1280x720x32(BGR 0)
Value:
31,31,31,31
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3000) 小苹果活动助手V1.26猴岛版.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\???????V1_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
Executable files
0
Suspicious files
0
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
3000小苹果活动助手V1.26猴岛版.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@123xpg[1].txttext
MD5:01BEFFABBD3C07CF49F34AB361EC0316
SHA256:B9147D10B3ABB62A2579AEA510CDC62C43EF792204FC1E579B8E48D2D2695A3F
3000小苹果活动助手V1.26猴岛版.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\pc[1].htmhtml
MD5:8F1550E0A2988AF732E905C37B872A6C
SHA256:C056CC3D9AB9F0AB8FC07035EDC8EFA0691A8E481D5C5266DA4E72290A5DD246
3000小苹果活动助手V1.26猴岛版.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\stat[1].phptext
MD5:56AC3F1FE31C16EDB7B01671A5E2D20D
SHA256:375BA0DF9F83BB53B5460DA391C41BEB1B804E89366B21852354BC80F4446B0F
3000小苹果活动助手V1.26猴岛版.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@www.123xpg[1].txttext
MD5:BDFAF315CCC97192F09C5D6C3B9D1370
SHA256:F55386AC86A4665852431060B623E186F5C064659709B97F9B9AB2C3735BDFEF
3000小苹果活动助手V1.26猴岛版.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@123xpg[2].txttext
MD5:07C10A0CB6B352944B725B04AD51597A
SHA256:B07202D925459F4AB1DCEDE9C5139EC0371530AA854F6E0E14BB39038506FDCA
3000小苹果活动助手V1.26猴岛版.exeC:\Users\admin\Desktop\123xpg.initext
MD5:A7C0629242724085FEAD3162DDAA6A49
SHA256:A6EDD676CB9BDD5A16994206953CA9546CD64987E5B58ADCBA5CA459BBDF1F55
3000小苹果活动助手V1.26猴岛版.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\core[1].phphtml
MD5:F3D080EE536E5B04901B1A01E2486A65
SHA256:55FACE95428E5A30D3B3FE9B5DE94E73D0BD7D6ACFD94A4F713B3086C8081A0D
3000小苹果活动助手V1.26猴岛版.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\stat[1].htmtext
MD5:444BCB3A3FCF8389296C49467F27E1D6
SHA256:2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
14
DNS requests
7
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3000
小苹果活动助手V1.26猴岛版.exe
GET
200
103.214.143.177:3322
http://103.214.143.177:3322/cfxpg.css
HK
text
44.0 Kb
unknown
3000
小苹果活动助手V1.26猴岛版.exe
GET
404
122.114.124.88:80
http://122.114.124.88/cfxpg.css
CN
html
315 b
unknown
3000
小苹果活动助手V1.26猴岛版.exe
GET
404
122.114.124.88:80
http://122.114.124.88/ver.css
CN
html
315 b
unknown
3000
小苹果活动助手V1.26猴岛版.exe
GET
302
162.159.229.73:80
http://www.123xpg.com/pc.html
unknown
html
214 b
shared
3000
小苹果活动助手V1.26猴岛版.exe
GET
200
103.214.143.177:3322
http://103.214.143.177:3322/ver.css
HK
text
26.1 Kb
unknown
3000
小苹果活动助手V1.26猴岛版.exe
GET
200
60.14.127.18:80
http://i1.fuimg.com/594172/4c9756556c36b8a0.jpg
CN
image
59.9 Kb
malicious
3000
小苹果活动助手V1.26猴岛版.exe
GET
200
218.92.218.42:80
http://i2.tiimg.com/594172/9e3698e1b540a573.png
CN
image
31.8 Kb
malicious
3000
小苹果活动助手V1.26猴岛版.exe
GET
200
60.14.127.18:80
http://i1.fuimg.com/594172/27c0d0975f0f9f93.jpg
CN
image
66.5 Kb
malicious
3000
小苹果活动助手V1.26猴岛版.exe
GET
200
195.27.31.223:80
http://ww4.sinaimg.cn/large/0060lm7Tly1fkmq6y5mwqj304q0370t6.jpg
DE
image
25.7 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3000
小苹果活动助手V1.26猴岛版.exe
103.214.143.177:3322
Shanghai Anchang Network Security Technology Co.,Ltd.
HK
unknown
3000
小苹果活动助手V1.26猴岛版.exe
117.21.173.211:3322
No.31,Jin-rong Street
CN
unknown
3000
小苹果活动助手V1.26猴岛版.exe
162.159.229.73:80
www.123xpg.com
Cloudflare Inc
shared
3000
小苹果活动助手V1.26猴岛版.exe
122.114.124.88:80
CHINA UNICOM China169 Backbone
CN
unknown
3000
小苹果活动助手V1.26猴岛版.exe
162.159.229.73:443
www.123xpg.com
Cloudflare Inc
shared
3000
小苹果活动助手V1.26猴岛版.exe
218.92.218.42:80
i2.tiimg.com
No.31,Jin-rong Street
CN
unknown
3000
小苹果活动助手V1.26猴岛版.exe
60.14.127.18:80
i2.tiimg.com
CHINA UNICOM China169 Backbone
CN
suspicious
3000
小苹果活动助手V1.26猴岛版.exe
195.27.31.223:80
ww4.sinaimg.cn
CW Vodafone Group PLC
DE
malicious
3000
小苹果活动助手V1.26猴岛版.exe
122.228.95.178:443
s95.cnzz.com
CHINANET Sichuan province Chengdu MAN network
CN
unknown
3000
小苹果活动助手V1.26猴岛版.exe
203.119.206.97:443
z4.cnzz.com
CN
unknown

DNS requests

Domain
IP
Reputation
www.123xpg.com
  • 162.159.229.73
  • 162.159.228.73
unknown
i2.tiimg.com
  • 218.92.218.42
  • 60.14.127.18
  • 122.156.230.46
  • 58.222.19.164
  • 60.14.127.20
  • 221.12.160.213
  • 60.174.156.149
  • 60.174.156.130
  • 60.174.156.131
  • 219.146.10.131
  • 101.69.113.245
  • 101.69.113.246
malicious
i1.fuimg.com
  • 60.14.127.18
  • 122.156.230.46
  • 58.222.19.164
  • 60.14.127.20
  • 221.12.160.213
  • 60.174.156.149
  • 60.174.156.130
  • 60.174.156.131
  • 219.146.10.131
  • 101.69.113.245
  • 101.69.113.246
  • 218.92.218.42
malicious
s95.cnzz.com
  • 122.228.95.178
  • 122.228.7.250
whitelisted
ww4.sinaimg.cn
  • 195.27.31.223
  • 195.27.31.224
  • 195.27.31.225
  • 195.27.31.226
  • 195.27.31.253
  • 195.27.31.213
  • 195.27.31.221
  • 195.27.31.222
whitelisted
z4.cnzz.com
  • 203.119.206.97
whitelisted
c.cnzz.com
  • 122.228.7.250
  • 122.228.95.178
whitelisted

Threats

PID
Process
Class
Message
3000
小苹果活动助手V1.26猴岛版.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
3000
小苹果活动助手V1.26猴岛版.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
小苹果活动助手V1.26猴岛版.exe