Malware analysis eSbC Malicious activity | ANY.RUN

Add for printing

download:	eSbC
Full analysis:	https://app.any.run/tasks/0fff8c51-1cc4-42d4-92f4-505db36a97af
Verdict:	Malicious activity
Analysis date:	November 14, 2018, 09:42:41
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware
Indicators:
MIME:	text/html
File info:	HTML document, ASCII text, with very long lines
MD5:	295C0F84AFF027D2AE29C06ECB8856D4
SHA1:	71EA31A7F8707B06A45342414CF78F4F72154CD5
SHA256:	A5C6654DC9E54A6CB385F5697E922B996DFC0AB31301E6D428880F6396BD1F3D
SSDEEP:	12:kxVkMqIx3bxrGn1eIVseSpZMZSyqxe6jl1IRdg3YDRRQIhI:kHkMqc3Rotjexeql1ILvRRdhI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Application launched itself
  - iexplore.exe (PID: 3628)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 1452)
  - iexplore.exe (PID: 2584)
- Reads internet explorer settings
  - iexplore.exe (PID: 2584)
  - iexplore.exe (PID: 1452)
- Changes internet zones settings
  - iexplore.exe (PID: 3628)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.html	\|	HyperText Markup Language (100)

EXIF

HTML

Refresh:	5; url=http://ww9.lmwhtfy.com/
Title:	Loading

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3628	"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Downloads\eSbC.html	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
1452	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3628 CREDAT:79873	C:\Program Files\Internet Explorer\iexplore.exe	—	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2584	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3628 CREDAT:137473	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

530

Read events

446

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3628	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico		—
		MD5:—	SHA256:—
3628	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3628	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF2DF8D4E3D9EAA6B2.TMP		—
		MD5:—	SHA256:—
2584	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\findbetterresults_com[1].txt		—
		MD5:—	SHA256:—
2584	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018111420181115\index.dat		dat
		MD5:4024F6B1E0E7578D2DA7E3BA2AA62519	SHA256:69610DFE8C3BB75AA259FF43E11DAE71031000336E718FD1329FEE7D554493BA
3628	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{AA6CB74E-E7F1-11E8-9C83-5254004AAD11}.dat		binary
		MD5:1D3092BA18461D8D04796EFE42AE58FF	SHA256:2643E1CC27D0D53F02DA2ED3B709713DDFCC079F0558E92B9239E536571CAA68
2584	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\min[1].js		text
		MD5:5563332AD6AF63C9C94CEF15761BE544	SHA256:4EFEC11A42893D4DF0249174CBE5AFAE24A5734F5DED35C5E84C56BF9F473EC2
2584	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\findbetterresults_com[1].htm		html
		MD5:F8DBFD551043913454B08AB76D45A667	SHA256:5BA6AD4EF990DF8AB06DAE5C1507EB8A8F10FDF131C276412E2C94AAA2764BBE
1452	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018111420181115\index.dat		dat
		MD5:AA9F8D280D9C4ACF2161816EB572CFC7	SHA256:1F711D2BC2F5E0997CF0429D6BBB31D4491E556ED4AC72CAB58834D74A70B8F4
3628	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[2].png		image
		MD5:9FB559A691078558E77D6848202F6541	SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2584	iexplore.exe	GET	302	185.53.179.29:80	http://ww9.lmwhtfy.com/	DE	—	—	malicious
2584	iexplore.exe	GET	200	208.91.196.46:80	http://findbetterresults.com/?dn=lmwhtfy.com&pid=9PO755G95	VG	html	6.22 Kb	malicious
2584	iexplore.exe	GET	200	2.16.186.64:80	http://i4.cdn-image.com/__media__/js/min.js?v2.2	unknown	text	2.97 Kb	whitelisted
2584	iexplore.exe	GET	—	2.16.186.64:80	http://i1.cdn-image.com/__media__/pics/12471/libgh.png	unknown	—	—	whitelisted
2584	iexplore.exe	GET	200	2.16.186.64:80	http://i1.cdn-image.com/__media__/pics/12471/kwbg.jpg	unknown	image	36.3 Kb	whitelisted
2584	iexplore.exe	GET	200	2.16.186.64:80	http://i1.cdn-image.com/__media__/pics/12471/bodybg.png	unknown	image	94.9 Kb	whitelisted
2584	iexplore.exe	GET	200	208.91.196.46:80	http://findbetterresults.com/px.js?ch=1	VG	text	346 b	malicious
2584	iexplore.exe	GET	200	2.16.186.64:80	http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?	unknown	eot	33.8 Kb	whitelisted
2584	iexplore.exe	GET	200	208.91.196.46:80	http://findbetterresults.com/px.js?ch=2	VG	text	346 b	malicious
2584	iexplore.exe	GET	200	208.91.196.46:80	http://findbetterresults.com/sk-logabpstatus.php?a=cTVzSEgxZXBudzgzN1BuUUhzS3lCMVNWK04wOGNuQzQzcW95MC9ycnQ5L3RtMFpPTjJ4RFpuREdGN0txejRSYWpZQ1J4VXJhZi85ckREeENQTEZCdXZKL093MWZpM1lWb1Q0OXNRVlJldEU9&b=false	VG	text	346 b	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3628	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2584	iexplore.exe	2.16.186.106:80	i4.cdn-image.com	Akamai International B.V.	—	whitelisted
2584	iexplore.exe	2.16.186.64:80	i4.cdn-image.com	Akamai International B.V.	—	whitelisted
3628	iexplore.exe	208.91.196.46:80	findbetterresults.com	Confluence Networks Inc	VG	malicious
2584	iexplore.exe	208.91.196.46:80	findbetterresults.com	Confluence Networks Inc	VG	malicious
2584	iexplore.exe	185.53.179.29:80	ww9.lmwhtfy.com	Team Internet AG	DE	malicious

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
ww9.lmwhtfy.com	185.53.179.29	malicious
findbetterresults.com	208.91.196.46	malicious
i4.cdn-image.com	2.16.186.64 2.16.186.106	whitelisted
i2.cdn-image.com	2.16.186.106 2.16.186.64	whitelisted
i1.cdn-image.com	2.16.186.64 2.16.186.106	whitelisted
i3.cdn-image.com	2.16.186.106 2.16.186.64	whitelisted

Threats

PID	Process	Class	Message
2584	iexplore.exe	Misc activity	ADWARE [PTsecurity] InstantAccess

Add for printing

No debug info

General Info

eSbC

295C0F84AFF027D2AE29C06ECB8856D4

71EA31A7F8707B06A45342414CF78F4F72154CD5

A5C6654DC9E54A6CB385F5697E922B996DFC0AB31301E6D428880F6396BD1F3D

12:kxVkMqIx3bxrGn1eIVseSpZMZSyqxe6jl1IRdg3YDRRQIhI:kHkMqc3Rotjexeql1ILvRRdhI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Application launched itself

Reads Internet Cache Settings

Reads internet explorer settings

Changes internet zones settings

Malware configuration

Static information

TRiD

EXIF

HTML

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings