URL: | http://www.duba.net |
Full analysis: | https://app.any.run/tasks/338fe9d7-2681-4539-a480-82cb266e9a39 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | July 11, 2019, 13:11:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 6E73D0B98F3574D03128E73EE0538E82 |
SHA1: | C882E2CAAEA320C93907311F32CA3F34373339FC |
SHA256: | AE6194CED5A24D8F2A4AFF473B6BBCD41048AAC4A0C837550148EE17214BA0B8 |
SSDEEP: | 3:N1KJS4xIR:Cc4+R |
PID | CMD | Path | Indicators | Parent process | Process details |
---|---|---|---|---|---|
3500 | "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.duba.net | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 67.0.4 |
2828 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.0.1780051164\727074752" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 1168 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 67.0.4 |
2348 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.3.229431990\1352599677" -childID 1 -isForBrowser -prefsHandle 1696 -prefMapHandle 1644 -prefsLen 1 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 1744 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 67.0.4 |
2532 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.13.932386161\1500555204" -childID 2 -isForBrowser -prefsHandle 2788 -prefMapHandle 2792 -prefsLen 5842 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 2820 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 67.0.4 |
3268 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.20.946313061\331668112" -childID 3 -isForBrowser -prefsHandle 3624 -prefMapHandle 3632 -prefsLen 6604 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 3644 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 67.0.4 |
2564 | "C:\Users\admin\Downloads\kinst_150_1_20170912.exe" | C:\Users\admin\Downloads\kinst_150_1_20170912.exe | — | explorer.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: MEDIUM; Description: Kingsoft Install Tool; Exit code: 3221226540; Version: 2017,08,29,18953 |
1316 | "C:\Users\admin\Downloads\kinst_150_1_20170912.exe" | C:\Users\admin\Downloads\kinst_150_1_20170912.exe | — | explorer.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: HIGH; Description: Kingsoft Install Tool; Exit code: 0; Version: 2017,08,29,18953 |
1768 | "C:\Users\admin\AppData\Local\Temp\duba_100_50.exe" /rcmdfromkinst /rcmdSceneId=2 /rcmdSoftId=0 /rcmdcheck=1 /rcmdreason="NoRcmdItem" /rcmdCid=0 /rcmdTid=0 /rcmdCanRcmd=0 /autoinstall ##silence=0&installpath="C:\Program Files\kingsoft\kingsoft antivirus\"&hwnd=201e2&tid1=100 tid2=50 tod1=100 tod2=51 | C:\Users\admin\AppData\Local\Temp\duba_100_50.exe | — | kinst_150_1_20170912.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: HIGH; Description: 安装程序 (Installer); Exit code: 1; Version: 2019,06,20,22255 |
308 | "c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /kislive /devmgr /install | c:\program files\kingsoft\kingsoft antivirus\kxetray.exe | — | duba_100_50.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: HIGH; Description: 金山毒霸 (Kingsoft Duba); Version: 2019,07,05,22317 |
2448 | "c:\program files\kingsoft\kingsoft antivirus\kavlog2.exe" -install | c:\program files\kingsoft\kingsoft antivirus\kavlog2.exe | — | duba_100_50.exe | User: admin; Company: Kingsoft Corporation; Integrity Level: HIGH; Description: KXEngine KeventLog3; Exit code: 0; Version: 2018,06,14,20609 |
(PID) Process: | (3500) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: | 0000000000000000 |
(PID) Process: | (3500) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: | 0 |
(PID) Process: | (3500) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: | — |
(PID) Process: | (124) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | 308046O0NS4N39PO |
Value: | 000000000100000003000000742E0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF03E474BA9E1D40100000000 |
(PID) Process: | (124) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count |
Operation: | write | Name: | HRZR_PGYFRFFVBA |
Value: | — |
(PID) Process: | (3500) firefox.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: | en-US |
(PID) Process: | (3500) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: | 0 |
(PID) Process: | (3500) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: | 1 |
(PID) Process: | (124) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | NodeSlots |
Value: | 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 |
(PID) Process: | (124) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
Operation: | write | Name: | MRUListEx |
Value: | 0100000002000000000000000700000006000000030000000500000004000000FFFFFFFF |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3500 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | — | — |
3500 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | — | — |
3500 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.tmp | — | — | — |
3500 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | — | — |
3500 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | — | — |
3500 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | — | — | — |
3500 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | — | — | — |
3500 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | — | — | — |
848 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | 89B163A5751B417E52EE9ABE1034EDD2 | 00D1E1123575F8BBE9ECDE0146CF42470A8AE00FE7A60AAC09A44E71092A16EB |
3500 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | D65B2BD591A1D6CC666241E6EEF1AFE7 | 1B94F69A3BF3CB9F7349FE274CA82166C22D675F9B043B19F2770D044AE9BD16 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3500 | firefox.exe | GET | 200 | 202.173.15.148:80 | http://kxlogo.knet.cn/seallogo.dll?sn=e12042311010018602307708&size=0 | CN | — | — | unknown |
3500 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3500 | firefox.exe | GET | 200 | 36.99.227.229:80 | http://dh1.cmcmcdn.com/duba/5/a/1/3/0/5a13045f60ead4b4b955d756d3b0e922.png | CN | image | 182 Kb | malicious |
3500 | firefox.exe | GET | 200 | 103.235.46.191:80 | http://hm.baidu.com/hm.js?7b344617dc861558bc02241018ca7977 | HK | text | 11.5 Kb | whitelisted |
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/css/indexS.css?v=20190531 | CN | text | 4.63 Kb | malicious |
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/ | CN | html | 3.81 Kb | malicious |
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/js/jss/jquery-1.11.2.min.js | CN | text | 93.6 Kb | malicious |
3500 | firefox.exe | POST | 200 | 172.217.18.3:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/js/jss/jquery.js | CN | text | 70.3 Kb | malicious |
3500 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3500 | firefox.exe | 34.251.59.153:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown |
3500 | firefox.exe | 36.99.227.230:80 | dh1.cmcmcdn.com | No.31,Jin-rong Street | CN | suspicious |
3500 | firefox.exe | 143.204.205.62:443 | snippets.cdn.mozilla.net | — | US | unknown |
3500 | firefox.exe | 52.26.103.165:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3500 | firefox.exe | 2.16.106.209:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
3500 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3500 | firefox.exe | 202.173.15.148:80 | kxlogo.knet.cn | KNET Techonlogy (BeiJing) Co.,Ltd. | CN | unknown |
3500 | firefox.exe | 218.24.18.58:80 | www.duba.net | CHINA UNICOM China169 Backbone | CN | suspicious |
3500 | firefox.exe | 52.11.30.237:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3500 | firefox.exe | 54.189.245.11:443 | push.services.mozilla.com | Amazon.com, Inc. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.duba.net | — | malicious |
detectportal.firefox.com | — | whitelisted |
a1089.dscd.akamai.net | — | whitelisted |
zliebao.v.qingcdn.com | — | suspicious |
location.services.mozilla.com | — | whitelisted |
locprod1-elb-eu-west-1.prod.mozaws.net | — | whitelisted |
push.services.mozilla.com | — | whitelisted |
autopush.prod.mozaws.net | — | whitelisted |
tiles.services.mozilla.com | — | whitelisted |
snippets.cdn.mozilla.net | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3500 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
1316 | kinst_150_1_20170912.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E |
1316 | kinst_150_1_20170912.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E |
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
1316 | kinst_150_1_20170912.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E |
1316 | kinst_150_1_20170912.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E |
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) |
Process | Message |
---|---|
duba_100_50.exe | 14:13:34|~02888| [KAVMENU] reg_duba_32bit |
kavlog2.exe | _tWinMain End. |
kxescore.exe | c:\program files\kingsoft\kingsoft antivirus\ksapi.dll |
kxescore.exe | c:\program files\kingsoft\kingsoft antivirus\ksapi.dll |
kxetray.exe | c:\program files\kingsoft\kingsoft antivirus\ksapi.dll |
kxetray.exe | c:\program files\kingsoft\kingsoft antivirus\ksapi.dll |
kxescore.exe | <ERROR>Inst |
kxescore.exe | <FATAL>load Install Interface c:\program files\kingsoft\kingsoft antivirus\security\ksde\knetctrl.dll Fatal = 1 |
kxescore.exe | <FATAL>Install KNetFlt Driver = 1 |
kxescore.exe | <FATAL>load Install Interface c:\program files\kingsoft\kingsoft antivirus\security\ksde\kmctrl.dll Fatal = 1 |