Field | Value
---|---
File name | javasetup_3464356675.exe
Full analysis | https://app.any.run/tasks/721c044f-befa-4b4e-94c7-02545efe03a8
Verdict | Malicious activity
Analysis date | May 15, 2019, 09:02:25
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | application/x-dosexec
File info | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5 | C5C1430AE5B7407C897F683DA1B2DCC2
SHA1 | 0358B6CABDDA6F54B09A34DFBC9363CA6276AC58
SHA256 | AFCB308AAB662164AB2B2A4A9F7FE179FB40128C1BACA16EFC297CBA754B14E9
SSDEEP | 49152:ud+aIBnhJfU+JNjHI8JGMu5IZP9vyhAcUK55Mm:r1hi+JBJGMECP9yhdUml
Extension | Detected type (score)
---|---
.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)
Field | Value
---|---
ProductVersion | 3.8.7
ProductName | Rer
LegalTrademarks | —
LegalCopyright | —
FileVersion | 1.8.4.3
FileDescription | Rer Setup
CompanyName | Bul
Comments | —
CharacterSet | Windows, Latin1
LanguageCode | English (U.S.)
FileSubtype | -
ObjectFileType | Executable application
FileOS | Win32
FileFlags | (none)
FileFlagsMask | 0x0000
ProductVersionNumber | 0.0.0.0
FileVersionNumber | 0.0.0.0
Subsystem | Windows GUI
SubsystemVersion | 4
ImageVersion | 6
OSVersion | 4
EntryPoint | 0x312a
UninitializedDataSize | 1024
InitializedDataSize | 164864
CodeSize | 24576
LinkerVersion | 6
PEType | PE32
TimeStamp | 2016:04:02 05:20:13+02:00
MachineType | Intel 386 or later, and compatibles
Field | Value
---|---
Architecture | IMAGE_FILE_MACHINE_I386
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date | 02-Apr-2016 03:20:13 (UTC; the same instant as the +02:00 TimeStamp above)
Detected languages | —
Field | Value
---|---
Magic number | MZ
Bytes on last page of file | 0x0090
Pages in file | 0x0003
Relocations | 0x0000
Size of header (paragraphs) | 0x0004
Min extra paragraphs | 0x0000
Max extra paragraphs | 0xFFFF
Initial SS value | 0x0000
Initial SP value | 0x00B8
Checksum | 0x0000
Initial IP value | 0x0000
Initial CS value | 0x0000
Overlay number | 0x0000
OEM identifier | 0x0000
OEM information | 0x0000
Address of NE header (e_lfanew) | 0x000000C8
Field | Value
---|---
Signature | PE
Machine | IMAGE_FILE_MACHINE_I386
Number of sections | 5
Time date stamp | 02-Apr-2016 03:20:13
Pointer to Symbol Table | 0x00000000
Number of symbols | 0
Size of Optional Header | 0x00E0
Characteristics | —
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00005E66 | 0x00006000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.4976 |
.rdata | 0x00007000 | 0x000012A2 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.05833 |
.data | 0x00009000 | 0x00025D18 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.18773 |
.ndata | 0x0002F000 | 0x00008000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x00037000 | 0x00001090 | 0x00001200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.75468 |
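The DOS header, PE header and section table above can be checked directly from the bytes with nothing more than the standard library. The following is an added example, not part of the ANY.RUN report: it parses e_lfanew, the COFF header, the first fields of the optional header and the section table, converts the 32-bit TimeDateStamp to UTC, and flags sections that occupy memory but have no bytes on disk (the NSIS `.ndata` section here). Because the analysed file is not reproduced on the page, `build_sample` constructs a synthetic image from the header values printed above; its section bodies are zero filler, so the entropies it yields are not the report's, and the COFF characteristics (blank in the report) and the linker minor version are placeholders.

```python
"""Minimal PE header parser checked against the values in the report above.

Added example, not part of the report. The synthetic image built below is a
stand-in constructed from the report's header fields, not the analysed file.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
PE32_MAGIC = 0x010B

# Section table as printed in the report: name, VA, virtual size, raw size, characteristics.
REPORT_SECTIONS = [
    (b".text",  0x00001000, 0x00005E66, 0x00006000, 0x60000020),
    (b".rdata", 0x00007000, 0x000012A2, 0x00001400, 0x40000040),
    (b".data",  0x00009000, 0x00025D18, 0x00000600, 0xC0000040),
    (b".ndata", 0x0002F000, 0x00008000, 0x00000000, 0xC0000080),
    (b".rsrc",  0x00037000, 0x00001090, 0x00001200, 0x40000040),
]


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor, code_sz, init_sz, uninit_sz, entry = struct.unpack_from("<HBBIIII", buf, opt)
    sect_off = opt + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _rl, _ln, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, sect_off + 40 * i)
        raw = buf[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize, "flags": flags,
            "entropy": round(entropy(raw), 5),
            # No bytes on disk: the loader zero-fills the range, so anything that later
            # executes from it was written at runtime (NSIS keeps its .ndata this way).
            "no_raw": rawsize == 0 and bool(flags & IMAGE_SCN_CNT_UNINITIALIZED_DATA),
        })
    return {
        "e_lfanew": e_lfanew,
        "machine": machine,
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "characteristics": chars,
        "pe32": magic == PE32_MAGIC,
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": code_sz,
        "initialized_data_size": init_sz,
        "uninitialized_data_size": uninit_sz,
        "entry_point": entry,
        "sections": sections,
    }


def build_sample(timestamp: int = 0x56FF3A6D, e_lfanew: int = 0xC8, opt_size: int = 0xE0) -> bytes:
    """Synthetic PE carrying the report's header values; section bodies are zero filler."""
    img = bytearray(e_lfanew)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    # COFF characteristics are blank in the report, so 0 is a placeholder here.
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(REPORT_SECTIONS), timestamp, 0, 0, opt_size, 0)
    opt = bytearray(opt_size)
    # Magic, linker 6.0 (minor assumed), CodeSize, InitializedDataSize, UninitializedDataSize, EntryPoint.
    struct.pack_into("<HBBIIII", opt, 0, PE32_MAGIC, 6, 0, 24576, 164864, 1024, 0x312A)
    img += b"PE\0\0" + coff + opt
    hdr_end = len(img) + 40 * len(REPORT_SECTIONS)
    first_raw = (hdr_end + 0x1FF) & ~0x1FF   # file alignment 0x200
    table, body = b"", b""
    for name, va, vsize, rawsize, flags in REPORT_SECTIONS:
        ptr = first_raw + len(body) if rawsize else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, ptr, 0, 0, 0, 0, flags)
        body += bytes(rawsize)
    img += table + bytes(first_raw - hdr_end) + body
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(info["timestamp"], hex(info["entry_point"]))
    for s in info["sections"]:
        print(f'{s["name"]:8} va={s["va"]:#010x} raw={s["rawsize"]:#x} no_raw={s["no_raw"]}')
```

Run against the real sample, `parse_pe(open(path, "rb").read())` gives the same fields the report prints, with per-section entropy computed from the actual bytes; the timestamp 0x56FF3A6D is the epoch value that renders as 02-Apr-2016 03:20:13 UTC.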
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.20725 | 716 | UNKNOWN | English - United States | RT_MANIFEST |
103 | 2.16096 | 20 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.66174 | 256 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.88094 | 284 | UNKNOWN | English - United States | RT_DIALOG |
111 | 2.48825 | 96 | UNKNOWN | English - United States | RT_DIALOG |
Imported library |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
KERNEL32.dll |
SHELL32.dll |
USER32.dll |
ole32.dll |
PID | Command line | Path | Parent process | User | Integrity level | Exit code | Image (company / description / version)
---|---|---|---|---|---|---|---
3420 | "C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe" | C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe | explorer.exe | admin | MEDIUM | 0 | Bul / Rer Setup / 1.8.4.3
1740 | "C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl | C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe | javasetup_3464356675.exe | admin | HIGH | 0 | Bul / Rer Setup / 1.8.4.3
1648 | "C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /_ShowProgress /PrTxt:TG9hZGluZy4uLg== /mnl | C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe | javasetup_3464356675.exe | admin | HIGH | 259 | Bul / Rer Setup / 1.8.4.3
3504 | "C:\Users\admin\Downloads\JavaSetup.exe" | C:\Users\admin\Downloads\JavaSetup.exe | javasetup_3464356675.exe | admin | HIGH | 0 | Oracle Corporation / Java Platform SE binary / 8.0.1110.14
1864 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ic-dc.clearcontentbinaries.com/pr/519d1546-8bc5-11e6-b7fc-0695da005429/typ_2.html?exlg=898 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | javasetup_3464356675.exe | admin | HIGH | 1 | Microsoft Corporation / Internet Explorer / 8.00.7600.16385 (win7_rtm.090713-1255)
3636 | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:79873 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | IEXPLORE.EXE | admin | HIGH | 0 | Microsoft Corporation / Internet Explorer / 8.00.7600.16385 (win7_rtm.090713-1255)
4040 | "C:\Users\admin\AppData\Local\Temp\jds1350843.tmp\JavaSetup.exe" | C:\Users\admin\AppData\Local\Temp\jds1350843.tmp\JavaSetup.exe | JavaSetup.exe | admin | HIGH | 0 | Oracle Corporation / Java Platform SE binary / 8.0.1110.14
2668 | /d /c TIMEOUT 3 & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\JAVASE~1.EXE" | C:\Windows\system32\cmd.exe | javasetup_3464356675.exe | admin | HIGH | 0 | Microsoft Corporation / Windows Command Processor / 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1732 | TIMEOUT 3 | C:\Windows\system32\timeout.exe | cmd.exe | admin | HIGH | 0 | Microsoft Corporation / timeout - pauses command processing / 6.1.7600.16385 (win7_rtm.090713-1255)
1212 | cmd /d /c del "C:\Users\admin\AppData\Local\Temp\JAVASE~1.EXE" | C:\Windows\system32\cmd.exe | cmd.exe | admin | HIGH | 0 | Microsoft Corporation / Windows Command Processor / 6.1.7601.17514 (win7sp1_rtm.101119-1850)
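The process table shows the bundler's full sequence: the first instance (PID 3420) runs at MEDIUM integrity under explorer.exe and relaunches itself at HIGH integrity (PIDs 1740 and 1648) with switches such as /RSF, /ppn and /mnl; the third instance carries a base64 /PrTxt argument; the genuine Oracle JavaSetup.exe is then run as the advertised payload and Internet Explorer is opened on a clearcontentbinaries.com page; finally cmd.exe waits three seconds with TIMEOUT and deletes the dropper from %TEMP%. Exit code 259 on PID 1648 is STILL_ACTIVE, meaning that instance had not exited when the analysis ended. The following is an added example, not code from the report or from ANY.RUN: it turns the rows above into constructed records and runs three checks a detection engineer would want over them: a same-image relaunch that jumps from MEDIUM to HIGH integrity, command-line switches whose values decode to printable base64 text, and the TIMEOUT-then-del self-delete pattern. The meaning of /RSF, /ppn and /mnl is not documented on the page, so the script only reports what decodes cleanly; the record and finding field names are this example's own.

```python
"""Triage checks over the process chain in the report above.

Added example, not part of the report. PROCESSES is constructed from the
report's process table; the parsing and scoring logic is this example's own.
"""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    parent: str      # parent image name, as in the report's "Parent process" column
    integrity: str   # MEDIUM / HIGH, as in the report's "Integrity Level"


@dataclass(frozen=True)
class Finding:
    pid: int
    kind: str
    detail: str


# Rows copied from the report's process table (not a live capture).
PROCESSES = [
    Proc(3420, r'"C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe"',
         "explorer.exe", "MEDIUM"),
    Proc(1740, r'"C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /mnl',
         "javasetup_3464356675.exe", "HIGH"),
    Proc(1648, r'"C:\Users\admin\AppData\Local\Temp\javasetup_3464356675.exe" /RSF /ppn:YyhwYgxaFRAiP211FM5W /_ShowProgress /PrTxt:TG9hZGluZy4uLg== /mnl',
         "javasetup_3464356675.exe", "HIGH"),
    Proc(3504, r'"C:\Users\admin\Downloads\JavaSetup.exe"',
         "javasetup_3464356675.exe", "HIGH"),
    Proc(2668, r'/d /c TIMEOUT 3 & cmd /d /c del "C:\Users\admin\AppData\Local\Temp\JAVASE~1.EXE"',
         "javasetup_3464356675.exe", "HIGH"),
]

# /name or /name:value, only where the slash starts a token (so URL slashes are ignored).
SWITCH_RE = re.compile(r'(?<!\S)/(\w+)(?::(\S+))?')
# "TIMEOUT <n> & ... del": delayed deletion of a file via the command processor.
SELF_DELETE_RE = re.compile(r'\bTIMEOUT\s+\d+\s*&.*?\bdel\b', re.IGNORECASE)


def image_name(cmd: str) -> str:
    """Basename of argv[0], lower-cased; handles a quoted first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
    else:
        first = cmd.split(None, 1)[0] if cmd.strip() else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_switches(cmd: str) -> dict:
    """Map each /name or /name:value switch to its value (None for bare flags)."""
    return {m.group(1): m.group(2) for m in SWITCH_RE.finditer(cmd)}


def decode_b64_text(value: str):
    """Decoded string if value is base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def is_self_delete(cmd: str) -> bool:
    return SELF_DELETE_RE.search(cmd) is not None


def triage(procs) -> list:
    """Apply the three checks to every record and collect findings."""
    medium_images = {image_name(p.cmd) for p in procs if p.integrity.upper() == "MEDIUM"}
    findings = []
    for p in procs:
        img = image_name(p.cmd)
        # Same image, spawned by itself, now HIGH while an earlier copy ran MEDIUM: a UAC hop.
        if p.integrity.upper() == "HIGH" and p.parent.lower() == img and img in medium_images:
            findings.append(Finding(p.pid, "elevated-relaunch", f"{img} relaunched itself at HIGH integrity"))
        for name, value in parse_switches(p.cmd).items():
            text = decode_b64_text(value) if value else None
            if text is not None:
                findings.append(Finding(p.pid, "base64-switch", f"/{name} decodes to {text!r}"))
        if is_self_delete(p.cmd):
            findings.append(Finding(p.pid, "self-delete", "delayed del of the dropper via cmd /c TIMEOUT"))
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"{f.pid:5} {f.kind:18} {f.detail}")
```

On the report's rows this yields an elevated-relaunch finding for PIDs 1740 and 1648, `/PrTxt` decoding to `'Loading...'` on PID 1648, and a self-delete finding on PID 2668; `/ppn:YyhwYgxaFRAiP211FM5W` is valid base64 but does not decode to printable text, so it is left alone rather than guessed at. The relaunch check keys on image name plus parent name because that is all the table provides; with real telemetry, key on parent PID instead.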
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\001349AE.log | — | — | —
848 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt | 71CA7046B0B8C29B86E377E31888B3D7 | 1EF7983D907EA8D5C152B0A6352827CA3F4133C26E42A77E66AF092D86073AD0
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\inH12640463880\css\ie6_main.scss | text | D10348D17ADF8A90670696728F54562D | E8A3D15CF32009B01B9145B6E62FF6CAA9C2981F81CE063578C73C7ADFF08DFC
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\inH12640463880\form.bmp.Mask | binary | D2FC989F9C2043CD32332EC0FAD69C70 | 27DD029405CBFB0C3BF8BAC517BE5DB9AA83E981B1DC2BD5C5D6C549FA514101
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\inH12640463880\css\helpers\_backgrounds.scss | text | 6092A3768F84CFBC6E5C52301F5B63EA | 8A22A3285F3C7D82AA1A4273BDD62729DA241723507C1ECD5D2FD0A24C12E23B
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\inH12640463880\css\helpers\_lists.scss | text | BDA575F11636073D71B86B89C94C6E42 | B15B8DB0368E31991FBE43C121409484562E20FB9599B5B3828E3093217DE163
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\inH12640463880\css\_helpers.scss | text | 5F158DBBD9FC4594A2F6C13854501916 | BF12B79F67F1CB9988797F7D81F6F504C8DFE0F0435482E64819A140DBC8DA14
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\inH12640463880\css\swAgent.css | text | 2543E3AF757C7D7C8A26C7CF57795F60 | C38892A06C8F50C6386ED794AF4F1EA3E1897AD5F0C7E19594D9EA7B20CFB3F1
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\inH12640463880\css\helpers\_border-radius.scss | text | 6BDF3FD89410E39D33F8137E04AD4A16 | 2C6B98CB19C3E3A0E37472767C53DF213243AE92BC80EF9A7F5BAA17F7B6FA31
1740 | javasetup_3464356675.exe | C:\Users\admin\AppData\Local\Temp\inH12640463880\css\_functions.scss | text | 8F7259DE64F6DDF352BF461F44D34A81 | 80EDC9D67172BC830D68D33F4547735FB072CADF3EF25AAB37A10B50DB87A069
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1740 | javasetup_3464356675.exe | POST | 200 | 54.194.149.175:80 | http://ww4.wetedecaredeli.com/ | IE | — | — | malicious |
1740 | javasetup_3464356675.exe | GET | 200 | 199.115.112.67:80 | http://img.wetedecaredeli.com/img/Jimomoromoj/Jimomoromoj_logo.png | US | image | 2.10 Kb | malicious |
1740 | javasetup_3464356675.exe | HEAD | 200 | 46.166.187.59:80 | http://app.wetedecaredeli.com/ofr/Solululadul/osutils.cis | NL | — | — | malicious |
1740 | javasetup_3464356675.exe | GET | 200 | 199.115.112.67:80 | http://img.wetedecaredeli.com/img/Nuhududanew/BG_TC_FS_N.png | US | image | 23.5 Kb | malicious |
1740 | javasetup_3464356675.exe | GET | 200 | 199.115.112.67:80 | http://img.wetedecaredeli.com/img/Tefenece/Tefenece_logo_black.png | US | image | 1.82 Kb | malicious |
1740 | javasetup_3464356675.exe | GET | 200 | 199.115.112.67:80 | http://img.wetedecaredeli.com/img/Nuhududanew/BG_FS.jpg | US | image | 19.1 Kb | malicious |
1740 | javasetup_3464356675.exe | GET | 200 | 199.115.112.67:80 | http://img.wetedecaredeli.com/img/Nuhududanew/BG_LONG.png | US | image | 233 Kb | malicious |
1740 | javasetup_3464356675.exe | GET | 200 | 199.115.112.67:80 | http://portal.wetedecaredeli.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16 | US | binary | 8.93 Kb | malicious |
1740 | javasetup_3464356675.exe | GET | 200 | 199.115.112.67:80 | http://img.wetedecaredeli.com/img/Sibarasawi/logo_comp.png | US | image | 12.4 Kb | malicious |
1740 | javasetup_3464356675.exe | HEAD | 200 | 46.166.187.59:80 | http://app.wetedecaredeli.com/ofr/Niniwic/YL/Niniwic_Tefenece_12Apr16 | NL | image | 1.83 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1740 | javasetup_3464356675.exe | 18.203.190.76:80 | www.wetedecaredeli.com | — | US | malicious |
1740 | javasetup_3464356675.exe | 199.115.112.67:80 | img.wetedecaredeli.com | Leaseweb USA, Inc. | US | malicious |
1740 | javasetup_3464356675.exe | 52.50.98.206:80 | vpn.wetedecaredeli.com | Amazon.com, Inc. | IE | malicious |
1740 | javasetup_3464356675.exe | 46.166.187.59:80 | app.wetedecaredeli.com | NForce Entertainment B.V. | NL | malicious |
1740 | javasetup_3464356675.exe | 54.230.129.169:80 | d30cmqc1wgivj.cloudfront.net | Amazon.com, Inc. | US | suspicious |
1740 | javasetup_3464356675.exe | 54.194.149.175:80 | ww4.wetedecaredeli.com | Amazon.com, Inc. | IE | malicious |
1864 | IEXPLORE.EXE | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3860 | iexplore.exe | 104.111.217.243:443 | www.java.com | Akamai International B.V. | NL | whitelisted |
4040 | JavaSetup.exe | 184.31.87.231:443 | javadl-esd-secure.oracle.com | Akamai International B.V. | NL | whitelisted |
4040 | JavaSetup.exe | 104.111.217.243:443 | www.java.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation
---|---|---
ww4.wetedecaredeli.com | — | malicious
www.wetedecaredeli.com | — | malicious
app.wetedecaredeli.com | — | malicious
vpn.wetedecaredeli.com | — | malicious
img.wetedecaredeli.com | — | malicious
portal.wetedecaredeli.com | — | malicious
d30cmqc1wgivj.cloudfront.net | — | whitelisted
ic-dc.clearcontentbinaries.com | — | whitelisted
www.bing.com | — | whitelisted
javadl-esd-secure.oracle.com | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
1740 | javasetup_3464356675.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2 |
1740 | javasetup_3464356675.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1 |
1740 | javasetup_3464356675.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M4 |
1740 | javasetup_3464356675.exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M3 |
1740 | javasetup_3464356675.exe | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3 |
1740 | javasetup_3464356675.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |