analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/jquery/login.php

Full analysis: https://app.any.run/tasks/f10ac09c-5f86-4645-858e-a5473143b4a6
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: April 15, 2019, 11:25:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ramnit
Indicators:
MD5:

E8707B7F7956BF25182A524A64C716BA

SHA1:

F9A47C059214A6FCF4BAAFD9A969CA815DA22D6D

SHA256:

B9EF182D529F4F1C20496A25A54ADD514612CF06F19914AC5E74365079C0295E

SSDEEP:

3:N1KbuLdIZMQEKrKbVXL5AUWNQjGeAXbBAUWiJQBAUWiJQBAUWiJQBAUWiJQBAUWO:CdPEKmbVb5AUWNQj5AVAUWqUAUWqUAU7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RAMNIT was detected

      • iexplore.exe (PID: 2744)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 916)
    • Changes internet zones settings

      • iexplore.exe (PID: 916)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2744)
    • Creates files in the user directory

      • iexplore.exe (PID: 2744)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4008)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe #RAMNIT iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
916"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2744"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:916 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4008C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
1 144
Read events
852
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
38
Unknown types
31

Dropped files

PID
Process
Filename
Type
916iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
916iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EMDIGA0Z\login[1].php
MD5:
SHA256:
2744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EMDIGA0Z\base[1].css
MD5:
SHA256:
2744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EMDIGA0Z\vdimgck[1].php
MD5:
SHA256:
2744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:95E3CFCE1C8CA7A07093F6B5D5D4658A
SHA256:B58AD7FE4A78C8004FD4E399B051B02EEE36E729B6A0884A6558407DFAC519C1
2744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:ECEF9EBE9EA2C6F3593B7CA315DBE721
SHA256:64A0FB09EF32662FBBB9CD379B2B0ED3BAE27DA7EE0DECD2FFD39D71DA3E4B1F
2744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EMDIGA0Z\adsview[1].htmtext
MD5:4B9F4249AD39C97603ACD263DECF23AB
SHA256:525C0EFB1C018672F8DDD8D01CED23C1CB364E5CC9DB51A278349FDF077524D4
2744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2744iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\EMDIGA0Z\login[1].csshtml
MD5:92003D3B84EFD1BDCA7FBB05EFC950F3
SHA256:58DF0D0C99F10F688CB600C9FF95AF161380D652E926C348BA6274023A408A7A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
26
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2744
iexplore.exe
GET
200
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/jquery/login.php
HK
html
64.4 Kb
malicious
2744
iexplore.exe
GET
200
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/jquery/css/base.css
HK
html
64.4 Kb
malicious
2744
iexplore.exe
GET
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/include/vdimgck.php
HK
malicious
2744
iexplore.exe
GET
200
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/include/js/jquery/jquery.js
HK
html
64.4 Kb
malicious
2744
iexplore.exe
GET
200
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/include/js/jquery/jquery.js
HK
html
64.4 Kb
malicious
2744
iexplore.exe
GET
200
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/jquery/css/login.css
HK
html
64.4 Kb
malicious
2744
iexplore.exe
GET
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/jquery/login.php?dopost=showad
HK
malicious
2744
iexplore.exe
GET
200
61.133.125.200:80
http://zz.dedecms.com/pos/v57login.html
CN
html
1.49 Kb
whitelisted
2744
iexplore.exe
GET
200
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/jquery/css/base.css
HK
html
64.4 Kb
malicious
2744
iexplore.exe
GET
47.90.92.3:80
http://www.2627858.com/yuanyuanqihua/login.php/include/js/jquery/include/include/js/include/js/include/js/include/js/include/js/include/js/include/js/include/vdimgck.php
HK
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
916
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2744
iexplore.exe
27.221.109.49:80
cbjs.baidu.com
CHINA UNICOM China169 Backbone
CN
unknown
61.133.125.200:80
ad.dedecms.com
CHINA UNICOM China169 Backbone
CN
unknown
2744
iexplore.exe
47.90.92.3:80
2627858.com
Alibaba (China) Technology Co., Ltd.
HK
suspicious
2744
iexplore.exe
115.239.210.141:80
pos.baidu.com
No.288,Fu-chun Road
CN
suspicious
2744
iexplore.exe
61.133.125.200:80
ad.dedecms.com
CHINA UNICOM China169 Backbone
CN
unknown
2744
iexplore.exe
27.221.109.45:80
ubmcmm.baidustatic.com
CHINA UNICOM China169 Backbone
CN
unknown
2744
iexplore.exe
115.239.210.141:443
pos.baidu.com
No.288,Fu-chun Road
CN
suspicious
2744
iexplore.exe
111.202.114.81:443
eclick.baidu.com
China Unicom Beijing Province Network
CN
unknown
2744
iexplore.exe
111.202.114.81:80
eclick.baidu.com
China Unicom Beijing Province Network
CN
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
2627858.com
  • 47.90.92.3
malicious
www.2627858.com
  • 47.90.92.3
malicious
ad.dedecms.com
  • 61.133.125.200
whitelisted
zz.dedecms.com
  • 61.133.125.200
unknown
cbjs.baidu.com
  • 27.221.109.49
whitelisted
pos.baidu.com
  • 115.239.210.141
whitelisted
eclick.baidu.com
  • 111.202.114.81
whitelisted
ubmcmm.baidustatic.com
  • 27.221.109.45
suspicious
dup.baidustatic.com
  • 27.221.109.49
whitelisted

Threats

PID
Process
Class
Message
2744
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1
2744
iexplore.exe
A Network Trojan was detected
ET TROJAN PE EXE or DLL Windows file download Text
2744
iexplore.exe
A Network Trojan was detected
ET TROJAN RAMNIT.A M2
2744
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1
2744
iexplore.exe
A Network Trojan was detected
ET TROJAN PE EXE or DLL Windows file download Text
2744
iexplore.exe
A Network Trojan was detected
ET TROJAN RAMNIT.A M2
2744
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1
2744
iexplore.exe
A Network Trojan was detected
ET TROJAN PE EXE or DLL Windows file download Text
2744
iexplore.exe
A Network Trojan was detected
ET TROJAN RAMNIT.A M2
2744
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1
No debug info