| File name: | 888.exe |
| Full analysis: | https://app.any.run/tasks/75314adc-74ef-4526-9ace-5ceee22d7a68 |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | March 11, 2025, 13:05:29 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
| MD5: | 4255C26801587A9017E7CFDEBEB61745 |
| SHA1: | 893A8B7BD541023BE3F7942328C3FA9EDF9CCAE4 |
| SHA256: | BBB6542D8602DFE0B66073266A3606E6804F5B2C67D64266B0EF245220CCC3CC |
| SSDEEP: | 24576:LBQgCVhsZKkobPyMMbNgjPPjo09aUKZcw0AcbhqafgC:LygCVqZP09aRZcnAcbhqafgC |
MALICIOUS
Executing a file with an untrusted certificate
- 888.exe (PID: 7348)
COBALTSTRIKE has been detected (YARA)
- 888.exe (PID: 7348)
XORed URL has been found (YARA)
- 888.exe (PID: 7348)
SUSPICIOUS
Reads security settings of Internet Explorer
- 888.exe (PID: 7348)
INFO
Checks supported languages
- 888.exe (PID: 7348)
Checks proxy server information
- 888.exe (PID: 7348)
- slui.exe (PID: 7724)
Reads the software policy settings
- 888.exe (PID: 7348)
- slui.exe (PID: 7724)
Reads the computer name
- 888.exe (PID: 7348)
Reads the machine GUID from the registry
- 888.exe (PID: 7348)
Application based on Rust
- 888.exe (PID: 7348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
xor-url
(PID) Process(7348) 888.exe
Decrypted-URLs (1)http://code.jquery.com/
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:03:08 11:33:52+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.42 |
| CodeSize: | 213504 |
| InitializedDataSize: | 854528 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x32ae0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 7.9.5.3 |
| ProductVersionNumber: | 7.1.3.3 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| ProductVersion: | 7.1.3.3 |
| FileVersion: | 7.9.5.3 |
| ProductName: | PixlrExpress Compiler |
| FileDescription: | PixlrExpress Compiler Inc. |
| LegalCopyright: | Copyright (c) 2024 |
Total processes
124
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 7348 | "C:\Users\admin\Desktop\888.exe" | C:\Users\admin\Desktop\888.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: PixlrExpress Compiler Inc. Version: 7.9.5.3 Modules
xor-url(PID) Process(7348) 888.exe Decrypted-URLs (1)http://code.jquery.com/ | |||||||||||||||
| 7724 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 804
Read events
6 804
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
6
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | GET | 200 | 144.48.4.219:443 | https://144.48.4.219/jquery-3.3.1.min.js | unknown | binary | 5.50 Kb | malicious |
— | — | GET | 200 | 144.48.4.219:443 | https://144.48.4.219/jquery-3.3.1.min.js | unknown | binary | 5.50 Kb | malicious |
— | — | GET | 200 | 144.48.4.219:443 | https://144.48.4.219/jquery-3.3.1.min.js | unknown | binary | 5.54 Kb | malicious |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | GET | 200 | 144.48.4.219:443 | https://144.48.4.219/jquery-3.3.1.min.js | unknown | binary | 5.54 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
7348 | 888.exe | 144.48.4.219:443 | — | KLAYER LLC | HK | unknown |
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4932 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7724 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Malware Command and Control Activity Detected | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2 |
— | — | A Network Trojan was detected | ET MALWARE Cobalt Strike Beacon Activity (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2 |
— | — | A Network Trojan was detected | ET MALWARE Cobalt Strike Beacon Activity (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2 |
— | — | A Network Trojan was detected | ET MALWARE Cobalt Strike Beacon Activity (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2 |
— | — | A Network Trojan was detected | ET MALWARE Cobalt Strike Beacon Activity (GET) |
— | — | Malware Command and Control Activity Detected | ET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response |