File name: kkk
Full analysis: https://app.any.run/tasks/e3038d72-0a76-4ec6-a9aa-e03f804c826c
Verdict: Malicious activity
Analysis date: March 14, 2019, 15:01:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 8EFE63FBEC56DA047389523C77654EF6
SHA1: B73FC2CECEB2B76CF1F8E5AE5987A5ED52E512C4
SHA256: BFC97F484B27A23CE32D54A542422938B66B537F956BA0A9CD69B7AB64190EFA
SSDEEP: 196608:ZBqsN8Fwc75pl5sDSOmRSdE+K5Uy2TVMP3HxRYAsxMdyEW:/N87PsS9Sm+3VMPHfYDxdf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Tomcat7.exe (PID: 3556)
      • Tomcat7.exe (PID: 2760)
      • Tomcat7.exe (PID: 2652)
      • Tomcat7.exe (PID: 3688)
      • Tomcat7.exe (PID: 3772)
      • Tomcat7.exe (PID: 3516)
      • nsC01D.tmp (PID: 3040)
      • nsC4E0.tmp (PID: 1868)
      • Tomcat7w.exe (PID: 4060)
      • nsC6A8.tmp (PID: 2172)
      • nsC5CC.tmp (PID: 3200)
      • nsC793.tmp (PID: 3276)
    • Loads dropped or rewritten executable

      • kkk.exe (PID: 3864)
    • Changes the autorun value in the registry

      • kkk.exe (PID: 3864)
  • SUSPICIOUS

    • Creates files in the program directory

      • Tomcat7.exe (PID: 3556)
      • Tomcat7.exe (PID: 3772)
      • Tomcat7.exe (PID: 3516)
      • kkk.exe (PID: 3864)
    • Starts application with an unusual extension

      • kkk.exe (PID: 3864)
    • Executable content was dropped or overwritten

      • kkk.exe (PID: 3864)
    • Creates files in the user directory

      • kkk.exe (PID: 3864)
    • Creates a software uninstall entry

      • kkk.exe (PID: 3864)
    • Creates files in the Windows directory

      • Tomcat7.exe (PID: 3516)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductVersion: 7.0.90
ProductName: Apache Tomcat
LegalCopyright: Copyright (c) 1999-2018 The Apache Software Foundation
InternalName: apache-tomcat-7.0.90.exe
FileVersion: 2
FileDescription: Apache Tomcat Installer
CompanyName: Apache Software Foundation
Comments: tomcat.apache.org
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 7.0.90.0
FileVersionNumber: 7.0.90.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x3328
UninitializedDataSize: 1024
InitializedDataSize: 118784
CodeSize: 25088
LinkerVersion: 6
PEType: PE32
TimeStamp: 2018:01:30 04:57:38+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-Jan-2018 03:57:38
Detected languages:
  • English - United States
Comments: tomcat.apache.org
CompanyName: Apache Software Foundation
FileDescription: Apache Tomcat Installer
FileVersion: 2.0
InternalName: apache-tomcat-7.0.90.exe
LegalCopyright: Copyright (c) 1999-2018 The Apache Software Foundation
ProductName: Apache Tomcat
ProductVersion: 7.0.90

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000D8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 30-Jan-2018 03:57:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00006077 | 0x00006200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.40397
.rdata | 0x00008000 | 0x00001248 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.04426
.data | 0x0000A000 | 0x0001A838 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.22445
.ndata | 0x00025000 | 0x0001E000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00043000 | 0x00006E68 | 0x00007000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.3461

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.28813 | 1070 | UNKNOWN | English - United States | RT_MANIFEST
2 | 3.58585 | 3752 | UNKNOWN | English - United States | RT_ICON
3 | 4.1463 | 3240 | UNKNOWN | English - United States | RT_ICON
4 | 3.71606 | 2216 | UNKNOWN | English - United States | RT_ICON
5 | 2.64646 | 1640 | UNKNOWN | English - United States | RT_ICON
6 | 2.71436 | 1384 | UNKNOWN | English - United States | RT_ICON
7 | 4.23914 | 872 | UNKNOWN | English - United States | RT_ICON
8 | 2.95894 | 744 | UNKNOWN | English - United States | RT_ICON
9 | 2.78721 | 296 | UNKNOWN | English - United States | RT_ICON
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 15
Malicious processes: 2
Suspicious processes: 0

Behavior graph

[Interactive process graph, rendered only in the full report. Nodes shown: kkk.exe, kkk.exe, nsc01d.tmp, tomcat7.exe, nsc4e0.tmp, tomcat7.exe, nsc5cc.tmp, tomcat7.exe, nsc6a8.tmp, tomcat7.exe, nsc793.tmp, tomcat7.exe, tomcat7w.exe, notepad.exe, tomcat7.exe; edges are labelled "drop and start" (6) and "start" (1).]

Process information

PID: 3364
CMD: "C:\Users\admin\AppData\Local\Temp\kkk.exe"
Path: C:\Users\admin\AppData\Local\Temp\kkk.exe
Parent process: explorer.exe
User: admin
Company: Apache Software Foundation
Integrity Level: MEDIUM
Description: Apache Tomcat Installer
Exit code: 3221226540
Version: 2.0

PID: 3864
CMD: "C:\Users\admin\AppData\Local\Temp\kkk.exe"
Path: C:\Users\admin\AppData\Local\Temp\kkk.exe
Parent process: explorer.exe
User: admin
Company: Apache Software Foundation
Integrity Level: HIGH
Description: Apache Tomcat Installer
Exit code: 0
Version: 2.0

PID: 3040
CMD: "C:\Users\admin\AppData\Local\Temp\nsc9BAC.tmp\nsC01D.tmp" "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //IS//Tomcat7 --DisplayName "Apache Tomcat 7.0 Tomcat7" --Description "Apache Tomcat 7.0.90 Server - https://tomcat.apache.org/" --LogPath "C:\Program Files\Apache Software Foundation\Tomcat 7.0\logs" --Install "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" --Jvm "C:\Program Files\Java\jre1.8.0_92\bin\client\jvm.dll" --StartPath "C:\Program Files\Apache Software Foundation\Tomcat 7.0" --StopPath "C:\Program Files\Apache Software Foundation\Tomcat 7.0"
Path: C:\Users\admin\AppData\Local\Temp\nsc9BAC.tmp\nsC01D.tmp
Parent process: kkk.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3556
CMD: "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //IS//Tomcat7 --DisplayName "Apache Tomcat 7.0 Tomcat7" --Description "Apache Tomcat 7.0.90 Server - https://tomcat.apache.org/" --LogPath "C:\Program Files\Apache Software Foundation\Tomcat 7.0\logs" --Install "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" --Jvm "C:\Program Files\Java\jre1.8.0_92\bin\client\jvm.dll" --StartPath "C:\Program Files\Apache Software Foundation\Tomcat 7.0" --StopPath "C:\Program Files\Apache Software Foundation\Tomcat 7.0"
Path: C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe
Parent process: nsC01D.tmp
User: admin
Company: Apache Software Foundation
Integrity Level: HIGH
Description: Commons Daemon Service Runner
Exit code: 0
Version: 1.1.0.0

PID: 1868
CMD: "C:\Users\admin\AppData\Local\Temp\nsc9BAC.tmp\nsC4E0.tmp" "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //US//Tomcat7 --Classpath "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\bootstrap.jar;C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\tomcat-juli.jar" --StartClass org.apache.catalina.startup.Bootstrap --StopClass org.apache.catalina.startup.Bootstrap --StartParams start --StopParams stop --StartMode jvm --StopMode jvm
Path: C:\Users\admin\AppData\Local\Temp\nsc9BAC.tmp\nsC4E0.tmp
Parent process: kkk.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2652
CMD: "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //US//Tomcat7 --Classpath "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\bootstrap.jar;C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\tomcat-juli.jar" --StartClass org.apache.catalina.startup.Bootstrap --StopClass org.apache.catalina.startup.Bootstrap --StartParams start --StopParams stop --StartMode jvm --StopMode jvm
Path: C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe
Parent process: nsC4E0.tmp
User: admin
Company: Apache Software Foundation
Integrity Level: HIGH
Description: Commons Daemon Service Runner
Exit code: 0
Version: 1.1.0.0

PID: 3200
CMD: "C:\Users\admin\AppData\Local\Temp\nsc9BAC.tmp\nsC5CC.tmp" "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //US//Tomcat7 --JvmOptions "-Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 7.0#-Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 7.0#-Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 7.0\temp#-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager#-Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\logging.properties"
Path: C:\Users\admin\AppData\Local\Temp\nsc9BAC.tmp\nsC5CC.tmp
Parent process: kkk.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3688
CMD: "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //US//Tomcat7 --JvmOptions "-Dcatalina.home=C:\Program Files\Apache Software Foundation\Tomcat 7.0#-Dcatalina.base=C:\Program Files\Apache Software Foundation\Tomcat 7.0#-Djava.io.tmpdir=C:\Program Files\Apache Software Foundation\Tomcat 7.0\temp#-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager#-Djava.util.logging.config.file=C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\logging.properties"
Path: C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe
Parent process: nsC5CC.tmp
User: admin
Company: Apache Software Foundation
Integrity Level: HIGH
Description: Commons Daemon Service Runner
Exit code: 0
Version: 1.1.0.0

PID: 2172
CMD: "C:\Users\admin\AppData\Local\Temp\nsc9BAC.tmp\nsC6A8.tmp" "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //US//Tomcat7 --JvmOptions9 "--add-opens=java.base/java.lang=ALL-UNNAMED#--add-opens=java.base/java.io=ALL-UNNAMED#--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED"
Path: C:\Users\admin\AppData\Local\Temp\nsc9BAC.tmp\nsC6A8.tmp
Parent process: kkk.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2760
CMD: "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //US//Tomcat7 --JvmOptions9 "--add-opens=java.base/java.lang=ALL-UNNAMED#--add-opens=java.base/java.io=ALL-UNNAMED#--add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED"
Path: C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe
Parent process: nsC6A8.tmp
User: admin
Company: Apache Software Foundation
Integrity Level: HIGH
Description: Commons Daemon Service Runner
Exit code: 0
Version: 1.1.0.0

Total events: 407
Read events: 374
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 10
Suspicious files: 23
Text files: 190
Unknown types: 9

Dropped files

PID | Process | Filename | Type
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\catalina.jar | compressed
  MD5: 550F29D3D0F09F0327252956C8585507
  SHA256: 5350F358546DD9FA2F7B4A2D097EB56A9A757DA101750C590A034AA0588C85C9
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\servlet-api.jar | compressed
  MD5: 84DC775A9515A5E32FEFEE0726E17EB3
  SHA256: 304583347B2B526BC756A4314D014484CFF828491A77AC135A8DF451BDE55AA5
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\NOTICE | text
  MD5: 7C690A783EB0FBD1A31EF9EBD8479597
  SHA256: 95B54C6460A90A612CB4E4B8C4AA2FF0B14156F72A4713DDDD7DA6810BCCD078
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\annotations-api.jar | compressed
  MD5: E5D17EDAED010B15A58CC4F04853046F
  SHA256: 4B7F62717E76C866BC66332A4788FC070A21A669C060CC9DDD4B3A6B58496921
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\el-api.jar | compressed
  MD5: DD436E0562DCDAD12490AD4078645AE1
  SHA256: 6BD8E2D49B912E351BD4F1E1229A6DFF71B4A7DE9EEABD71BC1D9FBDF486E220
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jasper.jar | compressed
  MD5: 9B5BBD94FE9EB9C6BF7030957232F12F
  SHA256: C95F29E0178E57B007B2B79F5924A2717797C28CE0D48F3530A06B134EFF4804
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jsp-api.jar | compressed
  MD5: 1803A6EE33E9249ED27EEF90BA4772D8
  SHA256: 794B2D15EB93471C8444860803187AAB52E402B5DD97414E5BABE99221CA55D7
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\tomcat-api.jar | compressed
  MD5: 715D2384375BFABEBDB74E228A600C08
  SHA256: 4BF18629CB88D1E816891E121E998662A12A94ABBF5C2F343640F245675D1033
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jasper-el.jar | compressed
  MD5: B56633789BF5223B5F4527E315CC4F12
  SHA256: 1E10EF319739CFB46979F26E96572C347F0342706589E376CF107C0481E4EB03
3864 | kkk.exe | C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\catalina-ha.jar | compressed
  MD5: 9DD51B7CEE5F81C9CD34EA6627E3B102
  SHA256: C4372AFF7FCD9B01E4DA279285A98FDC5D32A85E0BF4BE10E127C6C3870614F3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info