analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Woxy Cracked by Crank and Yuki.rar

Full analysis: https://app.any.run/tasks/d466692a-8fb3-427c-a565-3ddb686ba295
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: December 06, 2018, 07:46:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

10419F8F6E1A25F43E4B3347FF1676D6

SHA1:

D93624EF949EA0BBCED6427A2F0D5D79E428547C

SHA256:

C4CB51AA8D733BCBF8C64E1768158594D0B69926C574F28222F7CBB6D9677463

SSDEEP:

196608:JQYH11ve3hR7eOet0KhqEAIwHYalwQWx6ouNZJawvrDtGiF+8o/Dj8yPaT7FTpVi:Jfve3hR7eOet0KwQwHYRDsouu4UYcj8u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • explorer.exe (PID: 756)
      • Woxy Cracked by Crank and Yuki.exe (PID: 3788)
      • SeafkoAgent.exe (PID: 2196)
      • woxy.exe (PID: 3964)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1904)
      • explorer.exe (PID: 756)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 756)
    • Changes settings of System certificates

      • explorer.exe (PID: 756)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SeafkoAgent.exe (PID: 2196)
      • explorer.exe (PID: 756)
      • WinRAR.exe (PID: 3292)
      • woxy.exe (PID: 3964)
    • Starts itself from another location

      • SeafkoAgent.exe (PID: 2196)
    • Creates executable files which already exist in Windows

      • SeafkoAgent.exe (PID: 2196)
      • explorer.exe (PID: 756)
    • Checks for external IP

      • explorer.exe (PID: 756)
    • Connects to unusual port

      • explorer.exe (PID: 756)
    • Adds / modifies Windows certificates

      • explorer.exe (PID: 756)
  • INFO

    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 3292)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 3292)
      • woxy.exe (PID: 3964)
    • Application was crashed

      • Woxy Cracked by Crank and Yuki.exe (PID: 3788)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start winrar.exe searchprotocolhost.exe no specs woxy.exe woxy cracked by crank and yuki.exe seafkoagent.exe explorer.exe wmiapsrv.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3292"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.rar"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
1904"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3964"C:\Users\admin\Desktop\woxy.exe" C:\Users\admin\Desktop\woxy.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Exit code:
0
Version:
0.0.0.0
3788"C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.exe" C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.exe
woxy.exe
User:
admin
Integrity Level:
HIGH
Description:
Woxy
Exit code:
3762504530
Version:
1.0.0.0
2196"C:\Users\admin\AppData\Local\Temp\SeafkoAgent.exe" C:\Users\admin\AppData\Local\Temp\SeafkoAgent.exe
woxy.exe
User:
admin
Company:
Microsoft
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
0
Version:
1.0.0.0
756"C:\Users\admin\AppData\Local\explorer.exe" C:\Users\admin\AppData\Local\explorer.exe
SeafkoAgent.exe
User:
admin
Company:
Microsoft
Integrity Level:
HIGH
Description:
Windows Explorer
Version:
1.0.0.0
3804C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Performance Reverse Adapter
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 676
Read events
1 616
Write events
0
Delete events
0

Modification events

No data
Executable files
13
Suspicious files
4
Text files
59
Unknown types
4

Dropped files

PID
Process
Filename
Type
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\domains.txt
MD5:
SHA256:
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Making configs tutorial.htmlhtml
MD5:652FE189D0316045A425F0E5705A65EF
SHA256:71992C72B2C76F4E81C51A1150807B6EA12BD937A8994800F4DC7B9AD254BA68
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\READ PLEASE.txttext
MD5:EE870FC978170511F13D1B028B9AB212
SHA256:EBED6BCE13950A45C20D53AE092BFF11402E5033ED32739B7B09D7C67EB6644C
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Mail.dllexecutable
MD5:02D3665BE12327062013A05F044235CB
SHA256:2FC6995F4F2AD0AEDA381B8A43141A4F20A3A207C283C3AAE453043AD1448262
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.com.initext
MD5:2AFD5F14E39464FC84EA4E8EB1D1900D
SHA256:4375339A0BC859948FEA4718D8A11ECA5880EC2E2709D622C038543CFD4B26A5
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Cryptomate.initext
MD5:1272A8374667832B4EC6F4BBD89E2EA9
SHA256:456242E31D418322D9606944DE014313117770D7DCA441424B0287CD2B9AC997
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Colorful.Console.dllexecutable
MD5:C0049EEC203866B1B032006CEF00FFB7
SHA256:2FB5DF27FE90D3261A0CE2491315EA299B6A2D4399CC22C23272EE959B445559
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.initext
MD5:4EF53D09C02F3A1A5E79025BF42FC169
SHA256:641CE969229FA21F07B5AD2979CC8348F09FD79A6C07FBC58D576820B5C51A27
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Bestbuy.initext
MD5:5502553F370CE9C40E01D665E172B736
SHA256:105A3EC63E47CC4973DC7E3E269C1287B76B12E9A15B61F22CB43B6D36484CBF
3292WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Blizzard.initext
MD5:C0B49B202D279C8FEE710A36D1CA3138
SHA256:40C0520A640A32C2D915F831D327E16254F12C1293E5568B7840614D0D52BCBE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
13
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
756
explorer.exe
GET
204
216.58.212.206:80
http://clients3.google.com/generate_204
US
whitelisted
756
explorer.exe
GET
200
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.2 Kb
whitelisted
756
explorer.exe
GET
200
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt
US
der
914 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
756
explorer.exe
145.14.145.6:443
a-rat.000webhostapp.com
Hostinger International Limited
US
shared
756
explorer.exe
216.239.38.21:443
ipinfo.io
Google Inc.
US
whitelisted
756
explorer.exe
205.185.216.42:80
www.download.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
756
explorer.exe
34.232.49.99:6667
irc.caelestia.net
Amazon.com, Inc.
US
unknown
756
explorer.exe
216.58.212.206:80
clients3.google.com
Google Inc.
US
whitelisted
756
explorer.exe
23.227.190.242:6667
irc.criten.net
Incero LLC
US
unknown
756
explorer.exe
107.170.56.30:6667
irc.swiftirc.net
Digital Ocean, Inc.
US
unknown
756
explorer.exe
45.55.156.41:6669
irc.beyondirc.net
Digital Ocean, Inc.
US
unknown
756
explorer.exe
54.38.217.240:6669
irc.euirc.net
OVH SAS
FR
unknown

DNS requests

Domain
IP
Reputation
clients3.google.com
  • 216.58.212.206
whitelisted
ipinfo.io
  • 216.239.38.21
shared
a-rat.000webhostapp.com
  • 145.14.145.6
shared
www.download.windowsupdate.com
  • 205.185.216.42
whitelisted
irc.caelestia.net
  • 34.232.49.99
unknown
irc.criten.net
  • 23.227.190.242
unknown
irc.euirc.net
  • 54.38.217.240
unknown
irc.swiftirc.net
  • 107.170.56.30
malicious
irc.beyondirc.net
  • 45.55.156.41
unknown

Threats

PID
Process
Class
Message
756
explorer.exe
A Network Trojan was detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
756
explorer.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
756
explorer.exe
A Network Trojan was detected
SC BACKDOOR TeleRAT webhook using attempt
756
explorer.exe
Misc activity
ET CHAT IRC PONG response
756
explorer.exe
Misc activity
ET CHAT IRC USER command
756
explorer.exe
Misc activity
ET CHAT IRC NICK command
756
explorer.exe
Misc activity
ET CHAT IRC PING command
756
explorer.exe
Misc activity
ET CHAT IRC PONG response
756
explorer.exe
Misc activity
ET CHAT IRC USER command
756
explorer.exe
Misc activity
ET CHAT IRC NICK command
3 ETPRO signatures available at the full report
No debug info