File name: | Woxy Cracked by Crank and Yuki.rar |
Full analysis: | https://app.any.run/tasks/d466692a-8fb3-427c-a565-3ddb686ba295 |
Verdict: | Malicious activity |
Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
Analysis date: | December 06, 2018, 07:46:23 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-rar |
File info: | RAR archive data, v5 |
MD5: | 10419F8F6E1A25F43E4B3347FF1676D6 |
SHA1: | D93624EF949EA0BBCED6427A2F0D5D79E428547C |
SHA256: | C4CB51AA8D733BCBF8C64E1768158594D0B69926C574F28222F7CBB6D9677463 |
SSDEEP: | 196608:JQYH11ve3hR7eOet0KhqEAIwHYalwQWx6ouNZJawvrDtGiF+8o/Dj8yPaT7FTpVi:Jfve3hR7eOet0KwQwHYRDsouu4UYcj8u |
.rar | | | RAR compressed archive (v5.0) (61.5) |
---|---|---|
.rar | | | RAR compressed archive (gen) (38.4) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3292 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.rar" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1904 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
3964 | "C:\Users\admin\Desktop\woxy.exe" | C:\Users\admin\Desktop\woxy.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: Exit code: 0 Version: 0.0.0.0 | ||||
3788 | "C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.exe" | C:\Users\admin\AppData\Local\Temp\Woxy Cracked by Crank and Yuki.exe | woxy.exe | |
User: admin Integrity Level: HIGH Description: Woxy Exit code: 3762504530 Version: 1.0.0.0 | ||||
2196 | "C:\Users\admin\AppData\Local\Temp\SeafkoAgent.exe" | C:\Users\admin\AppData\Local\Temp\SeafkoAgent.exe | woxy.exe | |
User: admin Company: Microsoft Integrity Level: HIGH Description: Windows Explorer Exit code: 0 Version: 1.0.0.0 | ||||
756 | "C:\Users\admin\AppData\Local\explorer.exe" | C:\Users\admin\AppData\Local\explorer.exe | SeafkoAgent.exe | |
User: admin Company: Microsoft Integrity Level: HIGH Description: Windows Explorer Version: 1.0.0.0 | ||||
3804 | C:\Windows\system32\wbem\WmiApSrv.exe | C:\Windows\system32\wbem\WmiApSrv.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: WMI Performance Reverse Adapter Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\domains.txt | — | |
MD5:— | SHA256:— | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Making configs tutorial.html | html | |
MD5:652FE189D0316045A425F0E5705A65EF | SHA256:71992C72B2C76F4E81C51A1150807B6EA12BD937A8994800F4DC7B9AD254BA68 | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\READ PLEASE.txt | text | |
MD5:EE870FC978170511F13D1B028B9AB212 | SHA256:EBED6BCE13950A45C20D53AE092BFF11402E5033ED32739B7B09D7C67EB6644C | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Mail.dll | executable | |
MD5:02D3665BE12327062013A05F044235CB | SHA256:2FC6995F4F2AD0AEDA381B8A43141A4F20A3A207C283C3AAE453043AD1448262 | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.com.ini | text | |
MD5:2AFD5F14E39464FC84EA4E8EB1D1900D | SHA256:4375339A0BC859948FEA4718D8A11ECA5880EC2E2709D622C038543CFD4B26A5 | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Cryptomate.ini | text | |
MD5:1272A8374667832B4EC6F4BBD89E2EA9 | SHA256:456242E31D418322D9606944DE014313117770D7DCA441424B0287CD2B9AC997 | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Colorful.Console.dll | executable | |
MD5:C0049EEC203866B1B032006CEF00FFB7 | SHA256:2FB5DF27FE90D3261A0CE2491315EA299B6A2D4399CC22C23272EE959B445559 | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Amazon.ini | text | |
MD5:4EF53D09C02F3A1A5E79025BF42FC169 | SHA256:641CE969229FA21F07B5AD2979CC8348F09FD79A6C07FBC58D576820B5C51A27 | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Bestbuy.ini | text | |
MD5:5502553F370CE9C40E01D665E172B736 | SHA256:105A3EC63E47CC4973DC7E3E269C1287B76B12E9A15B61F22CB43B6D36484CBF | |||
3292 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3292.41690\Configs\Blizzard.ini | text | |
MD5:C0B49B202D279C8FEE710A36D1CA3138 | SHA256:40C0520A640A32C2D915F831D327E16254F12C1293E5568B7840614D0D52BCBE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
756 | explorer.exe | GET | 204 | 216.58.212.206:80 | http://clients3.google.com/generate_204 | US | — | — | whitelisted |
756 | explorer.exe | GET | 200 | 205.185.216.42:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted |
756 | explorer.exe | GET | 200 | 205.185.216.42:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/DF3C24F9BFD666761B268073FE06D1CC8D4F82A4.crt | US | der | 914 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
756 | explorer.exe | 145.14.145.6:443 | a-rat.000webhostapp.com | Hostinger International Limited | US | shared |
756 | explorer.exe | 216.239.38.21:443 | ipinfo.io | Google Inc. | US | whitelisted |
756 | explorer.exe | 205.185.216.42:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
756 | explorer.exe | 34.232.49.99:6667 | irc.caelestia.net | Amazon.com, Inc. | US | unknown |
756 | explorer.exe | 216.58.212.206:80 | clients3.google.com | Google Inc. | US | whitelisted |
756 | explorer.exe | 23.227.190.242:6667 | irc.criten.net | Incero LLC | US | unknown |
756 | explorer.exe | 107.170.56.30:6667 | irc.swiftirc.net | Digital Ocean, Inc. | US | unknown |
756 | explorer.exe | 45.55.156.41:6669 | irc.beyondirc.net | Digital Ocean, Inc. | US | unknown |
756 | explorer.exe | 54.38.217.240:6669 | irc.euirc.net | OVH SAS | FR | unknown |
Domain | IP | Reputation |
---|---|---|
clients3.google.com |
| whitelisted |
ipinfo.io |
| shared |
a-rat.000webhostapp.com |
| shared |
www.download.windowsupdate.com |
| whitelisted |
irc.caelestia.net |
| unknown |
irc.criten.net |
| unknown |
irc.euirc.net |
| unknown |
irc.swiftirc.net |
| malicious |
irc.beyondirc.net |
| unknown |
PID | Process | Class | Message |
---|---|---|---|
756 | explorer.exe | A Network Trojan was detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
756 | explorer.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) |
756 | explorer.exe | A Network Trojan was detected | SC BACKDOOR TeleRAT webhook using attempt |
756 | explorer.exe | Misc activity | ET CHAT IRC PONG response |
756 | explorer.exe | Misc activity | ET CHAT IRC USER command |
756 | explorer.exe | Misc activity | ET CHAT IRC NICK command |
756 | explorer.exe | Misc activity | ET CHAT IRC PING command |
756 | explorer.exe | Misc activity | ET CHAT IRC PONG response |
756 | explorer.exe | Misc activity | ET CHAT IRC USER command |
756 | explorer.exe | Misc activity | ET CHAT IRC NICK command |