File name: invoice.doc
Full analysis: https://app.any.run/tasks/7581f496-04e0-4f5c-b8ba-6827facb6dc7
Verdict: Malicious activity
Threats: AZORult

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: September 30, 2020, 06:14:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, exploit, CVE-2017-11882, rat, azorult
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5: 8A2325E7F1446F5204B2B838584DBE8A
SHA1: D00A92AC5B488D28C5677651D94077AB2FBD370B
SHA256: C5A2E16C54143D39709187E53EC5196587EB004D64F0D3AEFF35BC61F123279E
SSDEEP: 12288:GxvA3pjJx7BC0zqE5JB2Oo83D34CAlM+yhz0pfS4Xpl6kJIzau81m+l06jqf:Q43prBtbFD4BA0g4Xpl6kJIzV81Fmjf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • jkfnfjp.exe (PID: 2404)
      • jkfnfjp.exe (PID: 3312)
    • Changes settings of System certificates

      • jkfnfjp.exe (PID: 3312)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 3288)
    • Connects to CnC server

      • jkfnfjp.exe (PID: 3312)
    • AZORULT was detected

      • jkfnfjp.exe (PID: 3312)
  • SUSPICIOUS

    • Application launched itself

      • jkfnfjp.exe (PID: 2404)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 3288)
      • jkfnfjp.exe (PID: 3312)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 3288)
    • Adds / modifies Windows certificates

      • jkfnfjp.exe (PID: 3312)
    • Executed via COM

      • EQNEDT32.EXE (PID: 3288)
    • Reads Internet Cache Settings

      • jkfnfjp.exe (PID: 3312)
      • EQNEDT32.EXE (PID: 3288)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 764)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD: .rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes (legend: start; drop and start): winword.exe (no specs), eqnedt32.exe, jkfnfjp.exe (no specs), jkfnfjp.exe (#AZORULT). Process details are in the full report.

Process information

PID: 764
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\invoice.doc.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 3288
CMD: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Parent process: svchost.exe
User: admin
Company: Design Science, Inc.
Integrity Level: MEDIUM
Description: Microsoft Equation Editor
Exit code: 0
Version: 00110900

PID: 2404
CMD: C:\Users\admin\AppData\Roaming\jkfnfjp.exe
Path: C:\Users\admin\AppData\Roaming\jkfnfjp.exe
Parent process: EQNEDT32.EXE
User: admin
Company: RSA Security
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00

PID: 3312
CMD: C:\Users\admin\AppData\Roaming\jkfnfjp.exe
Path: C:\Users\admin\AppData\Roaming\jkfnfjp.exe
Parent process: jkfnfjp.exe
User: admin
Company: RSA Security
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Total events: 1 619
Read events: 922
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 4
Text files: 3
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR7669.tmp.cvr | - | - | -
3288 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\Cab828E.tmp | - | - | -
3288 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Temp\Tar828F.tmp | - | - | -
3312 | jkfnfjp.exe | C:\Users\admin\AppData\Local\Temp\CabBAF4.tmp | - | - | -
3312 | jkfnfjp.exe | C:\Users\admin\AppData\Local\Temp\TarBAF5.tmp | - | - | -
3288 | EQNEDT32.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_0450F37A94D5EA2CF49E48BAD46C6D66 | binary | 801AC5689614760B415E3C0C9169118C | 56F0DFB8CBEC40858DB812E5D7ED3E220FE986B3B7819D071E0C6CFE990FEFD1
3288 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\linkzsee[1].exe | executable | A8CD21CE72B150D171F528E561099C9A | CE71CCAA67A6A21A110CC99DA99DA0E7595A392FE54CEAD5685DBF706E3C9D05
764 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$voice.doc.rtf | pgc | 51E463818A070D61CE7A1B2376B979BC | 1713A0B62E9B5C70A9B7DC5DF4C5C73F919707E763C8336AFAB5F21A9442D77F
3288 | EQNEDT32.EXE | C:\Users\admin\AppData\Roaming\jkfnfjp.exe | executable | A8CD21CE72B150D171F528E561099C9A | CE71CCAA67A6A21A110CC99DA99DA0E7595A392FE54CEAD5685DBF706E3C9D05
3288 | EQNEDT32.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\linkzsee[1].htm | html | C1A5EDD7F778F1C91C4FCBCBD1F546E3 | 2A1BCE0E14E8887ECE21173597C3F3C7E93BE0C67EBCBB307602727E0A3B552C
HTTP(S) requests: 22
TCP/UDP connections: 17
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3312 | jkfnfjp.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.22 Kb | whitelisted
3288 | EQNEDT32.EXE | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAm3dP7Fjebz%2Fohu3pXPtrY%3D | US | der | 278 b | whitelisted
1056 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAKXB1YM1Knrv%2BJy8eCW2II%3D | US | der | 471 b | whitelisted
1056 | svchost.exe | GET | 200 | 2.16.186.74:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted
1056 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D | US | der | 471 b | whitelisted
1056 | svchost.exe | GET | 200 | 23.210.253.93:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | NL | der | 813 b | whitelisted
1056 | svchost.exe | GET | 200 | 172.217.22.35:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D | US | der | 492 b | whitelisted
1056 | svchost.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3288 | EQNEDT32.EXE | GET | 301 | 104.18.43.26:80 | http://readcivil.com/wp-content/plugins/xomert/linkzsee.exe | US | html | 268 b | malicious
1056 | svchost.exe | GET | 200 | 104.18.24.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIGkp0%2Fv9GUvNUu1EP06Tu7%2BChyAQUkZ47RGw9V5xCdyo010%2FRzEqXLNoCEyAAASWxwt68EQiA3cUAAAABJbE%3D | US | der | 1.75 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3288 | EQNEDT32.EXE | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3312 | jkfnfjp.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3312 | jkfnfjp.exe | 13.107.42.12:443 | ss3siw.bl.files.1drv.com | Microsoft Corporation | US | suspicious
3312 | jkfnfjp.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious
1056 | svchost.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3312 | jkfnfjp.exe | 103.253.212.238:443 | bprbalidananiaga.co.id | Rumahweb Indonesia CV. | ID | malicious
- | - | 205.185.216.42:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
1056 | svchost.exe | 2.16.186.74:80 | crl.microsoft.com | Akamai International B.V. | - | whitelisted
3288 | EQNEDT32.EXE | 104.18.43.26:443 | readcivil.com | Cloudflare Inc | US | shared
1056 | svchost.exe | 172.217.22.35:80 | ocsp.pki.goog | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
readcivil.com | 104.18.43.26, 104.18.42.26, 172.67.217.188 | malicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
onedrive.live.com | 13.107.42.13 | shared
crl3.digicert.com | 93.184.220.29 | whitelisted
ss3siw.bl.files.1drv.com | 13.107.42.12 | whitelisted
bprbalidananiaga.co.id | 103.253.212.238 | malicious
crl.microsoft.com | 2.16.186.74, 2.16.186.120 | whitelisted
ocsp.msocsp.com | 104.18.24.243, 104.18.25.243 | whitelisted
ocsp.pki.goog | 172.217.22.35 | whitelisted
www.microsoft.com | 23.210.253.93 | whitelisted

Threats

PID | Process | Class | Message
3288 | EQNEDT32.EXE | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
3312 | jkfnfjp.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3312 | jkfnfjp.exe | A Network Trojan was detected | ET TROJAN Win32/AZORult V3.3 Client Checkin M2
3312 | jkfnfjp.exe | A Network Trojan was detected | STEALER [PTsecurity] AZORult
3312 | jkfnfjp.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST)
No debug info