analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PO.doc

Full analysis: https://app.any.run/tasks/9be41a33-240c-4d3f-b281-1fcc9c226277
Verdict: Malicious activity
Threats:

AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.

Analysis date: September 30, 2020, 07:19:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
CVE-2017-11882
rat
azorult
Indicators:
MIME: text/rtf
File info: Rich Text Format data, unknown version
MD5:

8A2325E7F1446F5204B2B838584DBE8A

SHA1:

D00A92AC5B488D28C5677651D94077AB2FBD370B

SHA256:

C5A2E16C54143D39709187E53EC5196587EB004D64F0D3AEFF35BC61F123279E

SSDEEP:

12288:GxvA3pjJx7BC0zqE5JB2Oo83D34CAlM+yhz0pfS4Xpl6kJIzau81m+l06jqf:Q43prBtbFD4BA0g4Xpl6kJIzV81Fmjf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • jkfnfjp.exe (PID: 3780)
      • jkfnfjp.exe (PID: 3312)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 1712)
    • AZORULT was detected

      • jkfnfjp.exe (PID: 3780)
    • Changes settings of System certificates

      • jkfnfjp.exe (PID: 3780)
    • Connects to CnC server

      • jkfnfjp.exe (PID: 3780)
  • SUSPICIOUS

    • Executed via COM

      • EQNEDT32.EXE (PID: 1712)
    • Reads Internet Cache Settings

      • EQNEDT32.EXE (PID: 1712)
      • jkfnfjp.exe (PID: 3780)
    • Creates files in the user directory

      • EQNEDT32.EXE (PID: 1712)
      • jkfnfjp.exe (PID: 3780)
    • Application launched itself

      • jkfnfjp.exe (PID: 3312)
    • Executable content was dropped or overwritten

      • EQNEDT32.EXE (PID: 1712)
    • Adds / modifies Windows certificates

      • jkfnfjp.exe (PID: 3780)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1500)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs eqnedt32.exe jkfnfjp.exe no specs #AZORULT jkfnfjp.exe

Process information

PID
CMD
Path
Indicators
Parent process
1500"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\PO.doc.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
1712"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Exit code:
0
Version:
00110900
3312C:\Users\admin\AppData\Roaming\jkfnfjp.exeC:\Users\admin\AppData\Roaming\jkfnfjp.exeEQNEDT32.EXE
User:
admin
Company:
RSA Security
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
3780C:\Users\admin\AppData\Roaming\jkfnfjp.exeC:\Users\admin\AppData\Roaming\jkfnfjp.exe
jkfnfjp.exe
User:
admin
Company:
RSA Security
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Total events
1 495
Read events
767
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
6
Text files
5
Unknown types
7

Dropped files

PID
Process
Filename
Type
1500WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRC2A5.tmp.cvr
MD5:
SHA256:
1712EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\CabDCD4.tmp
MD5:
SHA256:
1712EQNEDT32.EXEC:\Users\admin\AppData\Local\Temp\TarDCE4.tmp
MD5:
SHA256:
3780jkfnfjp.exeC:\Users\admin\AppData\Local\Temp\CabF108.tmp
MD5:
SHA256:
3780jkfnfjp.exeC:\Users\admin\AppData\Local\Temp\TarF109.tmp
MD5:
SHA256:
1500WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:B9215E1EAF357778B154D092369D6478
SHA256:7FD1131314984BBFF232ADA4E74302A80369243A0DD0EF170A91AB1A9B419548
1712EQNEDT32.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\linkzsee[1].exeexecutable
MD5:A8CD21CE72B150D171F528E561099C9A
SHA256:CE71CCAA67A6A21A110CC99DA99DA0E7595A392FE54CEAD5685DBF706E3C9D05
1712EQNEDT32.EXEC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\H7FA5LN0.txttext
MD5:85E389145C17C6EFC0DE1BE5CE6862FA
SHA256:A7323B220F4D7E30D3A4439B2F51DEF09CF8DC3E7D78129BD1B9C7F5E138CCC6
1500WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:CA823A61DD47E78ED0B0E333ED33390E
SHA256:1C3C1F986CFA7887939E35D3EA8B006B01142F8309D0876893EBD38EDCA41117
1500WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\PO.doc.rtf.LNKlnk
MD5:2D012DA2C0DBAD2632FE39654A32D2AA
SHA256:F1553818E071B8E1648477CCCB586CC488877FF969227643F03F20EC76EB1F59
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
16
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3780
jkfnfjp.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
1056
svchost.exe
GET
200
104.18.25.243:80
http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIGkp0%2Fv9GUvNUu1EP06Tu7%2BChyAQUkZ47RGw9V5xCdyo010%2FRzEqXLNoCEyAAASWxwt68EQiA3cUAAAABJbE%3D
US
der
1.75 Kb
whitelisted
1056
svchost.exe
GET
200
2.16.186.74:80
http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl
unknown
der
550 b
whitelisted
1056
svchost.exe
GET
200
172.217.22.99:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D
US
der
492 b
whitelisted
1712
EQNEDT32.EXE
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAm3dP7Fjebz%2Fohu3pXPtrY%3D
US
der
278 b
whitelisted
3780
jkfnfjp.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAtqs7A%2Bsan2xGCSaqjN%2FrM%3D
US
der
1.47 Kb
whitelisted
1712
EQNEDT32.EXE
GET
301
104.18.43.26:80
http://readcivil.com/wp-content/plugins/xomert/linkzsee.exe
US
html
268 b
malicious
1056
svchost.exe
GET
200
2.16.186.74:80
http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
unknown
der
781 b
whitelisted
1056
svchost.exe
GET
200
13.107.4.50:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.5 Kb
whitelisted
1056
svchost.exe
GET
200
23.210.249.93:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
NL
der
813 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3780
jkfnfjp.exe
13.107.42.13:443
onedrive.live.com
Microsoft Corporation
US
malicious
1712
EQNEDT32.EXE
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1712
EQNEDT32.EXE
104.18.43.26:80
readcivil.com
Cloudflare Inc
US
shared
1712
EQNEDT32.EXE
104.18.43.26:443
readcivil.com
Cloudflare Inc
US
shared
3780
jkfnfjp.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3780
jkfnfjp.exe
13.107.42.12:443
ss3siw.bl.files.1drv.com
Microsoft Corporation
US
suspicious
3780
jkfnfjp.exe
103.253.212.238:443
bprbalidananiaga.co.id
Rumahweb Indonesia CV.
ID
malicious
1056
svchost.exe
2.16.186.74:80
crl.microsoft.com
Akamai International B.V.
whitelisted
1056
svchost.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1056
svchost.exe
104.18.25.243:80
ocsp.msocsp.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
readcivil.com
  • 104.18.43.26
  • 104.18.42.26
  • 172.67.217.188
malicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
onedrive.live.com
  • 13.107.42.13
shared
ss3siw.bl.files.1drv.com
  • 13.107.42.12
whitelisted
bprbalidananiaga.co.id
  • 103.253.212.238
malicious
crl.microsoft.com
  • 2.16.186.74
  • 2.16.186.120
whitelisted
ocsp.msocsp.com
  • 104.18.25.243
  • 104.18.24.243
whitelisted
ocsp.pki.goog
  • 172.217.22.99
whitelisted
www.microsoft.com
  • 23.210.249.93
whitelisted
www.download.windowsupdate.com
  • 13.107.4.50
whitelisted

Threats

PID
Process
Class
Message
1712
EQNEDT32.EXE
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
3780
jkfnfjp.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3780
jkfnfjp.exe
A Network Trojan was detected
ET TROJAN Win32/AZORult V3.3 Client Checkin M2
3780
jkfnfjp.exe
A Network Trojan was detected
STEALER [PTsecurity] AZORult
3780
jkfnfjp.exe
Potentially Bad Traffic
ET POLICY HTTP traffic on port 443 (POST)
No debug info