Field | Value |
---|---|
File name: | mininews4 |
Full analysis: | https://app.any.run/tasks/cf5d0353-6e04-4365-ad58-fc9277c2916f |
Verdict: | Malicious activity |
Analysis date: | September 19, 2019, 01:11:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | E71E52E4F9CE195AB09F04691E099A1E |
SHA1: | 0944BFFBB64C8F8625D4B9DAE465919492B1A42C |
SHA256: | D854B133EE52E0865F1C15C9BA89A709F365AB56A7E02FA6EE48FDFA97AAC2A0 |
SSDEEP: | 24576:v2jFWOZoeqTJ0CmtVcv7rQX9rt++/nEYbdP+WgDNgKVQVLXi:vKFXoeEJ0ftVXt+mp2jNgKVQVLXi |
Extension | Detection (score) |
---|---|
.exe | Win32 Executable (generic) (3.6) |
.exe | Generic Win/DOS Executable (1.6) |
.exe | DOS Executable Generic (1.5) |
Field | Value |
---|---|
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2016:10:14 05:48:00+02:00 |
PEType: | PE32 |
LinkerVersion: | 9 |
CodeSize: | 887808 |
InitializedDataSize: | 631808 |
UninitializedDataSize: | - |
EntryPoint: | 0xaec5c |
OSVersion: | 5 |
ImageVersion: | - |
SubsystemVersion: | 5 |
Subsystem: | Windows GUI |
FileVersionNumber: | 4.1.1.0 |
ProductVersionNumber: | 4.1.1.0 |
FileFlagsMask: | 0x0017 |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Chinese (Simplified) |
CharacterSet: | Unicode |
FileDescription: | 4.1.1.0 |
FileVersion: | 4.1.1.0 |
InternalName: | mininews4 |
LegalCopyright: | 上海广乐网络科技有限公司 |
OriginalFileName: | mininews4.exe |
ProductName: | mininews4 |
ProductVersion: | 4.1.0.4 |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 14-Oct-2016 03:48:00 |
Detected languages: | |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000118 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 14-Oct-2016 03:48:00 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000D8B69 | 0x000D8C00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.58549 |
.rdata | 0x000DA000 | 0x0004EC19 | 0x0004EE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.88961 |
.data | 0x00129000 | 0x0002BCDC | 0x00028E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.57273 |
.rsrc | 0x00155000 | 0x00012C4C | 0x00012E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.47897 |
.reloc | 0x00168000 | 0x0000F8E4 | 0x0000FA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 5.75227 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.02301 | 622 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 5.80973 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 5.68863 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
4 | 6.05318 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
100 | 2.44608 | 62 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON |
101 | 2.96406 | 150 | Latin 1 / Western European | Chinese - PRC | RT_DIALOG |
134 | 5.24723 | 337 | Latin 1 / Western European | Chinese - PRC | XML |
135 | 5.28803 | 330 | Latin 1 / Western European | Chinese - PRC | XML |
ID_DESKTOP | 7.48825 | 37031 | Latin 1 / Western European | Chinese - PRC | MYICON |
Imported DLL |
---|
ADVAPI32.dll |
COMCTL32.dll |
GDI32.dll |
IMM32.dll |
KERNEL32.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
SHLWAPI.dll |
USER32.dll |
Title | Ordinal | Address |
---|---|---|
??0CActiveXUI@DuiLib@@QAE@ABV01@@Z | 1 | 0x0001BBEA |
??0CActiveXUI@DuiLib@@QAE@XZ | 2 | 0x00047E4E |
??0CAnimationData@DuiLib@@QAE@HHHH@Z | 3 | 0x0001B285 |
??0CAnimationTabLayoutUI@DuiLib@@QAE@ABV01@@Z | 4 | 0x0001DB68 |
??0CAnimationTabLayoutUI@DuiLib@@QAE@XZ | 5 | 0x00056F54 |
??0CButtonUI@DuiLib@@QAE@ABV01@@Z | 6 | 0x0001AFAD |
??0CButtonUI@DuiLib@@QAE@XZ | 7 | 0x0003FAE3 |
??0CCheckBoxUI@DuiLib@@QAE@ABV01@@Z | 8 | 0x0001B548 |
??0CCheckBoxUI@DuiLib@@QAE@XZ | 9 | 0x0004169A |
??0CChildLayoutUI@DuiLib@@QAE@ABV01@@Z | 10 | 0x0001D02B |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3012 | "C:\Users\admin\AppData\Local\Temp\mininews4.exe" | C:\Users\admin\AppData\Local\Temp\mininews4.exe | | explorer.exe |

Field | Value |
---|---|
User: | admin |
Integrity Level: | MEDIUM |
Description: | 4.1.1.0 |
Exit code: | 3221225547 |
Version: | 4.1.1.0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\plugin[1].htm | — | — | — |
3012 | mininews4.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@eastday[1].txt | — | — | — |
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\citySelectData2[1].js | text | 44F78F0A52B297F5D08CB6FDF23C1493 | 404E624DD623B6DE4B8F01FD204A8A9D03DCB6633E3A650CAFC957807D78AE89 |
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\58362[1].js | text | A7FE9D6F29081F34AAB1B4D797621FC3 | AF6B6281F68E99469CA847E1D43F0245BF2A4C86E2B512C5CD3353C756B7ED23 |
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\wea_plugin_widget_v20150401130731[1].css | text | A7B0DC64638D87497FFF5C47529BCFDC | 59166E2CA98F03214AB129AF85FA66533D37B86D53491975F8771CD2ABBC4C82 |
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\jquery.min[1].js | text | A20CB3A6C7EE4AD7437840D985B0B8A0 | C2D976E7AA1DAE34751637ADD18310C71BD68CECAD6764EB3573508FFC3798F9 |
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\index[1].htm | html | EB14B6CF55A69A672EF14DEBA51F1654 | E46A8C66B369FA6C0E12C667316B18165100E185D33C68546B70AF2C068169EF |
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\ds[1].js | text | 23A74074B858C58DAA71A4D1C7E5B1A6 | 601338483EB163549C54627F045963291D53A6BA36054A4FC34235F87D67BC9A |
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\json2[1].js | text | A6D5FDBBCB076DD9385DD2135DBFB589 | 4A065D1CEA69F0B359BE440FB17BD28A9EC7906196C6AEAA8467BE49746F8BF0 |
3012 | mininews4.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\index.dat | dat | 1594F22490F3E9E2C12436BBA551C3BF | 560C4D07AF9B2BEB34700D6CFAD77CBEFA0A366379A17039FFC18F835882B823 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3012 | mininews4.exe | GET | — | 163.171.128.148:80 | http://tianqi.eastday.com/jscss/v26/js/jquery.min.js | US | — | — | whitelisted |
3012 | mininews4.exe | GET | — | 163.171.128.148:80 | http://mini.eastday.com/mini/resources/json2.js | US | — | — | suspicious |
3012 | mininews4.exe | GET | 200 | 163.171.128.148:80 | http://mini.eastday.com/kuaiya/index.html?1568855548 | US | html | 1.90 Kb | suspicious |
3012 | mininews4.exe | GET | 200 | 106.75.18.180:80 | http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=kuaiyamini&platform=pc&newstype=now | CN | text | 6.14 Kb | unknown |
3012 | mininews4.exe | GET | 200 | 119.188.176.49:80 | http://dup.baidustatic.com/js/ds.js?time= | CN | text | 35.2 Kb | whitelisted |
3012 | mininews4.exe | GET | 200 | 163.171.128.148:80 | http://tianqi.eastday.com/jscss/v26/js/citySelectData2.js | US | text | 87.5 Kb | whitelisted |
3012 | mininews4.exe | GET | 200 | 163.171.128.148:80 | http://tianqi.eastday.com/jscss/v26/css/wea_plugin_widget_v20150401130731.css | US | text | 62.3 Kb | whitelisted |
3012 | mininews4.exe | GET | 200 | 163.171.128.148:80 | http://mini.eastday.com/mini/resources/json2.js | US | text | 5.45 Kb | suspicious |
3012 | mininews4.exe | GET | 200 | 163.171.128.148:80 | http://tianqi.eastday.com/plugin/widget.html?sc=3&z=1&t=0&v=0&d=1&bd=0&k=&f=&q=1&a=1&c=54511&w=317&h=28&align=left&hc=1&hd=1&cl=1&f=ffffff&bgc=D89F58&qid=kuaiya | US | html | 3.41 Kb | whitelisted |
3012 | mininews4.exe | GET | 200 | 163.171.128.148:80 | http://tianqi.eastday.com/jscss/v26/js/common.js | US | html | 56.8 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3012 | mininews4.exe | 42.236.125.79:80 | i.kpzip.com | CHINA UNICOM China169 Backbone | CN | malicious |
3012 | mininews4.exe | 123.59.74.13:80 | position.dftoutiao.com | China Unicom Beijing Province Network | CN | unknown |
3012 | mininews4.exe | 106.75.18.180:80 | hotnews.dftoutiao.com | China Unicom Beijing Province Network | CN | unknown |
3012 | mininews4.exe | 47.246.43.252:80 | afpmm.alicdn.com | — | US | suspicious |
3012 | mininews4.exe | 163.171.128.148:80 | mini.eastday.com | — | US | malicious |
3012 | mininews4.exe | 14.204.144.137:80 | i.kpzip.com | CHINA UNICOM China169 Backbone | CN | malicious |
3012 | mininews4.exe | 119.188.176.49:80 | dup.baidustatic.com | CHINA UNICOM China169 Backbone | CN | unknown |
3012 | mininews4.exe | 14.215.138.25:80 | tajs.qq.com | China Telecom (Group) | CN | suspicious |
3012 | mininews4.exe | 106.11.134.4:80 | afpeng.alimama.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
3012 | mininews4.exe | 14.215.138.25:443 | tajs.qq.com | China Telecom (Group) | CN | suspicious |
Domain | IP | Reputation |
---|---|---|
i.kpzip.com | | unknown |
dns.msftncsi.com | | shared |
hotnews.dftoutiao.com | | unknown |
mini.eastday.com | | suspicious |
tianqi.eastday.com | | whitelisted |
dup.baidustatic.com | | whitelisted |
afpmm.alicdn.com | | whitelisted |
position.dftoutiao.com | | unknown |
afpeng.alimama.com | | unknown |
tajs.qq.com | | whitelisted |
Process | Message |
---|---|
mininews4.exe | core libvlc debug: VLC media player - 2.2.6 Umbrella |
mininews4.exe | core libvlc debug: revision 2.2.6-0-g1aae789 |
mininews4.exe | core libvlc debug: revision 2.2.6-0-g1aae789 |
mininews4.exe | core libvlc debug: configured with ../extras/package/win32/../../../configure '--enable-update-check' '--enable-lua' '--enable-faad' '--enable-flac' '--enable-theora' '--enable-twolame' '--enable-quicktime' '--enable-avcodec' '--enable-merge-ffmpeg' '--enable-dca' '--enable-mpc' '--enable-libass' '--enable-x264' '--enable-schroedinger' '--enable-realrtsp' '--enable-live555' '--enable-dvdread' '--enable-shout' '--enable-goom' '--enable-caca' '--disable-sdl' '--enable-qt' '--enable-skins2' '--enable-sse' '--enable-mmx' '--enable-libcddb' '--enable-zvbi' '--disable-telx' '--enable-nls' '--host=i686-w64-mingw32' 'host_alias=i686-w64-mingw32' |
mininews4.exe | core libvlc debug: using multimedia timers as clock source |
mininews4.exe | core libvlc debug: min period: 1 ms, max period: 1000000 ms |
mininews4.exe | core libvlc debug: searching plug-in modules |
mininews4.exe | core libvlc debug: loading plugins cache file C:\Program Files\VideoLAN\VLC\plugins\plugins.dat |
mininews4.exe | core libvlc debug: recursively browsing `C:\Program Files\VideoLAN\VLC\plugins' |
mininews4.exe | core libvlc debug: saving plugins cache C:\Program Files\VideoLAN\VLC\plugins\plugins.dat |