analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://67.198.185.101/XKIOEEEEE.KDJDD.php

Full analysis: https://app.any.run/tasks/61147c70-2def-4d72-aa32-4b1e45da1180
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: July 17, 2019, 06:50:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
underminer
underminerek
Indicators:
MD5:

70F0424A75073266648E14935B635104

SHA1:

50BF53CF2BE2E86CDEC56942AFEC5C128C283F85

SHA256:

DA58593BB748C36664AEDB5BFBE282585F4F52ADB30D08C9285F21E93DD46EEA

SSDEEP:

3:N1KYcWL19nglpXH:CW3gD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to CnC server

      • rundll32.exe (PID: 2964)
  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2644)
    • Reads Internet Cache Settings

      • dllhost.exe (PID: 3792)
    • Reads the BIOS version

      • rundll32.exe (PID: 2964)
    • Uses RUNDLL32.EXE to load library

      • dllhost.exe (PID: 3792)
    • Low-level read access rights to disk partition

      • rundll32.exe (PID: 2964)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2996)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3336)
    • Creates files in the user directory

      • iexplore.exe (PID: 3336)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2644)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3336)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3336)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs dllhost.exe rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
2996"C:\Program Files\Internet Explorer\iexplore.exe" "http://67.198.185.101/XKIOEEEEE.KDJDD.php"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3336"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2996 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2644C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
3792"C:\Windows\system32\dllhost.exe"C:\Windows\system32\dllhost.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2964InetCpl.cpl,ClearMyTracksByProcess 8C:\Windows\system32\rundll32.exe
dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
548
Read events
451
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
48
Unknown types
32

Dropped files

PID
Process
Filename
Type
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D1ZPHUTH\8yZ7YDpM2Cu3lqbB7WFJV19PE9mb1f8c[1].php
MD5:
SHA256:
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D1ZPHUTH\ninjamediascript_devdojo_com[1].txt
MD5:
SHA256:
3336iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txttext
MD5:7B1C33C257A900D3C7B6B7C95018DE9B
SHA256:34B508C87295369E8515908B0BBC0DB7C3FD1485B44ED5488756DFE95BACAF10
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:BFB6E758AB278FB5BBFDF02D0E2C8534
SHA256:CBF03E7883CAD95ABB862B4A04EFCDF6E9EF761DEA671772D20DE9AF646DBD41
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D1ZPHUTH\ninjamediascript_devdojo_com[1].htmhtml
MD5:F9426D09E2F1123D0EF56F1731BDB8FA
SHA256:8BA5B8E94400F10D51390C45763F905748FD02073B6A4A2E944D0DB8B97A0B6A
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D1ZPHUTH\index[1].php
MD5:
SHA256:
3336iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:777A435EEADBFC0091DCDBF54A72E9C7
SHA256:7142925806BDB3CE88F7B38D32041BA8C7AC10FE5C8393D4E38F05DFA9B06899
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D1ZPHUTH\8yZ7YDpM2Cu3lqbB7WFJV19PE9mb1f8c[1].htmhtml
MD5:7868311DD93653783D17FB018D107014
SHA256:2DCC8A6BE17055DD4E30B9ECED8A6CC42994937ACFEDEAC58B6AA7CB56785E75
3336iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:69206A72985CE058CB06254420880108
SHA256:960234A5EB4EB22A73E68DFEFE9C2BD897A0EF1C30B3053B85309EA6E0D3114E
3336iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txttext
MD5:740FB740A09E1E48166F75614D65E84D
SHA256:C2736CB7B86E188F2FF15FB3245625D8CC22A422889F26908B70189C377194F1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
20
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3336
iexplore.exe
GET
302
67.198.185.101:80
http://67.198.185.101/XKIOEEEEE.KDJDD.php
US
unknown
3336
iexplore.exe
GET
200
104.25.142.116:80
http://ninjamediascript.devdojo.com/storage/posts/February2014/must-be-monday.gif
US
image
141 Kb
shared
3336
iexplore.exe
GET
200
67.198.185.100:80
http://67.198.185.100/8yZ7YDpM2Cu3lqbB7WFJV19PE9mb1f8c.php
US
html
1.68 Kb
unknown
3336
iexplore.exe
GET
200
104.25.142.116:80
http://ninjamediascript.devdojo.com/themes/simple/assets/js/jquery.fitvid.js
US
html
1.00 Kb
shared
3336
iexplore.exe
GET
200
104.25.142.116:80
http://ninjamediascript.devdojo.com/?pop
US
html
3.03 Kb
shared
3336
iexplore.exe
GET
200
104.25.142.116:80
http://ninjamediascript.devdojo.com/themes/simple/assets/css/style.css
US
text
2.71 Kb
shared
3336
iexplore.exe
GET
200
104.25.142.116:80
http://ninjamediascript.devdojo.com/storage/posts/February2014/must-be-monday-animation.gif
US
image
706 Kb
shared
3336
iexplore.exe
GET
200
104.25.142.116:80
http://ninjamediascript.devdojo.com/storage/themes/December2017/YFJWUNeiVSaE0fAJQq21.png
US
image
4.55 Kb
shared
3336
iexplore.exe
GET
200
38.75.137.9:9088
http://38.75.137.9:9088/js/k55qtf704vukk11a8r24riuuoc.js
US
text
3.20 Kb
suspicious
3336
iexplore.exe
GET
200
38.75.137.9:9088
http://38.75.137.9:9088/index.php?ad_id=US_eOO8F7UvFmYbo7NrJgQ&re=US_eOO8F7UvFmYbo7NrJgQ&rt=US_eOO8F7UvFmYbo7NrJgQ&id=9088&zone=US_eOO8F7UvFmYbo7NrJgQ&prod=US_eOO8F7UvFmYbo7NrJgQ&lp=Type&st=US_eOO8F7UvFmYbo7NrJgQ&e=1563346335&y=203383538274
US
html
969 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2996
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3336
iexplore.exe
67.198.185.101:80
Krypt Technologies
US
unknown
3336
iexplore.exe
23.111.8.154:443
oss.maxcdn.com
netDNA
US
unknown
3336
iexplore.exe
104.25.142.116:80
ninjamediascript.devdojo.com
Cloudflare Inc
US
shared
3336
iexplore.exe
67.198.185.98:443
adpop.xyz
Krypt Technologies
US
suspicious
3336
iexplore.exe
67.198.185.100:80
Krypt Technologies
US
unknown
2964
rundll32.exe
38.75.137.9:9088
Cogent Communications
US
suspicious
3336
iexplore.exe
38.75.137.9:9088
Cogent Communications
US
suspicious
2996
iexplore.exe
67.198.185.100:80
Krypt Technologies
US
unknown
3792
dllhost.exe
38.75.137.9:9088
Cogent Communications
US
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
adpop.xyz
  • 67.198.185.98
malicious
oss.maxcdn.com
  • 23.111.8.154
whitelisted
ninjamediascript.devdojo.com
  • 104.25.142.116
  • 104.25.141.116
unknown
bbs.favcom.space
  • 38.75.136.222
  • 38.75.137.28
malicious

Threats

PID
Process
Class
Message
3336
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
3336
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
3336
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS Possible Underminer EK Landing
3336
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Outdated Flash Version M1
3336
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS Underminer EK IE Exploit
2964
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Encrypted Hidden Bee binary payload
2964
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Encrypted Hidden Bee binary payload
1 ETPRO signatures available at the full report
No debug info