analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://projectwatchdognowinlinetoofargreat.duckdns.org/ceo.exe

Full analysis: https://app.any.run/tasks/7d759c17-c1e8-495a-977f-9a47487f9d29
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 12, 2019, 06:05:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
lokibot
opendir
Indicators:
MD5:

2CBA5E0D54EEAA10F6F7C7060B9D12CC

SHA1:

671EE60041541980F89DA68F92C13402D957DE12

SHA256:

01964C91DDD53350F3E0512DB21B2134AF3AE156B522A45928CEEA17139999DE

SSDEEP:

3:N1KOXUtQGC+SSbrD+C7BCBLWiaLN:COXcQGiSbrIWBLN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ceo[1].exe (PID: 1372)
      • ceo[1].exe (PID: 3524)
    • LOKIBOT was detected

      • ceo[1].exe (PID: 3524)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3792)
    • Detected artifacts of LokiBot

      • ceo[1].exe (PID: 3524)
    • Connects to CnC server

      • ceo[1].exe (PID: 3524)
    • Actions looks like stealing of personal data

      • ceo[1].exe (PID: 3524)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2152)
      • iexplore.exe (PID: 3792)
      • ceo[1].exe (PID: 3524)
    • Application launched itself

      • ceo[1].exe (PID: 1372)
    • Loads DLL from Mozilla Firefox

      • ceo[1].exe (PID: 3524)
    • Creates files in the user directory

      • ceo[1].exe (PID: 3524)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2152)
    • Creates files in the user directory

      • iexplore.exe (PID: 3792)
    • Application launched itself

      • iexplore.exe (PID: 2152)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3792)
      • iexplore.exe (PID: 2152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe ceo[1].exe no specs #LOKIBOT ceo[1].exe

Process information

PID
CMD
Path
Indicators
Parent process
2152"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3792"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2152 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1372"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ceo[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ceo[1].exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\i0488cjo\ceo[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
3524"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ceo[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ceo[1].exe
ceo[1].exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\i0488cjo\ceo[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
634
Read events
581
Write events
50
Delete events
3

Modification events

(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{2BA4BA55-8CD8-11E9-A370-5254004A04AF}
Value:
0
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(2152) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E307060003000C00060006000A004000
Executable files
3
Suspicious files
1
Text files
12
Unknown types
7

Dropped files

PID
Process
Filename
Type
2152iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2152iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2152iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD2191EC245EE6D93.TMP
MD5:
SHA256:
2152iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF752FD47CA45E9C26.TMP
MD5:
SHA256:
2152iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{2BA4BA55-8CD8-11E9-A370-5254004A04AF}.dat
MD5:
SHA256:
2152iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ceo[1].exeexecutable
MD5:2B3C1C8C4132E8BB66527E78678F4B5C
SHA256:854825404B97AE39811D49270A825FF29EEBD31018A1658E89EC08AB7DFC85F1
2152iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{2BA4BA56-8CD8-11E9-A370-5254004A04AF}.datbinary
MD5:9D92822D1996A55C557F536D7156BE1C
SHA256:010282FCB17543B320B4F64D917E9B6884FE138120292B6596EB02060AE529A2
3792iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:389A92EBE2ADB10BAF585FDB2BAEA8C5
SHA256:D78FB60D1E8EFFCCFAB139F84FBD5AA977029428ABDC62DD129FB0488851BA7A
3524ceo[1].exeC:\Users\admin\AppData\Roaming\F63AAA\A71D80.lck
MD5:
SHA256:
3792iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019061220190613\index.datdat
MD5:F83AFAB782021272CC803F2FA9E935CA
SHA256:2D3D9FA2CE4B397A66B638F29A96682EB456CB843365EDED6932B17CB767BEF0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
8
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3524
ceo[1].exe
POST
103.39.135.18:80
http://cmcanglk.com/loki/ssg/five/fre.php
IN
malicious
3792
iexplore.exe
GET
200
23.249.165.218:80
http://projectwatchdognowinlinetoofargreat.duckdns.org/ceo.exe
US
executable
544 Kb
malicious
3524
ceo[1].exe
POST
103.39.135.18:80
http://cmcanglk.com/loki/ssg/five/fre.php
IN
malicious
3524
ceo[1].exe
POST
103.39.135.18:80
http://cmcanglk.com/loki/ssg/five/fre.php
IN
malicious
3524
ceo[1].exe
POST
103.39.135.18:80
http://cmcanglk.com/loki/ssg/five/fre.php
IN
malicious
3524
ceo[1].exe
POST
103.39.135.18:80
http://cmcanglk.com/loki/ssg/five/fre.php
IN
malicious
3524
ceo[1].exe
POST
103.39.135.18:80
http://cmcanglk.com/loki/ssg/five/fre.php
IN
malicious
2152
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3792
iexplore.exe
23.249.165.218:80
projectwatchdognowinlinetoofargreat.duckdns.org
ColoCrossing
US
malicious
2152
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3524
ceo[1].exe
103.39.135.18:80
cmcanglk.com
RackBank Datacenters Private Ltd
IN
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
projectwatchdognowinlinetoofargreat.duckdns.org
  • 23.249.165.218
malicious
cmcanglk.com
  • 103.39.135.18
malicious

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3792
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3792
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3524
ceo[1].exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3524
ceo[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
3524
ceo[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1
3524
ceo[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2
3524
ceo[1].exe
A Network Trojan was detected
MALWARE [PTsecurity] Loki Bot Check-in M2
3524
ceo[1].exe
A Network Trojan was detected
ET TROJAN LokiBot User-Agent (Charon/Inferno)
3524
ceo[1].exe
A Network Trojan was detected
ET TROJAN LokiBot Checkin
6 ETPRO signatures available at the full report
No debug info