Field | Value |
---|---|
File name | HskDDNS_5.0.0.21724.zip |
Full analysis | https://app.any.run/tasks/113a8283-cab8-4c4f-b925-ee7607937b84 |
Verdict | Malicious activity |
Analysis date | November 16, 2019, 08:31:53 |
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators | |
MIME | application/zip |
File info | Zip archive data, at least v1.0 to extract |
MD5 | D1E6C3AF5BD8263A1E11158EF5BB54AF |
SHA1 | 206E651011F98CAF3E50B2B16E9957CC3F687D19 |
SHA256 | 7616A7BA2639294D832CEDE343ED8381B87083BE4F1CADF3E66B025E59AD5E88 |
SSDEEP | 98304:8OcA3BPQXFvr1GT7GfhIGIR9BSiD0q2n1olG3bXX9YepmOj7Ar+qsHwl:8O5B4Z1GT7KqdVDR43b2XOj7waQl |

Extension | Type |
---|---|
.zip | ZIP compressed archive (100) |

Field | Value |
---|---|
ZipFileName | HskDDNS_5.0.0.21724.exe |
ZipUncompressedSize | 6261616 |
ZipCompressedSize | 5717160 |
ZipCRC | 0x96b75a38 |
ZipModifyDate | 2019:11:16 14:35:17 |
ZipCompression | Deflated |
ZipBitFlag | - |
ZipRequiredVersion | 10 |

PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Company | Description | Version | Exit code |
---|---|---|---|---|---|---|---|---|---|---|
2304 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HskDDNS_5.0.0.21724.zip" | C:\Program Files\WinRAR\WinRAR.exe | | explorer.exe | admin | MEDIUM | Alexander Roshal | WinRAR archiver | 5.60.0 | |
3704 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe | — | WinRAR.exe | admin | MEDIUM | 上海贝锐信息科技股份有限公司 | 花生壳程序 | 5.0.0.21724 | 0 |
2456 | "C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe" "C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe | | HskDDNS_5.0.0.21724.exe | admin | HIGH | 上海贝锐信息科技股份有限公司 | 花生壳程序 | 5.0.0.21724 | 0 |
1524 | "C:\Program Files\Oray\HskDDNS\phtunnel.exe" -S -v | C:\Program Files\Oray\HskDDNS\phtunnel.exe | | services.exe | SYSTEM | SYSTEM | 上海贝锐信息科技股份有限公司 | 花生壳程序 | 1.0.0.1 | |
1324 | "C:\Program Files\Oray\HskDDNS\HskDDNSMaint.exe" 1524 0 HskService | C:\Program Files\Oray\HskDDNS\HskDDNSMaint.exe | | phtunnel.exe | SYSTEM | SYSTEM | Shanghai Best Oray | SunLogin Clients Maintainence Process | 3, 5, 18, 18283 | |
956 | "C:\Program Files\Oray\HskDDNS\HskDDNS.exe" | C:\Program Files\Oray\HskDDNS\HskDDNS.exe | | HskDDNS_5.0.0.21724.exe | admin | HIGH | 上海贝锐信息科技股份有限公司 | 花生壳程序 | 5.0.0.21724 | |
4080 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | | HskDDNS.exe | admin | HIGH | Microsoft Corporation | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) | 1 |
1608 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4080 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | admin | HIGH | Microsoft Corporation | Internet Explorer | 8.00.7600.16385 (win7_rtm.090713-1255) | 0 |
2040 | "C:\Program Files\Oray\HskDDNS\HskDDNS.exe" --mod=localscan -i 0 -w 185.92.25.20 | C:\Program Files\Oray\HskDDNS\HskDDNS.exe | | phtunnel.exe | SYSTEM | SYSTEM | 上海贝锐信息科技股份有限公司 | 花生壳程序 | 5.0.0.21724 | 255 |
3824 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | | explorer.exe | admin | MEDIUM | Google LLC | Google Chrome | 75.0.3770.100 | 3221225547 |

PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2456 | HskDDNS_5.0.0.21724.exe | C:\Users\Public\Desktop\花生壳.lnk | lnk | CBC86E89D37A152A77420D6C91998031 | FB153EAAA71E7B1532642179AFD47F397C5315C60E8BD606DC568BFF94F7B49A |
1524 | phtunnel.exe | C:\Program Files\Oray\HskDDNS\phtunnel.json | text | 023C4497D3BAE7B3011417445C34D9E9 | 645F44A0F3C2316B739D3BCB31E036AB9DA871EE3B1A0C76B5E61274AD90F098 |
2456 | HskDDNS_5.0.0.21724.exe | C:\Program Files\Oray\HskDDNS\oraylog.dll | executable | 79186064E2310681C28052F0BE5C4652 | A9612CC064B472BFA2CAC89CDF2C73B0F804BFA98A8DBCA767D2A329A205B20B |
1524 | phtunnel.exe | C:\Windows\system32\config\systemprofile\phtunnel.pid | text | 443D689EF45B90232F958F6D09EF3172 | 96E473C63085DBC5B19C20F7825A732F0DD61D40DAA87A36E8210F2A8AAFBBF0 |
956 | HskDDNS.exe | C:\Users\admin\AppData\Local\Temp\NetProj.48x48.png | image | EB128548D171E158D55A9324EAC9ACBD | 640BD10707A94C0983E78D96DFF49468B0D1C65D52FC7ED91DE6AC20C63BEE36 |
956 | HskDDNS.exe | C:\Users\admin\AppData\Local\Temp\calc.48x48.png | image | F9A7FE118D73079F2DDD67E8CE65C95D | 3560247B3C9785F803E73AB7F0D0FFA097C12E73003BD211A9B3ABEFEA0C3ECF |
2456 | HskDDNS_5.0.0.21724.exe | C:\Program Files\Oray\HskDDNS\HskDDNSMaint.exe | executable | 8BC19CC265C5732EBF2800E34EE6E905 | 9A66D29989DFD4E25306928EA63B3E9D371C3B252432832AEF7E0A8E3D697F4D |
2456 | HskDDNS_5.0.0.21724.exe | C:\Program Files\Oray\HskDDNS\phtunnel.exe | executable | DD8AC5044E2EB46508BFB106A755DD29 | 494FBE379FC15D6FB3CCCDEB1B634750C465F2ABDE30F95952D2D91E7F9BEF5D |
2456 | HskDDNS_5.0.0.21724.exe | C:\ProgramData\HskDDNS\collectdata\equipment_id | text | 4D28EA86AE6C2ACA83B5A4E7C2044DE2 | CC6BAA231B1484C90C753E9FA333A2756530EAAD881531DB4CBDB7BB1A2BD5C3 |
2456 | HskDDNS_5.0.0.21724.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\花生壳\卸载花生壳.lnk | lnk | D00F3795B4965097F8547B2D22A5F236 | F2BCB84C0023970B2CCE8099DE16C3C94C036C264657ED0A08787721C1F128DF |

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2748 | chrome.exe | GET | 200 | 74.125.4.216:80 | http://r2---sn-aigzrney.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigzrney&ms=nvh&mt=1573893262&mv=m&mvi=1&pl=24&shardbypass=yes | US | crx | 293 Kb | whitelisted |
2748 | chrome.exe | GET | 302 | 216.58.207.46:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 508 b | whitelisted |
2748 | chrome.exe | GET | 302 | 216.58.207.46:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 513 b | whitelisted |
2404 | iexplore.exe | GET | 301 | 2.16.186.27:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=apk | unknown | — | — | whitelisted |
956 | HskDDNS.exe | POST | 200 | 114.55.209.149:80 | http://ph-tk.oray.com/track | CN | text | 50 b | unknown |
2456 | HskDDNS_5.0.0.21724.exe | POST | 200 | 114.55.209.149:80 | http://ph-tk.oray.com/track | CN | text | 50 b | unknown |
2456 | HskDDNS_5.0.0.21724.exe | POST | 200 | 114.55.209.149:80 | http://ph-tk.oray.com/track | CN | text | 50 b | unknown |
2456 | HskDDNS_5.0.0.21724.exe | GET | 200 | 222.73.7.11:80 | http://client.oray.net/feedback/install?isgreen=0&track=oray.com&r=1573893151&version=5.0.0.21724&key=c91ea8b1aa8ceed0a148c43c5345bb96&client=ddns | CN | text | 7 b | unknown |
2748 | chrome.exe | GET | 200 | 47.246.43.206:80 | http://download.oray.com/peanuthull/android/peanuthull_2.5.apk | US | compressed | 18.9 Mb | malicious |
4080 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2456 | HskDDNS_5.0.0.21724.exe | 222.73.7.11:80 | client.oray.net | China Telecom (Group) | CN | unknown |
2456 | HskDDNS_5.0.0.21724.exe | 172.217.22.46:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
1524 | phtunnel.exe | 118.31.225.247:443 | hsk-api.oray.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
2456 | HskDDNS_5.0.0.21724.exe | 114.55.209.149:80 | ph-tk.oray.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
1524 | phtunnel.exe | 47.99.166.140:6061 | phsle5-std01.oray.net | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
956 | HskDDNS.exe | 118.31.225.247:443 | hsk-api.oray.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
4080 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1608 | iexplore.exe | 223.4.222.86:443 | hsk.oray.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
1608 | iexplore.exe | 120.26.161.226:443 | login.oray.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown |
1608 | iexplore.exe | 47.246.2.230:443 | cdn.orayimg.com | — | US | malicious |

Domain | IP | Reputation |
---|---|---|
ph-tk.oray.com | | unknown |
client.oray.net | | unknown |
hsk-api.oray.com | | unknown |
phsle5-std01.oray.net | | unknown |
www.google-analytics.com | | whitelisted |
hsk.oray.com | | suspicious |
www.bing.com | | whitelisted |
cdn.orayimg.com | | malicious |
console.oray.com | | unknown |
static.orayimg.com | | malicious |

Process | Message |
---|---|
HskDDNSMaint.exe | load oraylog.dll |
HskDDNSMaint.exe | CreateFileMapping oraylog file mapping ok, |
HskDDNSMaint.exe | Global\764F2066-E3C5-4108-A748-B7D2D1003748C__PROGRA~1_Oray_HskDDNS_oraylog.dll.sd.share |
HskDDNSMaint.exe | oraylog MapViewOfFile ok |
HskDDNS.exe | 2019-11-16 08:32:42.158 - Info - [interface] now status is 4 |
HskDDNS.exe | [sª |
HskDDNS.exe | [string "..."]:4547: attempt to index a nil value (global 'password_edit') |
HskDDNS.exe | lua::call() attempt to call global `on_init' (not a function) |