analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://gohaiendo.com/ppk/index.php

Full analysis: https://app.any.run/tasks/fe7fbd70-ebeb-470d-9d12-0c2103fe339e
Verdict: Malicious activity
Analysis date: April 25, 2019, 01:52:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

2682A39039DF00D3CAED8DDB7A8CA27C

SHA1:

D64B11891D7DCA85B97B8CCD32B4950CBDA0383A

SHA256:

D933C5D09DBF5668F41E146E6E3DA9AE57DC1974B3195F676389763488E9D32D

SSDEEP:

3:N1KZK5LGWWkHn:C05QkHn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2596)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2596)
    • Changes internet zones settings

      • iexplore.exe (PID: 3928)
    • Creates files in the user directory

      • iexplore.exe (PID: 2596)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3928"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2596"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3928 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
374
Read events
314
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
13
Unknown types
5

Dropped files

PID
Process
Filename
Type
3928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3928iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2596iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JXSODIPY\index[1].htm
MD5:
SHA256:
2596iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\93BD9T09\login[1].php
MD5:
SHA256:
2596iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:2330F8A93E467289AEC89A5A6C63DDD6
SHA256:72CAF2FACAE8F71D546382FD4A3B09157C8F84B7B0210F0E184DFF2181D5873D
2596iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\93BD9T09\login[1].htmhtml
MD5:B03ADBB5DA8B9EE15F55203DE4B3E71D
SHA256:DAECACA6FB71B551E157164A6D6A22E521C268E2F7830DDFB955746231092E4B
3928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019042520190426\index.datdat
MD5:34DAAEA39B3296D3355ABE69C130267B
SHA256:CC4E39E68470CD4DD5A6FDD1669519D6AD7A72E8CEC97BE4CBF0BF3EA92BAA70
2596iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019042520190426\index.datdat
MD5:02D0B24240EDE105527A468357720FBB
SHA256:E98A71AE6CD5687CF762AFF8CF2E931678AC992CFE833726A928D4A8B5C43038
2596iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:FA3BEC6AD44C2FF2AA78FF9CA5800CA6
SHA256:9181A3132BBBB20C8FFE67282CA3B1416C76B4D403F274E2754FFD041FEFCA5F
2596iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OFP6RXXF\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
9
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2596
iexplore.exe
GET
200
197.157.216.75:80
http://gohaiendo.com/ppk/index.php
NG
malicious
2596
iexplore.exe
GET
197.157.216.75:80
http://gohaiendo.com/ppk/images/bg_1.png
NG
malicious
3928
iexplore.exe
GET
404
197.157.216.75:80
http://gohaiendo.com/favicon.ico
NG
html
288 b
malicious
2596
iexplore.exe
GET
200
197.157.216.75:80
http://gohaiendo.com/ppk/login.php
NG
html
663 b
malicious
3928
iexplore.exe
GET
404
197.157.216.75:80
http://gohaiendo.com/favicon.ico
NG
html
288 b
malicious
2596
iexplore.exe
GET
200
197.157.216.75:80
http://gohaiendo.com/ppk/images/l1.png
NG
image
15.8 Kb
malicious
2596
iexplore.exe
GET
200
197.157.216.75:80
http://gohaiendo.com/ppk/f.st/style.css
NG
text
273 b
malicious
3928
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2596
iexplore.exe
GET
200
197.157.216.75:80
http://gohaiendo.com/ppk/images/l0.png
NG
image
15.3 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3928
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2596
iexplore.exe
197.157.216.75:80
gohaiendo.com
KKON-ABUJA
NG
malicious
3928
iexplore.exe
197.157.216.75:80
gohaiendo.com
KKON-ABUJA
NG
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
gohaiendo.com
  • 197.157.216.75
  • 143.208.165.41
  • 66.181.168.248
  • 2.91.135.36
  • 89.190.74.198
  • 78.90.243.124
  • 80.80.165.93
  • 109.166.208.203
  • 91.201.175.46
  • 93.152.140.34
malicious

Threats

PID
Process
Class
Message
2596
iexplore.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
No debug info