Malware analysis http://icanhazip.com Malicious activity

Add for printing

URL:	http://icanhazip.com
Full analysis:	https://app.any.run/tasks/9854a8fe-277f-452d-b10a-86ccc59cc183
Verdict:	Malicious activity
Analysis date:	September 11, 2019, 08:36:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion
Indicators:
MD5:	623F118A47E904AC29B29452EBC3631C
SHA1:	3122E7BA6412F4088057AACE9BC65C97CC760688
SHA256:	F2DAFB20B3906460D4426E24D7EE64E71B7B4BB4078B8CF83F29E3B6758F7BC8
SSDEEP:	3:N1KXtIn:Cqn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Uses IPCONFIG.EXE to discover IP address
  - cmd.exe (PID: 3700)
- Checks for external IP
  - iexplore.exe (PID: 2808)
  - iexplore.exe (PID: 3440)
INFO
- Changes internet zones settings
  - iexplore.exe (PID: 2808)
- Reads internet explorer settings
  - iexplore.exe (PID: 3440)
  - iexplore.exe (PID: 3512)
- Manual execution by user
  - cmd.exe (PID: 3700)
- Creates files in the user directory
  - iexplore.exe (PID: 3440)
  - iexplore.exe (PID: 2808)
  - iexplore.exe (PID: 3512)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3440)
  - iexplore.exe (PID: 2808)
  - iexplore.exe (PID: 3512)
- Application launched itself
  - iexplore.exe (PID: 2808)
- Reads settings of System Certificates
  - iexplore.exe (PID: 2808)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2808	"C:\Program Files\Internet Explorer\iexplore.exe" "http://icanhazip.com"	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3440	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2808 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3700	"C:\Windows\system32\cmd.exe"	C:\Windows\system32\cmd.exe	—	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2464	nslookup 82.103.130.125	C:\Windows\system32\nslookup.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2052	ipconfig	C:\Windows\system32\ipconfig.exe	—	cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2064	nslookup icanhazip.com	C:\Windows\system32\nslookup.exe		cmd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: nslookup Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3512	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2808 CREDAT:6403	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

631

Read events

528

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2808	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico		—
		MD5:—	SHA256:—
2808	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico		—
		MD5:—	SHA256:—
2808	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3440	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VZUZTWPS\icanhazip_com[1].txt		text
		MD5:1FBF8548893FE06F77ED65841B573495	SHA256:02A6F3F5B5B586C252AAD026143AB6690F4B8B3B4803E38603EFD9D91013C388
2808	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@icanhazip[1].txt		text
		MD5:1C96AD70389B96F460161EEDDD475DFF	SHA256:2EC73834CF21D3DA7D2A49C525D8406108DEFF497D513C32B9AA75A1642B2BE8
3440	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@icanhazip[1].txt		text
		MD5:AE4A082AEACDB61E09AEADC87BB11A4D	SHA256:EFE65D47DF6016FD9D554671C33A5120FAE2C0FAAB8884759AC56F25CBAD5A9A
2808	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019091120190912\index.dat		dat
		MD5:7A52E4E39EA442FC9ABAC1E60F704F5B	SHA256:966543B54CD1B674A6F957720105C66637243842FF0731F8E594BDFB3655BAF7
3512	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt		—
		MD5:—	SHA256:—
3440	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019091120190912\index.dat		dat
		MD5:F25AA668435E56F83D075C612DEF53A9	SHA256:C0558F6D9ECB93EF49EC19693928ADA049008D4FE32825A0CB1E692F03DFCF6E
3440	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:1713ADD7D581179784F677A0412104CF	SHA256:E0D80FECFD1932C69CC1BD645EAC7BF4A50F3CAA5A8A568CA697828DE2D6E48C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2808	iexplore.exe	GET	200	104.20.16.242:80	http://icanhazip.com/favicon.ico	US	text	15 b	shared
3440	iexplore.exe	GET	200	104.20.16.242:80	http://icanhazip.com/	US	text	15 b	shared
2808	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted
3512	iexplore.exe	GET	301	172.217.23.174:80	http://google.com/	US	html	219 b	whitelisted
3512	iexplore.exe	GET	302	172.217.21.196:80	http://www.google.com/	US	html	231 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2808	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
2808	iexplore.exe	104.20.16.242:80	icanhazip.com	Cloudflare Inc	US	shared
3440	iexplore.exe	104.20.16.242:80	icanhazip.com	Cloudflare Inc	US	shared
3512	iexplore.exe	172.217.23.174:80	google.com	Google Inc.	US	whitelisted
3512	iexplore.exe	172.217.21.196:80	www.google.com	Google Inc.	US	whitelisted
3512	iexplore.exe	172.217.21.196:443	www.google.com	Google Inc.	US	whitelisted
3512	iexplore.exe	216.58.206.3:443	www.gstatic.com	Google Inc.	US	whitelisted
2808	iexplore.exe	172.217.21.196:443	www.google.com	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
icanhazip.com	104.20.16.242 104.20.17.242	shared
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
google.com	172.217.23.174	whitelisted
www.google.com	172.217.21.196	whitelisted
www.gstatic.com	216.58.206.3	whitelisted

Threats

PID	Process	Class	Message
3440	iexplore.exe	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
2808	iexplore.exe	Attempted Information Leak	ET POLICY IP Check Domain (icanhazip. com in HTTP Host)

Add for printing

No debug info

General Info

http://icanhazip.com

623F118A47E904AC29B29452EBC3631C

3122E7BA6412F4088057AACE9BC65C97CC760688

F2DAFB20B3906460D4426E24D7EE64E71B7B4BB4078B8CF83F29E3B6758F7BC8

3:N1KXtIn:Cqn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Uses IPCONFIG.EXE to discover IP address

Checks for external IP

INFO

Changes internet zones settings

Reads internet explorer settings

Manual execution by user

Creates files in the user directory

Reads Internet Cache Settings

Application launched itself

Reads settings of System Certificates

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings