URL: | http://www.outdooreer.com/outdoor/jacket/breathability-rating-jackets/ |
Full analysis: | https://app.any.run/tasks/48fb3b14-38a1-4da6-91be-0e4003555cd9 |
Verdict: | Malicious activity |
Threats: | Balada Injector is a long-running malware campaign that targets WordPress websites by exploiting vulnerabilities in plugins and themes. The attackers inject malicious code into compromised sites, leading to unauthorized redirects, data theft, and the creation of [backdoors](https://any.run/malware-trends/backdoor) for persistent access. The campaign operates in waves, with spikes in activity observed every few weeks, continually adapting to exploit newly discovered vulnerabilities. |
Analysis date: | May 31, 2024, 05:13:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 72C9739FCD08C9F73B24F4B7F60600AA |
SHA1: | 37886691CD5A2B61503746E059FBF4252BA1098E |
SHA256: | 3E2C7B4761DF61FF444CA171509ED335C60C09CC96D582E8BE2BC2258A43FC98 |
SSDEEP: | 3:N1KJS4lByT2Ra8Z0cXHNr/48GOS:Cc4iobXtr/HGOS |
PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Exit code | Company | Description | Version
---|---|---|---|---|---|---|---|---|---|---
124 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1192 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:3 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | | msedge.exe | admin | MEDIUM | — | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
316 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2216 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | LOW | 0 | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
524 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2228 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | LOW | 0 | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
748 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:2 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | LOW | 0 | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
860 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | admin | MEDIUM | 0 | Microsoft Corporation | Windows Media Player Network Sharing Service Configuration Application | 12.0.7600.16385 (win7_rtm.090713-1255)
1044 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2852 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | LOW | 0 | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
1332 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3852 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | LOW | 0 | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
1380 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2356 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | LOW | 0 | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
1832 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | MEDIUM | 0 | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
1888 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4028 --field-trial-handle=908,i,17083778110726454541,15039426071612595717,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | admin | LOW | 0 | Microsoft Corporation | Microsoft Edge | 109.0.1518.115
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
3972 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | write | failed_count | 0
3972 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | write | state | 2
3972 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty | write | StatusCodes | 
3972 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty | write | StatusCodes | 01000000
3972 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon | write | state | 1
3972 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} | write | dr | 1
3972 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics | write | user_experience_metrics.stability.exited_cleanly | 0
3972 | msedge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault | write | S-1-5-21-1302019708-1500728564-335382590-1000 | 2D2796554F782F00
3972 | msedge.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\FirstNotDefault | delete value | S-1-5-21-1302019708-1500728564-335382590-1000 | 
3972 | msedge.exe | HKEY_CURRENT_USER\Software\Microsoft\Edge | write | UsageStatsInSample | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1060ee.TMP | — | — | —
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | — | —
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1061b9.TMP | — | — | —
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | — | — | —
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF1061d9.TMP | — | — | —
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF106275.TMP | — | — | —
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | — | — | —
3996 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics.pma~RF10541d.TMP | binary | 886E82F2CA62ECCCE64601B30592078A | E5E13D53601100FF3D6BB71514CBCCC4C73FE9B7EF5E930100E644187B42948E
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old | text | 646FEFDB4D82709E3056F5C71953783C | 7B83D8689750F64D31016F1E8AC2A4EB9D7DB406E4C9C66211D4ED17DEBFEAD9
3972 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old | text | 4BDB64FCF217848BCEEF4FF1723E32A0 | 6DB71689542AA54221535B9135FD82321DFE987612818B1D3BBA1629C4DC2F63
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
124 | msedge.exe | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/outdoor/jacket/breathability-rating-jackets/ | unknown | — | — | — |
124 | msedge.exe | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-includes/css/dist/block-library/style.min.css?ver=5.4 | unknown | — | — | — |
— | — | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-style.css?ver=3.4.0 | unknown | — | — | — |
— | — | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ver=3.4.0 | unknown | — | — | — |
— | — | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-includes/css/dashicons.min.css?ver=5.4 | unknown | — | — | — |
— | — | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-content/plugins/post-views-counter/css/frontend.css?ver=1.3.7 | unknown | — | — | — |
— | — | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-content/plugins/woocommerce-products-filter/js/chosen/chosen.min.css?ver=5.4 | unknown | — | — | — |
124 | msedge.exe | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-content/plugins/woocommerce-products-filter/css/front.css?ver=5.4 | unknown | — | — | — |
— | — | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-content/plugins/woocommerce-products-filter/js/icheck/skins/square/green.css?ver=5.4 | unknown | — | — | — |
124 | msedge.exe | GET | 200 | 31.11.35.122:80 | http://www.outdooreer.com/wp-content/plugins/woocommerce-products-filter/ext/image/css/html_types/image.css?ver=5.4 | unknown | — | — | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3972 | msedge.exe | 239.255.255.250:1900 | — | — | — | unknown |
124 | msedge.exe | 31.11.35.122:80 | www.outdooreer.com | Aruba S.p.A. | IT | unknown |
124 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
124 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
124 | msedge.exe | 95.101.181.35:443 | www.bing.com | Akamai International B.V. | IT | unknown |
124 | msedge.exe | 204.79.197.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
124 | msedge.exe | 80.66.79.252:443 | stay.linestoget.com | — | RU | unknown |
3972 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
124 | msedge.exe | 152.199.21.175:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | EDGECAST | DE | unknown |
Domain | IP | Reputation
---|---|---
www.outdooreer.com | | unknown
config.edge.skype.com | | unknown
edge.microsoft.com | | unknown
www.bing.com | | unknown
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | | unknown
stay.linestoget.com | | unknown
done.restartyourchoices.com | | unknown
sleep.stratosbody.com | | unknown
www.googletagmanager.com | | unknown
fonts.googleapis.com | | unknown
PID | Process | Class | Message |
---|---|---|---|
— | — | Exploit Kit Activity Detected | ET EXPLOIT_KIT Balada Domain in DNS Lookup (linestoget .com) |
— | — | Exploit Kit Activity Detected | ET EXPLOIT_KIT Balada Domain in DNS Lookup (linestoget .com) |
— | — | Exploit Kit Activity Detected | ET EXPLOIT_KIT Balada Domain in TLS SNI (linestoget .com) |
— | — | Exploit Kit Activity Detected | ET EXPLOIT_KIT Balada Domain in TLS SNI (linestoget .com) |
— | — | Exploit Kit Activity Detected | ET EXPLOIT_KIT Balada Domain in DNS Lookup (stratosbody .com) |
— | — | Exploit Kit Activity Detected | ET EXPLOIT_KIT Balada Domain in DNS Lookup (stratosbody .com) |
— | — | A Network Trojan was detected | ET HUNTING Possible Obfuscator io JavaScript Obfuscation |
— | — | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] JavaScript Obfuscation (ParseInt) |
— | — | Misc activity | ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M1 |
— | — | Misc activity | ET HUNTING [TW] Likely Javascript-Obfuscator Usage Observed M3 |
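Most of the process, registry and file activity in this report is ordinary Edge housekeeping (BLBeacon, EdgeUpdate, LevelDB log rotation, wmpnscfg.exe on Windows 7); the actionable signal is the chain from the WordPress page on www.outdooreer.com to the Balada domains the ET rules fired on (linestoget.com, stratosbody.com), plus the asset URLs that disclose a WordPress 5.4 core (a 2020 release) and plugin versions on a site analysed in May 2024. The script below is an added triage example, not part of the ANY.RUN report or of any vendor tooling. It takes the request URLs and DNS/SNI names copied from the tables above (the record tuples are constructed for this example), recovers the WordPress core and plugin versions from the `?ver=` parameters, and flags contact with Balada infrastructure. Two assumptions are labelled in the code: `done.restartyourchoices.com`, which appears in the DNS table without an ET alert, is treated as Balada infrastructure alongside the two alerted domains, and `registrable()` uses a two-label heuristic rather than the public suffix list. Note also that WordPress appends the core version to any asset a plugin enqueues without its own version, so a plugin whose only observed `?ver=` equals the core version (woocommerce-products-filter here) has not disclosed a version at all; and the 3.4.0 under the woocommerce slug comes from the bundled `packages/woocommerce-blocks` path, so it is the Blocks package version rather than WooCommerce itself, which is why the sample path is kept beside each version.

```python
"""Triage helpers for a sandbox run of a Balada-infected WordPress page.

Added example, not part of the ANY.RUN report. URLs and host names are
copied from the report's HTTP and DNS tables; the record shapes are
constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlparse

# Registrable domains named by the ET EXPLOIT_KIT alerts in the report.
# Assumption: restartyourchoices.com (present in the DNS table, no alert)
# is treated as Balada infrastructure as well.
BALADA_DOMAINS = {"linestoget.com", "stratosbody.com", "restartyourchoices.com"}

# HTTP requests observed in the report (copied from its HTTP table).
HTTP_REQUESTS = [
    "http://www.outdooreer.com/outdoor/jacket/breathability-rating-jackets/",
    "http://www.outdooreer.com/wp-includes/css/dist/block-library/style.min.css?ver=5.4",
    "http://www.outdooreer.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-style.css?ver=3.4.0",
    "http://www.outdooreer.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ver=3.4.0",
    "http://www.outdooreer.com/wp-includes/css/dashicons.min.css?ver=5.4",
    "http://www.outdooreer.com/wp-content/plugins/post-views-counter/css/frontend.css?ver=1.3.7",
    "http://www.outdooreer.com/wp-content/plugins/woocommerce-products-filter/js/chosen/chosen.min.css?ver=5.4",
    "http://www.outdooreer.com/wp-content/plugins/woocommerce-products-filter/css/front.css?ver=5.4",
]

# Constructed (record_type, name) tuples; names come from the report's
# connection and DNS tables.
NETWORK_RECORDS = [
    ("dns", "www.outdooreer.com"),
    ("dns", "config.edge.skype.com"),
    ("sni", "stay.linestoget.com"),
    ("dns", "done.restartyourchoices.com"),
    ("dns", "sleep.stratosbody.com"),
    ("dns", "fonts.googleapis.com"),
]

_PLUGIN_RE = re.compile(r"/wp-content/plugins/([^/]+)/")


def wordpress_inventory(urls):
    """Recover core and plugin versions from ?ver= on enqueued assets.

    Returns {"core": str|None, "plugins": {slug: {"versions": set,
    "sample_path": str, "inherits_core": bool}}}. A plugin whose only
    observed version equals the core version disclosed nothing of its own,
    because WordPress appends the core version to assets enqueued without
    an explicit version.
    """
    core = None
    plugins = {}
    for url in urls:
        parsed = urlparse(url)
        ver = parse_qs(parsed.query).get("ver", [None])[0]
        if ver is None:
            continue
        if "/wp-includes/" in parsed.path:
            core = ver  # core assets carry the WordPress version
            continue
        m = _PLUGIN_RE.search(parsed.path)
        if m:
            entry = plugins.setdefault(
                m.group(1), {"versions": set(), "sample_path": parsed.path})
            entry["versions"].add(ver)
    for entry in plugins.values():
        own = entry["versions"] - ({core} if core else set())
        entry["versions"] = own
        entry["inherits_core"] = not own
    return {"core": core, "plugins": plugins}


def registrable(name):
    """Crude eTLD+1 (last two labels). Assumption: adequate for the .com
    names in this report; production code should use the public suffix list."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def balada_contacts(records, known=BALADA_DOMAINS):
    """Flag DNS/SNI records whose registrable domain is known Balada infrastructure."""
    hits = []
    for rtype, name in records:
        domain = registrable(name)
        if domain in known:
            hits.append({"type": rtype, "name": name, "domain": domain})
    return hits


def triage(urls=HTTP_REQUESTS, records=NETWORK_RECORDS):
    """Combine the software inventory with the Balada contact check."""
    hits = balada_contacts(records)
    return {
        "inventory": wordpress_inventory(urls),
        "balada_hits": hits,
        "verdict": "balada-redirect" if hits else "no-balada-contact",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2, default=sorted))
```

Run it as-is to print the inventory and hits for the report's data; for live use, feed `wordpress_inventory()` the request URLs from a proxy or PCAP export and `balada_contacts()` the DNS query names and TLS SNI values, and keep the domain set in step with the ET EXPLOIT_KIT Balada signatures rather than the three names hard-coded here.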