URL: | http://chuff.cf |
Full analysis: | https://app.any.run/tasks/43dc0e1a-c993-46c6-ac37-f7835bdc449e |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 06:04:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 575764104E129172FF21EFD1CAF3BCF9 |
SHA1: | B7C0DB680EC707E0F6756A54E1067126440DA39D |
SHA256: | 641474AFDB9B9CB5FB5F287E8CA0814E223074EBCBB7FA0DF115EA2421A3902B |
SSDEEP: | 3:N1KdNQon:Cx |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2884 | "C:\Program Files\Internet Explorer\iexplore.exe" http://chuff.cf | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2496 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2884 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
2496 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\TKP7DMNH.txt | — | |
MD5:— | SHA256:— | |||
2496 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\4V3RLV70.txt | — | |
MD5:— | SHA256:— | |||
2884 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\lander[1].css | text | |
MD5:859A6E25A07F5A7639111927E53B65F2 | SHA256:94D7A7930BBDD72C10E20C6792D74523C59359EA0AC49870F8D1A9EDF4D58706 | |||
2884 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.dat | binary | |
MD5:034E9D8BFEF4C1BB0209E1A867642D22 | SHA256:09CFF2A36E527C11EC6BBDD786EE917C31BBE4F19AAB1292D6860F0C8ADBF0C3 | |||
2496 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab8804.tmp | — | |
MD5:— | SHA256:— | |||
2496 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar8805.tmp | — | |
MD5:— | SHA256:— | |||
2496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\icon-dashboard[1].png | image | |
MD5:EF32F530BEBC2C09A5CB0CD5EFE14D81 | SHA256:D0680224E568784E18F0CCB8858581A65D69B9552208D4F8680C8FE951D570EA | |||
2496 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 | binary | |
MD5:23B7C0D3A4D4D22DE9A7122C801DC4E1 | SHA256:C5789867F883CE695A0DD026B482215637DA72E9172FB52307C6A9EA9D32216B | |||
2496 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\icon-privacy[1].png | image | |
MD5:A34D0191E31BD7542CA7D757CD4D079E | SHA256:AADAD80036FFFD621FC59393016F301BFFE05DD3FF4F9034D7FB8F37CE32E67C |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2496 | iexplore.exe | GET | 301 | 88.198.252.121:80 | http://domain.dot.tk/p/?d=CHUFF.CF&i=81.17.242.238&c=353&ro=0&ref=unknown&_=1585634712580 | DE | — | — | whitelisted |
2496 | iexplore.exe | GET | 302 | 35.204.240.39:80 | http://freenom.link/?k=80808080&_=1585634666 | US | — | — | whitelisted |
2496 | iexplore.exe | GET | 200 | 35.204.240.39:80 | http://www.freenom.link/images.v2/network.png | US | image | 7.59 Kb | suspicious |
2496 | iexplore.exe | GET | 200 | 35.204.240.39:80 | http://www.freenom.link/js/searchr.js | US | text | 1.93 Kb | suspicious |
2496 | iexplore.exe | GET | 200 | 35.204.240.39:80 | http://www.freenom.link/images.v2/icon-dashboard-green.png | US | image | 9.68 Kb | suspicious |
2496 | iexplore.exe | GET | 200 | 35.204.240.39:80 | http://www.freenom.link/images.v2/icon-plus.png | US | image | 736 b | suspicious |
2496 | iexplore.exe | GET | 200 | 35.204.240.39:80 | http://www.freenom.link/images.v2/icon-dashboard.png | US | image | 11.1 Kb | suspicious |
2496 | iexplore.exe | GET | 200 | 35.204.240.39:80 | http://www.freenom.link/images.v2/freenom-world.png | US | image | 9.02 Kb | suspicious |
2496 | iexplore.exe | GET | 200 | 172.217.21.227:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
2496 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2496 | iexplore.exe | 209.197.3.15:443 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
2496 | iexplore.exe | 209.197.3.15:80 | maxcdn.bootstrapcdn.com | Highwinds Network Group, Inc. | US | whitelisted |
2496 | iexplore.exe | 195.20.50.138:80 | chuff.cf | Verotel International B.V. | NL | suspicious |
— | — | 195.20.50.138:80 | chuff.cf | Verotel International B.V. | NL | suspicious |
— | — | 88.198.252.121:80 | domain.dot.tk | Hetzner Online GmbH | DE | suspicious |
2496 | iexplore.exe | 35.204.240.39:80 | freenom.link | Google Inc. | US | suspicious |
— | — | 35.204.240.39:80 | freenom.link | Google Inc. | US | suspicious |
2496 | iexplore.exe | 209.197.3.24:443 | code.jquery.com | Highwinds Network Group, Inc. | US | malicious |
2884 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2496 | iexplore.exe | 172.217.21.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
chuff.cf |
| suspicious |
domain.dot.tk |
| whitelisted |
freenom.link |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
www.freenom.link |
| suspicious |
maxcdn.bootstrapcdn.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
code.jquery.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .cf Domain |
— | — | Potentially Bad Traffic | ET DNS Query to a .tk domain - Likely Hostile |
2496 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to a *.tk domain |
2496 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Malicious Redirect (EK seen) |