File name: | Firefox Installer.de.exe |
Full analysis: | https://app.any.run/tasks/99b3fcfa-956e-4239-a5b5-b01fe9eea22a |
Verdict: | Malicious activity |
Analysis date: | February 10, 2019, 14:12:09 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | BBDEF37D2B1E8ACBC106084850E7499E |
SHA1: | 0E81CAF6B53E719908D48B62CCD468D7E855705D |
SHA256: | 71B6B29E3EDBA20AB333BA77F2846890674C7A1B1705C3384A2936FBE6CCE8CC |
SSDEEP: | 6144:4mvr9RLcN0BvxoLjGRU4UUU3UUUD9rOAe1i/M1v/oyE6hl+S9/Re56RKVKdV17wl:4mr9RUsJGjqU4UUU3UUUZa7IMdTJ/Rcb |
.exe | | | UPX compressed Win32 Executable (64.2) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.6) |
.exe | | | Win32 Executable (generic) (10.6) |
.exe | | | Generic Win/DOS Executable (4.7) |
.exe | | | DOS Executable Generic (4.7) |
ProductVersion: | 18.05 |
---|---|
ProductName: | Firefox |
OriginalFileName: | 7zS.sfx.exe |
LegalCopyright: | Mozilla |
InternalName: | 7zS.sfx |
FileVersion: | 18.05 |
FileDescription: | Firefox |
CompanyName: | Mozilla |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Windows NT 32-bit |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 18.5.0.0 |
FileVersionNumber: | 18.5.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x34310 |
UninitializedDataSize: | 147456 |
InitializedDataSize: | 65536 |
CodeSize: | 65536 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2018:08:31 00:18:33+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 30-Aug-2018 22:18:33 |
Detected languages: |
|
CompanyName: | Mozilla |
FileDescription: | Firefox |
FileVersion: | 18.05 |
InternalName: | 7zS.sfx |
LegalCopyright: | Mozilla |
OriginalFilename: | 7zS.sfx.exe |
ProductName: | Firefox |
ProductVersion: | 18.05 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000F0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 3 |
Time date stamp: | 30-Aug-2018 22:18:33 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
UPX0 | 0x00001000 | 0x00024000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
UPX1 | 0x00025000 | 0x00010000 | 0x0000F600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.89699 |
.rsrc | 0x00035000 | 0x00010000 | 0x0000F200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.39743 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.38843 | 1365 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 5.28933 | 5160 | UNKNOWN | English - United States | RT_ICON |
3 | 5.05971 | 11560 | UNKNOWN | English - United States | RT_ICON |
4 | 7.98148 | 40620 | UNKNOWN | English - United States | RT_ICON |
5 | 6.59467 | 136 | UNKNOWN | English - United States | RT_STRING |
97 | 6.89291 | 184 | UNKNOWN | English - United States | RT_DIALOG |
188 | 6.06482 | 84 | UNKNOWN | English - United States | RT_STRING |
207 | 5.46967 | 52 | UNKNOWN | English - United States | RT_STRING |
KERNEL32.DLL |
MSVCRT.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2940 | "C:\Users\admin\AppData\Local\Temp\Firefox Installer.de.exe" | C:\Users\admin\AppData\Local\Temp\Firefox Installer.de.exe | explorer.exe | |
User: admin Company: Mozilla Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 18.05 | ||||
3904 | .\setup-stub.exe | C:\Users\admin\AppData\Local\Temp\7zSC7BF5EB9\setup-stub.exe | Firefox Installer.de.exe | |
User: admin Company: mozilla.org Integrity Level: MEDIUM Description: Firefox Nightly Installer Exit code: 0 Version: 67.0a1 | ||||
3784 | "C:\Users\admin\AppData\Local\Temp\7zSC7BF5EB9\setup-stub.exe" /UAC:5010E /NCRC | C:\Users\admin\AppData\Local\Temp\7zSC7BF5EB9\setup-stub.exe | setup-stub.exe | |
User: admin Company: mozilla.org Integrity Level: HIGH Description: Firefox Nightly Installer Exit code: 0 Version: 67.0a1 | ||||
3352 | "C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\download.exe" /LaunchedFromStub /INI=C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\config.ini | C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\download.exe | setup-stub.exe | |
User: admin Company: Mozilla Integrity Level: HIGH Description: Firefox Exit code: 0 Version: 18.05 | ||||
3224 | .\setup.exe /LaunchedFromStub /INI=C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\config.ini | C:\Users\admin\AppData\Local\Temp\7zS81D83AE9\setup.exe | download.exe | |
User: admin Company: mozilla.org Integrity Level: HIGH Description: Firefox Nightly Installer Exit code: 0 Version: 67.0a1 | ||||
2332 | "C:\Users\admin\AppData\Local\Temp\nsiEBED.tmp\nsF5A3.tmp" "C:\Program Files\Firefox Nightly\maintenanceservice_installer.exe" | C:\Users\admin\AppData\Local\Temp\nsiEBED.tmp\nsF5A3.tmp | — | setup.exe |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3040 | "C:\Program Files\Firefox Nightly\maintenanceservice_installer.exe" | C:\Program Files\Firefox Nightly\maintenanceservice_installer.exe | nsF5A3.tmp | |
User: admin Company: Mozilla Corporation Integrity Level: HIGH Description: Mozilla Maintenance Service Installer Exit code: 0 Version: 67.0a1 | ||||
2120 | "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" install | C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe | — | maintenanceservice_installer.exe |
User: admin Company: Mozilla Foundation Integrity Level: HIGH Exit code: 0 Version: 67.0a1 | ||||
400 | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 | C:\Windows\System32\csrss.exe | — | — |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Client Server Runtime Process Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2324 | "C:\Program Files\Firefox Nightly\firefox.exe" | C:\Program Files\Firefox Nightly\firefox.exe | — | setup-stub.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Nightly Exit code: 0 Version: 67.0a1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3784 | setup-stub.exe | C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\download.exe | — | |
MD5:— | SHA256:— | |||
3784 | setup-stub.exe | C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\bgstub_2x.jpg | image | |
MD5:E6B3252C0722A72DC6EC9DBD8E50E6FA | SHA256:4736734F8D6C0671B22FF75706D639ABB3B9DE2B111CF3843C91983F6C19AF79 | |||
3784 | setup-stub.exe | C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\InetBgDL.dll | executable | |
MD5:73A0BEC837004BC5AE5CD0A5B0D3BCF8 | SHA256:0DD38281A824298100B2BC89EE5B8A5C9CD9EC7A3B051DFF42037A891FA7C534 | |||
3784 | setup-stub.exe | C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\bgstub.jpg | image | |
MD5:B5C054D2CEB21424777CF0A5A665DBC5 | SHA256:D756B51AE5EB99CDDAEE671A202F73C7F56CEB43C936B1856BD434E90B207EA7 | |||
2940 | Firefox Installer.de.exe | C:\Users\admin\AppData\Local\Temp\7zSC7BF5EB9\setup-stub.exe | executable | |
MD5:23827AE7E1FECACAE78362396ED556C8 | SHA256:6D95A9593BC4726556535C177C8E7F9BE120BF6A195D4CDFC15FB49C29E718C0 | |||
3784 | setup-stub.exe | C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\config.ini | text | |
MD5:63A63D35CF97699B161B8E1E20916731 | SHA256:CF54A33781B1E2E6CAAE72E3F63297BC9172279BB5F991A16AC0919A87C90A4D | |||
3352 | download.exe | C:\Users\admin\AppData\Local\Temp\7zS81D83AE9\core\AccessibleHandler.dll | executable | |
MD5:8EDBAF9B320D6812C7385B18B08565A0 | SHA256:5D0CEFA4CF46CA22443BAD43F877943939DBEBA8A3F77F6BE5C3CB624E2089E0 | |||
3352 | download.exe | C:\Users\admin\AppData\Local\Temp\7zS81D83AE9\core\AccessibleMarshal.dll | executable | |
MD5:15634E1732860958E6F331011D504A84 | SHA256:11D6729A2AE74E7A4EFE0DFBE466B555B3FEE0B999A685023F5C4DF16ADC969A | |||
3784 | setup-stub.exe | C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\System.dll | executable | |
MD5:17ED1C86BD67E78ADE4712BE48A7D2BD | SHA256:BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB | |||
3784 | setup-stub.exe | C:\Users\admin\AppData\Local\Temp\nsb9988.tmp\nsDialogs.dll | executable | |
MD5:42B064366F780C1F298FA3CB3AEAE260 | SHA256:C13104552B8B553159F50F6E2CA45114493397A6FA4BF2CBB960C4A2BBD349AB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3784 | setup-stub.exe | GET | 200 | 52.42.67.12:80 | http://download-stats.mozilla.org/stub/v8/nightly/nightly/de/0/0/6/1/7601/1/0/0/2/0/45173704/45173704/0/0/13/13/0/0/22/2/0/0/1/0/0/67.0a1/20190210094433/1/1/0/3/13.32.221.111/campaign%3D%2528not%2Bset%2529%26content%3D%2528not%2Bset%2529%26medium%3D%2528none%2529%26source%3Dwww.mozilla.org/0/0 | US | — | — | whitelisted |
2300 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2300 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2300 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2300 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2300 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2300 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
2300 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
2300 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
2300 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3784 | setup-stub.exe | 52.5.199.146:443 | download.mozilla.org | Amazon.com, Inc. | US | unknown |
3784 | setup-stub.exe | 52.42.67.12:80 | download-stats.mozilla.org | Amazon.com, Inc. | US | unknown |
3784 | setup-stub.exe | 13.32.221.111:443 | download-installer.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
2300 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2300 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2300 | firefox.exe | 34.215.11.207:443 | accounts.firefox.com | Amazon.com, Inc. | US | unknown |
2300 | firefox.exe | 52.18.148.152:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown |
2300 | firefox.exe | 52.89.32.107:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2300 | firefox.exe | 104.16.40.2:443 | www.mozilla.org | Cloudflare Inc | US | shared |
2300 | firefox.exe | 13.32.159.252:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
download.mozilla.org |
| whitelisted |
download-installer.cdn.mozilla.net |
| whitelisted |
download-stats.mozilla.org |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
detectportal.firefox.com |
| whitelisted |
locprod1-elb-eu-west-1.prod.mozaws.net |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
www.mozilla.org |
| whitelisted |
www.mozilla.org.cdn.cloudflare.net |
| whitelisted |
ocsp.digicert.com |
| whitelisted |