URL:

http://www.cashcow.ai//blog/wp-content/uploads/2018/12/t_outpost_baselessly.html

Full analysis: https://app.any.run/tasks/7c0ec11e-80a8-4c51-8b45-e25c25383194
Verdict: Malicious activity
Analysis date: January 11, 2019, 10:42:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

1484C9495552C10B61FD21B53DA041E8

SHA1:

540322AA2D5A955647E10F320D73CFB92134E4F2

SHA256:

829C9E7B3443E76F11797DC3A1AC15EA7E58549AE66EFEDD60DF0ACCD0BA9C6B

SSDEEP:

3:N1KJS4aeUHJSOAQyXbcKyqszW4Qn:Cc4aeUHJSOAZLGN64Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2836)
      • firefox.exe (PID: 2824)
      • firefox.exe (PID: 2344)
      • firefox.exe (PID: 3760)
    • Application launched itself

      • firefox.exe (PID: 2824)
    • Creates files in the user directory

      • firefox.exe (PID: 2824)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 33
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start > firefox.exe (PID 2824) > firefox.exe (PID 2344), firefox.exe (PID 2836), firefox.exe (PID 3760)

Process information

PID: 2824
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.cashcow.ai//blog/wp-content/uploads/2018/12/t_outpost_baselessly.html
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 61.0.2

PID: 2344
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2824.0.225485574\371004064" -childID 1 -isForBrowser -prefsHandle 1384 -prefsLen 8310 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2824 "\\.\pipe\gecko-crash-server-pipe.2824" 1460 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 2836
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2824.6.263999787\315336976" -childID 2 -isForBrowser -prefsHandle 2340 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2824 "\\.\pipe\gecko-crash-server-pipe.2824" 2480 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2

PID: 3760
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2824.12.764734604\756071981" -childID 3 -isForBrowser -prefsHandle 2980 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2824 "\\.\pipe\gecko-crash-server-pipe.2824" 2992 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 61.0.2
Total events: 574
Read events: 572
Write events: 2
Delete events: 0

Modification events

(PID) Process: (2824) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2824) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
Executable files: 0
Suspicious files: 59
Text files: 15
Unknown types: 35

Dropped files (all written by PID 2824, firefox.exe)

  • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
    MD5:
    SHA256:
  • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
    MD5:
    SHA256:
  • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
    MD5:
    SHA256:
  • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
    MD5:
    SHA256:
  • C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js (type: text)
    MD5: E1E2E5A660A8A86956B472905FE1049A
    SHA256: 2F3F680B0088BBA211E36FBA3A8E5AE071E1E8B2FE0A2AA735F081E8BCF8F48D
  • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin (type: binary)
    MD5: 707C12070C52E55C2A996AC15E219B95
    SHA256: 6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9
  • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\04DADB58A3F6E90C4E782FD44982452BEEA2FDAB (type: der)
    MD5: D27F878D07C232AA61BCFE01CCC4C8D1
    SHA256: E6FC8AC971CDC49D023F5C60883A58F8C66BB7E819163AFE71279D6F2E5C4BDD
  • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\doomed\13839 (type: binary)
    MD5: 2B47F318FDCFABF9B88818D1F266B6CA
    SHA256: 552E9205F11D8BED37E6D3C068CD7393893CACAE4F21D922E895FB26B3191A54
  • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\3D99BC163C0765C725B78828AD06970AD4127FBA (type: compressed)
    MD5: 49566AEEC6D1DBEF485033B8DEB074A8
    SHA256: 975775A72C31B845015B455A32595659E2CC22FC19FAD1C05A03AA535D72AD8D
  • C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.sbstore (type: binary)
    MD5: C921D8E98FA01B4F303481E112202E92
    SHA256: 4EF1038730EC8BC7206713C29A936768831B922C5E6C83355FD62D7401D8C1DC
HTTP(S) requests: 16
TCP/UDP connections: 26
DNS requests: 69
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2824 | firefox.exe | GET | 403 | 198.134.112.243:80 | http://terraclicks.com/anonymous/ | US | - | - | whitelisted
2824 | firefox.exe | GET | 200 | 198.134.112.243:80 | http://terraclicks.com/favicon.ico | US | - | - | whitelisted
2824 | firefox.exe | GET | - | 198.134.112.243:80 | http://terraclicks.com/favicon.ico | US | - | - | whitelisted
2824 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2824 | firefox.exe | GET | 200 | 185.143.221.14:80 | http://185.143.221.14/index.php?key=0xxzRlxAJalMPUvptVh1vG9UFk3MF4T9 | unknown | html | 705 b | suspicious
2824 | firefox.exe | GET | 404 | 35.154.9.197:80 | http://www.cashcow.ai/favicon.ico | IN | html | 289 b | malicious
2824 | firefox.exe | GET | 200 | 35.154.9.197:80 | http://www.cashcow.ai//blog/wp-content/uploads/2018/12/t_outpost_baselessly.html | IN | html | 2.17 Kb | malicious
2824 | firefox.exe | POST | 200 | 172.217.22.78:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted
2824 | firefox.exe | POST | 200 | 195.138.255.17:80 | http://ocsp.int-x3.letsencrypt.org/ | DE | der | 527 b | whitelisted
2824 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2824 | firefox.exe | 172.217.22.78:80 | www3.l.google.com | Google Inc. | US | whitelisted
2824 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2824 | firefox.exe | 52.35.21.241:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown
2824 | firefox.exe | 216.58.210.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2824 | firefox.exe | 35.154.9.197:80 | www.cashcow.ai | Amazon.com, Inc. | IN | malicious
2824 | firefox.exe | 52.10.130.148:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
2824 | firefox.exe | 134.249.116.78:80 | - | Kyivstar PJSC | UA | suspicious
2824 | firefox.exe | 52.89.32.107:443 | search.r53-2.services.mozilla.com | Amazon.com, Inc. | US | unknown
2824 | firefox.exe | 52.222.150.204:443 | tracking-protection.cdn.mozilla.net | Amazon.com, Inc. | US | unknown
2824 | firefox.exe | 185.143.221.14:80 | - | - | - | suspicious

DNS requests

Domain
IP
Reputation
www.cashcow.ai
  • 35.154.9.197
  • 35.154.147.98
malicious
detectportal.firefox.com
  • 104.107.216.187
  • 104.107.216.169
whitelisted
livelb-154770235.ap-south-1.elb.amazonaws.com
  • 35.154.147.98
  • 35.154.9.197
malicious
a1089.dscd.akamai.net
  • 104.107.216.169
  • 104.107.216.187
whitelisted
search.r53-2.services.mozilla.com
  • 34.216.89.123
  • 52.27.184.151
  • 52.89.32.107
whitelisted
search.services.mozilla.com
  • 52.89.32.107
  • 52.27.184.151
  • 34.216.89.123
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted
tiles.services.mozilla.com
  • 52.10.130.148
  • 34.215.13.51
  • 35.166.45.24
  • 52.34.107.172
  • 34.209.108.219
  • 52.25.70.97
  • 52.39.131.77
  • 34.216.156.21
whitelisted
tiles.r53-2.services.mozilla.com
  • 34.216.156.21
  • 52.39.131.77
  • 52.25.70.97
  • 34.209.108.219
  • 52.34.107.172
  • 35.166.45.24
  • 34.215.13.51
  • 52.10.130.148
whitelisted

Threats

PID: 2824
Process: firefox.exe
Class: A Network Trojan was detected
Message: MALWARE [PTsecurity] Malicious Redirect URL
No debug info