analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.acu.ac.th/acu_tuf/acu/[email protected]

Full analysis: https://app.any.run/tasks/af174687-7183-4f40-9319-57069359cf81
Verdict: Malicious activity
Analysis date: February 11, 2019, 10:21:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
phishing
Indicators:
MD5:

4EEF1F9CB262153C257B4C27A532820E

SHA1:

AD95945F037CE7B90B25618F789A46719258E1C5

SHA256:

AC5BD99FDEF025169AE77D380FC0FE6585D0CED895084963D18EBB13565642D9

SSDEEP:

3:N1KJS4IzLRpGJWqXjn1SJ4NTLC/lm9MAn:Cc4Iba9zsJ4Ni/k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2844)
      • firefox.exe (PID: 2336)
      • firefox.exe (PID: 3044)
      • firefox.exe (PID: 1044)
      • firefox.exe (PID: 3672)

    • Application launched itself

      • firefox.exe (PID: 2844)

    • Creates files in the user directory

      • firefox.exe (PID: 2844)

    • Reads settings of System Certificates

      • firefox.exe (PID: 2844)

    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
5
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
2844"C:\Program Files\Mozilla Firefox\firefox.exe" http://www.acu.ac.th/acu_tuf/acu/[email protected]C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
2336"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.0.225485574\371004064" -childID 1 -isForBrowser -prefsHandle 1456 -prefsLen 8310 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 1332 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
3044"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.6.717442892\315336976" -childID 2 -isForBrowser -prefsHandle 2336 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 2416 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
3672"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.12.698285912\625958214" -childID 3 -isForBrowser -prefsHandle 2800 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 2880 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
1044"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.18.1862465607\1584066111" -childID 4 -isForBrowser -prefsHandle 1704 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 3172 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
Total events
260
Read events
248
Write events
12
Delete events
0

Modification events

(PID) Process:(2844) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2844) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2844) firefox.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
Executable files
0
Suspicious files
80
Text files
28
Unknown types
103

Dropped files

PID
Process
Filename
Type
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.pset
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.sbstore
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.pset
MD5:
SHA256:
2844firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
34
DNS requests
93
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2844
firefox.exe
GET
200
62.240.36.58:80
http://cos.ly/pdfview/securedoc.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&[email protected]&.rand=13InboxLight.aspx?n=1774256418&fid=4
LY
html
5.02 Kb
malicious
2844
firefox.exe
GET
200
62.240.36.58:80
http://cos.ly/pdfview/securedoc_files/jquery-1.4.4.min.js.download
LY
html
355 b
malicious
2844
firefox.exe
GET
200
62.240.36.58:80
http://cos.ly/pdfview/[email protected]
LY
html
5.28 Kb
malicious
2844
firefox.exe
POST
302
62.240.36.58:80
http://cos.ly/pdfview/proceeds.php
LY
malicious
2844
firefox.exe
GET
200
62.240.36.58:80
http://cos.ly/pdfview/securedoc_files/logo-adobe-pdf.jpg
LY
image
11.0 Kb
malicious
2844
firefox.exe
GET
200
62.240.36.58:80
http://cos.ly/pdfview/securedoc.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&[email protected]&.rand=13InboxLight.aspx?n=1774256418&fid=4
LY
html
5.02 Kb
malicious
2844
firefox.exe
GET
200
62.240.36.58:80
http://cos.ly/pdfview/securedoc_files/icon-lock-circle.svg
LY
image
1.26 Kb
malicious
2844
firefox.exe
GET
200
62.240.36.58:80
http://cos.ly/pdfview/securedoc_files/jquery.h5validate.js.download
LY
html
356 b
malicious
2844
firefox.exe
POST
302
62.240.36.58:80
http://cos.ly/pdfview/proceed.php
LY
malicious
2844
firefox.exe
POST
200
172.217.16.131:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2844
firefox.exe
2.16.186.112:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
2844
firefox.exe
52.25.70.97:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
2844
firefox.exe
110.164.58.67:80
www.acu.ac.th
Triple T Internet/Triple T Broadband
TH
unknown
2844
firefox.exe
172.217.16.202:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2844
firefox.exe
172.217.16.131:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2844
firefox.exe
52.89.32.107:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2844
firefox.exe
13.35.253.94:443
tracking-protection.cdn.mozilla.net
US
suspicious
2844
firefox.exe
34.251.59.153:443
location.services.mozilla.com
Amazon.com, Inc.
IE
unknown
2844
firefox.exe
62.240.36.58:80
cos.ly
GPTC Autonomous System, Tripoli Libya
LY
malicious
2844
firefox.exe
104.111.215.61:443
i.pinimg.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 2.16.186.112
  • 2.16.186.50
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.50
  • 2.16.186.112
whitelisted
www.acu.ac.th
  • 110.164.58.67
unknown
tiles.services.mozilla.com
  • 52.25.70.97
  • 52.88.30.0
  • 54.186.163.246
  • 52.34.107.172
  • 52.26.103.165
  • 52.43.40.243
  • 52.41.78.152
  • 52.39.131.77
  • 34.208.7.98
  • 34.209.108.219
  • 34.208.103.195
  • 54.187.46.234
  • 35.160.41.125
whitelisted
tiles.r53-2.services.mozilla.com
  • 52.39.131.77
  • 52.41.78.152
  • 52.43.40.243
  • 52.26.103.165
  • 52.34.107.172
  • 54.186.163.246
  • 52.88.30.0
  • 52.25.70.97
  • 35.160.41.125
whitelisted
search.services.mozilla.com
  • 52.89.32.107
  • 52.27.184.151
  • 34.216.89.123
whitelisted
search.r53-2.services.mozilla.com
  • 34.216.89.123
  • 52.89.32.107
  • 52.27.184.151
whitelisted
safebrowsing.googleapis.com
  • 172.217.16.202
whitelisted
cos.ly
  • 62.240.36.58
malicious
ocsp.pki.goog
  • 172.217.16.131
whitelisted

Threats

PID
Process
Class
Message
2844
firefox.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adobe PDF Phishing Landing
2844
firefox.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adobe PDF Phishing Landing
1 ETPRO signatures available at the full report
No debug info