URL: | http://www.acu.ac.th/acu_tuf/acu/[email protected] |
Full analysis: | https://app.any.run/tasks/af174687-7183-4f40-9319-57069359cf81 |
Verdict: | Malicious activity |
Analysis date: | February 11, 2019, 10:21:59 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 4EEF1F9CB262153C257B4C27A532820E |
SHA1: | AD95945F037CE7B90B25618F789A46719258E1C5 |
SHA256: | AC5BD99FDEF025169AE77D380FC0FE6585D0CED895084963D18EBB13565642D9 |
SSDEEP: | 3:N1KJS4IzLRpGJWqXjn1SJ4NTLC/lm9MAn:Cc4Iba9zsJ4Ni/k |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2844 | "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.acu.ac.th/acu_tuf/acu/[email protected] | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 61.0.2 Modules
| |||||||||||||||
2336 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.0.225485574\371004064" -childID 1 -isForBrowser -prefsHandle 1456 -prefsLen 8310 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 1332 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 Modules
| |||||||||||||||
3044 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.6.717442892\315336976" -childID 2 -isForBrowser -prefsHandle 2336 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 2416 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 Modules
| |||||||||||||||
3672 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.12.698285912\625958214" -childID 3 -isForBrowser -prefsHandle 2800 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 2880 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 Modules
| |||||||||||||||
1044 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2844.18.1862465607\1584066111" -childID 4 -isForBrowser -prefsHandle 1704 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2844 "\\.\pipe\gecko-crash-server-pipe.2844" 3172 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 61.0.2 Modules
|
(PID) Process: | (2844) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2844) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
(PID) Process: | (2844) firefox.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US |
PID | Process | Filename | Type | |
---|---|---|---|---|
2844 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.pset | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.sbstore | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.pset | — | |
MD5:— | SHA256:— | |||
2844 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2844 | firefox.exe | GET | 200 | 62.240.36.58:80 | http://cos.ly/pdfview/securedoc.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&[email protected]&.rand=13InboxLight.aspx?n=1774256418&fid=4 | LY | html | 5.02 Kb | malicious |
2844 | firefox.exe | GET | 200 | 62.240.36.58:80 | http://cos.ly/pdfview/securedoc_files/jquery-1.4.4.min.js.download | LY | html | 355 b | malicious |
2844 | firefox.exe | GET | 200 | 62.240.36.58:80 | http://cos.ly/pdfview/[email protected] | LY | html | 5.28 Kb | malicious |
2844 | firefox.exe | POST | 302 | 62.240.36.58:80 | http://cos.ly/pdfview/proceeds.php | LY | — | — | malicious |
2844 | firefox.exe | GET | 200 | 62.240.36.58:80 | http://cos.ly/pdfview/securedoc_files/logo-adobe-pdf.jpg | LY | image | 11.0 Kb | malicious |
2844 | firefox.exe | GET | 200 | 62.240.36.58:80 | http://cos.ly/pdfview/securedoc.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&[email protected]&.rand=13InboxLight.aspx?n=1774256418&fid=4 | LY | html | 5.02 Kb | malicious |
2844 | firefox.exe | GET | 200 | 62.240.36.58:80 | http://cos.ly/pdfview/securedoc_files/icon-lock-circle.svg | LY | image | 1.26 Kb | malicious |
2844 | firefox.exe | GET | 200 | 62.240.36.58:80 | http://cos.ly/pdfview/securedoc_files/jquery.h5validate.js.download | LY | html | 356 b | malicious |
2844 | firefox.exe | POST | 302 | 62.240.36.58:80 | http://cos.ly/pdfview/proceed.php | LY | — | — | malicious |
2844 | firefox.exe | POST | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2844 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2844 | firefox.exe | 52.25.70.97:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2844 | firefox.exe | 110.164.58.67:80 | www.acu.ac.th | Triple T Internet/Triple T Broadband | TH | unknown |
2844 | firefox.exe | 172.217.16.202:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2844 | firefox.exe | 172.217.16.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2844 | firefox.exe | 52.89.32.107:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2844 | firefox.exe | 13.35.253.94:443 | tracking-protection.cdn.mozilla.net | — | US | suspicious |
2844 | firefox.exe | 34.251.59.153:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown |
2844 | firefox.exe | 62.240.36.58:80 | cos.ly | GPTC Autonomous System, Tripoli Libya | LY | malicious |
2844 | firefox.exe | 104.111.215.61:443 | i.pinimg.com | Akamai International B.V. | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
www.acu.ac.th |
| unknown |
tiles.services.mozilla.com |
| whitelisted |
tiles.r53-2.services.mozilla.com |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
cos.ly |
| malicious |
ocsp.pki.goog |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2844 | firefox.exe | A Network Trojan was detected | MALWARE [PTsecurity] Adobe PDF Phishing Landing |
2844 | firefox.exe | A Network Trojan was detected | MALWARE [PTsecurity] Adobe PDF Phishing Landing |