analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://poker.williamhill.com/

Full analysis: https://app.any.run/tasks/f889528f-b343-482d-a2a3-60f07b5859d4
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: July 18, 2019, 10:39:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
adware
Indicators:
MD5:

6581A6C3482EA0C5B014D6D0A7A43475

SHA1:

44857C2463ABE9C7FFF832B0E55751CDA5FFF866

SHA256:

D72A98A704A5857B48D4C36BD03910A4D6D053CDE4C14FF03A6A40409BBA8EEA

SSDEEP:

3:N8OzS1byR:2OzSu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SetupPoker.exe (PID: 1512)
      • internalSetupPoker.exe (PID: 3488)
    • Connects to CnC server

      • internalSetupPoker.exe (PID: 3488)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SetupPoker.exe (PID: 1512)
      • firefox.exe (PID: 3872)
    • Reads Internet Cache Settings

      • internalSetupPoker.exe (PID: 3488)
    • Creates files in the user directory

      • internalSetupPoker.exe (PID: 3488)
    • Reads internet explorer settings

      • internalSetupPoker.exe (PID: 3488)
    • Starts CMD.EXE for commands execution

      • internalSetupPoker.exe (PID: 3488)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 3872)
    • Application launched itself

      • firefox.exe (PID: 3872)
    • Reads settings of System Certificates

      • firefox.exe (PID: 3872)
      • internalSetupPoker.exe (PID: 3488)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 3872)
    • Creates files in the user directory

      • firefox.exe (PID: 3872)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe setuppoker.exe internalsetuppoker.exe cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3872"C:\Program Files\Mozilla Firefox\firefox.exe" "https://poker.williamhill.com/"C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
2700"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3872.0.17354899\1886252546" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1172 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
3392"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3872.3.468614725\267735086" -childID 1 -isForBrowser -prefsHandle 1624 -prefMapHandle 1780 -prefsLen 1 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1756 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
2132"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3872.13.192589341\1795676904" -childID 2 -isForBrowser -prefsHandle 2560 -prefMapHandle 2564 -prefsLen 5842 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 2576 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
4056"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3872.20.2137051840\509319689" -childID 3 -isForBrowser -prefsHandle 3344 -prefMapHandle 3716 -prefsLen 6804 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 3584 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
1512"C:\Users\admin\Downloads\SetupPoker.exe" C:\Users\admin\Downloads\SetupPoker.exe
firefox.exe
User:
admin
Company:
William Hill Poker
Integrity Level:
MEDIUM
Description:
William Hill Poker Setup
Exit code:
0
Version:
1.1.1.35
3488C:\Users\admin\AppData\Local\Temp\nsbB043.tmp\internalSetupPoker.exe C:/Users/admin/AppData/Local/Temp/nsbB043.tmp /baseInstaller='C:/Users/admin/Downloads/SetupPoker.exe' /fallbackfolder='C:/Users/admin/AppData/Local/Temp/nsbB043.tmp/fallbackfiles/'C:\Users\admin\AppData\Local\Temp\nsbB043.tmp\internalSetupPoker.exe
SetupPoker.exe
User:
admin
Company:
William Hill Poker
Integrity Level:
MEDIUM
Description:
William Hill Poker
Exit code:
0
Version:
1.1.1.37
3624cmd /c ""C:\Users\admin\AppData\Local\Temp\3881.bat" "C:\Users\admin\AppData\Local\Temp\30580640042D44ED8DA58B4AEFC69B9D\""C:\Windows\system32\cmd.exeinternalSetupPoker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
1 779
Read events
1 723
Write events
55
Delete events
1

Modification events

(PID) Process:(3872) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
0000000000000000
(PID) Process:(3872) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3872) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000078000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3872) firefox.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3872) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3872) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3488) internalSetupPoker.exeKey:HKEY_CURRENT_USER\Software\PTECH\44
Operation:writeName:userid
Value:
B38142F32D264301BE64050A86A4B3AD
(PID) Process:(3488) internalSetupPoker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\internalSetupPoker_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3488) internalSetupPoker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\internalSetupPoker_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3488) internalSetupPoker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\internalSetupPoker_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
Executable files
6
Suspicious files
342
Text files
451
Unknown types
120

Dropped files

PID
Process
Filename
Type
3872firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.tmp
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
MD5:
SHA256:
3872firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dattext
MD5:37818D9B7248F34395C2DB3C0BD4B07F
SHA256:FF229E03D2AB696E81957957EA8D71280B5800A2B0F70EA77998C3FA4E98A8A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
63
TCP/UDP connections
201
DNS requests
319
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3872
firefox.exe
POST
52.49.163.13:80
http://ocsp.quovadisglobal.com/
IE
whitelisted
3872
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3872
firefox.exe
POST
200
52.49.163.13:80
http://ocsp.quovadisglobal.com/
IE
der
1.80 Kb
whitelisted
3872
firefox.exe
POST
52.49.163.13:80
http://ocsp.quovadisglobal.com/
IE
whitelisted
3872
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3872
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3872
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3872
firefox.exe
POST
200
172.217.23.163:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
3872
firefox.exe
POST
52.49.163.13:80
http://ocsp.quovadisglobal.com/
IE
whitelisted
3872
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3872
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3872
firefox.exe
52.11.30.237:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
3872
firefox.exe
52.210.139.31:443
location.services.mozilla.com
Amazon.com, Inc.
IE
malicious
52.49.163.13:80
ocsp.quovadisglobal.com
Amazon.com, Inc.
IE
unknown
3872
firefox.exe
52.85.183.185:443
poker.williamhill.com
Amazon.com, Inc.
US
unknown
3872
firefox.exe
95.100.39.8:80
detectportal.firefox.com
Akamai International B.V.
DE
whitelisted
3872
firefox.exe
54.192.202.51:443
snippets.cdn.mozilla.net
Amazon.com, Inc.
US
unknown
3872
firefox.exe
34.210.151.118:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
3872
firefox.exe
52.27.151.4:443
push.services.mozilla.com
Amazon.com, Inc.
US
unknown
3872
firefox.exe
172.217.22.106:443
ajax.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 95.100.39.8
  • 95.100.39.17
  • 2.16.186.50
  • 2.16.186.112
whitelisted
a1089.dscd.akamai.net
  • 95.100.39.17
  • 95.100.39.8
  • 2.16.186.112
  • 2.16.186.50
whitelisted
location.services.mozilla.com
  • 52.210.139.31
  • 108.128.247.43
  • 52.50.56.62
whitelisted
locprod1-elb-eu-west-1.prod.mozaws.net
  • 52.50.56.62
  • 108.128.247.43
  • 52.210.139.31
whitelisted
push.services.mozilla.com
  • 52.27.151.4
whitelisted
autopush.prod.mozaws.net
  • 52.27.151.4
whitelisted
tiles.services.mozilla.com
  • 34.210.151.118
  • 52.26.103.165
  • 35.166.166.56
  • 52.34.132.219
  • 52.25.71.236
  • 52.26.166.58
  • 52.27.87.181
  • 34.213.89.114
whitelisted
snippets.cdn.mozilla.net
  • 54.192.202.51
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
tiles.r53-2.services.mozilla.com
  • 34.213.89.114
  • 52.27.87.181
  • 52.26.166.58
  • 52.25.71.236
  • 52.34.132.219
  • 35.166.166.56
  • 52.26.103.165
  • 34.210.151.118
whitelisted

Threats

PID
Process
Class
Message
3488
internalSetupPoker.exe
A Network Trojan was detected
ET TROJAN Playtech Downloader Online Gaming Checkin
3488
internalSetupPoker.exe
Misc activity
ADWARE [PTsecurity] Win32/PlayTech.A
3488
internalSetupPoker.exe
Misc activity
ADWARE [PTsecurity] Win32/PlayTech.A
3488
internalSetupPoker.exe
Misc activity
ADWARE [PTsecurity] Win32/PlayTech.A
Process
Message
internalSetupPoker.exe
07/18/19 11:40:16 (15) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- WebInstallerGeneralLogSource -- CreateDirectoryRecurcive -- Created directory successfully: C:\Users\admin\AppData\Local\Temp\30580640042D44ED8DA58B4AEFC69B9D\
internalSetupPoker.exe
07/18/19 11:40:16 (15) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- WebInstallerMain -- createUserId -- new userId:B38142F32D264301BE64050A86A4B3AD
internalSetupPoker.exe
07/18/19 11:40:16 (46) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- ---------------------------------------------------------------------------------------- -- --
internalSetupPoker.exe
07/18/19 11:40:16 (46) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- -------------------------------- System Info ------------------------------------------- -- --
internalSetupPoker.exe
07/18/19 11:40:16 (46) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- ---------------------------------------------------------------------------------------- -- --
internalSetupPoker.exe
07/18/19 11:40:16 (46) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- OS(build) -- 7(7601) --
internalSetupPoker.exe
07/18/19 11:40:16 (46) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- OS Ver -- 6.1 (7601) --
internalSetupPoker.exe
07/18/19 11:40:16 (46) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- OS 64Bit -- False --
internalSetupPoker.exe
07/18/19 11:40:16 (46) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- Installer Version -- 1.1.1.37 --
internalSetupPoker.exe
07/18/19 11:40:16 (46) -- ProcessId: 3488, ThreadId: 2464 -- DebugLog -- Installer ID -- 44