URL: | https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Cryptowall/Ransomware.Cryptowall.zip?raw=true |
Full analysis: | https://app.any.run/tasks/f92e8d6d-894f-424a-a98e-20ae2a1e5455 |
Verdict: | Malicious activity |
Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
Analysis date: | January 14, 2022, 21:11:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 1C2DF4ACD4C5C0715EF0252B698FD6B6 |
SHA1: | 9873878ED48B2E0AD25889232E0EEB243BF468A2 |
SHA256: | E38FCFEBD4D0DC3922AF8069B71D3F87D3B259DD4FD59B0C9B5CA4714F4E5A2A |
SSDEEP: | 3:N8tEdsxHuJKqIEHDhzzu5c7K5E31z5c7K5FfDUj:2u6tuJKz+By5cOaFz5cO7DUj |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
880 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Cryptowall/Ransomware.Cryptowall.zip?raw=true" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3904 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Cryptowall/Ransomware.Cryptowall.zip?raw=true | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
2404 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.0.499002023\258823247" -parentBuildID 20201112153044 -prefsHandle 1144 -prefMapHandle 1136 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 1216 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 1 Version: 83.0 Modules
| |||||||||||||||
868 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.6.2122202073\9987182" -childID 1 -isForBrowser -prefsHandle 3004 -prefMapHandle 3000 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 3016 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3424 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.13.843543187\270927113" -childID 2 -isForBrowser -prefsHandle 2212 -prefMapHandle 2232 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 2168 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
2808 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.20.1615068559\870576500" -childID 3 -isForBrowser -prefsHandle 3480 -prefMapHandle 3472 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 3512 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3872 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3904.27.604004350\685509159" -childID 4 -isForBrowser -prefsHandle 3780 -prefMapHandle 1692 -prefsLen 7638 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3904 "\\.\pipe\gecko-crash-server-pipe.3904" 3792 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3036 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ransomware.Cryptowall.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
1632 | "C:\Users\admin\Desktop\cryptowall.bin.exe" | C:\Users\admin\Desktop\cryptowall.bin.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
2896 | "C:\Users\admin\Desktop\cryptowall.bin.exe" | C:\Users\admin\Desktop\cryptowall.bin.exe | — | cryptowall.bin.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
|
(PID) Process: | (880) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: CABCBA075D010000 | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: EDC4BA075D010000 | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 0 | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableTelemetry |
Value: 1 | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent |
Value: 0 | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|ServicesSettingsServer |
Value: https://firefox.settings.services.mozilla.com/v1 | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash |
Value: 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3904) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3904 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
3904 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
3904 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | |
MD5:617E94164ABA9B4BBA5626338358197D | SHA256:1D57170AE5D05D711C14C0AFAD022B5F044D4348EBFF778F7FC975EF5231E24D | |||
3904 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | text | |
MD5:617E94164ABA9B4BBA5626338358197D | SHA256:1D57170AE5D05D711C14C0AFAD022B5F044D4348EBFF778F7FC975EF5231E24D | |||
3904 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary | |
MD5:98BB2A9D15359389D682CF8367064407 | SHA256:8BAF1B57A1AC6A06E97B4F9519F535E1CB4FD475E8DEA68643770C6F80E7741F | |||
3904 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:994A33896BB41A278A315D0D796422B6 | SHA256:54EC50A20FFF8CC016710E49437CF6A11D3FE5EE7B28C185E4A9AAFEE2908B63 | |||
3904 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_hYpRifUULnavPMG | binary | |
MD5:33EA878F52612BC48470BD6A19770B4D | SHA256:CB7FB6CA811DC7872F2FEDDFA43CAD4EB87BB7DC20E1CA98F53CCA0555BAE88E | |||
3904 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\settings\main\ms-language-packs\asrouter.ftl.tmp | text | |
MD5:3625F1DDA6D119478AD89D13950C9ACA | SHA256:CB40F6A8D58901D612A86690A41D4E273F24936FC926E98F82C0918CBEF4FC64 | |||
3904 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3904 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3904 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
508 | svchost.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D | US | der | 724 b | whitelisted |
3904 | firefox.exe | POST | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3904 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
508 | svchost.exe | GET | 302 | 34.117.59.81:80 | http://myexternalip.com/raw | US | text | 50 b | shared |
3904 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted |
508 | svchost.exe | POST | — | 94.247.31.19:8080 | http://proxy1-1-1.i2p/wtobdk0a3e1izo | ES | — | — | malicious |
508 | svchost.exe | GET | — | 184.106.112.172:80 | http://curlmyip.com/ | US | — | — | malicious |
508 | svchost.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gts1d4/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSMBFDqU0NJQdZdEGU3bkhj0FoRrQQUJeIYDrJXkZQq5dRdhpCD3lOzuJICEQDiOJGRlIYAiAoAAAABKkNX | US | der | 472 b | whitelisted |
508 | svchost.exe | POST | — | 94.247.31.19:8080 | http://proxy2-2-2.i2p/3w4hxy7uoq0lv7 | ES | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3904 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
3904 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3904 | firefox.exe | 142.250.74.202:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3904 | firefox.exe | 140.82.121.4:443 | github.com | — | US | malicious |
3904 | firefox.exe | 13.32.121.7:443 | firefox.settings.services.mozilla.com | Amazon.com, Inc. | US | suspicious |
3904 | firefox.exe | 35.163.137.0:443 | location.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3904 | firefox.exe | 44.239.15.106:443 | push.services.mozilla.com | University of California, San Diego | US | unknown |
3904 | firefox.exe | 185.199.108.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious |
3904 | firefox.exe | 142.250.185.110:443 | www.youtube.com | Google Inc. | US | whitelisted |
3904 | firefox.exe | 13.32.121.113:443 | content-signature-2.cdn.mozilla.net | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
github.com |
| shared |
firefox.settings.services.mozilla.com |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod2-elb-us-west-2.prod.mozaws.net |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
push.services.mozilla.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3904 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3904 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
508 | svchost.exe | A Network Trojan was detected | ET POLICY Possible IP Check ip-addr.es |
508 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY External IP Check myexternalip.com |
508 | svchost.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (myexternalip .com in TLS SNI) |
508 | svchost.exe | A Network Trojan was detected | ET TROJAN CryptoWall Check-in |
508 | svchost.exe | A Network Trojan was detected | ET TROJAN CryptoWall CryptoWall 3.0 Check-in |
508 | svchost.exe | A Network Trojan was detected | ET TROJAN CryptoWall Check-in |
508 | svchost.exe | A Network Trojan was detected | ET TROJAN CryptoWall CryptoWall 3.0 Check-in |
508 | svchost.exe | A Network Trojan was detected | ET POLICY Possible IP Check ip-addr.es |