URL: | https://github.com/ytisf/theZoo/blob/master/malware/Binaries/VBS.LoveLetter/VBS.LoveLetter.zip?raw=true |
Full analysis: | https://app.any.run/tasks/6e94d9d3-1eed-4337-b01a-6dfe776bbbba |
Verdict: | Malicious activity |
Analysis date: | January 14, 2022, 21:15:45 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 64096E4A8C7CD9CFE3E1C836E5FCF0C0 |
SHA1: | 2163E2B0CB6535A45DA86A431A1331B730306034 |
SHA256: | E619D680824F0B97516DCEA48C30358103B4ED0E208C9A896B56938F3AF78B11 |
SSDEEP: | 3:N8tEdsxHuJKqIEHDhzzJkTnRZTTnRYkwXEj:2u6tuJKz+B0nHnOkwUj |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2152 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/VBS.LoveLetter/VBS.LoveLetter.zip?raw=true" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3548 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/ytisf/theZoo/blob/master/malware/Binaries/VBS.LoveLetter/VBS.LoveLetter.zip?raw=true | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2176 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.0.1788581737\1450600332" -parentBuildID 20201112153044 -prefsHandle 820 -prefMapHandle 1136 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 1212 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2964 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.6.1040900307\760295890" -childID 1 -isForBrowser -prefsHandle 2692 -prefMapHandle 2688 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 2704 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
3932 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.13.684717385\757885265" -childID 2 -isForBrowser -prefsHandle 3016 -prefMapHandle 3012 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 3028 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
1864 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.20.1771444790\289226261" -childID 3 -isForBrowser -prefsHandle 3484 -prefMapHandle 3476 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 3480 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
2620 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.21.1940623927\1957833002" -childID 4 -isForBrowser -prefsHandle 3500 -prefMapHandle 3112 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 3528 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
2056 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.22.144875186\1172631201" -childID 5 -isForBrowser -prefsHandle 3636 -prefMapHandle 3548 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 3616 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2700 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3548.41.337711223\1621509513" -childID 6 -isForBrowser -prefsHandle 3940 -prefMapHandle 3636 -prefsLen 7378 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3548 "\\.\pipe\gecko-crash-server-pipe.3548" 3700 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2660 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\VBS.LoveLetter.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
|
(PID) Process: | (2152) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: FFD2744A29000000 | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 6FDB744A29000000 | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 0 | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableTelemetry |
Value: 1 | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent |
Value: 0 | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|ServicesSettingsServer |
Value: https://firefox.settings.services.mozilla.com/v1 | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash |
Value: 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3548) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3548 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
3548 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
3548 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_pMu1xartqOwGXpG | binary | |
MD5:351821E41EC0086E5EE4B40B74B78C7C | SHA256:7D0661D8684356385C846B65461F3E45C1F187264BC7C9AF978218FCA02FC8B8 | |||
3548 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary | |
MD5:DD8BEF675B2E01C2C96BA933BD7BE50D | SHA256:04056F638F5491C56D142FADC3B018950B3E036464087D6F2DDD53CD125107AB | |||
3548 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
3548 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | jsonlz4 | |
MD5:B17F8D93B0C43D6B72DC03752C20A2D9 | SHA256:ADA0F70D374223FB63C2F19471FAB45D986A681E2485692E63F00F5071F19D76 | |||
3548 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | text | |
MD5:299A2B747C11E4BDA194E563FEA4A699 | SHA256:94EE461F62E8B4A0A65471A41E10C8C56722B73C0A019D76ACA7F5BAF109813E | |||
3548 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\settings\main\ms-language-packs\asrouter.ftl | text | |
MD5:3625F1DDA6D119478AD89D13950C9ACA | SHA256:CB40F6A8D58901D612A86690A41D4E273F24936FC926E98F82C0918CBEF4FC64 | |||
3548 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3548 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3548 | firefox.exe | POST | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
3548 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3548 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2876 | OUTLOOK.EXE | GET | — | 64.4.26.155:80 | http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig | US | — | — | whitelisted |
3548 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3548 | firefox.exe | POST | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3548 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 278 b | whitelisted |
3548 | firefox.exe | POST | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3548 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted |
3548 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3548 | firefox.exe | 13.35.253.75:443 | content-signature-2.cdn.mozilla.net | — | US | suspicious |
3548 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3548 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
3548 | firefox.exe | 142.250.185.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3548 | firefox.exe | 143.204.98.64:443 | firefox-settings-attachments.cdn.mozilla.net | — | US | shared |
3548 | firefox.exe | 52.42.77.140:443 | location.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3548 | firefox.exe | 143.204.98.74:443 | snippets.cdn.mozilla.net | — | US | malicious |
3548 | firefox.exe | 140.82.121.3:443 | github.com | — | US | suspicious |
3548 | firefox.exe | 52.32.106.164:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3548 | firefox.exe | 142.250.186.35:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
github.com |
| shared |
firefox.settings.services.mozilla.com |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod2-elb-us-west-2.prod.mozaws.net |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
push.services.mozilla.com |
| whitelisted |
autopush.prod.mozaws.net |
| whitelisted |
content-signature-2.cdn.mozilla.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3548 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3548 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3548 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3548 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |