URL: | https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt.zip?raw=true |
Full analysis: | https://app.any.run/tasks/59f42db2-d0d5-4997-a740-38f7b4cd17df |
Verdict: | Malicious activity |
Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
Analysis date: | January 14, 2022, 21:25:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | E814E74E779C742604AE86A4174A89A2 |
SHA1: | D895E91DE65D17F56B309B752DE124D79AD2092C |
SHA256: | F1C068BE0B77983EECECEC8C8DA89657C980AEAB1EDFBA2BDD8F8A28F7FB80D1 |
SSDEEP: | 3:N8tEdsxHuJKqIEHDhzzu/WJEZO0iKm/WJEZPrUj:2u6tuJKz+By/1OFz/1DUj |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2204 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt.zip?raw=true" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3600 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt.zip?raw=true | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
968 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.0.1456457962\1037867663" -parentBuildID 20201112153044 -prefsHandle 1112 -prefMapHandle 1104 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 1196 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2492 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.6.796398814\1877326896" -childID 1 -isForBrowser -prefsHandle 2236 -prefMapHandle 2232 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 2248 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
3776 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.13.856972663\2020650511" -childID 2 -isForBrowser -prefsHandle 3064 -prefMapHandle 3072 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 3088 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
528 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.20.100487020\364565955" -childID 3 -isForBrowser -prefsHandle 3592 -prefMapHandle 3588 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 3604 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2184 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3600.27.282170398\488014667" -childID 4 -isForBrowser -prefsHandle 3812 -prefMapHandle 3808 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3600 "\\.\pipe\gecko-crash-server-pipe.3600" 3824 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 Modules
| |||||||||||||||
2748 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
2968 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\virus | C:\Windows\system32\rundll32.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2436 | "C:\Users\admin\Desktop\virus.exe" | C:\Users\admin\Desktop\virus.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Description: calc Exit code: 1 Version: 1, 0, 0, 1 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3600 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
3600 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
3600 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | |
MD5:D748C99244F9B31BC03B7D6A97B5A524 | SHA256:377BF890C465D2CF23A53D4E8B2ED204D48F0ED6B8F66D41F3294DA893414E11 | |||
3600 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_hQaPUCIdGkfax5t | binary | |
MD5:351821E41EC0086E5EE4B40B74B78C7C | SHA256:7D0661D8684356385C846B65461F3E45C1F187264BC7C9AF978218FCA02FC8B8 | |||
3600 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | text | |
MD5:D748C99244F9B31BC03B7D6A97B5A524 | SHA256:377BF890C465D2CF23A53D4E8B2ED204D48F0ED6B8F66D41F3294DA893414E11 | |||
3600 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary | |
MD5:28E38965AE6095A96E65F516A4FF076E | SHA256:3A2B81CC64EC4A556FBE246A43886451FD86988E21868CAFF08F934136A64170 | |||
3600 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3600 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3600 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3600 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2828 | nwmtlyc.exe | GET | 200 | 34.117.59.81:80 | http://ipinfo.io/ip | US | text | 12 b | shared |
3600 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3600 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3600 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 278 b | whitelisted |
2216 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
2216 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3600 | firefox.exe | POST | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3600 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3600 | firefox.exe | POST | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
3600 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3600 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
3600 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3600 | firefox.exe | 142.250.186.74:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3600 | firefox.exe | 142.250.185.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3600 | firefox.exe | 185.199.110.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious |
3600 | firefox.exe | 35.163.35.154:443 | location.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3600 | firefox.exe | 13.32.121.49:443 | snippets.cdn.mozilla.net | Amazon.com, Inc. | US | suspicious |
3600 | firefox.exe | 13.32.121.7:443 | firefox.settings.services.mozilla.com | Amazon.com, Inc. | US | suspicious |
3600 | firefox.exe | 44.237.168.235:443 | push.services.mozilla.com | University of California, San Diego | US | unknown |
3600 | firefox.exe | 142.250.186.174:443 | www.youtube.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
github.com |
| shared |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
firefox.settings.services.mozilla.com |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod2-elb-us-west-2.prod.mozaws.net |
| whitelisted |
example.org |
| whitelisted |
ipv4only.arpa |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3600 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3600 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o) |
3600 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3600 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2828 | nwmtlyc.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ipinfo.io |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o) |