URL: | https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt.zip?raw=true |
Full analysis: | https://app.any.run/tasks/97ce8aa6-5b9d-4d3b-9972-47534fc545b0 |
Verdict: | Malicious activity |
Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
Analysis date: | January 14, 2022, 21:31:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | E814E74E779C742604AE86A4174A89A2 |
SHA1: | D895E91DE65D17F56B309B752DE124D79AD2092C |
SHA256: | F1C068BE0B77983EECECEC8C8DA89657C980AEAB1EDFBA2BDD8F8A28F7FB80D1 |
SSDEEP: | 3:N8tEdsxHuJKqIEHDhzzu/WJEZO0iKm/WJEZPrUj:2u6tuJKz+By/1OFz/1DUj |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3584 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt.zip?raw=true" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 | ||||
4004 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.TeslaCrypt/Ransomware.TeslaCrypt.zip?raw=true | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 | ||||
2776 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.0.747823453\2024456920" -parentBuildID 20201112153044 -prefsHandle 1092 -prefMapHandle 808 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 1176 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 83.0 | ||||
2280 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.6.3089490\740757383" -childID 1 -isForBrowser -prefsHandle 3000 -prefMapHandle 2996 -prefsLen 181 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 3012 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 | ||||
3608 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.13.931894775\1537001399" -childID 2 -isForBrowser -prefsHandle 1728 -prefMapHandle 2084 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 2052 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 | ||||
1156 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.20.1721627263\356573178" -childID 3 -isForBrowser -prefsHandle 3524 -prefMapHandle 2116 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 3512 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 | ||||
3868 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4004.27.56539703\1629860482" -childID 4 -isForBrowser -prefsHandle 3760 -prefMapHandle 3736 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 4004 "\\.\pipe\gecko-crash-server-pipe.4004" 3772 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 83.0 | ||||
2400 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ransomware.TeslaCrypt.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 | ||||
3948 | "C:\Users\admin\Desktop\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe" | C:\Users\admin\Desktop\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | — | Explorer.EXE |
User: admin Integrity Level: MEDIUM Exit code: 12 | ||||
2700 | C:\Users\admin\Desktop\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | C:\Users\admin\Desktop\E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | E906FA3D51E86A61741B3499145A114E9BFB7C56.exe | |
User: admin Integrity Level: MEDIUM Exit code: 1 |
(PID) Process: | (3584) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: A8AC032550000000 | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: AAB3032550000000 | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 0 | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableTelemetry |
Value: 1 | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent |
Value: 0 | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|ServicesSettingsServer |
Value: https://firefox.settings.services.mozilla.com/v1 | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash |
Value: 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (4004) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
4004 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
4004 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
4004 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-wal | sqlite-wal | |
MD5:F17AFA7F60B4993368EA5E797BE93898 | SHA256:261D107E3FD8E734F236C6BED4E0ADFB7D091FA9D2A4DD1877BB5FFEB83F390F | |||
4004 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
4004 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_7lTOMavfoXYKeaz | binary | |
MD5:351821E41EC0086E5EE4B40B74B78C7C | SHA256:7D0661D8684356385C846B65461F3E45C1F187264BC7C9AF978218FCA02FC8B8 | |||
4004 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary | |
MD5:9EB77B2B82F0B12D8DA2E506D4FC50A4 | SHA256:7EEDC9852248848B1DC2B33BA77E6265703BE541116EB379EEE20E8C507BCA68 | |||
4004 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
4004 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
4004 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
4004 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4004 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
4004 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
4004 | firefox.exe | POST | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
4004 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
4004 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 278 b | whitelisted |
4004 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
4004 | firefox.exe | POST | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
4004 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted |
4004 | firefox.exe | GET | 200 | 2.16.106.209:80 | http://ciscobinary.openh264.org/openh264-win32-2e1774ab6dc6c43debb0b5b628bdf122a391d521.zip | unknown | compressed | 479 Kb | whitelisted |
4004 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4004 | firefox.exe | 142.250.185.206:443 | location.services.mozilla.com | Google Inc. | US | whitelisted |
4004 | firefox.exe | 142.250.185.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
4004 | firefox.exe | 142.250.186.106:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
4004 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4004 | firefox.exe | 143.204.98.120:443 | content-signature-2.cdn.mozilla.net | — | US | suspicious |
4004 | firefox.exe | 143.204.98.122:443 | firefox-settings-attachments.cdn.mozilla.net | — | US | suspicious |
4004 | firefox.exe | 143.204.98.70:443 | snippets.cdn.mozilla.net | — | US | malicious |
4004 | firefox.exe | 143.204.98.40:443 | tracking-protection.cdn.mozilla.net | — | US | malicious |
4004 | firefox.exe | 185.199.108.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious |
— | — | 35.244.181.201:443 | aus5.mozilla.org | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
github.com |
| shared |
firefox.settings.services.mozilla.com |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod2-elb-us-west-2.prod.mozaws.net |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
example.org |
| whitelisted |
ipv4only.arpa |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
4004 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
4004 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2672 | jparrvs.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ipinfo.io |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (wh47f2as19.com) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7hwr34n18.com) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (7tno4hib47vlep5o) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3) |
— | — | A Network Trojan was detected | ET TROJAN Win32/Teslacrypt Ransomware .onion domain (epmhyca5ol6plmx3) |
4004 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |