Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_fa449b5f-86a5-478f-b600-b98a032fd148.json (copy)

JSON data

dropped

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\uninstall_ping_308046B0AF4A39CB_fa449b5f-86a5-478f-b600-b98a032fd148.json.tmp

JSON data

dropped

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]

dropped

C:\Users\user\AppData\Local\Temp\tmpaddon

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Apr 25 16:36:43 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\ExperimentStoreData.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\ExperimentStoreData.json.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\SiteSecurityServiceState-1.txt

CSV text

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\SiteSecurityServiceState.txt (copy)

CSV text

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addonStartup.json.lz4 (copy)

Mozilla lz4 compressed data, originally 23432 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addonStartup.json.lz4.tmp

Mozilla lz4 compressed data, originally 23432 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\cert_override.txt

ASCII text, with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\crashes\store.json.mozlz4 (copy)

Mozilla lz4 compressed data, originally 56 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\crashes\store.json.mozlz4.tmp

Mozilla lz4 compressed data, originally 56 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

ASCII text

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

ASCII text

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs-1.js

ASCII text, with very long lines (1717), with CRLF line terminators

modified

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs.js (copy)

ASCII text, with very long lines (1717), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\saved-telemetry-pings\49ca02b7-2997-464a-92f7-9f6e0f689319 (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\saved-telemetry-pings\49ca02b7-2997-464a-92f7-9f6e0f689319.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\saved-telemetry-pings\8f6c3a69-05b6-4c42-b4d8-a492273cb8c9 (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\saved-telemetry-pings\8f6c3a69-05b6-4c42-b4d8-a492273cb8c9.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\saved-telemetry-pings\956ba27e-1e2c-4538-a4ee-7e8f2d44f56e (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\saved-telemetry-pings\956ba27e-1e2c-4538-a4ee-7e8f2d44f56e.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\saved-telemetry-pings\c6cb1392-07c6-4da5-bbab-276546d09062 (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\saved-telemetry-pings\c6cb1392-07c6-4da5-bbab-276546d09062.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.baklz4 (copy)

Mozilla lz4 compressed data, originally 5825 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Mozilla lz4 compressed data, originally 5825 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Mozilla lz4 compressed data, originally 6233 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore.jsonlz4 (copy)

Mozilla lz4 compressed data, originally 3371 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore.jsonlz4.tmp

Mozilla lz4 compressed data, originally 3371 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\xulstore.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\xulstore.json.tmp

JSON data

dropped

Chrome Cache Entry: 128

ASCII text, with very long lines (10409)

downloaded

Chrome Cache Entry: 129

JSON data

downloaded

There are 35 hidden files, click here to show them.

URLs

Name

Malicious

https://dz8aopenkvv6s.cloudfront.net

Details

Filetype:	URL
Filename:	https://dz8aopenkvv6s.cloudfront.net

Signature Hits	Behavior Group	Mitre Attack
Tries to harvest and steal browser information (history, passwords, etc)	Stealing of Sensitive Information	Extra Window Memory Injection OS Credential Dumping Data from Local System
Drops PE files	Persistence and Installation Behavior	Extra Window Memory Injection
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Classification label	System Summary	Extra Window Memory Injection
Connects to IPs without corresponding DNS lookups	Networking	Extra Window Memory Injection
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Extra Window Memory Injection
Downloads files from webservers via HTTP	Networking	Extra Window Memory Injection Ingress Tool Transfer
HTML page is missing a favicon	Phishing	Extra Window Memory Injection
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Reads ini files	System Summary	Extra Window Memory Injection File and Directory Discovery
Reads software policies	System Summary	System Information Discovery
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading Extra Window Memory Injection
Uses HTTPS	Networking
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses an in-process (OLE) Automation server	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking

https://dz8aopenkvv6s.cloudfront.net/

Details

Name:	https://dz8aopenkvv6s.cloudfront.net/
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
HTML page is missing a favicon	Phishing
Spawns processes	System Summary	Process Injection

http://detectportal.firefox.com/canonical.html

34.107.221.82

http://detectportal.firefox.com/success.txt?ipv4

34.107.221.82

Domains

Name

Malicious

example.org

93.184.215.14

star-mini.c10r.facebook.com

31.13.88.35

twitter.com

104.244.42.65

prod.balrog.prod.cloudops.mozgcp.net

35.244.181.201

prod.detectportal.prod.cloudops.mozgcp.net

34.107.221.82

services.addons.mozilla.org

99.84.208.24

dyna.wikimedia.org

208.80.154.224

prod.remote-settings.prod.webservices.mozgcp.net

34.149.100.209

contile.services.mozilla.com

34.117.188.166

prod.content-signature-chains.prod.webservices.mozgcp.net

34.160.144.191

youtube-ui.l.google.com

64.233.177.190

reddit.map.fastly.net

151.101.129.140

us-west1.prod.sumo.prod.webservices.mozgcp.net

34.149.128.2

ipv4only.arpa

192.0.0.170

dz8aopenkvv6s.cloudfront.net

18.154.230.111

prod.ads.prod.webservices.mozgcp.net

34.117.188.166

www.google.com

172.217.215.105

normandy-cdn.services.mozilla.com

35.201.103.21

telemetry-incoming.r53-2.services.mozilla.com

34.120.208.123

www.reddit.com

unknown

spocs.getpocket.com

unknown

content-signature-2.cdn.mozilla.net

unknown

support.mozilla.org

unknown

firefox.settings.services.mozilla.com

unknown

push.services.mozilla.com

unknown

www.youtube.com

unknown

www.facebook.com

unknown

detectportal.firefox.com

unknown

normandy.cdn.mozilla.net

unknown

shavar.services.mozilla.com

unknown

www.wikipedia.org

unknown

There are 21 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

1.1.1.1

unknown

Australia

74.125.136.84

unknown

United States

172.217.215.105

www.google.com

United States

142.250.9.139

unknown

United States

192.168.2.16

unknown

34.149.100.209

prod.remote-settings.prod.webservices.mozgcp.net

United States

99.84.208.24

services.addons.mozilla.org

United States

34.107.243.93

unknown

United States

34.107.221.82

prod.detectportal.prod.cloudops.mozgcp.net

United States

52.25.6.244

unknown

United States

35.244.181.201

prod.balrog.prod.cloudops.mozgcp.net

United States

34.117.188.166

contile.services.mozilla.com

United States

239.255.255.250

unknown

Reserved

18.154.230.111

dz8aopenkvv6s.cloudfront.net

United States

64.233.176.100

unknown

United States

13.33.19.100

unknown

United States

35.201.103.21

normandy-cdn.services.mozilla.com

United States

142.250.9.95

unknown

United States

34.160.144.191

prod.content-signature-chains.prod.webservices.mozgcp.net

United States

44.239.14.124

unknown

United States

23.40.207.139

unknown

United States

74.125.138.94

unknown

United States

127.0.0.1

unknown

34.120.208.123

telemetry-incoming.r53-2.services.mozilla.com

United States

There are 14 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://dz8aopenkvv6s.cloudfront.net

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://dz8aopenkvv6s.cloudfront.net

Files

URLs

Domains

IPs

IOC Report
https://dz8aopenkvv6s.cloudfront.net