Analysis Overview
Threat Level: Known bad
The file https://ipfs.io/ipfs/QmSyDbR2nuBPKW6WqLXxE5ShWXBuytHfyPQv6qcZLVdCkF#fuck was found to be: Known bad.
Malicious Activity Summary
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-05 09:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-05 09:43
Reported
2023-06-05 09:44
Platform
win10v2004-20230220-en
Max time kernel
17s
Max time network
20s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://ipfs.io/ipfs/QmSyDbR2nuBPKW6WqLXxE5ShWXBuytHfyPQv6qcZLVdCkF#fuck
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://ipfs.io/ipfs/QmSyDbR2nuBPKW6WqLXxE5ShWXBuytHfyPQv6qcZLVdCkF#fuck
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.0.572665097\1233169657" -parentBuildID 20221007134813 -prefsHandle 1852 -prefMapHandle 1844 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {38d4a787-d634-43bd-807f-0b0884b4ac7a} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 1932 1eb4bde3058 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.1.1526808825\1784290663" -parentBuildID 20221007134813 -prefsHandle 2428 -prefMapHandle 2424 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65ebdaf1-496b-48f0-b299-0b1c0387187c} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 2440 1eb3ef73858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.2.1891444219\559510074" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2924 -prefsLen 21789 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9bec9fb-84d3-4f6e-b14e-a811479cfaf0} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 3084 1eb4fcf0658 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.3.224290234\2025922390" -childID 2 -isForBrowser -prefsHandle 4056 -prefMapHandle 4052 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fe9682f-3b09-4520-839d-6b6db368f982} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 4068 1eb3ef6f858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.5.82020418\1483630587" -childID 4 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c1e84f9-bca3-4398-888b-71b85b41d3e5} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 4980 1eb5107bf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.6.1239013968\627561918" -childID 5 -isForBrowser -prefsHandle 5152 -prefMapHandle 4980 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8373f0b2-536d-4257-bd42-8053bc8eb60e} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 5064 1eb52475d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.4.1694306728\1260038150" -childID 3 -isForBrowser -prefsHandle 4692 -prefMapHandle 4524 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cd027f0-2d2e-4dcd-840a-fc6563f27a55} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 4728 1eb3ef61158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4388.7.1885968724\2028133042" -childID 6 -isForBrowser -prefsHandle 5444 -prefMapHandle 5564 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b556efb-7d59-4f3e-a3e9-0dccd46ab811} 4388 "\\.\pipe\gecko-crash-server-pipe.4388" 5576 1eb53428f58 tab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:49739 | | tcp |
| US | 8.8.8.8:53 | ipfs.io | udp |
| US | 8.8.8.8:53 | ipfs.io | udp |
| US | 209.94.90.1:443 | ipfs.io | tcp |
| US | 8.8.8.8:53 | ipfs.io | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 34.117.237.239:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 44.227.219.172:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.90.94.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.237.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.5.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.100.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| NL | 142.251.36.10:443 | ajax.googleapis.com | tcp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | ajax.googleapis.com | udp |
| US | 8.8.8.8:53 | firebasestorage.googleapis.com | udp |
| NL | 142.250.179.138:443 | firebasestorage.googleapis.com | tcp |
| NL | 142.250.179.138:443 | firebasestorage.googleapis.com | tcp |
| NL | 142.251.36.10:443 | firebasestorage.googleapis.com | udp |
| US | 8.8.8.8:53 | firebasestorage.googleapis.com | udp |
| US | 8.8.8.8:53 | firebasestorage.googleapis.com | udp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | 55.65.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.219.227.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.144.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.179.250.142.in-addr.arpa | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | tracking-protection.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | alphatrade-options.com | udp |
| NL | 142.250.179.138:443 | firebasestorage.googleapis.com | udp |
| US | 68.65.122.159:443 | alphatrade-options.com | tcp |
| US | 8.8.8.8:53 | alphatrade-options.com | udp |
| US | 8.8.8.8:53 | alphatrade-options.com | udp |
| US | 34.120.158.37:443 | tracking-protection.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | tracking-protection.cdn.mozilla.net | udp |
| US | 34.120.158.37:443 | tracking-protection.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | www.fuck | udp |
| US | 8.8.8.8:53 | t0.gstatic.com | udp |
| NL | 142.250.179.132:443 | t0.gstatic.com | tcp |
| US | 8.8.8.8:53 | t0.gstatic.com | udp |
| US | 8.8.8.8:53 | t0.gstatic.com | udp |
| US | 8.8.8.8:53 | 37.158.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.122.65.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.179.250.142.in-addr.arpa | udp |
| NL | 142.250.179.132:443 | t0.gstatic.com | udp |
| N/A | 127.0.0.1:49747 | | tcp |
| US | 8.8.8.8:53 | support.mozilla.org | udp |
| US | 8.8.8.8:53 | prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.sumo.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 42.220.44.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp
| MD5 | ff15a3b0f41ab54a9cd895e1e0ad4f08 |
| SHA1 | 42b604472b3008f464e326e665bcdacf701b2741 |
| SHA256 | 77b7ef4dc4f6ad0ffd34b73756a7ba0e0bd75c0fca30c870fda7d8f8fd8d1f31 |
| SHA512 | 4471b213d10a18be08acbb377329739138cd2c74f9012a6ed23d074c507e26000d38e9e7a9e879ee1b5094e87931271d3f7a4d65027dbd0d449bcbd63e55d7df |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js
| MD5 | 1984b45f201f1fd79d2154406648433b |
| SHA1 | 42f082dc6d4d43333688690bf4dfa7c7f8b618ab |
| SHA256 | 000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9 |
| SHA512 | e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js
| MD5 | 18c1f65bb045a360292834bc1c14a6c1 |
| SHA1 | 50e8dee3d9ea8c7d530f38bbab4c98e942022b24 |
| SHA256 | 22c63c3436458d243c86f20e985e7b4e9e5a412d7cb3ccaff455a35c064533b1 |
| SHA512 | 0a1f0b8fee9a6591f3163dc3b8f72ce9854d9c3f0d941c079469bb27e6c93fc2a6eb7eda617bff58efba93902b48a6244de68841425cf79008e5beee2758e0b2 |