hxxps://traffbe[.]com/leaks

Analysis

max time kernel
3s
max time network
23s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
12/07/2023, 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://traffbe.com/leaks

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000_Classes\Local Settings	firefox.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	firefox.exe
Token: SeDebugPrivilege	4912	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4912	firefox.exe
4912	firefox.exe
4912	firefox.exe
4912	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4912	firefox.exe
4912	firefox.exe
4912	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4912	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 1784 wrote to memory of 4912	1784	firefox.exe	83
PID 4912 wrote to memory of 2980	4912	firefox.exe	85
PID 4912 wrote to memory of 2980	4912	firefox.exe	85
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 2940	4912	firefox.exe	86
PID 4912 wrote to memory of 4740	4912	firefox.exe	87
PID 4912 wrote to memory of 4740	4912	firefox.exe	87
PID 4912 wrote to memory of 4740	4912	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://traffbe.com/leaks
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" https://traffbe.com/leaks
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.0.1677322292\1051741629" -parentBuildID 20221007134813 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a282393-1fdf-4cdb-9583-7ff4212e66f9} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 1928 2053f3cdb58 gpu
    3⤵
    PID:2980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.1.1114246691\1820611742" -parentBuildID 20221007134813 -prefsHandle 2340 -prefMapHandle 2308 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5a725c6-754b-48f1-818e-6696b0b06c5e} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 2352 2053eee7558 socket
    3⤵
    PID:2940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.2.1983211277\465076960" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2988 -prefsLen 21857 -prefMapSize 232675 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b1eed4cc-157a-4e89-a7b0-aca9d21e2bee} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 2964 2053f35e058 tab
    3⤵
    PID:4740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.3.1591748217\439303574" -childID 2 -isForBrowser -prefsHandle 3760 -prefMapHandle 3748 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {88a4925b-6fb5-4947-8b64-8883ff2612e4} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 3772 20543babe58 tab
    3⤵
    PID:2836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.6.1299868660\1846120791" -childID 5 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8abaeaf9-d764-41fb-8bd5-f553fe407369} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 5236 2054569eb58 tab
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.5.1257845505\559534825" -childID 4 -isForBrowser -prefsHandle 5044 -prefMapHandle 5048 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f511813a-7c05-444e-8024-b0a9cd12f577} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 4864 2054569e558 tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.4.1055553746\646408033" -childID 3 -isForBrowser -prefsHandle 4920 -prefMapHandle 4804 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44a6acb-7754-4647-a68e-e7a5681d3ca7} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 4928 205430d7e58 tab
    3⤵
    PID:4156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4912.7.1417216958\1480004713" -childID 6 -isForBrowser -prefsHandle 4928 -prefMapHandle 5280 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1084 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6b40d54-a626-4a01-8afa-565b5f3fbef4} 4912 "\\.\pipe\gecko-crash-server-pipe.4912" 5044 20543eddf58 tab
    3⤵
    PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\vjiou3c0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
142KB

MD5
48284252a8c4df534b7c31ba3beaf6f3

SHA1
a62eff5912a416f61d61d08c7b5c9c4a90353f66

SHA256
a77d52ede9e60262a1761ff052a6370b2b665513451202bda876a43d20046c92

SHA512
b23429478e024001ba3af3f7d52d755865885b284f123ca70000e62a85c5e27e60464ccb18ef463535675c8735ad97e61679965956d0607061c18ba71976128c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs.js

Filesize
6KB

MD5
59eb7fa1f930da23c29701daaf1297d4

SHA1
8269cf1bda57fda05593eda4242b4b7797970ff6

SHA256
e0c22212c51e0d6e3be80180f9af969efe62f3af8e575ca2c1692f211d1937d5

SHA512
d77326b9be503ed17ed4597dd985b4e93e72fcca9d2cb6028bc5325146cb57d1e28a9dd378bbf9d3d1accfd1376ebad2c9fb1c86d33523668f4499cdf060be48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\prefs.js

Filesize
6KB

MD5
83e40cf7b66961386fe578967a588bb3

SHA1
73dad1bead700628951dfeea8d465e8c2bfa4dbd

SHA256
038970ccd044526f971bbaf5132c56c61a5919b1bb31c95835b4616066f0fc32

SHA512
e0ea0b2165fc22e2e160d9466b262c877d5fbfb136760d3a4c6ebf2bf397c101448af9eac0a16e35b29fe00fed9304a45d64bfaf3b669ac50a41ee677ba54b9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\vjiou3c0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
fc12d38053cf2fa34c23387f96f53f02

SHA1
ca24033033aaa96f46b1412edbebe76f3dd59c54

SHA256
aadda8022d2a15607284c2963f28967b7dba895f44e4682e684c1e4cbe3317a5

SHA512
e9710edca0d3e14d30ed26e345b5c470431674bc954590b0c0ac2a2edd050b3e6ce7a98d14f72b08af897c690c749d09934f2137f6955e265fb7838c16c4cf04

Download Submit