hxxps://curious-cheesecake-147cfb[.]netlify[.]app/

General

Target

https://curious-cheesecake-147cfb.netlify.app/

Score

6^/10

motw phishing

Malware Config

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

6 https://www.google.com/recaptcha/api2/aframe

flow	ioc
6	https://www.google.com/recaptcha/api2/aframe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings firefox.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 3508 firefox.exe
Token: SeDebugPrivilege 3508 firefox.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

firefox.exe

pid process

3508 firefox.exe
3508 firefox.exe
3508 firefox.exe
3508 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3508 firefox.exe
3508 firefox.exe
3508 firefox.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

3508 firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe

description	pid	process
Token: SeDebugPrivilege	3508	firefox.exe
Token: SeDebugPrivilege	3508	firefox.exe

pid	process
3508	firefox.exe
3508	firefox.exe
3508	firefox.exe
3508	firefox.exe

pid	process
3508	firefox.exe
3508	firefox.exe
3508	firefox.exe

pid	process
3508	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 2804 wrote to memory of 3508	2804	firefox.exe	firefox.exe
PID 3508 wrote to memory of 4460	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 4460	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 2144	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 648	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 648	3508	firefox.exe	firefox.exe
PID 3508 wrote to memory of 648	3508	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://curious-cheesecake-147cfb.netlify.app/"
1⤵
- Suspicious use of WriteProcessMemory
PID:2804

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://curious-cheesecake-147cfb.netlify.app/
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3508.0.876987565\423461105" -parentBuildID 20221007134813 -prefsHandle 1724 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f56f16-808a-443d-82b5-77c88e81e153} 3508 "\\.\pipe\gecko-crash-server-pipe.3508" 1792 1d8eb4f3758 gpu
3⤵
PID:4460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3508.1.1854422326\1294395197" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fed11b74-f1a2-4d40-b398-c84edea51eb5} 3508 "\\.\pipe\gecko-crash-server-pipe.3508" 2168 1d8eb1e6b58 socket
3⤵
PID:2144

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3508.2.1593131135\223427287" -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 2840 -prefsLen 21711 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c701e5c-c998-47a1-a66b-5a6310c064f9} 3508 "\\.\pipe\gecko-crash-server-pipe.3508" 2816 1d8eb45be58 tab
3⤵
PID:648

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3508.3.1150151248\525444201" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61a7013c-a1a4-4cf7-8949-0ceeca28f724} 3508 "\\.\pipe\gecko-crash-server-pipe.3508" 3504 1d8d8e63558 tab
3⤵
PID:2540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3508.4.1440501578\909182091" -childID 3 -isForBrowser -prefsHandle 4820 -prefMapHandle 4816 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3ee6ed6-7695-4099-8abf-1fd3d035d1dd} 3508 "\\.\pipe\gecko-crash-server-pipe.3508" 4828 1d8f2b91b58 tab
3⤵
PID:4104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3508.5.468938402\1442785756" -childID 4 -isForBrowser -prefsHandle 4932 -prefMapHandle 4936 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {71866df2-0d0a-496a-b7ef-2099cde9f368} 3508 "\\.\pipe\gecko-crash-server-pipe.3508" 4924 1d8f2b91258 tab
3⤵
PID:4808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3508.6.783660136\1033474646" -childID 5 -isForBrowser -prefsHandle 4724 -prefMapHandle 4800 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1236 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb85e1e5-7789-4f9b-b2b5-3a349487304c} 3508 "\\.\pipe\gecko-crash-server-pipe.3508" 5108 1d8f2458758 tab
3⤵
PID:488

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
2836e6bc2d616153b102c56f54f391ff

SHA1
5e6f0981a421e6cb1fcb67468ab1abd595205893

SHA256
c246defa6f2bba271d8c53785fff874ddabf0ba8888bcb52234bc8b4931de4d8

SHA512
ceb53ee994f11bbc710284518c54bc496c889f209bfc22f1dd9708257f0fc073f7e11b4696e409fc50aaa91c07178afc6f0cadb4999a3d54191c82fb164fabf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\0dd9e6cb-21a6-4df8-8dd9-081f804652c8
Filesize
746B

MD5
86260df4ab9d4cbc2cf92bba9b6bb052

SHA1
6184ee432493099cfc929750c42d96f89e1beb97

SHA256
de72f1068bf0ba862bce37b98089493e330b7fb3dc400344235be827eb13baee

SHA512
5233a2d722ba4b46e67fcd5f17ec4487d293d6106dab13ba7a17d9a33b1dc6fd81a491bd4e1f385ad20334043a1278a3950acf90baf4e0a1e81c72ad92b57059

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\dbf1d5ea-00ea-44b3-86fb-8cb1078d947b
Filesize
11KB

MD5
5d69c05fb86c31520356ead520953359

SHA1
e8f663675efcbd324284f3fb4b8bb0ab88ef09a0

SHA256
a7274cd7346b6071f7b4038809e4801eafffeb6288d533bec74a27966226aaa0

SHA512
647b343b711f6e89d1330ea4c801fcf6ef9c8d5f1c9aec874e610e1d8edd0852d9588d6298889bdc4c1629101736cd0f33e1dd62d4929ac8ad1daefdf0ecbadd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
Filesize
6KB

MD5
e6f86a76780128ef5243db67e9077e8e

SHA1
e427866974f352a7f61fb2b0cb74f58b1b21e621

SHA256
28ae76e378158405c3c8e5134d9dad3dae77ca4e1a39019396dc40dd3493de8e

SHA512
a7f35e387667d509932d1a61c608f85b01f9ce01ad27fa6475454ba612ec4a3bea41b8693c11d1bdf2cd21b35970fe455d6d6c93a969daa9137e4be694349f01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
2KB

MD5
690d3e3fee4c84f34318328d3429ec76

SHA1
6878b315b4b2f479044e0a99f10b46a992e22978

SHA256
3d2a01048040fa3375b819f20f9f988ea01c0853199f0eadb402989486dd7d8f

SHA512
ac99055167ab38771500348e994ee6ac02299b94e6b5bb22c7343c16ff4ad285100661465faa2e4f7b5a94a84c20c415ba74049cb79a3580dc49ab350a6c37c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\default\https+++curious-cheesecake-147cfb.netlify.app\ls\usage
Filesize
12B

MD5
ae6378dc8ef271d5f31ff4d16321137f

SHA1
23b7b569fd98375c22e7e0c2362cc8b03399fbd2

SHA256
d745eb02e15753ada5763507045c87175cb74cc601ef850b898fce7bee740e37

SHA512
d6515cefc1be8b975b3262d23deee8f2257a38ae867f9b87912c9c971c8af5c789dd9ab5e8384d65fbbb8c5c993026f76473ab38dbf8b72ee443bf9c1adaa9c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
184KB

MD5
1fdc13de64cfdb8ba3fcd71aad9d33d3

SHA1
b7649cfd66d751435fa56a4b4b20daace452c692

SHA256
fa890605b23aecfebe4300d159f10096cfaba982a942c8ce829617b3de36a783

SHA512
3c9dc261a1f0a96d4433d60de03423d58f0bd63dbf5db48962372658103f16991f6da06c1670deea1e51efd2a15aae699d1d287ee377e0a457299a7dd9f691a7

Download Submit

Analysis

Sharing