Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]

dropped

C:\Users\user\AppData\Local\Temp\tmpaddon

Zip archive data, at least v2.0 to extract, compression method=deflate

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 25 08:26:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\ExperimentStoreData.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\ExperimentStoreData.json.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addonStartup.json.lz4 (copy)

Mozilla lz4 compressed data, originally 23432 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addonStartup.json.lz4.tmp

Mozilla lz4 compressed data, originally 23432 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addons.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\addons.json.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\extensions.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\extensions.json.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll (copy)

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll.tmp

PE32+ executable (DLL) (GUI) x86-64, for MS Windows

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info (copy)

ASCII text

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info.tmp

ASCII text

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs-1.js

ASCII text, with very long lines (1717), with CRLF line terminators

modified

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs.js (copy)

ASCII text, with very long lines (1717), with CRLF line terminators

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json.tmp

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.baklz4 (copy)

Mozilla lz4 compressed data, originally 5506 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.jsonlz4 (copy)

Mozilla lz4 compressed data, originally 5506 bytes

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionstore-backups\recovery.jsonlz4.tmp

Mozilla lz4 compressed data, originally 5506 bytes

modified

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\targeting.snapshot.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\targeting.snapshot.json.tmp

JSON data

dropped

C:\Users\user\Downloads\d781c877-09da-4fe2-87db-962e79e439b6.tmp

Web Open Font Format (Version 2), TrueType, length 76736, version 331.-31196

dropped

C:\Users\user\Downloads\fa-brands-400(1).woff2:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

C:\Users\user\Downloads\fa-brands-400.woff2 (copy)

Web Open Font Format (Version 2), TrueType, length 76736, version 331.-31196

dropped

C:\Users\user\Downloads\fa-brands-400.woff2.crdownload

Web Open Font Format (Version 2), TrueType, length 76736, version 331.-31196

dropped

There are 24 hidden files, click here to show them.

URLs

Name

Malicious

https://use.fontawesome.com/releases/v5.15.4/webfonts/fa-brands-400.woff2

Details

Filetype:	URL
Filename:	https://use.fontawesome.com/releases/v5.15.4/webfonts/fa-brands-400.woff2

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Extra Window Memory Injection
Detected non-DNS traffic on DNS port	Networking	Extra Window Memory Injection
Drops PE files	Persistence and Installation Behavior	Extra Window Memory Injection
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Classification label	System Summary	Extra Window Memory Injection
Connects to IPs without corresponding DNS lookups	Networking	Extra Window Memory Injection
Creates files inside the user directory	System Summary	Masquerading
Creates mutexes	System Summary
Creates temporary files	System Summary
Disables application error messsages (SetErrorMode)	Hooking and other Techniques for Hiding and Protection	Extra Window Memory Injection
Downloads files from webservers via HTTP	Networking	Extra Window Memory Injection Ingress Tool Transfer
Performs DNS lookups	Networking	Non-Application Layer Protocol
Reads ini files	System Summary	Extra Window Memory Injection File and Directory Discovery
Reads software policies	System Summary
Runs a DLL by calling functions	System Summary	Extra Window Memory Injection Rundll32
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading Extra Window Memory Injection
Uses HTTPS	Networking	Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses an in-process (OLE) Automation server	System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

http://detectportal.firefox.com/canonical.html

34.107.221.82

http://detectportal.firefox.com/success.txt?ipv4

34.107.221.82

Domains

Name

Malicious

example.org

93.184.215.14

star-mini.c10r.facebook.com

157.240.252.35

prod.classify-client.prod.webservices.mozgcp.net

35.190.72.216

prod.balrog.prod.cloudops.mozgcp.net

35.244.181.201

twitter.com

104.244.42.1

prod.detectportal.prod.cloudops.mozgcp.net

34.107.221.82

services.addons.mozilla.org

151.101.129.91

dyna.wikimedia.org

185.15.59.224

prod.remote-settings.prod.webservices.mozgcp.net

34.149.100.209

contile.services.mozilla.com

34.117.188.166

prod.content-signature-chains.prod.webservices.mozgcp.net

34.160.144.191

youtube-ui.l.google.com

172.217.18.14

reddit.map.fastly.net

151.101.1.140

ipv4only.arpa

192.0.0.171

prod.ads.prod.webservices.mozgcp.net

34.117.188.166

push.services.mozilla.com

34.107.243.93

www.google.com

142.250.184.228

normandy-cdn.services.mozilla.com

35.201.103.21

telemetry-incoming.r53-2.services.mozilla.com

34.120.208.123

www.reddit.com

unknown

spocs.getpocket.com

unknown

use.fontawesome.com

unknown

content-signature-2.cdn.mozilla.net

unknown

firefox.settings.services.mozilla.com

unknown

www.youtube.com

unknown

www.facebook.com

unknown

detectportal.firefox.com

unknown

normandy.cdn.mozilla.net

unknown

shavar.services.mozilla.com

unknown

www.wikipedia.org

unknown

There are 20 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

142.250.185.67

unknown

United States

216.58.212.142

unknown

United States

2.22.61.56

unknown

European Union

192.168.2.16

unknown

34.149.100.209

prod.remote-settings.prod.webservices.mozgcp.net

United States

151.101.129.91

services.addons.mozilla.org

United States

34.107.243.93

push.services.mozilla.com

United States

44.231.229.39

unknown

United States

34.107.221.82

prod.detectportal.prod.cloudops.mozgcp.net

United States

142.250.181.227

unknown

United States

142.251.168.84

unknown

United States

35.244.181.201

prod.balrog.prod.cloudops.mozgcp.net

United States

34.117.188.166

contile.services.mozilla.com

United States

239.255.255.250

unknown

Reserved

104.21.27.152

unknown

United States

192.168.2.23

unknown

35.201.103.21

normandy-cdn.services.mozilla.com

United States

35.190.72.216

prod.classify-client.prod.webservices.mozgcp.net

United States

34.160.144.191

prod.content-signature-chains.prod.webservices.mozgcp.net

United States

142.250.184.228

www.google.com

United States

127.0.0.1

unknown

34.120.208.123

telemetry-incoming.r53-2.services.mozilla.com

United States

There are 12 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://use.fontawesome.com/releases/v5.15.4/webfonts/fa-brands-400.woff2

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://use.fontawesome.com/releases/v5.15.4/webfonts/fa-brands-400.woff2

Files

URLs

Domains

IPs

IOC Report
https://use.fontawesome.com/releases/v5.15.4/webfonts/fa-brands-400.woff2