Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [HKCU\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command] '' = '"%ProgramFiles%\Mozilla Firefox\firefox.exe" -osint -url "%1"'
- [HKLM\SOFTWARE\Classes\FirefoxHTML-308046B0AF4A39CB\shell\open\command] '' = '"%ProgramFiles%\Mozilla Firefox\firefox.exe" -osint -url "%1"'
- [HKLM\SOFTWARE\Classes\FirefoxPDF-308046B0AF4A39CB\shell\open\command] '' = '"%ProgramFiles%\Mozilla Firefox\firefox.exe" -osint -url "%1"'
- [HKLM\SOFTWARE\Classes\FirefoxURL-308046B0AF4A39CB\shell\open\command] '' = '"%ProgramFiles%\Mozilla Firefox\firefox.exe" -osint -url "%1"'
- [HKLM\Software\Clients\StartMenuInternet\Firefox-308046B0AF4A39CB\shell\open\command] '' = '"%ProgramFiles%\Mozilla Firefox\firefox.exe"'
- [HKLM\Software\Classes\Applications\firefox.exe\shell\open\command] '' = '"%ProgramFiles%\Mozilla Firefox\firefox.exe" -osint -url "%1"'
Creates or modifies the following files
- <SYSTEM32>\tasks\mozilla\firefox background update 308046b0af4a39cb
Malicious functions
Terminates or attempts to terminate
the following user processes:
- iexplore.exe
Reads files which store third party applications passwords
- %APPDATA%\mozilla\firefox\profiles.ini
- %LOCALAPPDATA%\google\chrome\user data\default\web data
- %LOCALAPPDATA%\google\chrome\user data\default\login data
Modifies file system
Creates the following files
- %ALLUSERSPROFILE%\mozilla\updates\308046b0af4a39cb\updates\0\update.log
- %ProgramFiles%\mozilla firefox\updated\tobedeleted\repa093ce70-6b43-406b-a16b-c304b7985220
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\downloading\bita689.tmp
- %WINDIR%\temp\tarae4a.tmp
- %WINDIR%\temp\cabae49.tmp
- %WINDIR%\temp\tara997.tmp
- %WINDIR%\temp\caba986.tmp
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\active-update.xml.tmp
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\update-config.json.tmp
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates.xml.tmp
- %APPDATA%\microsoft\windows\start menu\programs\firefox private browsing.lnk
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\firefox_s-1-5-21-3150914307-1777937420-491476919-1000_shortcuts.ini
- %LOCALAPPDATA%low\sun\java\deployment\security\update.securitypack.timestamp
- %LOCALAPPDATA%low\sun\java\deployment\security\securitypack.jar
- %TEMP%\nsu1cf3.tmp\serviceshelper.dll
- %TEMP%\nsu1cf3.tmp\userinfo.dll
- %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\~irefox.tmp
- %TEMP%\nsu1cf3.tmp\applicationid.dll
- %TEMP%\nsu1cf3.tmp\shelllink.dll
- %TEMP%\nsu1cf3.tmp\litefirewallw.dll
- %APPDATA%\microsoft\crypto\rsa\s-1-5-21-3150914307-1777937420-491476919-1000\83aa4cc77f591dfc2374580bbd95f6ba_d99ef00b-ccd3-4f1d-9980-90ac453b0b47
- %TEMP%\nsu1cf3.tmp\cityhash.dll
- %TEMP%\nsu1cf3.tmp\system.dll
- %ProgramFiles%\mozilla firefox\uninstall\uninstall.update
- %ProgramFiles%\mozilla firefox\updated\updating\update.manifest
- %ProgramFiles%\mozilla firefox\updated\distribution\distribution.ini
Sets the 'hidden' attribute to the following files
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\downloading\bita689.tmp
Deletes the following files
- %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\firefox.lnk~rfb230a.tmp
- <SYSTEM32>\tasks\mozilla\firefox default browser agent 308046b0af4a39cb
- %ProgramFiles%\mozilla firefox\uninstall\uninstall.update
- %TEMP%\nsu1cf3.tmp\applicationid.dll
- %TEMP%\nsu1cf3.tmp\cityhash.dll
- %TEMP%\nsu1cf3.tmp\litefirewallw.dll
- %TEMP%\nsu1cf3.tmp\serviceshelper.dll
- %TEMP%\nsu1cf3.tmp\shelllink.dll
- %TEMP%\nsu1cf3.tmp\system.dll
- %TEMP%\nsu1cf3.tmp\userinfo.dll
- %WINDIR%\temp\caba986.tmp
- %WINDIR%\temp\tara997.tmp
- %WINDIR%\temp\cabae49.tmp
- %WINDIR%\temp\tarae4a.tmp
- %ProgramFiles%\mozilla firefox\updated\updating\update.manifest
Moves the following files
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\firefox.lnk to %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\firefox.lnk~rfb21e1.tmp
- from %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\firefox.lnk to %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\firefox.lnk~rfb230a.tmp
- from %ALLUSERSPROFILE%\mozilla\updates\308046b0af4a39cb\updates\0\update.log to %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\0\update.log
- from %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates.xml.tmp to %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates.xml
- from %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\downloading\bita689.tmp to %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\downloading\update.mar
Modifies the following files
- %ALLUSERSPROFILE%\mozilla\updates\308046b0af4a39cb\updates\0\update.status
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\update-config.json.tmp
- %ProgramFiles%\mozilla firefox\updated\application.ini
- %ProgramFiles%\mozilla firefox\updated\browser\crashreporter-override.ini
- %ProgramFiles%\mozilla firefox\updated\browser\features\formautofill@mozilla.org.xpi
- %ProgramFiles%\mozilla firefox\updated\browser\features\pictureinpicture@mozilla.org.xpi
- %ProgramFiles%\mozilla firefox\updated\browser\features\screenshots@mozilla.org.xpi
- %ProgramFiles%\mozilla firefox\updated\browser\features\webcompat-reporter@mozilla.org.xpi
- %ProgramFiles%\mozilla firefox\updated\browser\features\webcompat@mozilla.org.xpi
- %ProgramFiles%\mozilla firefox\updated\browser\omni.ja
- %ProgramFiles%\mozilla firefox\updated\browser\override.ini
Modifies multiple files.
Substitutes the following files
- %APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
- %APPDATA%\microsoft\internet explorer\quick launch\user pinned\taskbar\~irefox.tmp
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\last-update.log
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\0\update.status
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\active-update.xml
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\0\update.mar
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\0\update.version
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\active-update.xml.tmp
- %ProgramFiles%\Mozilla Firefox\updated\defaults\pref\channel-prefs.js
- %ProgramFiles%\Mozilla Firefox\updated\update-settings.ini
- %ALLUSERSPROFILE%\mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046b0af4a39cb\updates\0\update.log
Network activity
Connects to
- 'localhost':49196
- 'accounts.google.com':443
- 'gs##tic.com':443
- 'ac#####s.youtube.com':443
- 'ar####e.mozilla.org':443
- 'pk#.goog':80
TCP
HTTP GET requests
- http://pk#.goog/gsr1/gsr1.crt
HTTP POST requests
- http://oc##.#igicert.com/
Other
- 'ja#######d-secure.oracle.com':443
- 'accounts.google.com':443
- 'gs##tic.com':443
- 'fo###.gstatic.com':443
- 'ac#####s.youtube.com':443
- 'google.com':443
- 'play.google.com':443
- 'ar####e.mozilla.org':443
UDP
- DNS ASK ja#######d-secure.oracle.com
- DNS ASK pk#.goog
- DNS ASK us#####lication-dns.net
- DNS ASK re#######oderate.youtube.com
- DNS ASK re#####t.youtube.com
- DNS ASK yo#####-nocookie.com
- DNS ASK yo#####.googleapis.com
- DNS ASK yo#####i.googleapis.com
- DNS ASK yo##ube.com
- DNS ASK forcesafesearch.google.com
- DNS ASK m.###tube.com
- DNS ASK ar####e.mozilla.org
- DNS ASK si#####iew.zscaler.com
- DNS ASK play.google.com
- DNS ASK google.com
- DNS ASK www3.l.google.com
- DNS ASK ac#####s.youtube.com
- DNS ASK fo###.gstatic.com
- DNS ASK gs##tic.com
- DNS ASK accounts.google.com
- DNS ASK wide-youtube.l.google.com
- 'accounts.google.com':443
- 'play.google.com':443
- 'google.com':443
- 'fo###.gstatic.com':443
- 'gs##tic.com':443
- 'ac#####s.youtube.com':443
Miscellaneous
Searches for the following windows
- ClassName: 'Mozilla_firefox_default-release_RemoteWindow' WindowName: ''
- ClassName: 'OleMainThreadWndClass' WindowName: ''
Executes the following
- '%ProgramFiles%\mozilla firefox\firefox.exe' https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password
- '%ProgramFiles%\mozilla firefox\updater.exe' %ALLUSERSPROFILE%\Mozilla\updates\308046B0AF4A39CB\updates\0 "%ProgramFiles%\Mozilla Firefox" "%ProgramFiles%\Mozilla Firefox\updated" 1756/replace <Current directory> "%ProgramFiles%\Mozilla F...
- '%ProgramFiles%\mozilla firefox\uninstall\helper.exe' /PostUpdate
- '<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles%\Mozilla Firefox\AccessibleMarshal.dll"
- '%ProgramFiles%\mozilla firefox\default-browser-agent.exe' unregister-task 308046B0AF4A39CB
- '%ProgramFiles%\mozilla firefox\updater.exe' %ALLUSERSPROFILE%\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\updates\0 "%ProgramFiles%\Mozilla Firefox" "%ProgramFiles%\Mozilla Firefox\updated" -1
