Exhibits behavior characteristic of Cryptowall ransomware Show sources
| Campaign | crypt7 |
| C2 | pastimefoods.com/aXZcgR.php |
| C2 | frc-conf.com/o51qYV.php |
| C2 | localburialinsuranceinfo.com/zDJRc8.php |
| C2 | gerberinsreferral.com/CXqoNH.php |
| C2 | yahoosupportaustralia.com/8gX7hN.php |
| C2 | ks0407.com/VoZQ_j.php |
| C2 | stwholesaleinc.com/yL54uH.php |
| C2 | smfinternational.com/AYNILr.php |
| C2 | 19bee88.com/6OQXbA.php |
| C2 | shrisaisales.in/ZUQce4.php |
| C2 | tuvestir.com/qPA0JU.php |
| C2 | royalsboostersgbball.com/AW3LBH.php |
| C2 | mofiaweb.com/OJP84q.php |
| C2 | mabawamathare.org/WEAbCT.php |
| C2 | flexiblepestsolutions.com/Rr70KQ.php |
| C2 | kingalter.com/uVRfPv.php |
| C2 | adcconsulting.net/XEGeuI.php |
| C2 | 19bee88.com/U4K_eT.php |
| C2 | smfinternational.com/eRs70a.php |
| C2 | hajsy.pro-linuxpl.com/sfrcLI.php |
| C2 | abelindia.com/1LaXd8.php |
| C2 | myshop.lk/6872VF.php |
| C2 | frc-pr.com/dA91lI.php |
| C2 | thegingod.com/HS0ILJ.php |
| C2 | frc-pr.com/BMzH_7.php |
| C2 | parsimaj.com/60wEBT.php |
| C2 | imagescameraclub.com/j7b5kK.php |
| C2 | texmart.in/dEXh_e.php |
| C2 | lexscheep.com/OIsSCj.php |
| C2 | salamasisters.org/C2v9k_.php |
| C2 | httthanglong.com/yzoLR7.php |
| C2 | adrive62.com/Dre8j9.php |
| C2 | fitbalancechallenge.com/YIcZkS.php |
| C2 | novolani.com/HR8srq.php |
| C2 | champagneframeofmind.com/exE3oS.php |
| C2 | mycampusjuice.com/z9r0qh.php |
| C2 | alltimefacts.com/EiFSId.php |
Attempts to connect to a dead IP:Port (5 unique times) Show sources
| network_host_ip | 157.238.74.89:80 (United States) |
| network_host_ip | 151.139.128.14:80 (United States) |
| network_host_ip | 205.185.216.42:80 (United States) |
| network_host_ip | 23.59.155.35:80 (United States) |
| network_host_ip | 72.21.91.29:80 (United States) |
HTTP traffic contains suspicious features which may be indicative of malware related traffic Show sources
| network_anomaly | HTTP traffic contains a POST request with no referer header |
| network_anomaly | http://mofiaweb.com/OJP84q.php?w=m2w54de8rvv78b |
| network_anomaly | http://adcconsulting.net/XEGeuI.php?o=m2w54de8rvv78b |
| network_anomaly | http://adrive62.com/Dre8j9.php?n=m2w54de8rvv78b |
| network_anomaly | http://texmart.in/dEXh_e.php?t=m2w54de8rvv78b |
| network_anomaly | http://yahoosupportaustralia.com/8gX7hN.php?j=m2w54de8rvv78b |
| network_anomaly | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D |
| network_anomaly | http://frc-conf.com/o51qYV.php?l=m2w54de8rvv78b |
| network_anomaly | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D |
| network_anomaly | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRjbPY7UZSW1St6RAKsejskvA%3D%3D |
| network_anomaly | http://frc-pr.com/dA91lI.php?d=m2w54de8rvv78b |
| network_anomaly | http://flexiblepestsolutions.com/Rr70KQ.php?v=m2w54de8rvv78b |
| network_anomaly | http://crl.globalsign.net/primobject.crl |
| network_anomaly | http://mycampusjuice.com/z9r0qh.php?x=m2w54de8rvv78b |
| network_anomaly | http://novolani.com/HR8srq.php?z=m2w54de8rvv78b |
| network_anomaly | http://tuvestir.com/qPA0JU.php?q=m2w54de8rvv78b |
| network_anomaly | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D |
| network_anomaly | http://parsimaj.com/60wEBT.php?l=m2w54de8rvv78b |
| network_anomaly | http://shrisaisales.in/ZUQce4.php?a=m2w54de8rvv78b |
| network_anomaly | http://www.shrisaisales.in/ZUQce4.php?a=m2w54de8rvv78b |
| network_anomaly | http://imagescameraclub.com/j7b5kK.php?w=m2w54de8rvv78b |
| network_anomaly | http://abelindia.com/1LaXd8.php?z=m2w54de8rvv78b |
| network_anomaly | http://SuperCravings.com/RTosaZ.php?s=m2w54de8rvv78b |
| network_anomaly | http://frc-pr.com/BMzH_7.php?t=m2w54de8rvv78b |
| network_anomaly | http://myshop.lk/6872VF.php?q=m2w54de8rvv78b |
| network_anomaly | http://alltimefacts.com/EiFSId.php?b=m2w54de8rvv78b |
| network_anomaly | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D |
| network_anomaly | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D |
| network_anomaly | http://mofiaweb.com/OJP84q.php?o=t34emjh44sc |
| network_anomaly | http://adcconsulting.net/XEGeuI.php?o=t34emjh44sc |
Performs some HTTP requests Show sources
| network_url | http://mofiaweb.com/OJP84q.php?w=m2w54de8rvv78b |
| network_url | http://adcconsulting.net/XEGeuI.php?o=m2w54de8rvv78b |
| network_url | http://adrive62.com/Dre8j9.php?n=m2w54de8rvv78b |
| network_url | http://texmart.in/dEXh_e.php?t=m2w54de8rvv78b |
| network_url | http://yahoosupportaustralia.com/8gX7hN.php?j=m2w54de8rvv78b |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D |
| network_url | http://frc-conf.com/o51qYV.php?l=m2w54de8rvv78b |
| network_url | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D |
| network_url | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRjbPY7UZSW1St6RAKsejskvA%3D%3D |
| network_url | http://frc-pr.com/dA91lI.php?d=m2w54de8rvv78b |
| network_url | http://flexiblepestsolutions.com/Rr70KQ.php?v=m2w54de8rvv78b |
| network_url | http://crl.globalsign.net/primobject.crl |
| network_url | http://mycampusjuice.com/z9r0qh.php?x=m2w54de8rvv78b |
| network_url | http://novolani.com/HR8srq.php?z=m2w54de8rvv78b |
| network_url | http://tuvestir.com/qPA0JU.php?q=m2w54de8rvv78b |
| network_url | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D |
| network_url | http://parsimaj.com/60wEBT.php?l=m2w54de8rvv78b |
| network_url | http://shrisaisales.in/ZUQce4.php?a=m2w54de8rvv78b |
| network_url | http://www.shrisaisales.in/ZUQce4.php?a=m2w54de8rvv78b |
| network_url | http://imagescameraclub.com/j7b5kK.php?w=m2w54de8rvv78b |
| network_url | http://abelindia.com/1LaXd8.php?z=m2w54de8rvv78b |
| network_url | http://SuperCravings.com/RTosaZ.php?s=m2w54de8rvv78b |
| network_url | http://frc-pr.com/BMzH_7.php?t=m2w54de8rvv78b |
| network_url | http://myshop.lk/6872VF.php?q=m2w54de8rvv78b |
| network_url | http://alltimefacts.com/EiFSId.php?b=m2w54de8rvv78b |
| network_url | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D |
| network_url | http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEAui0B3Ly3d26KxlCXrBJUE%3D |
| network_url | http://mofiaweb.com/OJP84q.php?o=t34emjh44sc |
| network_url | http://adcconsulting.net/XEGeuI.php?o=t34emjh44sc |
Mimics the system's user agent string for its own requests Show sources
| stealth_mimics | Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) |
A process attempted to delay the analysis task. Show sources
| api_process_name | explorer.exe tried to sleep 1201 seconds, actually delayed analysis time by 0 seconds |
Creates RWX memory Show sources
| injection_rwx_memory | 0x00000040, NtAllocateVirtualMemory or VirtualProtectEx |
Deletes its original binary from disk Show sources
| file_delete | c:\users\user\appdata\local\temp\949f1903642e72575e107ee492faba670c8e0006.exe |
Installs itself for autorun at Windows startup Show sources
| registry_write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9a5b7f1e |
| data | C:\Users\user\AppData\Roaming\9a5b7f1e\252729a89a.exe |
Creates a copy of itself Show sources
| file | C:\Users\user\AppData\Roaming\9a5b7f1e\252729a89a.exe |