Loading ...

Analysis Report https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/


General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:116879
Start date:15.03.2019
Start time:04:10:44
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 5s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
  • EGA enabled
Analysis stop reason:Timeout
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • URL browsing timeout or error
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe
  • URL not reachable


Threshold480 - 100Report FP / FNfalsemalicious


StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false


Analysis Advice

Joe Sandbox was unable to browse the URL (domain or webserver down or HTTPS issue), try to browse the URL again later
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsFile System Logical OffsetsCredential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData Encrypted1Standard Non-Application Layer Protocol2
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol2

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for URL or domainShow sources
Source: https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/Avira URL Cloud: Label: malware
Source: https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/RootAvira URL Cloud: Label: malware


Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: wasteartstudio.com
Urls found in memory or binary dataShow sources
Source: ~DF909342E1DAF91ED2.TMP.1.drString found in binary or memory: https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/
Source: {1AFCF3E2-4713-11E9-AADE-9CC1A2A860C6}.dat.1.drString found in binary or memory: https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/Root
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49828 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49829 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49829
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49828

System Summary:

Classification labelShow sources
Source: classification engineClassification label: mal48.win@3/14@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\CRAIGH~1\AppData\Local\Temp\~DF4785384424B37EA6.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2696 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2696 CREDAT:17410 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Behavior Graph

Hide Legend


  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 116879 URL: https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/ Startdate: 15/03/2019 Architecture: WINDOWS Score: 48 13 Antivirus detection for URL or domain 2->13 6 iexplore.exe 2 61 2->6         started        process3 process4 8 iexplore.exe 39 6->8         started        dnsIp5 11 wasteartstudio.com, 443, 49828, 49829 unknown Indonesia 8->11


Behavior and APIs

No simulations

Antivirus Detection

Initial Sample


Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches




https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/100%Avira URL Cloudmalware
https://wasteartstudio.com/files/le3lc-yfgxn3-sncdgk/Root100%Avira URL Cloudmalware

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context


No context


No context


No context

JA3 Fingerprints

No context

Dropped Files

No context



This section contains all screenshots as thumbnails, including those not shown in the slideshow.