Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
http://perr.yg5sjx5kzy.com

Overview

General Information

Sample URL:http://perr.yg5sjx5kzy.com
Analysis ID:1392972
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain

Classification

  • System is w7x64
  • chrome.exe (PID: 3032 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
    • chrome.exe (PID: 2916 cmdline: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1252,i,4711991973511693927,1322772812815079145,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
  • chrome.exe (PID: 1096 cmdline: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "http://perr.yg5sjx5kzy.com MD5: FFA2B8E17F645BCC20F0E0201FEF83ED)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: http://perr.yg5sjx5kzy.comAvira URL Cloud: detection malicious, Label: malware
Source: http://perr.yg5sjx5kzy.com/favicon.icoAvira URL Cloud: Label: malware
Source: http://perr.yg5sjx5kzy.com/HTTP Parser: No favicon
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\GoogleJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\chrome_BITS_3032_1665225739Jump to behavior
Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=109.0.5414.120&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-109.0.5414.120Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: perr.yg5sjx5kzy.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: perr.yg5sjx5kzy.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://perr.yg5sjx5kzy.com/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: unknownDNS traffic detected: queries for: clients2.google.com
Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: CONSENT=PENDING+962; SOCS=CAESHAgCEhJnd3NfMjAyMzA4MDEtMF9SQzMaAmVuIAEaBgiAi8amBg; __Secure-ENID=14.SE=LM-NkPAvbCtuNhK73uRS1U27fKMegq7R6_Ue_GnOGI1dekNKandC6Dto1fKS9ocnnyUmf2MAXGM269U9HhkgndYLxWy3FrZaGzh_yODdv1ouU12fBCNmRhMUwM3dzKbRlYRnbKhIQz9fV5WGdCRRjXQx5RGii6FbIw100Hc46oWQ6bysmy2hqA
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 15 Feb 2024 15:58:42 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: keep-aliveVary: Origin, Accept-Encodingx-hola-ts: 1708012722140x-hola-conf-ver: 45Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 15 Feb 2024 15:58:42 GMTContent-Type: text/plain; charset=utf-8Content-Length: 9Connection: keep-aliveVary: Origin, Accept-Encodingx-hola-ts: 1708012722387x-hola-conf-ver: 45Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
Source: unknownNetwork traffic detected: HTTP traffic on port 49162 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49162
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
Source: classification engineClassification label: mal56.win@18/4@8/5
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\GoogleJump to behavior
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1252,i,4711991973511693927,1322772812815079145,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknownProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" "http://perr.yg5sjx5kzy.com
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1416 --field-trial-handle=1252,i,4711991973511693927,1322772812815079145,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8Jump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\GoogleJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
Source: C:\Program Files (x86)\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\chrome_BITS_3032_1665225739Jump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath Interception1
Process Injection
2
Masquerading
OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System1
Encrypted Channel
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Process Injection
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media4
Non-Application Layer Protocol
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive5
Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture3
Ingress Tool Transfer
Traffic DuplicationData Destruction
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.