Edit tour

Windows Analysis Report
http://107.126.130.70/favicon.ico

Overview

General Information

Sample URL:	http://107.126.130.70/favicon.ico
Analysis ID:	1431914
Infos:

Errors URL not reachable

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w10x64

chrome.exe (PID: 5288 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5356 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 --field-trial-handle=2540,i,6574189812707770867,13748855464644535458,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://107.126.130.70/favicon.ico" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic

DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443

Source: unknown	HTTPS traffic detected: 23.202.106.101:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.202.106.101:443 -> 192.168.2.4:49742 version: TLS 1.2

Source: classification engine

Classification label: unknown0.win@18/0@2/4

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 --field-trial-handle=2540,i,6574189812707770867,13748855464644535458,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://107.126.130.70/favicon.ico"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 --field-trial-handle=2540,i,6574189812707770867,13748855464644535458,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://107.126.130.70/favicon.ico	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	192.178.50.36	true	false		high
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.178.50.36	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
107.126.130.70	unknown	United States	20057	ATT-MOBILITY-LLC-AS20057US	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431914
Start date and time:	2024-04-26 00:44:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://107.126.130.70/favicon.ico
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	UNKNOWN
Classification:	unknown0.win@18/0@2/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	URL browsing timeout or error

Errors

URL not reachable

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.165.195, 192.178.50.46, 74.125.26.84, 34.104.35.123, 20.114.59.183, 72.21.81.240, 13.85.23.206, 192.229.211.108
Excluded domains from analysis (whitelisted): fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, glb.cws.prod.dcat.dsp.trafficmanager.net, ocsp.edge.digicert.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, clients.l.google.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: http://107.126.130.70/favicon.ico

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

⊘No static file info

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 00:44:52.089842081 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 00:45:00.356215954 CEST	49735	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:00.356364965 CEST	49736	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:00.514336109 CEST	80	49735	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:00.515372992 CEST	80	49736	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:00.609148026 CEST	49737	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:00.769610882 CEST	80	49737	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:01.014652014 CEST	49735	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:01.014738083 CEST	49736	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:01.280563116 CEST	49737	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:01.697695971 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 26, 2024 00:45:02.050684929 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:02.050767899 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:02.050839901 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:02.051398039 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:02.051434040 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:02.442148924 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:02.443217993 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:02.443252087 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:02.444308043 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:02.444381952 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:02.446211100 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:02.446283102 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:02.486597061 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:02.486635923 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:02.532967091 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:02.961472988 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:02.961505890 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:02.961612940 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:02.987344027 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:02.987355947 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.025922060 CEST	49735	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:03.025933981 CEST	49736	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:03.246561050 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.246752024 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.272887945 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.272902012 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.273122072 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.290338039 CEST	49737	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:03.322299004 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.454262018 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.496121883 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.586884975 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.586951017 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.587002039 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.587229967 CEST	49741	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.587249994 CEST	443	49741	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.629725933 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.629827023 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.629914045 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.630608082 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.630640984 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.884850025 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.884926081 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.890408993 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.890431881 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.890687943 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:03.892944098 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:03.940115929 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:04.172842979 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:04.173006058 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:04.173065901 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:04.173645973 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:04.173645973 CEST	49742	443	192.168.2.4	23.202.106.101
Apr 26, 2024 00:45:04.173691988 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:04.173718929 CEST	443	49742	23.202.106.101	192.168.2.4
Apr 26, 2024 00:45:07.028358936 CEST	49735	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:07.028369904 CEST	49736	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:07.189002991 CEST	80	49735	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:07.189075947 CEST	80	49736	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:07.296964884 CEST	49737	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:07.461657047 CEST	80	49737	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:07.698230028 CEST	49735	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:07.698635101 CEST	49736	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:07.967006922 CEST	49737	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:12.427438021 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:12.427566051 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:12.427764893 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:12.722825050 CEST	49740	443	192.168.2.4	192.178.50.36
Apr 26, 2024 00:45:12.722882032 CEST	443	49740	192.178.50.36	192.168.2.4
Apr 26, 2024 00:45:15.459804058 CEST	49745	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:15.465723038 CEST	49746	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:15.618361950 CEST	80	49745	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:15.625036001 CEST	80	49746	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:15.738306046 CEST	49747	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:15.897169113 CEST	80	49747	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:16.131444931 CEST	49745	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:16.131556034 CEST	49746	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:16.397690058 CEST	49747	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:18.132165909 CEST	49745	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:18.132251978 CEST	49746	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:18.413062096 CEST	49747	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:19.680811882 CEST	80	49723	162.222.107.40	192.168.2.4
Apr 26, 2024 00:45:19.680939913 CEST	49723	80	192.168.2.4	162.222.107.40
Apr 26, 2024 00:45:19.680964947 CEST	49723	80	192.168.2.4	162.222.107.40
Apr 26, 2024 00:45:19.806015968 CEST	80	49723	162.222.107.40	192.168.2.4
Apr 26, 2024 00:45:22.143186092 CEST	49746	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:22.143188953 CEST	49745	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:22.301992893 CEST	80	49745	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:22.302647114 CEST	80	49746	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:22.416244030 CEST	49747	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:22.575237036 CEST	80	49747	107.126.130.70	192.168.2.4
Apr 26, 2024 00:45:22.807631016 CEST	49745	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:22.807640076 CEST	49746	80	192.168.2.4	107.126.130.70
Apr 26, 2024 00:45:23.089725018 CEST	49747	80	192.168.2.4	107.126.130.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 00:44:58.455288887 CEST	53	57044	1.1.1.1	192.168.2.4
Apr 26, 2024 00:44:58.556258917 CEST	53	58212	1.1.1.1	192.168.2.4
Apr 26, 2024 00:44:59.397653103 CEST	53	50460	1.1.1.1	192.168.2.4
Apr 26, 2024 00:45:01.922208071 CEST	58756	53	192.168.2.4	1.1.1.1
Apr 26, 2024 00:45:01.922692060 CEST	57040	53	192.168.2.4	1.1.1.1
Apr 26, 2024 00:45:02.047494888 CEST	53	58756	1.1.1.1	192.168.2.4
Apr 26, 2024 00:45:02.047960997 CEST	53	57040	1.1.1.1	192.168.2.4
Apr 26, 2024 00:45:16.683763027 CEST	53	56714	1.1.1.1	192.168.2.4
Apr 26, 2024 00:45:20.765506029 CEST	138	138	192.168.2.4	192.168.2.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 00:45:01.922208071 CEST	192.168.2.4	1.1.1.1	0x20e8	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 26, 2024 00:45:01.922692060 CEST	192.168.2.4	1.1.1.1	0xc048	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 00:45:02.047494888 CEST	1.1.1.1	192.168.2.4	0x20e8	No error (0)	www.google.com		192.178.50.36	A (IP address)	IN (0x0001)	false
Apr 26, 2024 00:45:02.047960997 CEST	1.1.1.1	192.168.2.4	0xc048	No error (0)	www.google.com			65	IN (0x0001)	false
Apr 26, 2024 00:45:16.621306896 CEST	1.1.1.1	192.168.2.4	0x3446	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Apr 26, 2024 00:45:16.621306896 CEST	1.1.1.1	192.168.2.4	0x3446	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	23.202.106.101	443

Timestamp	Bytes transferred	Direction	Data
2024-04-25 22:45:03 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-25 22:45:03 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0712) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=116361 Date: Thu, 25 Apr 2024 22:45:03 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	23.202.106.101	443

Timestamp	Bytes transferred	Direction	Data
2024-04-25 22:45:03 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-25 22:45:04 UTC	487	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (dce/26AC) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=116394 Date: Thu, 25 Apr 2024 22:45:04 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-25 22:45:04 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 5288, Parent PID: 5312

General

Target ID:	0
Start time:	00:44:54
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5356, Parent PID: 5288

General

Target ID:	2
Start time:	00:44:56
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 --field-trial-handle=2540,i,6574189812707770867,13748855464644535458,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff7699e0000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6492, Parent PID: 5312

General

Target ID:	3
Start time:	00:44:59
Start date:	26/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://107.126.130.70/favicon.ico"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 23.202.106.101
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 162.222.107.40
Source: unknown	TCP traffic detected without corresponding DNS query: 162.222.107.40
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70
Source: unknown	TCP traffic detected without corresponding DNS query: 107.126.130.70

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://107.126.130.70/favicon.ico

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Errors

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 5288, Parent PID: 5312

General

Chronological Activities

Analysis Process: chrome.exePID: 5356, Parent PID: 5288

General

Chronological Activities

Analysis Process: chrome.exePID: 6492, Parent PID: 5312

General

Chronological Activities

Disassembly

Windows Analysis Report
http://107.126.130.70/favicon.ico