Loading ...

Play interactive tourEdit tour

Analysis Report http://120.92.4.195

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:151577
Start date:12.07.2019
Start time:11:24:32
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 9s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://120.92.4.195
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:UNKNOWN
Classification:unknown1.win@3/12@0/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • URL browsing timeout or error
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe
  • Excluded IPs from analysis (whitelisted): 2.19.38.59
  • Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, go.microsoft.com, go.microsoft.com.edgekey.net
Errors:
  • URL not reachable

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold10 - 100falseunknown

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold30 - 5true
ConfidenceConfidence


Classification

Analysis Advice

Joe Sandbox was unable to browse the URL (domain or webserver down or HTTPS issue), try to browse the URL again later
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsFile System Logical OffsetsCredential DumpingFile and Directory Discovery1Remote File Copy3Data from Local SystemData CompressedStandard Non-Application Layer Protocol2
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol2
Drive-by CompromiseWindows Management InstrumentationAccessibility FeaturesPath InterceptionRootkitInput CaptureQuery RegistryWindows Remote ManagementData from Network Shared DriveAutomated ExfiltrationRemote File Copy3

Signature Overview

Click to jump to signature section


Networking:

barindex
Connects to IPs without corresponding DNS lookupsShow sources
Source: unknownTCP traffic detected without corresponding DNS query: 120.92.4.195
Source: unknownTCP traffic detected without corresponding DNS query: 120.92.4.195
Source: unknownTCP traffic detected without corresponding DNS query: 120.92.4.195
Source: unknownTCP traffic detected without corresponding DNS query: 120.92.4.195
Source: unknownTCP traffic detected without corresponding DNS query: 120.92.4.195
Source: unknownTCP traffic detected without corresponding DNS query: 120.92.4.195
Source: unknownTCP traffic detected without corresponding DNS query: 120.92.4.195
Connects to country known for bullet proof hostersShow sources
Source: unknownNetwork traffic detected: IP: 120.92.4.195 China
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: 120.92.4.195Connection: Keep-Alive
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)Show sources
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: KSYUN ELB 1.0.0Date: Fri, 12 Jul 2019 09:25:35 GMTContent-Length: 0Connection: keep-alive
Urls found in memory or binary dataShow sources
Source: ~DF0F81E4B761AE88CA.TMP.1.drString found in binary or memory: http://120.92.4.195/
Source: {6EE48F0C-A4D2-11E9-AADF-9CC1A2A860C6}.dat.1.drString found in binary or memory: http://120.92.4.195/Root

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: unknown1.win@3/12@0/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user~1\AppData\Local\Temp\~DFA70A87FCA7E1DFC6.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 151577 URL: http://120.92.4.195 Startdate: 12/07/2019 Architecture: WINDOWS Score: 1 5 iexplore.exe 2 61 2->5         started        process3 7 iexplore.exe 39 5->7         started        dnsIp4 10 120.92.4.195, 49708, 49709, 80 unknown China 7->10

Simulations

Behavior and APIs

No simulations

Antivirus and Machine Learning Detection

Initial Sample

SourceDetectionScannerLabelLink
http://120.92.4.1950%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://120.92.4.195/Root0%Avira URL Cloudsafe
http://120.92.4.195/0%virustotalBrowse
http://120.92.4.195/0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.