Windows Analysis Report
https://mrohailkhan.com/energyaustralia/auth/auhs1/

Overview

General Information

Sample URL: https://mrohailkhan.com/energyaustralia/auth/auhs1/
Analysis ID: 1588878

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
AI detected suspicious Javascript
Performs DNS queries to domains with low reputation
Detected suspicious crossdomain redirect
HTML body contains password input but no form action
HTML page contains hidden javascript code
Javascript checks online IP of machine
Stores files to the Windows start menu directory

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 7012 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7112 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1920,i,3395591099186905557,16267342176003747170,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 1764 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://mrohailkhan.com/energyaustralia/auth/auhs1/" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: https://mrohailkhan.com/energyaustralia/auth/auhs1/ | Avira URL Cloud: detection malicious, Label: malware

Phishing

Source: 0.47.id.script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and interaction with suspicious domains. While some of the functionality may be legitimate (e.g., analytics or telemetry), the overall behavior and obfuscation raise significant security concerns.
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt# | HTTP Parser: <input type="password" .../> found but no <form action="...
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt | HTTP Parser: Base64 decoded: @3155yUKDpWnht5CzXvVkC6TMrocoxIc2KYEDDgzA3phNe5dd51qpY3oQXtTbY0OyHF5/cLqfNSyhprp8UcuKvA==
Source: https://g.alicdn.com/sd/baxia-entry/index.js | HTTP Parser: !function(){"use strict";var a=location,o=document,c=function(c,m,t,i){(void 0===m&&(m=1),void 0===t&&(t=.1),void 0===i&&(i="baxia-fast"),0>=t||Math.random()<t)&&function(a,o){var c=[];for(var m in a)c.push(m+"="+encodeURIComponent(a[m]));(new Image).src=o+c.join("&")}({code:m,msg:c+"",pid:i,page:a.href.split(/[#?]/)[0],query:a.search.substr(1),hash:a.hash,referrer:o.referrer,title:o.title,ua:navigator.userAgent},"//gm.mmstat.com/fsp.1.1?")};var m=["alires","pha_pageheader","pha_header","/punish","fourier.taobao.com/assist","fourier.alibaba.com/assist","market.m.taobao.com/app/tbhome/common/index.html",".sm.cn",".sm-tc.cn",".alipay.com",".aliyun.com","error.taobao.com","sialiagames","vntth","qookkagames","mobijoygames"];var t=document,i=window,e="https://bdc.alibabachengdun.com/wcfg.json";location.hostname&&location.hostname.indexOf("taobao.com")>-1?e="https://umdc.taobao.com/wcfg.json":location.hostname&&location.hostname.indexOf("tmall.com")>-1&&(e="https://umdc.tmall.com/wcfg.json");var n=function(a){for(v...
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt | HTTP Parser: <input type="password" .../> found
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt# | HTTP Parser: <input type="password" .../> found
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt | HTTP Parser: No <meta name="author".. found
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt# | HTTP Parser: No <meta name="author".. found
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt | HTTP Parser: No <meta name="copyright".. found
Source: https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt# | HTTP Parser: No <meta name="copyright".. found
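The HTTP Parser findings above (a password input with no form action, missing author/copyright meta tags, a decodable base64 blob) are static heuristics that are easy to re-run on any captured page. The Python below is an added example that re-implements them; it is not Joe Sandbox code and not the page served by kamarhokizero.xyz. The two HTML documents and the base64 string inside them are constructed, and the set of findings it reports is this example's own naming, not the sandbox's.

```python
"""Added example: re-implementation of the report's HTTP Parser phishing
heuristics over constructed HTML samples (not Joe Sandbox code and not the
page served by kamarhokizero.xyz)."""
import base64
import re
from html.parser import HTMLParser

# Constructed sample: a credential input with no <form action>, so the
# submission must happen through script (fetch/XHR), which is exactly what the
# "password input but no form action" signature is designed to catch.
SAMPLE = """<html><head><title>Sign in</title></head><body>
<div id="login">
  <input type="email" name="u">
  <input type="password" name="p"/>
  <button onclick="send()">Sign in</button>
</div>
<script>var k="aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q=";</script>
</body></html>"""

# Constructed benign counterpart: a normal form with an action plus author/copyright meta.
BENIGN = """<html><head><meta name="author" content="x"><meta name="copyright" content="y"></head>
<body><form action="/login" method="post"><input type="password" name="p"></form></body></html>"""

B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # runs long enough to be worth decoding


class FormAuditor(HTMLParser):
    """Collect forms, password inputs and <meta name=...> tags."""

    def __init__(self):
        super().__init__()
        self.forms = []            # each: {"action": str|None, "passwords": int}
        self.orphan_passwords = 0  # password inputs outside any <form>
        self.meta_names = set()
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names for us
        if tag == "form":
            self._form = {"action": a.get("action"), "passwords": 0}
            self.forms.append(self._form)
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            if self._form is None:
                self.orphan_passwords += 1
            else:
                self._form["passwords"] += 1
        elif tag == "meta" and a.get("name"):
            self.meta_names.add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def decoded_base64_strings(html):
    """Mirror the 'Base64 decoded:' signature: decode long base64 runs and keep
    only printable ASCII results, which drops hashes and inline image data."""
    out = []
    for token in B64_RE.findall(html):
        if len(token) % 4:
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        if raw.isascii() and raw.decode("ascii").isprintable():
            out.append(raw.decode("ascii"))
    return out


def audit(html):
    """Return the list of heuristic findings for one HTML document."""
    p = FormAuditor()
    p.feed(html)
    p.close()
    findings = []
    if p.orphan_passwords or any(f["passwords"] for f in p.forms):
        findings.append("password input found")
    # No action (or a placeholder "#") means credentials leave via script, not the form.
    if p.orphan_passwords or any(f["passwords"] and f["action"] in (None, "", "#") for f in p.forms):
        findings.append("password input but no form action")
    for name in ("author", "copyright"):
        if name not in p.meta_names:
            findings.append(f"no meta {name}")
    for text in decoded_base64_strings(html):
        findings.append("base64 decoded: " + text)
    return findings


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, audit(doc))
```

Treat these as signals, not verdicts: a legitimate single-page application also posts credentials from script with no form action, and many real sites omit author/copyright meta tags. What makes the report's case convincing is the combination with the low-reputation domain, the shortener redirect and the AV verdict, not any one parser finding.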

Networking

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | DNS query: kamarhokizero.xyz (4 queries)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | HTTP traffic: Redirect from: t.ly to https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp.0.0.3bc25fbchQYcAt
Source: unknown | TCP traffic detected without corresponding DNS query: 20.189.173.10 (7 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203 (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.211.108 (7 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 2.22.50.131 (4 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95 (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.32.136 (6 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (22 occurrences)
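Two of the network signals above are worth automating when triaging many of these reports: flows to an address that no DNS answer in the capture ever returned (the "without corresponding DNS query" lines, which target hard-coded C2 or exfiltration addresses), and a redirect that leaves the registrable domain of the request (the t.ly hop into kamarhokizero.xyz). The Python below is an added example, not Joe Sandbox code; the event list uses documentation-range IPs and is constructed, and the resolver, baseline and shortener sets are assumptions to be filled from your own sandbox.

```python
"""Added example: triage of a sandbox network log. Correlates TCP/UDP flows
against DNS answers seen earlier in the capture (the "traffic without
corresponding DNS query" signature) and flags HTTP redirects that cross a
registrable domain (the t.ly -> kamarhokizero.xyz hop). Not Joe Sandbox code;
the events and the three sets below are constructed assumptions."""
from urllib.parse import urlsplit

RESOLVERS = {"1.1.1.1", "1.0.0.1"}   # assumption: the sandbox's DNS resolvers
BASELINE = {"203.0.113.99"}          # assumption: destinations seen in a clean run
SHORTENERS = {"t.ly"}                # t.ly is the hop the report shows; extend as needed

# Constructed sample events in capture order (documentation-range IPs, not the report's pcap).
EVENTS = [
    ("dns",  {"name": "mrohailkhan.com", "answers": ["203.0.113.10"]}),
    ("tcp",  {"dst": "203.0.113.10", "port": 443}),
    ("udp",  {"dst": "1.1.1.1", "port": 53}),        # the resolver itself is never "resolved"
    ("tcp",  {"dst": "203.0.113.99", "port": 443}),  # background service, present in the baseline
    ("http", {"url": "https://t.ly/x1", "status": 302,
              "location": "https://kamarhokizero.xyz/?spm=Koihoki.pdp_revamp"}),
    ("dns",  {"name": "kamarhokizero.xyz", "answers": ["198.51.100.7"]}),
    ("tcp",  {"dst": "198.51.100.7", "port": 443}),
    ("tcp",  {"dst": "192.0.2.44", "port": 443}),    # no DNS answer ever named this IP
]


def registrable(host):
    """Approximate eTLD+1 as the last two labels. Fine for .xyz/.com; a real
    deployment should consult the public suffix list (co.uk and friends)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def flows_without_dns(events):
    """Flag flows whose destination was not returned by any earlier DNS answer.
    Resolver and baseline addresses are suppressed so the output stays actionable."""
    resolved, flagged = set(), []
    for kind, e in events:
        if kind == "dns":
            resolved.update(e["answers"])
        elif kind in ("tcp", "udp"):
            dst = e["dst"]
            if dst in RESOLVERS or dst in BASELINE or dst in resolved:
                continue
            flagged.append((kind, dst, e["port"]))
    return flagged


def cross_domain_redirects(events):
    """Flag 3xx responses whose Location leaves the registrable domain of the request."""
    out = []
    for kind, e in events:
        if kind != "http" or e.get("status") not in (301, 302, 303, 307, 308):
            continue
        src = urlsplit(e["url"]).hostname or ""
        dst = urlsplit(e["location"]).hostname or ""
        if registrable(src) != registrable(dst):
            out.append({"from": src, "to": dst, "shortener": src in SHORTENERS})
    return out


if __name__ == "__main__":
    print("flows without DNS:", flows_without_dns(EVENTS))
    print("cross-domain redirects:", cross_domain_redirects(EVENTS))
```

The ordering matters: a DNS answer that arrives after the connection does not explain it, so the correlation is done in capture order. In the report itself the UDP traffic to 1.1.1.1 is the sandbox's own resolver traffic and the remaining addresses are typical of OS and browser background services; compare them against a clean baseline run of the same image before treating any of them as attacker infrastructure. The chrome.exe DNS queries for kamarhokizero.xyz, the t.ly redirect and the AV verdict are the parts of this report that actually carry the phishing finding.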
Source: global traffic | HTTP traffic detected:
    GET /energyaustralia/auth/auhs1/ HTTP/1.1
    Host: mrohailkhan.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /g/lzdfe/pdp-platform/0.1.22/pc.css HTTP/1.1
    Host: g.lazcdn.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://mrohailkhan.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /g/lzdfe/pdp-modules/1.4.4/pc-mod.css HTTP/1.1
    Host: g.lazcdn.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: style
    Referer: https://mrohailkhan.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /g/??lzd/assets/0.0.7/dpl-buyeruikit/2.0.1/next-noreset-1.css,lzd/assets/0.0.7/dpl-buyeruikit/2.0.1/next-noreset-2.css,lazada/lazada-product-detail/1.7.4/index/index.css HTTP/1.1
    Host: g.lazcdn.com
    Connection: keep-alive
    sec-ch-ua: