Loading ...

Play interactive tourEdit tour

Analysis Report http://live-acc-static.com/

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:208481
Start date:14.02.2020
Start time:16:22:48
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 20s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:urldownload.jbs
Sample URL:http://live-acc-static.com/
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.win@9/35@6/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
Show All
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 52.109.124.22, 92.123.10.235, 104.108.56.95, 216.58.201.100, 23.5.96.58, 195.138.255.8, 195.138.255.9, 172.217.23.195, 92.123.28.58, 152.199.19.161, 13.107.4.50, 205.185.216.10, 205.185.216.42, 67.26.73.254, 67.27.157.126, 67.26.83.254, 8.253.204.249, 67.27.158.254
  • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, e2836.g.akamaiedge.net, a1697.g.akamai.net, Edge-Prod-FRA.env.au.au-msedge.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e8804.dscx.akamaiedge.net, go.microsoft.com, www-ipv6.godaddy.com.edgekey.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, nexus.officeapps.live.com, www.google.com, www.gstatic.com, elasticShed.au.au-msedge.net, auto.au.download.windowsupdate.com.c.footprint.net, ak.imgaft.com.edgesuite.net, e6001.a.akamaiedge.net, ie9comview.vo.msecnd.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, cds.d2s7q6s2.hwcdn.net, afdap.au.au-msedge.net, parked-content.godaddy.com.edgekey.net, global-wildcard.wsimg.com.edgekey.net, au.au-msedge.net, go.microsoft.com.edgekey.net, au.c-0001.c-msedge.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtSetValueKey calls found.

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold10 - 100falseclean

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold40 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsGraphical User Interface1Winlogon Helper DLLProcess Injection11Masquerading1Credential DumpingFile and Directory Discovery1Remote File Copy2Data from Local SystemData CompressedStandard Non-Application Layer Protocol3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesProcess Injection11Network SniffingSystem Information Discovery11Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionRootkitInput CaptureRemote System Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationRemote File Copy2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

Signature Overview

Click to jump to signature section


Networking:

barindex
Downloads compressed data via HTTPShow sources
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cachePragma: no-cacheContent-Type: text/html; charset=utf-8Content-Encoding: gzipExpires: -1Vary: Accept-EncodingServer: Microsoft-IIS/7.5X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETDate: Fri, 14 Feb 2020 15:24:40 GMTContent-Length: 6889Age: 1Connection: keep-aliveData Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e ff ae db db e9 eb bc be cc eb 47 e9 cb 7b 2f bf fb f2 f8 d5 ef f5 f4 f7 79 b1 f3 20 dd de 3e c2 b7 17 b3 ed 65 b5 9c ae 9b b6 5a e4 f5 76 fe 6e 55 d4 f9 ec ee c3 87 d3 6a d1 64 65 fe b3 d0 ec e9 97 27 6f 7e 9f 97 a7 e9 bc 5d 94 47 c9 63 f3 23 cf 66 f4 a3 99 d6 c5 aa 4d 9b 7a fa d9 47 f3 b6 5d 3d ba 7b f7 ea ea 6a 7c 51 55 17 65 3e 26 30 77 b3 59 93 2f 9b fc ee ac 5a 64 c5 b2 b9 3b cd ce c7 3f dd 7c 94 b6 d7 ab fc b3 8f da fc 5d 7b f7 a7 b3 cb 4c 00 7d 74 f4 f8 ae fc 46 b0 db a2 2d f3 a3 b2 b8 cc b7 b3 e9 74 bb 69 b3 b6 98 02 e6 e3 bb f2 55 f2 78 91 b7 59 ba cc 16 04 a9 ae 26 55 4b 70 a7 d5 b2 cd 97 ed 67 1f 15 cb 59 fe 6e b4 ac ce ab b2 ac ae 3e 4a ef 52 fb b2 58 be 4d eb bc fc ec a3 a6 bd 2e f3 66 9e e7 ed 47 e9 bc ce cf 05 fd c6 e2 3f cb 66 b3 6b 74 76 37 6b 9a bc 6d ee 5e d5 f3 66 5b 7f cf f7 ef ef de df 79 70 b0 9b 9d 67 f7 ef 9d df db 7d b8 f7 70 36 9b 3e b8 f7 e9 64 67 72 ef d3 87 77 d7 ef a6 55 9d ef 8d 17 c5 72 3c 6d 08 ab 45 3e 2b b2 cf 3e ca ca 52 10 e1 ee 7d 1a a0 d5 51 32 9e 96 79 56 a7 bf 38 e1 9f 8f 52 1a d2 fc 30 f9 25 c9 78 59 5d d5 d9 8a be b8 9a 17 6d be dd ac b2 69 fe 28 95 4f 0f 93 ab 62 d6 ce 1f a5 07 3b ab 77 dc fa a2 5e 4e aa 77 68 2d 5f ec cb 37 93 aa 9e 81 b3 f6 56 ef d2 a6 2a 8b 59 fa e3 0f 3f 3d 79 b0 ff d0 7c b5 5d 67 b3 62 dd 3c 4a ef a3 f9 22 ab 2f 8a e5 36 e1 40 ec f1 28 dd 3d c0 87 0c 3d 9b 75 c0 13 c4 c3 e4 bc 28 5b 80 5f d5 d5 45 31 7b f4 f4 f7 3e 5b 64 17 f9 9b 3a 5b 36 e7 55 bd 18 7f 51 4c eb aa a9 ce 5b 86 50 d0 24 6d e5 cb 6c 52 e6 b3 cf 3e 6e eb 75 fe f1 88 a6 b8 6e 4f aa b2 aa 9b b6 fe ec e3 1f 7f 7a 0f ff 7d 3c 4a f3 e5 cc fb f8 19 3f f4 f1 e7 0a e7 0d e8 b8 73 c7 0c 83 70 75 23 3c e1 c7 7c 15 8e 90 06 d3 ce d7 8b 49 f3 a6 02 6d e7 79 71 31 6f 1f a5 9f f2 70 74 70 f2 87 d2 a2 cc cf e9 fb 3d a6 a6 7e d4 56 2b a2 80 ff 89 21 d8 3e 3e 9b 64 d3 b7 17 75 b5 5e ce b6 0b 90 e3 51 ba ae cb ad 8f c1 6c c4 6b d9 db bd 71 b1 b8 c8 88 26 60 35 6e d1 dc 2d 88 87 b7 e9 b3 bc 5e 16 d3 ed a2 d9 6e e7 f4 cf 75 b5 ae b7 45 8a b6 f7 09 f6 78 b5 bc f8 18 63 76 3d d4 f9 2a cf 08 c1 65 a5 bf 7a 43 7c c2 58 7d d0 28 f7 3e f5 3e 31 a3 94 66 1e 12 3c 88 f7 1f e6 ac 6a b7 e9 4b fa f9 75 47 78 bc 9e b6 45 b5 6c fe ff 3c c6 87 0f 69 74 5e 5b ee e6 36 88 9c 13 9c 75 9d 6f 17 65 b9 a6 fe 7d 3c 6e 8b c2 8f 4b 73 a8 db 5d c2 02 6a 6b 3b 2b 8b 8b e5 a3 14 d4 3c 4c a6 10 d1 47 e9 8f
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cachePragma: no-cacheContent-Type: text/html; charset=utf-8Content-Encoding: gzipExpires: -1Vary: Accept-EncodingServer: Microsoft-IIS/7.5X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETDate: Fri, 14 Feb 2020 15:24:41 GMTContent-Length: 136Age: 1Connection: keep-aliveData Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e cf db 45 79 f4 78 52 cd ae 8f 1e df d5 1f fc d9 ff 03 77 74 57 b6 1a 00 00 00 Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"EyxRwtW
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoAccept: */*Accept-Encoding: identityHost: live-acc-static.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /?reqp=1&reqr= HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Referer: http://parked-content.godaddy.com/park/rKMcpv1hpUNgMzqhM3MjYaOvrt==Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: live-acc-static.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /img.aspx?q=L3MkWGAkYGx2ZQV1AmNkAmx1ZwD4Zmt0WGV2MlHmpGHjZQRyZwMyWGAkWGV2ovHmpGNyZwMwWGAkZPHlAzIzWGAkZPHlAzLyZ3RyZwMyMlHmpGVjZwNjZwR0ZQtlAQDkWGV2L3xyZ3RkWGV2qTpyZ3RkWGV2rPHmpFHlAz56WGAkZPHlAzMjWGAkZwx4WGV2nT5aWGAkZFHlAaEzWGAkAvHlAaOjWGAknTLyZwMkMFHmpJ5zYKSyqaRgLzVgZGt4AGpkAQR4AwH0ZQt5APHlAzMapPHmpGN=-1 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: http://live-acc-static.com/?reqp=1&reqr=Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: live-acc-static.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: live-acc-static.comConnection: Keep-Alive
Found strings which match to known social media urlsShow sources
Source: msapplication.xml1.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf37c0160,0x01d5e34a</date><accdate>0xf37c0160,0x01d5e34a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf37c0160,0x01d5e34a</date><accdate>0xf37c0160,0x01d5e34a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf385ea12,0x01d5e34a</date><accdate>0xf385ea12,0x01d5e34a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf385ea12,0x01d5e34a</date><accdate>0xf385ea12,0x01d5e34a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf3884c8f,0x01d5e34a</date><accdate>0xf3884c8f,0x01d5e34a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.4.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf3884c8f,0x01d5e34a</date><accdate>0xf3884c8f,0x01d5e34a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: live-acc-static.com
Urls found in memory or binary dataShow sources
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://afs.googleusercontent.com/dp-godaddy/thm/Bullet_7.gif
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://ak2.imgaft.com/images/GDPPC_CAF_Search3.png
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://ak2.imgaft.com/images/GD_Sharehead.jpg
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://ak2.imgaft.com/images/bul_blacksquare.png
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://ak2.imgaft.com/images/feature-illu-dot-com-domain.png
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://ak2.imgaft.com/images/icon-afternic-dot-com-domain-44px.png
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://ak2.imgaft.com/images/icon-afternic-is-this-your-domain-44px.png
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://ak2.imgaft.com/images/new_logo_GDTrans.png
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://ak2.imgaft.com/script/jquery-1.3.1.min.js
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://auctions.godaddy.com/trpItemListing.aspx?ci=85897&utm_source=godaddy&utm_medium=parkedpages&i
Source: jquery-1.3.1.min[1].js.5.drString found in binary or memory: http://docs.jquery.com/License
Source: jquery-1.3.1.min[1].js.5.drString found in binary or memory: http://jquery.com/
Source: wget.exe, 00000002.00000002.4344912495.0000000000F20000.00000004.00000040.sdmp, cmdline.out.2.drString found in binary or memory: http://live-acc-static.com/
Source: wget.exe, 00000002.00000002.4344912495.0000000000F20000.00000004.00000040.sdmpString found in binary or memory: http://live-acc-static.com/6
Source: wget.exe, 00000002.00000002.4344912495.0000000000F20000.00000004.00000040.sdmpString found in binary or memory: http://live-acc-static.com/8
Source: {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.drString found in binary or memory: http://live-acc-static.com/?reqp=1&reqr=
Source: {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.drString found in binary or memory: http://live-acc-static.com/?reqp=1&reqr=&live-acc-static.com
Source: {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.drString found in binary or memory: http://live-acc-static.com/?reqp=1&reqr=dex.html
Source: wget.exe, 00000002.00000002.4344912495.0000000000F20000.00000004.00000040.sdmpString found in binary or memory: http://live-acc-static.com/ic.c
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://live-acc-static.com/img.aspx?q=L3MkWGAkYGx2ZQV1AmNkAmx1ZwD4Zmt0WGV2MlHmpGHjZQRyZwMyWGAkWGV2ov
Source: rKMcpv1hpUNgMzqhM3MjYaOvrt==[1].htm.5.drString found in binary or memory: http://live-acc-static.com?reqp=1&reqr=
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://live-acc-static.com?src=1&reqp=1
Source: {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.drString found in binary or memory: http://live-acc-static/Desktop/download/index.html.com/?reqp=1&reqr=dex.htmlRoot
Source: wget.exe, 00000002.00000002.4344939967.0000000000F2B000.00000004.00000040.sdmp, wget.exe, 00000002.00000002.4344912495.0000000000F20000.00000004.00000040.sdmp, {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.dr, index.html.2.drString found in binary or memory: http://parked-content.godaddy.com/park/rKMcpv1hpUNgMzqhM3MjYaOvrt==
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://parked-content.godaddy.com/park/rKMcpv1hpUNgMzqhM3MjYaOvrt==?reqp=1&qaspoofip=84.17.52.81
Source: jquery-1.3.1.min[1].js.5.drString found in binary or memory: http://sizzlejs.com/
Source: msapplication.xml.4.drString found in binary or memory: http://www.amazon.com/
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/Hosting/Legacy.aspx?ci=85899&isc=GPPT05K500&utm_source=godaddy&utm_medium=par
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/agreements/ShowDoc.aspx?pageid=privacy_parkedpage
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/api/dpp/search/single
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/domains/activate.aspx?ci=85891&utm_source=godaddy&utm_medium=parkedpages&isc=
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/domains/search.aspx?ci=85899&isc=GPPT05K500&utm_source=godaddy&utm_medium=par
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/domains/searchresults.aspx?ci=87915&isc=GPPT05K500&utm_source=godaddy&utm_med
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/domains/searchresults.aspx?isc=GPPT02K500&utm_medium=parkedpages&utm_source=g
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/email/email-hosting.aspx?ci=85899&isc=GPPT02K500&utm_source=godaddy&utm_mediu
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/gdshop/catalog.asp?ci=85899&isc=GPPT05K500&utm_source=godaddy&utm_medium=park
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/gdshop/ecommerce/shopping-cart.asp?ci=85899&isc=GPPT02K500&utm_source=godaddy
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/hosting/website-builder.aspx?ci=85899&isc=GPPT05K500&utm_source=godaddy&utm_m
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=85899&isc=GPPT05K500&utm_source=godaddy&utm_medi
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com?ci=85890&isc=GPPT02K500
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com?ci=85917&utm_source=godaddy&utm_medium=parkedpages&isc=GPPT02K500
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.godaddy.com?utm_source=godaddy&utm_medium=parkedpages&ci=85917&isc=GPPT05K500
Source: msapplication.xml2.4.drString found in binary or memory: http://www.google.com/
Source: IQ9U8KP9.htm.5.drString found in binary or memory: http://www.google.com/adsense/domains/caf.js
Source: msapplication.xml3.4.drString found in binary or memory: http://www.live.com/
Source: msapplication.xml4.4.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.4.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.4.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.4.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.4.drString found in binary or memory: http://www.youtube.com/
Source: caf[1].js0.5.dr, caf[1].js.5.drString found in binary or memory: https://ajax.googleapis.com/ajax
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://cpclicktracking.com/caf.aspx/?domain=live-acc-static.com&e=Wzp9AGNjZFMxCFMwCGNznG0zMG0zow0zL
Source: caf[1].js0.5.drString found in binary or memory: https://fonts.googleapis.com/css
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://img1.wsimg.com/ux/fonts/boing/1.0/Boing-Bold.woff
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://img1.wsimg.com/ux/fonts/boing/1.0/Boing-Bold.woff2
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://img1.wsimg.com/ux/fonts/sherpa/1.0/gdsherpa-bold.woff
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://img1.wsimg.com/ux/fonts/sherpa/1.0/gdsherpa-bold.woff2
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://www.godaddy.com/assets/wrhs-assets/e45150781afa53f31929ddc736b0b369/uxcore2.min.css
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://www.godaddy.com/domains/popups/icannfee.aspx?isc=GPPT02K500&ci=ciICANN&domain=gdstatic.com&a
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://www.godaddy.com/domains/search.aspx?isc=PW999COM&utm_medium=parkedpages&utm_source=godaddy
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://www.godaddy.com/offers/domains?isc=GPPT02K500
Source: IQ9U8KP9.htm.5.drString found in binary or memory: https://www.godaddy.com/offers/domains?isc=GPPT05K500&utm_medium=parkedpages&utm_source=godaddy
Source: {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.drString found in binary or memory: https://www.google.com/
Source: {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.drString found in binary or memory: https://www.google.com/afs/ads/i/iframe.html
Source: {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.drString found in binary or memory: https://www.google.com/afs/ads/i/iframe.html#slave-0-1
Source: {19F5D7A4-4F3E-11EA-AAE3-9CC1A2A860C6}.dat.4.drString found in binary or memory: https://www.google.com/dp/ads?r=m&domain_name=live-acc-static.com&client=dp-godaddy1_xml&channel=gd-
Source: caf[1].js0.5.dr, caf[1].js.5.drString found in binary or memory: https://www.google.com/uds

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: clean1.win@9/35@6/1
Creates files inside the user directoryShow sources
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\cmdline.outJump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_01
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF7BEA2A826074902D.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\SysWOW64\wget.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\wget.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://live-acc-static.com/' > cmdline.out 2>&1
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://live-acc-static.com/'
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index.html
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5716 CREDAT:17410 /prefetch:2
Source: unknownProcess created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssvagent.exe 'C:\PROGRA~2\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://live-acc-static.com/' Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5716 CREDAT:17410 /prefetch:2Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeProcess created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssvagent.exe 'C:\PROGRA~2\Java\JRE18~1.0_1\bin\ssvagent.exe' -newJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\SysWOW64\wget.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\ssvagent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://live-acc-static.com/' Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\SysWOW64\wget.exeQueries volume information: C:\Users\user\Desktop\download VolumeInformationJump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 208481 URL: http://live-acc-static.com/ Startdate: 14/02/2020 Architecture: WINDOWS Score: 1 6 iexplore.exe 12 72 2->6         started        8 cmd.exe 2 2->8         started        process3 10 iexplore.exe 50 6->10         started        13 wget.exe 2 8->13         started        15 conhost.exe 8->15         started        dnsIp4 19 www.godaddy.com 10->19 21 parked-content.godaddy.com 10->21 25 2 other IPs or domains 10->25 17 ssvagent.exe 501 10->17         started        23 live-acc-static.com 184.168.221.82, 49869, 49872, 49873 unknown United States 13->23 process5

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
live-acc-static.com0%VirustotalBrowse
ak2.imgaft.com0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://live-acc-static.com/favicon.ico0%Avira URL Cloudsafe
http://live-acc-static.com?src=1&reqp=10%Avira URL Cloudsafe
http://ak2.imgaft.com/images/feature-illu-dot-com-domain.png0%VirustotalBrowse
http://ak2.imgaft.com/images/feature-illu-dot-com-domain.png0%Avira URL Cloudsafe
http://ak2.imgaft.com/images/icon-afternic-is-this-your-domain-44px.png0%VirustotalBrowse
http://ak2.imgaft.com/images/icon-afternic-is-this-your-domain-44px.png0%Avira URL Cloudsafe
http://live-acc-static.com/?reqp=1&reqr=0%Avira URL Cloudsafe
http://ak2.imgaft.com/script/jquery-1.3.1.min.js0%VirustotalBrowse
http://ak2.imgaft.com/script/jquery-1.3.1.min.js0%Avira URL Cloudsafe
http://ak2.imgaft.com/images/new_logo_GDTrans.png0%VirustotalBrowse
http://ak2.imgaft.com/images/new_logo_GDTrans.png0%Avira URL Cloudsafe
http://live-acc-static.com/60%Avira URL Cloudsafe
http://live-acc-static.com/80%Avira URL Cloudsafe
http://live-acc-static.com?reqp=1&reqr=0%Avira URL Cloudsafe
http://ak2.imgaft.com/images/icon-afternic-dot-com-domain-44px.png0%VirustotalBrowse
http://ak2.imgaft.com/images/icon-afternic-dot-com-domain-44px.png0%Avira URL Cloudsafe
http://live-acc-static/Desktop/download/index.html.com/?reqp=1&reqr=dex.htmlRoot0%Avira URL Cloudsafe
http://live-acc-static.com/?reqp=1&reqr=dex.html0%Avira URL Cloudsafe
http://live-acc-static.com/img.aspx?q=L3MkWGAkYGx2ZQV1AmNkAmx1ZwD4Zmt0WGV2MlHmpGHjZQRyZwMyWGAkWGV2ov0%Avira URL Cloudsafe
http://ak2.imgaft.com/images/bul_blacksquare.png0%VirustotalBrowse
http://ak2.imgaft.com/images/bul_blacksquare.png0%Avira URL Cloudsafe
http://live-acc-static.com/img.aspx?q=L3MkWGAkYGx2ZQV1AmNkAmx1ZwD4Zmt0WGV2MlHmpGHjZQRyZwMyWGAkWGV2ovHmpGNyZwMwWGAkZPHlAzIzWGAkZPHlAzLyZ3RyZwMyMlHmpGVjZwNjZwR0ZQtlAQDkWGV2L3xyZ3RkWGV2qTpyZ3RkWGV2rPHmpFHlAz56WGAkZPHlAzMjWGAkZwx4WGV2nT5aWGAkZFHlAaEzWGAkAvHlAaOjWGAknTLyZwMkMFHmpJ5zYKSyqaRgLzVgZGt4AGpkAQR4AwH0ZQt5APHlAzMapPHmpGN=-10%Avira URL Cloudsafe
http://ak2.imgaft.com/images/GDPPC_CAF_Search3.png0%VirustotalBrowse
http://ak2.imgaft.com/images/GDPPC_CAF_Search3.png0%Avira URL Cloudsafe
http://live-acc-static.com/?reqp=1&reqr=&live-acc-static.com0%Avira URL Cloudsafe
http://www.wikipedia.com/0%VirustotalBrowse
http://www.wikipedia.com/0%URL Reputationsafe
http://live-acc-static.com/0%VirustotalBrowse
http://live-acc-static.com/0%Avira URL Cloudsafe
http://live-acc-static.com/ic.c0%Avira URL Cloudsafe
http://ak2.imgaft.com/images/GD_Sharehead.jpg0%VirustotalBrowse
http://ak2.imgaft.com/images/GD_Sharehead.jpg0%Avira URL Cloudsafe
https://cpclicktracking.com/caf.aspx/?domain=live-acc-static.com&e=Wzp9AGNjZFMxCFMwCGNznG0zMG0zow0zL0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.