Loading ...

Play interactive tourEdit tour

Analysis Report https://storage.googleapis.com/specialoiest/2020.htm

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:208482
Start date:14.02.2020
Start time:16:22:49
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 1s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://storage.googleapis.com/specialoiest/2020.htm
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.win@3/14@3/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • URL browsing timeout or error
Warnings:
Show All
  • Exclude process from analysis (whitelisted): taskhostw.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 2.17.180.113, 92.123.10.235, 216.58.201.112, 216.58.201.100
  • Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, fs.microsoft.com, go.microsoft.com, storage.googleapis.com, go.microsoft.com.edgekey.net, e1723.g.akamaiedge.net, www.google.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
Errors:
  • URL not reachable

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold480 - 100falsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

All domains contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work
Initial sample is implementing a service and should be registered / started as service
Joe Sandbox was unable to browse the URL (domain or webserver down or HTTPS issue), try to browse the URL again later



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsGraphical User Interface1Winlogon Helper DLLProcess Injection1Masquerading1Credential DumpingFile and Directory Discovery1Application Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesProcess Injection1Network SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: technologiescity.comGoogle Safe Browsing: Label: phishing
Source: https://technologiescity.com/newdr/aloiest/2020.htm5Google Safe Browsing: Label: phishing
Source: https://technologiescity.com/newdr/Google Safe Browsing: Label: phishing

Networking:

barindex
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)Show sources
Source: unknownDNS traffic detected: query: technologiescity.com replaycode: Server failure (2)
Source: unknownDNS traffic detected: query: technologiescity.com replaycode: Name error (3)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: technologiescity.com
Urls found in memory or binary dataShow sources
Source: {880883BC-4F89-11EA-AAE2-44C1B3FB757B}.dat.1.drString found in binary or memory: https://storage.google
Source: imagestore.dat.2.drString found in binary or memory: https://storage.googleapis.com/favicon.icoR
Source: {880883BC-4F89-11EA-AAE2-44C1B3FB757B}.dat.1.drString found in binary or memory: https://storage.googleapis.com/specialoiest/2020.Root
Source: {880883BC-4F89-11EA-AAE2-44C1B3FB757B}.dat.1.drString found in binary or memory: https://storage.googleapis.com/specialoiest/2020.apis.com/specialoiest/2020.htmRoot
Source: {880883BC-4F89-11EA-AAE2-44C1B3FB757B}.dat.1.drString found in binary or memory: https://storage.googleapis.com/specialoiest/2020.htm
Source: {880883BC-4F89-11EA-AAE2-44C1B3FB757B}.dat.1.drString found in binary or memory: https://storage.googleapis.com/specialoiest/2020.htm2Processing
Source: ~DF471DE9C09854879A.TMP.1.drString found in binary or memory: https://storage.googleapis.com/specialoiest/2020.htm5
Source: {880883BC-4F89-11EA-AAE2-44C1B3FB757B}.dat.1.drString found in binary or memory: https://storage.googleapis.com/specialoiest/2020.htmRoot
Source: {880883BC-4F89-11EA-AAE2-44C1B3FB757B}.dat.1.drString found in binary or memory: https://storage.googleapis.com/specialoiest/2020.ty.com/newdr/aloiest/2020.htmRoot
Source: 2020[1].htm.2.drString found in binary or memory: https://technologiescity.com/newdr/
Source: ~DF471DE9C09854879A.TMP.1.drString found in binary or memory: https://technologiescity.com/newdr/aloiest/2020.htm5

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal48.win@3/14@3/0
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{880883BA-4F89-11EA-AAE2-44C1B3FB757B}.datJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFF6F39E5740013319.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5496 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5496 CREDAT:17410 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 208482 URL: https://storage.googleapis.... Startdate: 14/02/2020 Architecture: WINDOWS Score: 48 13 Antivirus detection for URL or domain 2->13 6 iexplore.exe 1 51 2->6         started        process3 process4 8 iexplore.exe 38 6->8         started        dnsIp5 11 technologiescity.com 8->11

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
technologiescity.com1%VirustotalBrowse
technologiescity.com100%Google Safe Browsingphishing

URLs

SourceDetectionScannerLabelLink
https://storage.google0%Avira URL Cloudsafe
https://technologiescity.com/newdr/aloiest/2020.htm5100%Google Safe Browsingphishing
https://technologiescity.com/newdr/100%Google Safe Browsingphishing

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.