Loading ...

Play interactive tourEdit tour

Analysis Report VM-1-18.html

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:229570
Start date:12.05.2020
Start time:19:15:33
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 25s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:VM-1-18.html
Cookbook file name:defaultwindowshtmlcookbook.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.phis.winHTML@3/30@4/1
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .html
Warnings:
Show All
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, ielowutil.exe, WMIADAP.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 104.118.121.11, 209.197.3.15, 172.217.22.4, 172.217.18.163, 172.217.16.131, 2.18.68.82, 152.199.19.161, 104.118.95.85
  • Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, fs.microsoft.com, fonts.gstatic.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e5684.g.akamaiedge.net, go.microsoft.com, go.microsoft.com.edgekey.net, www.google.com, cds.j3z9t3p6.hwcdn.net, www.gstatic.com, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold560 - 100false
Phisher
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsGraphical User Interface1Winlogon Helper DLLProcess Injection1Masquerading1Credential DumpingFile and Directory Discovery1Application Deployment SoftwareData from Local SystemData CompressedStandard Cryptographic Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesProcess Injection1Network SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionRootkitInput CaptureQuery RegistryWindows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

Signature Overview

Click to jump to signature section


Phishing:

barindex
Yara detected PhisherShow sources
Source: Yara matchFile source: VM-1-18.html, type: SAMPLE
Yara detected PhisherShow sources
Source: Yara matchFile source: VM-1-18.html, type: SAMPLE

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malwareShow sources
Source: Joe Sandbox ViewJA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Found strings which match to known social media urlsShow sources
Source: msapplication.xml1.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8498279f,0x01d628cc</date><accdate>0x8498279f,0x01d628cc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8498279f,0x01d628cc</date><accdate>0x849d4c04,0x01d628cc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x84a7806a,0x01d628cc</date><accdate>0x84a7806a,0x01d628cc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x84a7806a,0x01d628cc</date><accdate>0x84aa1c3f,0x01d628cc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x84acb7f6,0x01d628cc</date><accdate>0x84acb7f6,0x01d628cc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x84acb7f6,0x01d628cc</date><accdate>0x84acb7f6,0x01d628cc</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: pages.info-courts.online
Urls found in memory or binary dataShow sources
Source: msapplication.xml.1.drString found in binary or memory: http://www.amazon.com/
Source: KFOmCnqEu92Fr1Mu4mxP[1].ttf.2.dr, KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf.2.dr, KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf.2.drString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: msapplication.xml2.1.drString found in binary or memory: http://www.google.com/
Source: msapplication.xml3.1.drString found in binary or memory: http://www.live.com/
Source: msapplication.xml4.1.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.1.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.1.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.1.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.1.drString found in binary or memory: http://www.youtube.com/
Source: recaptcha__en[1].js.2.drString found in binary or memory: https://developers.google.com/recaptcha/docs/faq#localhost_support
Source: recaptcha__en[1].js.2.drString found in binary or memory: https://developers.google.com/recaptcha/docs/faq#my-computer-or-network-may-be-sending-automated-que
Source: bootstrap.min[1].css.2.drString found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].css.2.drString found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: {AF08C2B2-94BF-11EA-AAE5-44C1B3FB757B}.dat.1.drString found in binary or memory: https://pages.info-cou
Source: ~DF9A431499939CE256.TMP.1.drString found in binary or memory: https://pages.info-courts.online/main/
Source: ~DF9A431499939CE256.TMP.1.drString found in binary or memory: https://pages.info-courts.online/main/Lhttps://pages.info-courts.online/main/
Source: ~DF9A431499939CE256.TMP.1.drString found in binary or memory: https://pages.info-courts.online/main/htmln
Source: VM-1-18.htmlString found in binary or memory: https://pages.info-courts.online?e=theresa.cousens
Source: main[1].htm0.2.drString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css
Source: recaptcha__en[1].js.2.drString found in binary or memory: https://support.google.com/recaptcha
Source: recaptcha__en[1].js.2.drString found in binary or memory: https://support.google.com/recaptcha#6262736
Source: recaptcha__en[1].js.2.drString found in binary or memory: https://support.google.com/recaptcha/#6175971
Source: recaptcha__en[1].js.2.drString found in binary or memory: https://support.google.com/recaptcha/?hl=en#6223828
Source: recaptcha__en[1].js.2.drString found in binary or memory: https://www.google.com/recaptcha/
Source: main[1].htm0.2.drString found in binary or memory: https://www.google.com/recaptcha/api.js
Source: ~DF9A431499939CE256.TMP.1.drString found in binary or memory: https://www.google.com/recaptcha/api2/anchor?ar=1&k=6LduhMsUAAAAAPuDD8b_OHf5MxaQ3JuM0esExvWr&co=aHR0
Source: ~DF9A431499939CE256.TMP.1.drString found in binary or memory: https://www.google.com/recaptcha/api2/bframe?hl=en&v=JPZ52lNx97aD96bjM7KaA0bo&k=6LduhMsUAAAAAPuDD8b_
Source: bframe[1].htm.2.dr, anchor[1].htm.2.drString found in binary or memory: https://www.google.com:443/recaptcha/
Source: bframe[1].htm.2.dr, api[1].js.2.dr, webworker[1].js.2.dr, anchor[1].htm.2.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/JPZ52lNx97aD96bjM7KaA0bo/recaptcha__en.js
Source: bframe[1].htm.2.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/JPZ52lNx97aD96bjM7KaA0bo/styles__ltr.css
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal56.phis.winHTML@3/30@4/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AF08C2B0-94BF-11EA-AAE5-44C1B3FB757B}.datJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFC51238841638E7AD.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3976 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3976 CREDAT:17410 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
pages.info-courts.online0%VirustotalBrowse
site-cdn.onenote.net0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
https://pages.info-courts.online/main/htmln0%Avira URL Cloudsafe
https://pages.info-cou0%Avira URL Cloudsafe
http://www.wikipedia.com/0%VirustotalBrowse
http://www.wikipedia.com/0%URL Reputationsafe
https://pages.info-courts.online/main/0%VirustotalBrowse
https://pages.info-courts.online/main/0%Avira URL Cloudsafe
https://pages.info-courts.online/main/Lhttps://pages.info-courts.online/main/0%Avira URL Cloudsafe
https://pages.info-courts.online?e=theresa.cousens0%Avira URL Cloudsafe

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
VM-1-18.htmlJoeSecurity_Phisher_1Yara detected PhisherJoe Security
    VM-1-18.htmlJoeSecurity_Phisher_2Yara detected PhisherJoe Security

      PCAP (Network Traffic)

      No yara matches

      Dropped Files

      No yara matches

      Memory Dumps

      No yara matches

      Unpacked PEs

      No yara matches

      Sigma Overview

      No Sigma rule has matched

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
      unknownhttp://wwwyoutube.com/favicon.icoGet hashmaliciousBrowse
      • 208.91.197.91
      Eha-1670_20200512170203_767687.xlsGet hashmaliciousBrowse
      • 92.53.96.168
      Eha-1670_20200512170203_767687.xlsGet hashmaliciousBrowse
      • 92.53.96.168
      shipment.delivery.jarGet hashmaliciousBrowse
      • 185.203.116.74
      Document from RK(1)Get hashmaliciousBrowse
      • 185.60.216.15
      https://atlee-my.sharepoint.com/:u:/g/personal/charlene_abiso-re_com/EaSuJSFb4stPmsyRFgv5fCQB8Jj1b1z73KOVjFBHlL4rQw?e=4%3a45ztcL&at=9Get hashmaliciousBrowse
      • 162.222.227.230
      LoanAgreement_70613_05112020.vbsGet hashmaliciousBrowse
      • 104.18.56.209
      1205-3553941.xlsGet hashmaliciousBrowse
      • 104.27.179.167
      Document from RK1Get hashmaliciousBrowse
      • 185.60.216.15
      1205-3553941.xlsGet hashmaliciousBrowse
      • 104.27.178.167
      https://infogram.com/whitestone-reit-1h7z2lrv8x8g2ow?liveGet hashmaliciousBrowse
      • 104.31.86.116
      SandboxEvasion.exeGet hashmaliciousBrowse
      • 192.168.2.5
      http://self-cars.comGet hashmaliciousBrowse
      • 213.136.79.250
      Document from RKGet hashmaliciousBrowse
      • 185.60.216.15
      http://walmart-gifts.comGet hashmaliciousBrowse
      • 5.188.178.2
      http://www.gov-services.comGet hashmaliciousBrowse
      • 34.193.100.21
      SandboxEvasion.exeGet hashmaliciousBrowse
      • 127.0.0.1
      Ela-6277.xlsGet hashmaliciousBrowse
      • 92.53.96.168
      Ela-6277.xlsGet hashmaliciousBrowse
      • 92.53.96.168
      Ela-6277.xlsGet hashmaliciousBrowse
      • 92.53.96.168

      JA3 Fingerprints

      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
      9e10692f1b7f78228b2d4e424db3a98chttps://atlee-my.sharepoint.com/:u:/g/personal/charlene_abiso-re_com/EaSuJSFb4stPmsyRFgv5fCQB8Jj1b1z73KOVjFBHlL4rQw?e=4%3a45ztcL&at=9Get hashmaliciousBrowse
      • 107.172.205.128
      http://self-cars.comGet hashmaliciousBrowse
      • 107.172.205.128
      http://walmart-gifts.comGet hashmaliciousBrowse
      • 107.172.205.128
      http://www.gov-services.comGet hashmaliciousBrowse
      • 107.172.205.128
      https://smarturl.it/nfmu5bGet hashmaliciousBrowse
      • 107.172.205.128
      http://postsw.servebbs.comGet hashmaliciousBrowse
      • 107.172.205.128
      .htmGet hashmaliciousBrowse
      • 107.172.205.128
      https://bit.ly/2T9Fr6TGet hashmaliciousBrowse
      • 107.172.205.128
      https://thestep.gitbook.io/knight-federal-solutions/Get hashmaliciousBrowse
      • 107.172.205.128
      078d5282c651.dllGet hashmaliciousBrowse
      • 107.172.205.128
      https://storage.googleapis.com/marina254/sharepoint%20(1).htmlGet hashmaliciousBrowse
      • 107.172.205.128
      HTTP://ubar-pro4.ruGet hashmaliciousBrowse
      • 107.172.205.128
      https://www.mprelok.gr/tmc?wtsw=chancludo@gov.govGet hashmaliciousBrowse
      • 107.172.205.128
      https://1drv.ms/b/s!AtZEBt7XulvteMRFCeHmpAMCoWY?e=PfMyHvGet hashmaliciousBrowse
      • 107.172.205.128
      https://cleanmarine.pagexl.comGet hashmaliciousBrowse
      • 107.172.205.128
      HTTP://ubar-pro4.ruGet hashmaliciousBrowse
      • 107.172.205.128
      #U260e#Ufe0f#Ud83d#Udcde Edouard.lebreton##29095.HTMGet hashmaliciousBrowse
      • 107.172.205.128
      http://vibrant-volhard-21fa78.netlify.appGet hashmaliciousBrowse
      • 107.172.205.128
      #U260e#Ufe0f#Ud83d#UdcdeS ##69331.HTMGet hashmaliciousBrowse
      • 107.172.205.128
      https://www.superchoice.com.au/anz/Get hashmaliciousBrowse
      • 107.172.205.128

      Dropped Files

      No context

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.