Loading ...

Play interactive tourEdit tour

Analysis Report http://www.moonli8t.com/fonts/page/

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:229613
Start date:12.05.2020
Start time:20:58:09
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 3s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://www.moonli8t.com/fonts/page/
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.phis.win@3/47@5/3
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Browsing link: https://taxpearl.com/error/systemerror-ie-edge/
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe, WMIADAP.exe
  • Excluded IPs from analysis (whitelisted): 104.118.76.251, 172.217.18.10, 216.58.212.138, 209.197.3.15, 172.217.16.131, 72.247.224.69, 152.199.19.161, 67.27.158.254, 8.248.117.254, 67.27.157.126, 67.26.139.254, 67.27.158.126
  • Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, fonts.googleapis.com, fs.microsoft.com, ajax.googleapis.com, fonts.gstatic.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, cds.j3z9t3p6.hwcdn.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size getting too big, too many NtDeviceIoControlFile calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold480 - 100false
Phisher
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsGraphical User Interface1Winlogon Helper DLLProcess Injection1Masquerading1Credential DumpingFile and Directory Discovery1Remote File Copy2Data from Local SystemData CompressedStandard Cryptographic Protocol2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesProcess Injection1Network SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Non-Application Layer Protocol3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionRootkitInput CaptureQuery RegistryWindows Remote ManagementData from Network Shared DriveAutomated ExfiltrationStandard Application Layer Protocol4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingObfuscated Files or InformationCredentials in FilesSystem Network Configuration DiscoveryLogon ScriptsInput CaptureData EncryptedRemote File Copy2SIM Card SwapPremium SMS Toll Fraud

Signature Overview

Click to jump to signature section


Phishing:

barindex
Yara detected PhisherShow sources
Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\page[1].htm, type: DROPPED

Networking:

barindex
Downloads compressed data via HTTPShow sources
Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/htmlContent-Encoding: gzipLast-Modified: Tue, 12 May 2020 16:55:08 GMTAccept-Ranges: bytesETag: "03e8b177e28d61:0"Vary: Accept-EncodingServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Fri, 12 Jun 2020 20:03:26 GMTContent-Length: 227Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ed bd 07 60 1c 49 96 25 26 2f 6d ca 7b 7f 4a f5 4a d7 e0 74 a1 08 80 60 13 24 d8 90 40 10 ec c1 88 cd e6 92 ec 1d 69 47 23 29 ab 2a 81 ca 65 56 65 5d 66 16 40 cc ed 9d bc f7 de 7b ef bd f7 de 7b ef bd f7 ba 3b 9d 4e 27 f7 df ff 3f 5c 66 64 01 6c f6 ce 4a da c9 9e 21 80 aa c8 1f 3f 7e 7c 1f 3f 22 1e 2f f2 36 4b e7 6d bb da ce 7f d1 ba b8 4c 3f 4b 3f aa f3 f3 3a 6f e6 1f a5 d3 6a d9 e6 cb 16 9f ed 1c a6 eb ba a4 df d0 b4 79 74 f7 ee e2 bc 7a 97 8d 27 f9 a2 9a b4 75 36 7d db 8c a7 d5 e2 ee 45 75 77 f7 de c3 83 fc e0 c1 de f6 ec 7c f6 e9 f6 fe fe c1 ee f6 c3 07 7b f9 f6 ce ec d3 07 b3 fb 7b f9 c1 f9 fd 83 8f d2 bb 47 ff 0f 83 8c 54 3c 7a 00 00 00 Data Ascii: `I%&/m{JJt`$@iG#)*eVe]f@{{;N'?\fdlJ!?~|?"/6KmL?K?:ojytz'u6}Euw|{{GT<z
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /fonts/page/ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.moonli8t.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.moonli8t.comConnection: Keep-Alive
Found strings which match to known social media urlsShow sources
Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xda56ecf0,0x01d628da</date><accdate>0xda56ecf0,0x01d628da</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xda56ecf0,0x01d628da</date><accdate>0xda574a38,0x01d628da</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xda5f409e,0x01d628da</date><accdate>0xda5f409e,0x01d628da</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xda5f409e,0x01d628da</date><accdate>0xda61bb8b,0x01d628da</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xda61bb8b,0x01d628da</date><accdate>0xda61bb8b,0x01d628da</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xda61bb8b,0x01d628da</date><accdate>0xda61bb8b,0x01d628da</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: www.moonli8t.com
Urls found in memory or binary dataShow sources
Source: systemerror-ie-edge[1].htm.2.drString found in binary or memory: http://browsehappy.com/
Source: bootstrap.min[1].css.2.drString found in binary or memory: http://getbootstrap.com)
Source: msapplication.xml.1.drString found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.drString found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.drString found in binary or memory: http://www.live.com/
Source: imagestore.dat.2.drString found in binary or memory: http://www.moonli8t.com/favicon.ico&
Source: ~DF5A49184880622A27.TMP.1.drString found in binary or memory: http://www.moonli8t.com/fonts/page/
Source: {0427D970-94CE-11EA-AADD-C25F135D3C65}.dat.1.drString found in binary or memory: http://www.moonli8t.com/fonts/page/Root
Source: msapplication.xml3.1.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.drString found in binary or memory: http://www.youtube.com/
Source: systemerror-ie-edge[1].htm.2.drString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js
Source: systemerror-ie-edge[1].htm.2.drString found in binary or memory: https://chrome.google.com/webstore/detail/ghbmnnjooekpmoecnnnilnnbdlolhkhi
Source: systemerror-ie-edge[1].htm.2.drString found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: systemerror-ie-edge[1].htm.2.drString found in binary or memory: https://fonts.googleapis.com/css?family=Raleway:400
Source: css[1].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOUuhv.woff)
Source: css[1].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN8rsOUuhv.woff)
Source: css[1].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN_r8OUuhv.woff)
Source: css[1].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem6YaGs126MiZpBA-UFUK0Zdcs.woff)
Source: css[1].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem8YaGs126MiZpBA-UFVZ0d.woff)
Source: css[2].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/raleway/v14/1Ptrg8zYS_SKggPNwIouWqZPBg.woff)
Source: css[2].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/raleway/v14/1Ptrg8zYS_SKggPNwJYtWqZPBg.woff)
Source: css[2].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/raleway/v14/1Ptug8zYS_SKggPNyC0ISQ.woff)
Source: bootstrap.min[1].js.2.drString found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].css.2.drString found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: systemerror-ie-edge[1].htm.2.drString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/js/bootstrap.min.js
Source: page[1].htm.2.drString found in binary or memory: https://mfoxa.bemobtracks.com/go/1398e872-dfd6-4481-972e-0d67d52e8f58
Source: {0427D970-94CE-11EA-AADD-C25F135D3C65}.dat.1.drString found in binary or memory: https://taxpearl.com/em/fonts/page/rror/s/page/Root
Source: ~DF5A49184880622A27.TMP.1.drString found in binary or memory: https://taxpearl.com/error/
Source: ~DF5A49184880622A27.TMP.1.drString found in binary or memory: https://taxpearl.com/error/s/page/
Source: {0427D970-94CE-11EA-AADD-C25F135D3C65}.dat.1.drString found in binary or memory: https://taxpearl.com/error/s/page/rror/systemerror-ie-edge/?phone=
Source: ~DF5A49184880622A27.TMP.1.drString found in binary or memory: https://taxpearl.com/error/systemerror-ie-edge/?phone=
Source: ~DF5A49184880622A27.TMP.1.drString found in binary or memory: https://taxpearl.com/error/systemerror-ie-edge/dsffddfdfdsawqwq22121sdsd.php
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal48.phis.win@3/47@5/3
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFE45C98A108FA3149.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:920 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:920 CREDAT:17410 /prefetch:2Jump to behavior
Uses Rich Edit ControlsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Windows\SysWOW64\msftedit.dllJump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
taxpearl.com0%VirustotalBrowse
moonli8t.com0%VirustotalBrowse
www.moonli8t.com0%VirustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://www.moonli8t.com/fonts/page/Root0%Avira URL Cloudsafe
http://getbootstrap.com)0%URL Reputationsafe
https://mfoxa.bemobtracks.com/go/1398e872-dfd6-4481-972e-0d67d52e8f580%Avira URL Cloudsafe
http://www.wikipedia.com/0%VirustotalBrowse
http://www.wikipedia.com/0%URL Reputationsafe
http://www.moonli8t.com/favicon.ico0%Avira URL Cloudsafe
http://www.moonli8t.com/favicon.ico&0%Avira URL Cloudsafe
http://www.moonli8t.com/fonts/page/0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\page[1].htmJoeSecurity_Phisher_1Yara detected PhisherJoe Security

    Memory Dumps

    No yara matches

    Unpacked PEs

    No yara matches

    Sigma Overview

    No Sigma rule has matched

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.