
Analysis Report https://ion-homes.com/sba/covid19relief/sba.gov/

Overview

General Information

Sample URL: https://ion-homes.com/sba/covid19relief/sba.gov/
Analysis ID: 249168

Most interesting Screenshot:

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

HTML body contains low number of good links
HTML title does not match URL
HTTP GET or POST without a user agent
Suspicious form URL found

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 4464 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 280 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: https://ion-homes.com/sba/covid19relief/sba.gov/ | HTTP Parser: Number of links: 0
Source: https://covid19relief1.sba.gov/Account/ForgotPassword | HTTP Parser: Number of links: 1
Source: https://ion-homes.com/sba/covid19relief/sba.gov/ | HTTP Parser: Title: Login - SBA Economic Injury Disaster Loan Portal Application does not match URL
Source: https://covid19relief1.sba.gov/Account/ForgotPassword | HTTP Parser: Title: Forgot password - SBA Economic Injury Disaster Loan Portal Application does not match URL
Source: https://ion-homes.com/sba/covid19relief/sba.gov/ | HTTP Parser: Form action: loading.php
Source: https://ion-homes.com/sba/covid19relief/sba.gov/ | HTTP Parser: No <meta name="author".. found
Source: https://covid19relief1.sba.gov/Account/ForgotPassword | HTTP Parser: No <meta name="author".. found
Source: https://ion-homes.com/sba/covid19relief/sba.gov/ | HTTP Parser: No <meta name="copyright".. found
Source: https://covid19relief1.sba.gov/Account/ForgotPassword | HTTP Parser: No <meta name="copyright".. found
Source: global traffic | HTTP traffic detected: GET /space HTTP/1.1 Host: ci-mpsnare.iovation.com:80 Data Raw: Data Ascii:
Source: gtm[1].js.2.dr | String found in binary or memory: "vtp_html":"\n\u003Cscript type=\"text\/gtmscript\"\u003E!function(b,e,f,g,a,c,d){b.fbq||(a=b.fbq=function(){a.callMethod?a.callMethod.apply(a,arguments):a.queue.push(arguments)},b._fbq||(b._fbq=a),a.push=a,a.loaded=!0,a.version=\"2.0\",a.queue=[],c=e.createElement(f),c.async=!0,c.src=g,d=e.getElementsByTagName(f)[0],d.parentNode.insertBefore(c,d))}(window,document,\"script\",\"https:\/\/connect.facebook.net\/en_US\/fbevents.js\");fbq(\"init\",\"1398991763758341\");fbq(\"track\",\"PageView\");\u003C\/script\u003E\n\u003Cnoscript\u003E\u003Cimg height=\"1\" width=\"1\" style=\"display:none\" src=\"https:\/\/www.facebook.com\/tr?id=1398991763758341\u0026amp;ev=PageView\u0026amp;noscript=1\"\u003E\n\u003C\/noscript\u003E\n\n", equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x50ddaa1e,0x01d65ff9</date><accdate>0x50ddaa1e,0x01d65ff9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x50ddaa1e,0x01d65ff9</date><accdate>0x50e01b01,0x01d65ff9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x5105603f,0x01d65ff9</date><accdate>0x5105603f,0x01d65ff9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x5105603f,0x01d65ff9</date><accdate>0x5105603f,0x01d65ff9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x510b09d1,0x01d65ff9</date><accdate>0x510b09d1,0x01d65ff9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x510b09d1,0x01d65ff9</date><accdate>0x510b09d1,0x01d65ff9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: ion-homes.com
Source: bootstrap-theme[1].css.2.dr | String found in binary or memory: http://getbootstrap.com)
Source: jquery-1.10.2.min[1].js.2.dr | String found in binary or memory: http://jquery.org/license
Source: jquery-1.10.2.min[1].js.2.dr | String found in binary or memory: http://opensource.org/licenses/MIT
Source: msapplication.xml.1.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr | String found in binary or memory: http://www.youtube.com/
Source: gtm[1].js.2.dr | String found in binary or memory: https://adservice.google.com/ddm/regclk
Source: requestHelp[1].js.2.dr | String found in binary or memory: https://api.ipify.org?format=jsonp&callback=?
Source: ForgotPassword[1].htm.2.dr | String found in binary or memory: https://az416426.vo.msecnd.net/scripts/b/ai.2.min.js
Source: config[1].js.2.dr | String found in binary or memory: https://ci-mpsnare.iovation.com
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov//www.googletagmanager.com/ns.html?id=GTM-NK7HKJ
Source: {768545C5-CBEC-11EA-AAE7-9CC1A2A860C6}.dat.1.dr, sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Account/ForgotPassword
Source: ~DF778B5D2A53EF6A67.TMP.1.dr | String found in binary or memory: https://covid19relief1.sba.gov/Account/ForgotPasswordlmnopqrstuvwxyz
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Content/AuthenticationLayout.css
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Content/PageSpecificStyles/Account/Login.css
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Content/PageSpecificStyles/UIKit/css/bootstrap-theme.css
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Content/PageSpecificStyles/UIKit/css/bootstrap.css
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Home/RequestHelp?supportCenterUrl=none
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Scripts/CustomScripts/PageSpecificScripts/Accont/CapsLockChecker.js
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Scripts/CustomScripts/PageSpecificScripts/Accont/Login.js
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Scripts/CustomScripts/PageSpecificScripts/Shared/requestHelp.js
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Scripts/Iovation/config.js
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Scripts/Iovation/iovation.js
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Scripts/es6-promise.auto.min.js
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/Scripts/html2canvas.min.js
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/bundles/jqueryval?v=Vg44pJXrY1H9RNCRrAyqlLemmOJd2r82qW7VhCN93iE1
Source: sba[1].htm.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/favicon.ico
Source: imagestore.dat.2.dr | String found in binary or memory: https://covid19relief1.sba.gov/favicon.ico~
Source: ForgotPassword[1].htm.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: AuthenticationLayout[1].css.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Source
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN7rgOUuhv.woff)
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UN_r8OUuhv.woff)
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem5YaGs126MiZpBA-UNirkOUuhv.woff)
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem6YaGs126MiZpBA-UFUK0Zdcs.woff)
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/mem8YaGs126MiZpBA-UFVZ0d.woff)
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/memnYaGs126MiZpBA-UFUKWiUNhrIqU.woff)
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/opensans/v17/memnYaGs126MiZpBA-UFUKXGUdhrIqU.woff)
Source: bootstrap[1].css.2.dr | String found in binary or memory: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css
Source: gtm[1].js.2.dr | String found in binary or memory: https://github.com/krux/postscribe/blob/master/LICENSE.
Source: bootstrap-theme[1].css.2.dr | String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: html2canvas.min[1].js.2.dr | String found in binary or memory: https://hertzen.com
Source: html2canvas.min[1].js.2.dr | String found in binary or memory: https://html2canvas.hertzen.com
Source: {768545C5-CBEC-11EA-AAE7-9CC1A2A860C6}.dat.1.dr | String found in binary or memory: https://ion-homes.com/sba/covid19relief/sba.gov/
Source: {768545C5-CBEC-11EA-AAE7-9CC1A2A860C6}.dat.1.dr | String found in binary or memory: https://ion-homes.com/sba/covid19relief/sba.gov/Root
Source: {768545C5-CBEC-11EA-AAE7-9CC1A2A860C6}.dat.1.dr | String found in binary or memory: https://ion-homes.com/sba/covid19relief/sba.gov/xLogin
Source: iovation[1].js.2.dr | String found in binary or memory: https://mpsnare.iesnare.com
Source: gtm[1].js.2.dr | String found in binary or memory: https://pagead2.googlesyndication.com
Source: gtm[1].js.2.dr | String found in binary or memory: https://www.google.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
Source: classification engine | Classification label: clean2.win@3/47@9/5
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{768545C3-CBEC-11EA-AAE7-9CC1A2A860C6}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF86A52CBC2C75A087.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Windows\SysWOW64\Macromed\Flash\ss.cfg
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Mitre Att&ck Matrix

Techniques per tactic (a number in parentheses is the count of matched signatures shown in the original matrix):

  • Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
  • Execution: Graphical User Interface (1); Service Execution; Windows Management Instrumentation; Scheduled Task
  • Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware
  • Privilege Escalation: Process Injection (1); Accessibility Features; Path Interception; DLL Search Order Hijacking
  • Defense Evasion: Masquerading (1); Process Injection (1); Obfuscated Files or Information (1); Obfuscated Files or Information
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files
  • Discovery: File and Directory Discovery (1); Application Window Discovery; Query Registry; System Network Configuration Discovery
  • Lateral Movement: Remote File Copy (1); Remote Services; Windows Remote Management; Logon Scripts
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted
  • Command and Control: Standard Cryptographic Protocol (2); Standard Non-Application Layer Protocol (2); Standard Application Layer Protocol (3); Remote File Copy (1)
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud
  • Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.