Analysis Report http://smvelec.com

Overview

General Information

Sample URL: http://smvelec.com
Analysis ID: 286494

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Phishing site detected (based on shot template match)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HtmlPhish_10
Yara detected HtmlPhish_7
HTML body contains low number of good links
HTML title does not match URL
None HTTPS page querying sensitive user data (password, username or email)

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 7008 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 7056 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7008 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_HtmlPhish_7 | Yara detected HtmlPhish_7 | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\0019-009[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\0019-009[1].htm | JoeSecurity_HtmlPhish_7 | Yara detected HtmlPhish_7 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\00034-9[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\00034-9[1].htm | JoeSecurity_HtmlPhish_7 | Yara detected HtmlPhish_7 | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\-secure00[1].htm | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: http://smvelec.com | SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Antivirus detection for URL or domain
Source: http://smvelec.com/cgi-bin/ | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://smvelec.com/?C=D;O=A | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://smvelec.com/?C=S;O=A | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://smvelec.com/ | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://smvelec.com/good002/ | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://smvelec.com/?C=N;O=D | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: http://smvelec.com/?C=M;O=A | SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on shot template match)
Source: http://smvelec.com/-secure00/ | Matcher: Template: outlook matched
Source: http://smvelec.com/0019-009/ | Matcher: Template: outlook matched

Yara detected HtmlPhish_10
Source: Yara match | File source: 897506.4.links.csv, type: HTML
Source: Yara match | File source: 897506.6.links.csv, type: HTML
Source: Yara match | File source: 897506.5.links.csv, type: HTML
Source: Yara match | File source: 897506.8.links.csv, type: HTML
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\0019-009[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\00034-9[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\-secure00[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\good002[1].htm, type: DROPPED

Yara detected HtmlPhish_7
Source: Yara match | File source: 897506.4.links.csv, type: HTML
Source: Yara match | File source: 897506.6.links.csv, type: HTML
Source: Yara match | File source: 897506.5.links.csv, type: HTML
Source: Yara match | File source: 897506.8.links.csv, type: HTML
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\0019-009[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\00034-9[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\-secure00[1].htm, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\good002[1].htm, type: DROPPED

HTML body contains low number of good links
Source: http://smvelec.com/-secure00/ | HTTP Parser: Number of links: 0
Source: http://smvelec.com/0019-009/ | HTTP Parser: Number of links: 0
Source: http://smvelec.com/00034-9/ | HTTP Parser: Number of links: 0
Source: http://smvelec.com/good002/ | HTTP Parser: Number of links: 0

HTML title does not match URL
Source: http://smvelec.com/-secure00/ | HTTP Parser: Title: Share Point Online does not match URL
Source: http://smvelec.com/0019-009/ | HTTP Parser: Title: Share Point Online does not match URL
Source: http://smvelec.com/00034-9/ | HTTP Parser: Title: Share Point Online does not match URL
Source: http://smvelec.com/good002/ | HTTP Parser: Title: Share Point Online does not match URL

None HTTPS page querying sensitive user data (password, username or email)
Source: http://smvelec.com/-secure00/ | HTTP Parser: Has password / email / username input fields
Source: http://smvelec.com/0019-009/ | HTTP Parser: Has password / email / username input fields
Source: http://smvelec.com/00034-9/ | HTTP Parser: Has password / email / username input fields
Source: http://smvelec.com/good002/ | HTTP Parser: Has password / email / username input fields

Source: http://smvelec.com/-secure00/ | HTTP Parser: No <meta name="author".. found
Source: http://smvelec.com/0019-009/ | HTTP Parser: No <meta name="author".. found
Source: http://smvelec.com/00034-9/ | HTTP Parser: No <meta name="author".. found
Source: http://smvelec.com/good002/ | HTTP Parser: No <meta name="author".. found
Source: http://smvelec.com/-secure00/ | HTTP Parser: No <meta name="copyright".. found
Source: http://smvelec.com/0019-009/ | HTTP Parser: No <meta name="copyright".. found
Source: http://smvelec.com/00034-9/ | HTTP Parser: No <meta name="copyright".. found
Source: http://smvelec.com/good002/ | HTTP Parser: No <meta name="copyright".. found

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1668 WEB-CGI /cgi-bin/ access 192.168.2.4:49724 -> 62.171.183.161:80
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 62.171.183.161:80 -> 192.168.2.4:49724
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | User-Agent: AutoIt | Host: smvelec.com
Source: global traffic | HTTP traffic detected: GET /?C=N;O=D HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /?C=M;O=A HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /?C=S;O=A HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /?C=D;O=A HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /-secure00/ HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /-secure00/css/hover.css HTTP/1.1 | Accept: text/css, */* | Referer: http://smvelec.com/-secure00/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /-secure00/images/adobe.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/-secure00/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /-secure00/images/outlook1.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/-secure00/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /-secure00/images/other1.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/-secure00/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /-secure00/images/office3651.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/-secure00/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /-secure00/images/gmail.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/-secure00/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /-secure00/images/8.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/-secure00/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /00034-9/ HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /00034-9/css/hover.css HTTP/1.1 | Accept: text/css, */* | Referer: http://smvelec.com/00034-9/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /00034-9/images/adobe.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/00034-9/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /00034-9/images/outlook1.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/00034-9/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /00034-9/images/gmail.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/00034-9/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /00034-9/images/other1.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/00034-9/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /00034-9/images/office3651.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/00034-9/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /00034-9/images/8.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/00034-9/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /0019-009/ HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /0019-009/css/hover.css HTTP/1.1 | Accept: text/css, */* | Referer: http://smvelec.com/0019-009/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /0019-009/images/adobe.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/0019-009/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /0019-009/images/outlook1.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/0019-009/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /0019-009/images/office3651.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/0019-009/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /0019-009/images/gmail.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/0019-009/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /0019-009/images/other1.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/0019-009/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /0019-009/images/8.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/0019-009/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-bin/ HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /good002/ HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /good002/css/hover.css HTTP/1.1 | Accept: text/css, */* | Referer: http://smvelec.com/good002/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /good002/images/adobe.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/good002/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /good002/images/outlook1.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/good002/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /good002/images/other1.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/good002/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /good002/images/office3651.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/good002/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /good002/images/gmail.png HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/good002/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /good002/images/8.jpg HTTP/1.1 | Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5 | Referer: http://smvelec.com/good002/ | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: smvelec.com | Connection: Keep-Alive
Source: msapplication.xml1.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf82e47d0,0x01d68c95</date><accdate>0xf82e47d0,0x01d68c95</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf82e47d0,0x01d68c95</date><accdate>0xf82e47d0,0x01d68c95</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf837d15a,0x01d68c95</date><accdate>0xf837d15a,0x01d68c95</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf837d15a,0x01d68c95</date><accdate>0xf837d15a,0x01d68c95</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf837d15a,0x01d68c95</date><accdate>0xf837d15a,0x01d68c95</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.1.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf837d15a,0x01d68c95</date><accdate>0xf83a3383,0x01d68c95</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: smvelec.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 16 Sep 2020 16:57:29 GMT | Server: Apache | Content-Length: 315 | Keep-Alive: timeout=5, max=99 | Connection: Keep-Alive | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: hover[1].css2.2.dr | String found in binary or memory: http://ianlunn.co.uk/
Source: hover[1].css2.2.dr | String found in binary or memory: http://ianlunn.github.io/Hover/)
Source: popper.min[1].js.2.dr | String found in binary or memory: http://opensource.org/licenses/MIT).
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.co
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.coRoot
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.com/-se
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/-secure00/
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/-secure00/$Share
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/-secure00/X
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/-secure00/p
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.com/000
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/00034-9/
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/00034-9/$Share
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/00034-9//
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/00034-9//g
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.com/001
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/0019-009/
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/0019-009/$Share
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/0019-009/Z
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.com/?C=
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/?C=D;O=A
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.com/?C=H
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/?C=M;O=A
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/?C=M;O=Ao
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/?C=N;O=D
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/?C=N;O=DX
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/?C=S;O=A
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/H
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.com/Root
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.com/cgi
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/cgi-bin/
Source: {22F5DA74-F889-11EA-90E8-ECF4BBEA1588}.dat.1.dr | String found in binary or memory: http://smvelec.com/goo
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/good002/
Source: ~DFFFED980A44B87A34.TMP.1.dr | String found in binary or memory: http://smvelec.com/good002/$Share
Source: msapplication.xml.1.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.1.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.1.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.1.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.1.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.1.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.1.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.1.dr | String found in binary or memory: http://www.youtube.com/
Source: -secure00[1].htm.2.dr | String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: -secure00[1].htm.2.dr | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: -secure00[1].htm.2.dr | String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: -secure00[1].htm.2.dr | String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: -secure00[1].htm.2.dr | String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: free.min[1].css.2.dr | String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.2.dr | String found in binary or memory: https://fontawesome.com/license/free
Source: -secure00[1].htm.2.dr | String found in binary or memory: https://fonts.googleapis.com/css?family=Yellowtail&display=swap
Source: css[1].css.2.dr | String found in binary or memory: https://fonts.gstatic.com/s/yellowtail/v11/OZpGg_pnoDtINPfRIlLohlvHxw.woff)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr | String found in binary or memory: https://getbootstrap.com)
              Source: hover[1].css2.2.drString found in binary or memory: https://github.com/IanLunn/Hover
              Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.drString found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
              Source: bootstrap.min[1].js.2.drString found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
              Source: 585b051251[1].js.2.drString found in binary or memory: https://kit-free.fontawesome.com
              Source: -secure00[1].htm.2.drString found in binary or memory: https://kit.fontawesome.com/585b051251.js
              Source: -secure00[1].htm.2.drString found in binary or memory: https://login.microsoftonline.com/common/login
              Source: -secure00[1].htm.2.drString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
              Source: -secure00[1].htm.2.drString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
              Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
              Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
              Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: classification engineClassification label: mal88.phis.win@3/63@7/3
              Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
              Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF9BFB1BC5128033AA.TMPJump to behavior
              Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
              Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7008 CREDAT:17410 /prefetch:2
              Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7008 CREDAT:17410 /prefetch:2Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior

              Mitre Att&ck Matrix

              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Masquerading 1 | OS Credential Dumping | File and Directory Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
              Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
              Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
              Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Ingress Tool Transfer 3 | SIM Card Swap | - | Carrier Billing Fraud

              Behavior Graph

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.