
Analysis Report Payment conflict- aptiv 082920134110.htm

Overview

General Information

Sample Name: Payment conflict- aptiv 082920134110.htm
Analysis ID: 321240
MD5: 3f7d70ccc4f96a097a583691dd149f7b
SHA1: 3c5695cc2d60c55cc28716b73a494d05bb8d1cc1
SHA256: bb5a0ae3ec35fc0084ad4e530a8904d2918120d7c18ccad3259436c4ed3a8a0b

Detection

HTMLPhisher
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10
Yara detected obfuscated html page
Obfuscated HTML file found
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware

Startup

  • System is w10x64
  • iexplore.exe (PID: 6864 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6912 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6864 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: Payment conflict- aptiv 082920134110.htm
Rule: JoeSecurity_Obshtml
Description: Yara detected obfuscated html page
Author: Joe Security

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\authorize_client_id_1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e[1].htm
Rule: JoeSecurity_HtmlPhish_10
Description: Yara detected HtmlPhish_10
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e?data=ZW9pbi5tdWxkb3duZXlAYXB0aXYuY29t
  SlashNext: Label: Fake Login Page, type: Phishing & Social Engineering
  UrlScan: Label: phishing, brand: microsoft
Multi AV Scanner detection for domain / URL
Source: jutebagbd.com
  VirusTotal: Detection: 9%

Phishing:

Phishing site detected (based on favicon image match)
Source: https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e?data=ZW9pbi5tdWxkb3duZXlAYXB0aXYuY29t
  Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match, file source: 820094.pages.csv, type: HTML
Source: Yara match, file source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\authorize_client_id_1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e[1].htm, type: DROPPED
Yara detected obfuscated html page
Source: Yara match, file source: Payment conflict- aptiv 082920134110.htm, type: SAMPLE
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: NAMECHEAP-NET (US)
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View, JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown, DNS traffic detected: queries for: jutebagbd.com
Source: authorize_client_id_1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e[1].htm.2.dr, string found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
Source: {F19D7E13-2B48-11EB-90EB-ECF4BBEA1588}.dat.1.dr, string found in binary or memory: https://jutebagbd.com//Desktop/Payment%20conflict-%20aptiv%20082920134110.htmi1uwpq/qey6392/authoriz
Source: qey6392[1].htm.2.dr, string found in binary or memory: https://jutebagbd.com/i1uwpq/qey6392/?eoin.muldowney
Source: ~DF377151FFA9B95D32.TMP.1.dr, string found in binary or memory: https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4du
Source: imagestore.dat.2.dr, string found in binary or memory: https://jutebagbd.com/i1uwpq/qey6392/images/favicon.ico~
Source: unknown, network traffic detected: HTTP traffic on port 443 to and from local ports 49739, 49740 and 49750
Source: classification engine, classification label: mal84.phis.evad.winHTM@3/20@2/1
Source: C:\Program Files\internet explorer\iexplore.exe, file created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F19D7E11-2B48-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe, file created: C:\Users\user\AppData\Local\Temp\~DF1E46B92F2D8AF763.TMP
Source: C:\Program Files\internet explorer\iexplore.exe, file read: C:\Users\desktop.ini
Source: unknown, process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown, process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6864 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe, process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6864 CREDAT:17410 /prefetch:2
Source: Window Recorder, window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, file opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

Obfuscated HTML file found
Source: Payment conflict- aptiv 082920134110.htm, initial file: did not find title: "HTML Meta Tag" in HTML/HTM content
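The two signals from this report that are worth reusing in triage are the victim identifier the kit carries in the landing URL (the `?data=` value on the AV Detection and Phishing entries, alongside the cleartext `?eoin.muldowney` hop in the dropped-file strings) and the missing-title heuristic behind "Obfuscated HTML file found". The following Python is an added example written for this page, not code from Joe Sandbox or from the phishing kit. It assumes that the `data` query parameter is the target's e-mail address in base64, approximates the sandbox's obfuscation check as "no non-empty <title> and no <meta> tag" (the report does not publish the exact rule), and runs against a constructed stand-in page rather than the real sample, whose body the report does not reproduce.

```python
"""Triage helpers for the HTML phishing sample in this report.

Added example for this page; not Joe Sandbox code and not the phishing kit's.
Assumptions (not stated by the report): the `data` query parameter carries the
target's e-mail address in base64, and the "Obfuscated HTML file found" check
can be approximated as "no non-empty <title> and no <meta> tag in the page".
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Landing URL copied from the report's AV-detection entries.
REPORT_URL = (
    "https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:"
    "1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e"
    "?data=ZW9pbi5tdWxkb3duZXlAYXB0aXYuY29t"
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TITLE_RE = re.compile(r"<title\b[^>]*>\s*[^<\s]", re.IGNORECASE | re.DOTALL)
META_RE = re.compile(r"<meta\b", re.IGNORECASE)


def decode_victim_hint(url: str, param: str = "data") -> dict:
    """Extract and base64-decode `param` from `url`.

    Returns the host, the raw and decoded values, and whether the decoded
    value is e-mail-shaped (kits use it to pre-fill the fake sign-in form).
    """
    parts = urlsplit(url)
    out = {"host": parts.hostname, "raw": None, "decoded": None, "is_email": False}
    values = parse_qs(parts.query).get(param)
    if not values:
        return out
    # parse_qs turns a literal '+' into a space; restore it so standard
    # base64 survives. Kits also drop '=' padding, so re-pad to a multiple of 4.
    raw = values[0].replace(" ", "+")
    out["raw"] = raw
    padded = raw + "=" * (-len(raw) % 4)
    try:
        decoded = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return out  # not base64 after all; leave decoded as None
    out["decoded"] = decoded
    out["is_email"] = bool(EMAIL_RE.match(decoded))
    return out


def html_lacks_title_and_meta(html: str) -> bool:
    """Approximation (assumed, not the sandbox's exact rule) of the report's
    'Obfuscated HTML file found' heuristic: a page with neither a non-empty
    <title> nor any <meta> tag, both of which real sign-in pages carry."""
    return TITLE_RE.search(html) is None and META_RE.search(html) is None


def triage(url: str, html: str) -> dict:
    """Combine both checks into the indicators an analyst would record."""
    hint = decode_victim_hint(url)
    indicators = []
    if hint["is_email"]:
        indicators.append(f"targeted: {hint['decoded']} (base64 in ?data=)")
    if html_lacks_title_and_meta(html):
        indicators.append("obfuscated loader: no <title>/<meta> in page")
    return {"host": hint["host"], "victim": hint["decoded"], "indicators": indicators}


# Constructed stand-in for the sample (the report does not reproduce its body):
# no <title>, no <meta>, only script that decodes and opens the next hop.
CONSTRUCTED_LOADER = (
    "<html><body><script>"
    "var u=atob('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv');window.location=u;"
    "</script></body></html>"
)
# Constructed benign page for comparison.
BENIGN_PAGE = (
    "<html><head><meta charset='utf-8'><title>Sign in</title></head>"
    "<body><form></form></body></html>"
)

if __name__ == "__main__":
    for name, page in (("loader", CONSTRUCTED_LOADER), ("benign", BENIGN_PAGE)):
        print(name, triage(REPORT_URL, page))
```

When hunting for the same kit, key on the host plus the `authorize_client_id:` path prefix rather than on the long token after it, which is per-campaign; the prefix is what makes the URL read like an OAuth authorize endpoint and pairs with the Microsoft favicon and template matches above (that reading of the path is the editor's, not the report's).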

Mitre Att&ck Matrix

Entries followed by a number in parentheses are the techniques this analysis flagged (the number is the signature hit count); the remaining entries are the matrix's unmatched placeholder techniques.

Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Scripting (1) | Scheduled Task/Job | At (Linux)
Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Process Injection (1) | Boot or Logon Initialization Scripts | Logon Script (Windows)
Defense Evasion: Masquerading (1) | Process Injection (1) | Scripting (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: File and Directory Discovery (1) | Application Window Discovery | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Command and Control: Encrypted Channel (2) | Non-Application Layer Protocol (1) | Application Layer Protocol (2)
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
Impact: Modify System Partition | Device Lockout | Delete Device Data

Behavior Graph

(Rendered graph not included in this text. Its legend distinguished: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi.)