Analysis Report http://ning.chen.joydevs.com/#bmluZy5jaGVuQHR4ZG90Lmdvdg==

Overview

General Information

Sample URL: http://ning.chen.joydevs.com/#bmluZy5jaGVuQHR4ZG90Lmdvdg==
Analysis ID: 345167

Detection

HTMLPhisher
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Phishing site detected (based on favicon image match)
Yara detected HtmlPhish_10

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: http://ning.chen.joydevs.com/#bmluZy5jaGVuQHR4ZG90Lmdvdg== SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Antivirus detection for URL or domain
Source: https://crabpeacock.com/.,/authorize_client_id:syje4bf0-sj1q-bmhq-d2u3-9lgqsdyaf2mc_mnr9dxwtcoh2q6p8ey14uljg7kfia3sv50zblupyteqj3gvidr5xsfbnc271z6k8ahm0ow94cag1owdxztik93vu05lhjrsny6f8eqmb47p2?data=bmluZy5jaGVuQHR4ZG90Lmdvdg== SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Phishing site detected (based on favicon image match)
Source: https://crabpeacock.com/.,/authorize_client_id:syje4bf0-sj1q-bmhq-d2u3-9lgqsdyaf2mc_mnr9dxwtcoh2q6p8ey14uljg7kfia3sv50zblupyteqj3gvidr5xsfbnc271z6k8ahm0ow94cag1owdxztik93vu05lhjrsny6f8eqmb47p2?data=bmluZy5jaGVuQHR4ZG90Lmdvdg== Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish_10
Source: Yara match File source: 675052.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\authorize_client_id_syje4bf0-sj1q-bmhq-d2u3-9lgqsdyaf2mc_mnr9dxwtcoh2q6p8ey14uljg7kfia3sv50zblupyteqj3gvidr5xsfbnc271z6k8ahm0ow94cag1owdxztik93vu05lhjrsny6f8eqmb47p2[1].htm, type: DROPPED
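Added worked example (editor's addition, not part of the sandbox output): the landing URL carries a base64 blob in its fragment, and the crabpeacock.com fake-login URL receives the same blob in its ?data= query parameter. Decoding it shows what the kit pre-fills into the fake Microsoft sign-in form: a txdot.gov mailbox whose local part also forms the leading labels of the landing hostname. Note that the GET / request recorded later in this report contains no fragment, because browsers never send fragments to the server; the value only reached crabpeacock.com because client-side code on the landing page forwarded it. The two URLs are copied from the report; the decoder, the e-mail regex and the personalised-hostname heuristic are this example's own assumptions.

```python
"""
Added worked example; this code is not part of the sandbox report.

The landing URL carries a base64 blob in its fragment (#...), and the
crabpeacock.com redirect target receives the same blob in ?data=.  The
two URLs below are copied from the report; the decoder, the e-mail
regex and the hostname heuristic are this example's own assumptions.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

LANDING_URL = "http://ning.chen.joydevs.com/#bmluZy5jaGVuQHR4ZG90Lmdvdg=="
REDIRECT_URL = (
    "https://crabpeacock.com/.,/authorize_client_id:syje4bf0-sj1q-bmhq-d2u3-"
    "9lgqsdyaf2mc_mnr9dxwtcoh2q6p8ey14uljg7kfia3sv50zblupyteqj3gvidr5xsfbnc271"
    "z6k8ahm0ow94cag1owdxztik93vu05lhjrsny6f8eqmb47p2"
    "?data=bmluZy5jaGVuQHR4ZG90Lmdvdg=="
)

# Deliberately simple: enough to recognise user@domain.tld, nothing more.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def candidate_tokens(url):
    """Fragment plus every raw query value.

    The query is split by hand rather than with parse_qs so that '+' and
    '=' inside a base64 value are not rewritten.
    """
    parts = urlsplit(url)
    tokens = [parts.fragment] if parts.fragment else []
    for pair in parts.query.split("&"):
        _, _, value = pair.partition("=")
        if value:
            tokens.append(value)
    return tokens


def decode_prefill(token):
    """Strict base64 decode; return the text only if it looks like an e-mail."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if EMAIL_RE.match(text) else None


def extract_victims(url):
    """Every distinct e-mail address smuggled through the URL, in order found."""
    found = []
    for token in candidate_tokens(url):
        email = decode_prefill(token)
        if email and email not in found:
            found.append(email)
    return found


def hostname_personalised(url, email):
    """Heuristic (assumption of this example): a landing hostname whose
    leading labels equal the e-mail's local part, e.g. first.last.<domain>,
    was generated per victim.  A triage signal, not proof."""
    host = (urlsplit(url).hostname or "").lower()
    local = email.split("@", 1)[0].lower()
    return host.startswith(local + ".")


def analyse(landing, redirect):
    """Summarise what the two URLs reveal about the targeted user."""
    victims = extract_victims(landing)
    return {
        "victims": victims,
        # True when the second host received exactly what the fragment held,
        # which the first server never saw: browsers do not send fragments.
        "same_token_in_redirect": extract_victims(redirect) == victims,
        "personalised_host": any(hostname_personalised(landing, v) for v in victims),
    }


if __name__ == "__main__":
    print(analyse(LANDING_URL, REDIRECT_URL))
```

For hunting, the same decoder can be run over proxy logs: a query parameter or fragment that strictly base64-decodes to an e-mail address of your own domain is a strong indicator of a pre-filled credential-phishing page, regardless of the hosting domain.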

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 45.136.244.223:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.136.244.223:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.136.244.223:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Wed, 27 Jan 2021 18:39:11 GMT
  Server: Apache
  X-Powered-By: PHP/7.2.34
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Content-Length: 199
  Content-Type: text/html; charset=UTF-8
  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 35 8f c1 0a c2 30 10 44 ef 82 ff b0 c4 83 8a 25 c1 ab a6 fd 02 0f 22 88 07 11 59 e3 4a a2 b1 09 cd 52 f5 ef 4d 2c ee 69 98 1d 1e 33 da f2 d3 37 30 1e 69 4b 78 2d 02 f2 69 76 ec a9 d9 7a c2 44 70 40 c7 52 4a ad 06 b7 84 93 e9 5c 64 e0 4f a4 5a 30 bd 59 dd b1 c7 c1 15 cd 00 e9 b1 03 8b c9 42 0d 2f d7 5e c3 4b fa 60 90 5d 68 65 b1 d7 39 55 22 fb dd 26 27 40 58 e6 98 56 4a 99 0e 2f 91 d0 04 f3 90 26 3c 95 ac 94 80 c5 8f 24 53 f4 8e 67 d3 c9 74 7e 5c 9e 0a e0 4f 0e 91 da 59 26 55 20 ce 89 fc 4d cc f3 53 ab a1 50 ee 93 2b ab ff c0 ac ca e6 2f ef 6e ed 85 fa 00 00 00
  Data Ascii (printable bytes of the compressed body only): 50D%"YJRM,i370iKx-ivzDp@RJ\dOZ0YB/^K`]he9U"&'@XVJ/&<$Sgt~\OY&U MSP+/n
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: ning.chen.joydevs.com
  Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: ning.chen.joydevs.com
Source: ~DFC8DFC69DEA962F30.TMP.1.dr String found in binary or memory: http://ning.chen.joydevs.com/#bmluZy5jaGVuQHR4ZG90Lmdvdg==
Source: {F0C07078-60CE-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: http://ning.chen.joydevs.com/#bmluZy5jaGVuQHR4ZG90Lmdvdg==Root
Source: A6FDRX35.htm.2.dr, ~DFC8DFC69DEA962F30.TMP.1.dr, imagestore.dat.2.dr String found in binary or memory: https://crabpeacock.com/.
Source: {F0C07078-60CE-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://crabpeacock.covs.com/#bmluZy5jaGVuQHR4ZG90Lmdvdg==m/.
Source: authorize_client_id_syje4bf0-sj1q-bmhq-d2u3-9lgqsdyaf2mc_mnr9dxwtcoh2q6p8ey14uljg7kfia3sv50zblupyteqj3gvidr5xsfbnc271z6k8ahm0ow94cag1owdxztik93vu05lhjrsny6f8eqmb47p2[1].htm.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: classification engine Classification label: mal72.phis.win@3/20@3/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F0C07076-60CE-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF8F7A3B09211FC4BE.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
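Added worked example (editor's addition, not part of the sandbox output): the only response body the report captures from ning.chen.joydevs.com is the 199-byte gzip stream shown under "Data Raw" in the 200 OK response above, and the report never shows it decompressed. The example below parses the gzip header and trailer and inflates the body, so the HTML the browser received before it moved on to crabpeacock.com can be read directly. The hex bytes are copied verbatim from the captured response; the header field meanings follow RFC 1952, and everything else computed here is derived from those bytes.

```python
"""
Added worked example; this code is not part of the sandbox report.

Inflate the gzip-encoded body that ning.chen.joydevs.com returned for
GET / (HTTP/1.1 200 OK, Content-Encoding: gzip, Content-Length: 199).
RAW_HEX is copied verbatim from the "Data Raw" field of that response;
the report itself never shows the decompressed HTML.
"""
import struct
import zlib

CONTENT_LENGTH = 199  # from the captured response headers

RAW_HEX = """
1f 8b 08 00 00 00 00 00 00 03 35 8f c1 0a c2 30 10 44 ef 82
ff b0 c4 83 8a 25 c1 ab a6 fd 02 0f 22 88 07 11 59 e3 4a a2
b1 09 cd 52 f5 ef 4d 2c ee 69 98 1d 1e 33 da f2 d3 37 30 1e
69 4b 78 2d 02 f2 69 76 ec a9 d9 7a c2 44 70 40 c7 52 4a ad
06 b7 84 93 e9 5c 64 e0 4f a4 5a 30 bd 59 dd b1 c7 c1 15 cd
00 e9 b1 03 8b c9 42 0d 2f d7 5e c3 4b fa 60 90 5d 68 65 b1
d7 39 55 22 fb dd 26 27 40 58 e6 98 56 4a 99 0e 2f 91 d0 04
f3 90 26 3c 95 ac 94 80 c5 8f 24 53 f4 8e 67 d3 c9 74 7e 5c
9e 0a e0 4f 0e 91 da 59 26 55 20 ce 89 fc 4d cc f3 53 ab a1
50 ee 93 2b ab ff c0 ac ca e6 2f ef 6e ed 85 fa 00 00 00
"""

RESPONSE_BODY = bytes.fromhex(RAW_HEX)


def gzip_header(data):
    """Fixed 10-byte gzip member header (RFC 1952): magic, CM, FLG, MTIME, XFL, OS."""
    if len(data) < 18 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    method, flags, mtime, xfl, os_id = struct.unpack("<BBIBB", data[2:10])
    return {"method": method, "flags": flags, "mtime": mtime, "xfl": xfl, "os": os_id}


def gzip_trailer(data):
    """CRC-32 of the uncompressed data and ISIZE, little-endian, in the last 8 bytes."""
    crc32, isize = struct.unpack("<II", data[-8:])
    return {"crc32": crc32, "isize": isize}


def inflate(data):
    """Decompress one gzip member; zlib checks CRC-32 and ISIZE and raises on mismatch."""
    return zlib.decompress(data, 16 + zlib.MAX_WBITS)


def summarise(data):
    """Everything a triage note would record about the captured body."""
    body = inflate(data)
    header, trailer = gzip_header(data), gzip_trailer(data)
    return {
        "compressed_len": len(data),
        "content_length_ok": len(data) == CONTENT_LENGTH,
        "inflated_len": len(body),
        "isize_ok": trailer["isize"] == len(body),
        "crc_ok": zlib.crc32(body) == trailer["crc32"],
        "mtime": header["mtime"],  # MTIME 0 means the encoder recorded no timestamp
        "os": header["os"],        # OS 3 is Unix in the RFC 1952 table
        "body": body,
    }


if __name__ == "__main__":
    info = summarise(RESPONSE_BODY)
    for key, value in info.items():
        if key != "body":
            print(f"{key}: {value}")
    # The page the browser received from the landing host, as text.
    print(info["body"].decode("utf-8", errors="replace"))
```

The same routine is useful whenever a sandbox or proxy capture keeps only the compressed wire bytes: a Content-Length that does not match the byte count, or a CRC/ISIZE mismatch on inflation, means the capture is truncated and the body should not be trusted as the page the victim saw.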
Behavior Graph

Behavior Graph ID: 345167
URL: http://ning.chen.joydevs.co... (truncated in the graph)
Startdate: 27/01/2021
Architecture: WINDOWS
Score: 72

Signatures attached to the root node:
  • Antivirus detection for URL or domain
  • Antivirus / Scanner detection for submitted sample
  • Phishing site detected (based on favicon image match)
  • Yara detected HtmlPhish_10

Process tree (the two counts after each process are, per the graph legend, created registry values and created files):
  iexplore.exe (1 / 51), started
    iexplore.exe (2 / 47), started
      DNS/IP: ning.chen.joydevs.com 198.187.29.179, client ports 49739, 49740 -> 80, NAMECHEAP-NETUS, United States
      DNS/IP: crabpeacock.com 45.136.244.223, client ports 49741, 49742 -> 443, ASBAXETRU, Russian Federation
      Dropped file: authorize_client_i...y6f8eqmb47p2[1].htm, data

Contacted Public IPs

IP              Domain   Country             ASN    ASN Name         Malicious
45.136.244.223  unknown  Russian Federation  51659  ASBAXETRU        false
198.187.29.179  unknown  United States       22612  NAMECHEAP-NETUS  false

Contacted Domains

Name IP Active
ning.chen.joydevs.com 198.187.29.179 true
crabpeacock.com 45.136.244.223 true

Contacted URLs

Name: http://ning.chen.joydevs.com/
  Malicious: false
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: https://crabpeacock.com/.,/authorize_client_id:syje4bf0-sj1q-bmhq-d2u3-9lgqsdyaf2mc_mnr9dxwtcoh2q6p8ey14uljg7kfia3sv50zblupyteqj3gvidr5xsfbnc271z6k8ahm0ow94cag1owdxztik93vu05lhjrsny6f8eqmb47p2?data=bmluZy5jaGVuQHR4ZG90Lmdvdg==
  Malicious: true
  Antivirus Detection: SlashNext: Fake Login Page type: Phishing & Social Engineering
  Reputation: unknown