Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub

Overview

General Information

Sample URL:https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pub
Analysis ID:356040

Most interesting Screenshot:

Detection

HTMLPhisher
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish_20
Phishing site detected (based on various OCR indicators)

Classification

Startup

  • System is w10x64
  • iexplore.exe (PID: 996 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pub[1].htmJoeSecurity_HtmlPhish_20Yara detected HtmlPhish_20Joe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Antivirus / Scanner detection for submitted sampleShow sources
    Source: https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCpMx8sjlWiW2dB5LySYzIsG8o/pubSlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

    Phishing:

    barindex
    Yara detected HtmlPhish_20Show sources
    Source: Yara matchFile source: 098239.pages.csv, type: HTML
    Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\pub[1].htm, type: DROPPED
    Phishing site detected (based on various OCR indicators)Show sources
    Source: ScreenshotsOCR Text: lb hUps//docs.goog|e.comdocumenUd/d2PACX-1vS36Y8R0I C;Search... determine-1217x [I - [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes ^ I! dl N :: Microsoft a Office 365 I LI i Redirecting - Click here to Published by Google Drive - Report Abuse V lb hUps//docs.goog|e.comdocumenUd/d2PACX-1vS36Y8R0I C;Search... determine-1217x [I - [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes ^ I! dl N :: Microsoft a Office 365 I LI i Redirecting - Click here to Published by Google Drive - Report Abuse V Mx8sjlwiw2d C;Search... determine-1217x [I X JO- GjCUC1 determine-1217 Updated automatically every 5 minutes :: Microsoft' a Office 365 Redirecting - Click here to continue W p 0 X " Published by Google Drive - Report Abuse

    Compliance:

    barindex
    Uses new MSVCR DllsShow sources
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
    Uses secure TLS version for HTTPS connectionsShow sources
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49722 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49724 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49726 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49723 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49725 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49740 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49741 version: TLS 1.2
    Source: unknownDNS traffic detected: queries for: themes.googleusercontent.com
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://docs./url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=161400152712
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://docs.ax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://docs.google.com/
    Source: pub[1].htm.2.drString found in binary or memory: https://docs.google.com/abuse?id=AKkXjoxmn0VxVYna4R2kMixj6xjU5UyiFnb84SzAYSNZgyuuoUgq56SJglMCAzzK8sA
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.dr, ~DFC597EDA9F124D6A1.TMP.1.drString found in binary or memory: https://docs.google.com/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCp
    Source: css[2].css.2.drString found in binary or memory: https://fonts.google.com/license/googlerestricted
    Source: pub[1].htm.2.drString found in binary or memory: https://fonts.googleapis.com/css?family=Google
    Source: pub[1].htm.2.drString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto
    Source: css[1].css0.2.drString found in binary or memory: https://fonts.gstatic.com/s/comfortaa/v30/1Pt_g8LJRfWJmhDAuUsSQamb1W0lwk4S4Y_LPrc.woff)
    Source: css[2].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/googlesans/v27/4UaGrENHsxJlGDuGo1OIlL3Owpg.woff)
    Source: css[1].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/roboto/v20/KFOmCnqEu92Fr1Mu4mxM.woff)
    Source: pub[1].htm.2.drString found in binary or memory: https://lh3.googleusercontent.com/FCtkh_cVMnq9w0w2EefouDOYE-kLx6conTHn_lapO1sUkLA_arG-RSCq96SJ6Dsgqq
    Source: pub[1].htm.2.drString found in binary or memory: https://lh4.googleusercontent.com/4lqrNCf-I_g3G-ZRjSCrk4CzHer9-aZGLVZMAv1E5urrkm5iZ-6srIQnL3bv29zPMl
    Source: pub[1].htm.2.drString found in binary or memory: https://lh4.googleusercontent.com/592S7q3HqTUOgiQvkzddFGMOaqBqKIpIo48LskWavhxGbCFORGwwPJB3K3jyWmt0xY
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://sistema.grutor
    Source: url[1].htm.2.drString found in binary or memory: https://sistema.grutorax.com.br/deliver.php
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=AOvVaw0GiDo
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614001527126000&usg=Root
    Source: ~DFC597EDA9F124D6A1.TMP.1.drString found in binary or memory: https://sistema.grutorax.com.br/deliver.php.grutorax.com.br/deliver.php&sa=D&source=editors&ust=1614
    Source: imagestore.dat.2.dr, pub[1].htm.2.drString found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico
    Source: imagestore.dat.2.drString found in binary or memory: https://ssl.gstatic.com/docs/documents/images/kix-favicon7.ico~
    Source: pub[1].htm.2.drString found in binary or memory: https://themes.googleusercontent.com/fonts/css?kit=fND5XPYKrF2tQDwwfWZJI_esZW2xOQ-xsNqO47m55DA
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://www.google.com
    Source: imagestore.dat.2.drString found in binary or memory: https://www.google.com/favicon.ico
    Source: imagestore.dat.2.drString found in binary or memory: https://www.google.com/favicon.ico~
    Source: pub[1].htm.2.drString found in binary or memory: https://www.google.com/url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors
    Source: ~DFC597EDA9F124D6A1.TMP.1.drString found in binary or memory: https://www.google.com/url?q=https://sistema.grutorax.com.br/deliver.php&sa=D&source=editors&ust=161
    Source: {9331828A-7557-11EB-90E5-ECF4BB570DC9}.dat.1.drString found in binary or memory: https://www.google.comm/document/d/e/2PACX-1vS36Y8R0dZPmbkK0kzlhwl7QP56-1X6JRq34lZp4A2cukPSL9y0gFPCp
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
    Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49722 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49724 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49726 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49723 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49725 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.5:49727 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49740 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 198.57.186.221:443 -> 192.168.2.5:49741 version: TLS 1.2
    Source: classification engineClassification label: mal60.phis.win@3/20@4/2
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93318288-7557-11EB-90E5-ECF4BB570DC9}.datJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF8D165E106D3995D4.TMPJump to behavior
    Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
    Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2
    Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.