Loading ...

Play interactive tourEdit tour

Analysis Report test.html

Overview

General Information

Sample Name:test.html
Analysis ID:404279
MD5:0d80b3a43db9adf29fe973890a099230
SHA1:2d5984c3f0f77273bc7c896a0be318000a790e06
SHA256:edd93d70b8455e9ac5462e8488ce717c7baea2960c6bfece09b7b5855b267ae5
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected HtmlPhish10
Phishing site detected (based on logo template match)
HTML body contains low number of good links
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
No HTML title found
None HTTPS page querying sensitive user data (password, username or email)
Suspicious form URL found

Classification

Startup

  • System is w10x64
  • chrome.exe (PID: 1364 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'C:\Users\user\Desktop\test.html' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6160 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,16747573067059828566,6713175093340114276,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1688 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
test.htmlJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    Phishing:

    barindex
    Yara detected HtmlPhish10Show sources
    Source: Yara matchFile source: test.html, type: SAMPLE
    Phishing site detected (based on logo template match)Show sources
    Source: file:///C:/Users/user/Desktop/test.htmlMatcher: Template: microsoft matched
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: Number of links: 0
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: Number of links: 0
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: HTML title missing
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: HTML title missing
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: Has password / email / username input fields
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: Has password / email / username input fields
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: Form action: https://ppdt.trisakti.ac.id/wp-content/time/5/login.php
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: Form action: https://ppdt.trisakti.ac.id/wp-content/time/5/login.php
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: No <meta name="author".. found
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: No <meta name="author".. found
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: No <meta name="copyright".. found
    Source: file:///C:/Users/user/Desktop/test.htmlHTTP Parser: No <meta name="copyright".. found
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior
    Source: unknownHTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.3:49718 version: TLS 1.2
    Source: Joe Sandbox ViewIP Address: 162.125.66.15 162.125.66.15
    Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
    Source: Joe Sandbox ViewJA3 fingerprint: b32309a26951912be7dba376398abc3b
    Source: Ruleset Data.0.drString found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
    Source: Ruleset Data.0.drString found in binary or memory: www.facebook.com/ad.*^ajaxpipe^ equals www.facebook.com (Facebook)
    Source: Ruleset Data.0.drString found in binary or memory: www.facebook.com/ad.*^ajaxpipe^>- equals www.facebook.com (Facebook)
    Source: Ruleset Data.0.drString found in binary or memory: www.facebook.com/ajax/ads/ equals www.facebook.com (Facebook)
    Source: unknownDNS traffic detected: queries for: dl.dropboxusercontent.com
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, manifest.json0.0.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://accounts.google.com
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, manifest.json0.0.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://apis.google.com
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://clients2.google.com
    Source: manifest.json1.0.drString found in binary or memory: https://clients2.google.com/service/update2/crx
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://clients2.googleusercontent.com
    Source: manifest.json0.0.drString found in binary or memory: https://content.googleapis.com
    Source: Reporting and NEL.1.drString found in binary or memory: https://csp.withgoogle.com/csp/report-to/IdentityListAccountsHttp/external
    Source: 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://dl.dropboxusercontent.com
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.dr, 4a03e2b9-b11d-4d5c-be43-d5c958236abb.tmp.1.dr, 518a2c58-4a3d-4ff1-b9bc-f50618352008.tmp.1.drString found in binary or memory: https://dns.google
    Source: 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://encrypted-tbn0.gstatic.com
    Source: test.htmlString found in binary or memory: https://encrypted-tbn0.gstatic.com/images?q=tbn%3AANd9GcSAluhajE56aexBgNLyhO8o4gfUkxvz76QA2g&amp;usq
    Source: manifest.json0.0.drString found in binary or memory: https://feedback.googleusercontent.com
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.drString found in binary or memory: https://fonts.googleapis.com
    Source: manifest.json0.0.drString found in binary or memory: https://fonts.googleapis.com;
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://fonts.gstatic.com
    Source: manifest.json0.0.drString found in binary or memory: https://fonts.gstatic.com;
    Source: manifest.json0.0.drString found in binary or memory: https://hangouts.google.com/
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://ogs.google.com
    Source: manifest.json1.0.drString found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://play.google.com
    Source: Current Session.0.drString found in binary or memory: https://ppdt.trisakti.ac.id/wp-content/time/5/login.php
    Source: 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://r7---sn-n02xgoxufvg3-2gbs.gvt1.com
    Source: 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://redirector.gvt1.com
    Source: manifest.json1.0.drString found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://ssl.gstatic.com
    Source: messages.json41.0.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
    Source: messages.json41.0.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, manifest.json0.0.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://www.google.com
    Source: manifest.json1.0.drString found in binary or memory: https://www.google.com/
    Source: manifest.json0.0.drString found in binary or memory: https://www.google.com;
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://www.googleapis.com
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/clouddevices
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/meetings
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/sierra
    Source: manifest.json1.0.drString found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
    Source: manifest.json0.0.drString found in binary or memory: https://www.googleapis.com/auth/userinfo.email
    Source: 3399a358-8acf-4c6e-9fb6-1f82a1649030.tmp.1.dr, 9b3bf54c-5910-42a0-910b-7d92f48775c5.tmp.1.drString found in binary or memory: https://www.gstatic.com
    Source: manifest.json0.0.drString found in binary or memory: https://www.gstatic.com;
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
    Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
    Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
    Source: unknownHTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.3:49718 version: TLS 1.2
    Source: classification engineClassification label: mal52.phis.winHTML@43/239@2/6
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-60921F8C-554.pmaJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\957d89ea-283c-4003-ad2f-a6b7b92fdf8d.tmpJump to behavior
    Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized 'C:\Users\user\Desktop\test.html'
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,16747573067059828566,6713175093340114276,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1688 /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,16747573067059828566,6713175093340114276,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1688 /prefetch:8Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading3OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.