Analysis Report #Ud83d#Udce9-peter.nash.htm

Overview

General Information

Sample Name: #Ud83d#Udce9-peter.nash.htm
Analysis ID: 432756
MD5: 8c6df9b0709674ba479f63d75b3a2cb6
SHA1: 734aef9ae6219e97ea02bdd13bce9a31c1327b14
SHA256: ab8c991ac026e2cf24f0c012a09174da7fdc75604c626883c964add719bd1c9e

Detection

HTMLPhisher
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish44
Obfuscated HTML file found
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Classification

Phishing:

Yara detected HtmlPhish44
Source: Yara match File source: #Ud83d#Udce9-peter.nash.htm, type: SAMPLE
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm HTTP Parser: Number of links: 0
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm HTTP Parser: Title: Undelivered email local access does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.3:49721 version: TLS 1.2

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.18.11.207
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic HTTP traffic detected: GET /bground.png HTTP/1.1
  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: gravitfy.com
  Connection: Keep-Alive
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9f4ff2ee,0x01d75e5f</date><accdate>0x9f4ff2ee,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9f4ff2ee,0x01d75e5f</date><accdate>0x9f4ff2ee,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9f60a35c,0x01d75e5f</date><accdate>0x9f60a35c,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9f60a35c,0x01d75e5f</date><accdate>0x9f60a35c,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9f60a35c,0x01d75e5f</date><accdate>0x9f60a35c,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9f60a35c,0x01d75e5f</date><accdate>0x9f60a35c,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: maxcdn.bootstrapcdn.com
Source: font-awesome.min[1].css.3.dr String found in binary or memory: http://fontawesome.io
Source: font-awesome.min[1].css.3.dr String found in binary or memory: http://fontawesome.io/license
Source: bootstrap.min[1].css.3.dr String found in binary or memory: http://getbootstrap.com)
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff)
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/varelaround/v13/w8gdH283Tvk__Lua32TysjIfp8uJ.woff)
Source: bootstrap.min[1].css.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: classification engine Classification label: mal52.phis.evad.winHTM@3/23@2/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFF818C42C07F5AA3B.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Obfuscated HTML file found
Source: #Ud83d#Udce9-peter.nash.htm Initial file: Did not found title: "Undelivered email local access" in HTML/HTM content