
Analysis Report #Ud83d#Udce9-peter.nash.htm

Overview

General Information

Sample Name: #Ud83d#Udce9-peter.nash.htm
Analysis ID: 432756
MD5: 8c6df9b0709674ba479f63d75b3a2cb6
SHA1: 734aef9ae6219e97ea02bdd13bce9a31c1327b14
SHA256: ab8c991ac026e2cf24f0c012a09174da7fdc75604c626883c964add719bd1c9e

Detection

HTMLPhisher
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish44
Obfuscated HTML file found
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Classification

Process Tree

  • System is w10x64
  • iexplore.exe (PID: 3728 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5720 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: #Ud83d#Udce9-peter.nash.htm
Rule: JoeSecurity_HtmlPhish_44
Description: Yara detected HtmlPhish_44
Author: Joe Security
Strings: (none listed)

Sigma Overview

No Sigma rule has matched

Signature Overview

Phishing:

Yara detected HtmlPhish44
Source: Yara match, File source: #Ud83d#Udce9-peter.nash.htm, type: SAMPLE
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm, HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm, HTTP Parser: Title: Undelivered email local access does not match URL
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm, HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm, HTTP Parser: No <meta name="author" ...> found
Source: file:///C:/Users/user/Desktop/%23Ud83d%23Udce9-peter.nash.htm, HTTP Parser: No <meta name="copyright" ...> found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown, HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: Joe Sandbox View, IP Address: 104.18.11.207
Source: Joe Sandbox View, JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: global traffic, HTTP traffic detected:
  GET /bground.png HTTP/1.1
  Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: gravitfy.com
  Connection: Keep-Alive
Source: msapplication.xml0.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9f4ff2ee,0x01d75e5f</date><accdate>0x9f4ff2ee,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9f4ff2ee,0x01d75e5f</date><accdate>0x9f4ff2ee,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9f60a35c,0x01d75e5f</date><accdate>0x9f60a35c,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9f60a35c,0x01d75e5f</date><accdate>0x9f60a35c,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9f60a35c,0x01d75e5f</date><accdate>0x9f60a35c,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr, String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9f60a35c,0x01d75e5f</date><accdate>0x9f60a35c,0x01d75e5f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown, DNS traffic detected: queries for: maxcdn.bootstrapcdn.com