
Windows Analysis Report https://pinnaclepetroleuminc.godaddysites.com/

Overview

General Information

Sample URL: https://pinnaclepetroleuminc.godaddysites.com/
Analysis ID: 448978

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected potential crypto function
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • cmd.exe (PID: 4232 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://pinnaclepetroleuminc.godaddysites.com/' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 4952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • wget.exe (PID: 5720 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://pinnaclepetroleuminc.godaddysites.com/' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • chrome.exe (PID: 720 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'C:\Users\user\Desktop\download\index.html' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6024 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,16974770309779326767,15486729119825007596,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1772 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: unknown | HTTPS traffic detected: 72.167.191.83:443 -> 192.168.2.3:49714 version: TLS 1.2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 466 ICMP L3retriever Ping 192.168.2.3: -> 23.10.249.73:
Source: unknown | DNS traffic detected: queries for: pinnaclepetroleuminc.godaddysites.com
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp, wget.exe, 00000003.00000002.211956778.0000000000CF5000.00000004.00000040.sdmp, cmdline.out.3.dr | String found in binary or memory: http://certs.godaddy.com/repository/
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdig2s1-2115.crl
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdig2s1-2115.crl0
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdig2s1-2115.crlV
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crlM
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crlj
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/0
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.godaddy.com/05
Source: index.html.3.dr | String found in binary or memory: http://scripts.sil.org/OFL
Source: manifest.json0.6.dr, 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://accounts.google.com
Source: manifest.json0.6.dr, 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://apis.google.com
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: https://certs.godaddy.com/repository/
Source: 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://clients2.google.com
Source: manifest.json0.6.dr | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://clients2.googleusercontent.com
Source: manifest.json0.6.dr | String found in binary or memory: https://content.googleapis.com
Source: 83efb3ab-45cc-4f9a-b960-a2a9c2594ccb.tmp.7.dr, 0786e044-ff35-44fc-9ee5-40f554e01a64.tmp.7.dr, 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://dns.google
Source: manifest.json0.6.dr | String found in binary or memory: https://feedback.googleusercontent.com
Source: 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr | String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.6.dr | String found in binary or memory: https://fonts.googleapis.com;
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp, 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.6.dr | String found in binary or memory: https://fonts.gstatic.com;
Source: manifest.json0.6.dr | String found in binary or memory: https://hangouts.google.com/
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: https://img1.wsimg.com
Source: index.html.3.dr | String found in binary or memory: https://img1.wsimg.com/isteam/ip/2c799769-c520-435d-aaec-05af746a3db0/image_2021-07-14_175004.png
Source: wget.exe, 00000003.00000002.212557894.0000000002BA9000.00000004.00000001.sdmp | String found in binary or memory: https://isteam.wsimg.com
Source: wget.exe, 00000003.00000003.211516799.0000000002BA8000.00000004.00000001.sdmp | String found in binary or memory: https://kenyavalleyapt.buzz/info28962/proposal62271299
Source: 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://ogs.google.com
Source: manifest.json.6.dr | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: wget.exe, 00000003.00000002.211937943.0000000000B10000.00000004.00000020.sdmp, cmdline.out.3.dr, index.html.3.dr | String found in binary or memory: https://pinnaclepetroleuminc.godaddysites.com/
Source: wget.exe, 00000003.00000003.211527973.0000000002B68000.00000004.00000001.sdmp | String found in binary or memory: https://pinnaclepetroleuminc.godaddysites.com/M
Source: 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://play.google.com
Source: 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://r3---sn-1gieen7e.gvt1.com
Source: 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://redirector.gvt1.com
Source: manifest.json.6.dr | String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://ssl.gstatic.com
Source: messages.json72.6.dr | String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json72.6.dr | String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: index.html.3.dr | String found in binary or memory: https://www.fontsquirrel.com/license/league-spartan
Source: wget.exe, 00000003.00000002.212548294.0000000002B9F000.00000004.00000001.sdmp, wget.exe, 00000003.00000002.212554022.0000000002BA7000.00000004.00000001.sdmp, index.html.3.dr | String found in binary or memory: https://www.godaddy.com/websites/website-builder?isc=pwugc&utm_source=wsb&utm_medium=applica
Source: manifest.json0.6.dr, 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://www.google.com
Source: manifest.json.6.dr | String found in binary or memory: https://www.google.com/
Source: manifest.json0.6.dr | String found in binary or memory: https://www.google.com;
Source: 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://www.googleapis.com
Source: manifest.json.6.dr | String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.6.dr | String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.6.dr | String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.6.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.6.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.6.dr | String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.6.dr | String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.6.dr | String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.6.dr | String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.6.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.6.dr | String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.6.dr | String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.6.dr | String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: 0d8b8803-4945-4ebd-b34b-3162b3dff053.tmp.7.dr, 992a1d58-1303-4672-b8f3-bf40ed48004b.tmp.7.dr | String found in binary or memory: https://www.gstatic.com
Source: manifest.json0.6.dr | String found in binary or memory: https://www.gstatic.com;
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | HTTPS traffic detected: 72.167.191.83:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00D2EB80
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00D2A21A
Source: classification engine | Classification label: mal48.win@36/175@4/5
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4952:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Local\Temp\f400f45c-e7e1-4864-8907-8ceadf68bd67.tmp
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://pinnaclepetroleuminc.godaddysites.com/' > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://pinnaclepetroleuminc.godaddysites.com/'
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation -- 'C:\Users\user\Desktop\download\index.html'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,16974770309779326767,15486729119825007596,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1772 /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://pinnaclepetroleuminc.godaddysites.com/'
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 entries)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,16974770309779326767,15486729119825007596,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1772 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (27 entries)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: C:\Windows\SysWOW64\wget.exe | Code function: 3_2_00D2F903 push 00000078h; retf (at 3_2_00D2F905)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: wget.exe | Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000003.00000002.211971311.0000000000D18000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (1) | Masquerading (3) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (1) | LSASS Memory | System Information Discovery (12) | Remote Desktop Prot