
Analysis Report

Overview

General Information

Joe Sandbox Version:23.0.0
Analysis ID:67744
Start time:11:51:31
Joe Sandbox Product:CloudBasic
Start date:12.07.2018
Overall analysis duration:0h 3m 45s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://www.navitime.co.jp
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean1.win@5/294@64/31
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Browsing link: https://www.navitime.co.jp/
  • Browsing link: https://www.navitime.co.jp/transfer/
  • Browsing link: https://www.navitime.co.jp/diagram/
  • Browsing link: https://www.navitime.co.jp/balletdiagram/
  • Browsing link: https://www.navitime.co.jp/diagram/limitedExpress/
  • Browsing link: https://www.navitime.co.jp/transfer/pass/
  • Browsing link: https://www.navitime.co.jp/railroad/
  • Browsing link: https://www.navitime.co.jp/train/
  • Browsing link: https://www.navitime.co.jp/?ctl=0171
  • Browsing link: https://www.navitime.co.jp/congestion/prediction/
  • Browsing link: https://transit.navitime.com/ja/?from=pcnavi.header
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy:Threshold
Score:1
Range:0 - 100
Reporting:Report FP / FN
Detection:clean

Confidence

Strategy:Threshold
Score:3
Range:0 - 5
Further Analysis Required?:true


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; additional UI automation would likely extend the observed behavior.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Signature Overview



Networking:

Connects to many different domains
Source: unknown; Network traffic detected: DNS query count 44
Downloads files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\77PTX9DT
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected:
    GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.pki.goog
Source: global traffic; HTTP traffic detected:
    GET /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCEfOiz4zTs88 HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.pki.goog
Source: global traffic; HTTP traffic detected:
    GET /gsr2/gsr2.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.pki.goog
Source: global traffic; HTTP traffic detected:
    GET /GTSGIAG3.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.pki.goog
Found strings which match to known social media urls
Source: bootstrap.min[1].css.1.dr; String found in binary or memory: * Copyright 2013 Twitter, Inc equals www.twitter.com (Twitter)
Source: YSImn9dXEug[1].js.1.dr; String found in binary or memory: * License: https://www.facebook.com/legal/license/Xw9uo4x52zr/ equals www.facebook.com (Facebook)
Source: YSImn9dXEug[1].js.1.dr; String found in binary or memory: * License: https://www.facebook.com/legal/license/YRMpr4GrYU7/ equals www.facebook.com (Facebook)
Source: qFkemv11bk_[1].js.1.dr; String found in binary or memory: * License: https://www.facebook.com/legal/license/qZmK4zWM8-v/ equals www.facebook.com (Facebook)
Source: bootstrap.min[1].js.1.dr; String found in binary or memory: * Copyright 2013 Twitter, Inc. equals www.twitter.com (Twitter)
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://www.facebook.com/plugins/likebox.php?href=https%3A%2F%2Fwww.facebook.com%2FNAVITIME&width&height=290&colorscheme=light&show_faces=true&header=true&stream=false&show_border=true equals www.facebook.com (Facebook)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: www.navitime.co.jp
URLs found in memory or binary data
Source: gtm[1].js.1.dr; String found in binary or memory: http://
Source: 375A69B7DF747B011448B62FE0D231010.1.dr; String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: jstag[1].js.1.dr; String found in binary or memory: http://code.google.com/p/swfobject/
Source: 375A69B7DF747B011448B62FE0D231010.1.dr; String found in binary or memory: http://crl.godaddy.com/gdig2s1-802.crl0
Source: EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D0.1.dr; String found in binary or memory: http://crl.godaddy.com/repository/0
Source: EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D0.1.dr; String found in binary or memory: http://crl.godaddy.com/repository/gdroot.crl0J
Source: 669061A68B5E502FFE9DEA65A208F232_174F6D439B01D2CE8B340D58211B5C640.1.dr; String found in binary or memory: http://crl.godaddy.com/repository/mastergodaddy2issuing.crl0J
Source: 01B16CDBADE7DB774141D7E30D50EC69.1.dr; String found in binary or memory: http://crl.pki.goog/GTSGIAG3.crlp
Source: 739F2FF4259CDC6CBE7B90F1A95601EF0.1.dr; String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl0
Source: 254248EB318A7F70233257E2AAF7E4DB0.1.dr; String found in binary or memory: http://crl3.digicert.com/ssca-ecc-g1.crl0
Source: 41E729636896BD186E9FDA558705F7750.1.dr; String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g5.crl0
Source: 6B17EC2CD0C9B19353018FF1C12BC489.1.dr; String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl
Source: 5B9763FB83E74617D0DB58992800F69B0.1.dr; String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0
Source: 77EC63BDA74BD0D0E0426DC8F8008506.1.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jquery.tmpl.min[1].js.1.dr; String found in binary or memory: http://github.com/jquery/jquery-tmpl
Source: jquery.ah-placeholder.min[1].js.1.dr; String found in binary or memory: http://havelog.ayumusato.com
Source: jquery.ah-placeholder.min[1].js.1.dr; String found in binary or memory: http://havelog.ayumusato.com/develop/javascript/e189-jquery-plugin-placeholder.html
Source: jquery.tmpl.min[1].js.1.dr; String found in binary or memory: http://jquery.org/license
Source: jquery-ui-1.9.2.custom.min[1].css.1.dr; String found in binary or memory: http://jqueryui.com
Source: jquery-ui-1.9.2.custom.min[1].css.1.dr; String found in binary or memory: http://jqueryui.com/themeroller/?ffDefault=Verdana%2CArial%2Csans-serif&fwDefault=normal&fsDefault=1
Source: getGourmetList[1].json.1.dr; String found in binary or memory: http://kuchikomi.navitime.co.jp/spot/post_image_form?name=
Source: model_1.1.2[1].js.1.dr; String found in binary or memory: http://local.navitime.hoge/pcstorage/img/top/new/cgm/noimage.png
Source: EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB.1.dr; String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1Jg
Source: so_sg[1].js.1.dr; String found in binary or memory: http://tg.socdm.com
Source: bootstrap.min[1].css.1.dr; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: bootstrap.min[1].js.1.dr; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.txt
Source: jquery.ah-placeholder.min[1].js.1.dr; String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: jstag[1].js.1.dr, jquery.ah-placeholder.min[1].js.1.dr; String found in binary or memory: http://www.opensource.org/licenses/mit-license.php
Source: 705A76DE71EA2CAEBB8F0907449CE086_B321BB048682DA6FCE7504A354A855010.1.dr; String found in binary or memory: http://www.symauth.com/cps0
Source: C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF0.1.dr; String found in binary or memory: http://www.symauth.com/cps0(
Source: 705A76DE71EA2CAEBB8F0907449CE086_B321BB048682DA6FCE7504A354A855010.1.dr, C46E7B0F942663A1EDC8D9D6D7869173_D9B9F37ECE595B0B7B6AA12451D392CF0.1.dr; String found in binary or memory: http://www.symauth.com/rpa0
Source: gtm[1].js.1.dr; String found in binary or memory: https://
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://ads.adjust-net.jp/adserver/ad/ads.js
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://ads.adjust-net.jp/adserver/ads?med=2000699&site=2001091&frame=2009374&height=250&width=300&t
Source: jquery.ah-placeholder.min[1].js.1.dr; String found in binary or memory: https://github.com/ahomu/jquery.ah-placeholder
Source: gtm[2].js.1.dr; String found in binary or memory: https://github.com/krux/postscribe/blob/master/LICENSE.
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://pagead2.googlesyndication.com/pcs/activeview?xai
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://securepubads.g.doubleclick.net/pcs/view?xai
Source: getGourmetList[1].json.1.dr; String found in binary or memory: https://svcstrg2.navitime.jp/imgfile/02301_1400354_02.jpg
Source: so_sg[1].js.1.dr; String found in binary or memory: https://tg.socdm.com
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://tpc.googlesyndication.com/pagead/js/r20180702/r20110914/activeview/osd_listener.js
Source: YSImn9dXEug[1].js.1.dr; String found in binary or memory: https://www.facebook.com/legal/license/Xw9uo4x52zr/
Source: YSImn9dXEug[1].js.1.dr; String found in binary or memory: https://www.facebook.com/legal/license/YRMpr4GrYU7/
Source: qFkemv11bk_[1].js.1.dr; String found in binary or memory: https://www.facebook.com/legal/license/qZmK4zWM8-v/
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://www.facebook.com/plugins/likebox.php?href=https%3A%2F%2Fwww.facebook.com%2FNAVITIME&width&he
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://www.googletagservices.com/tag/js/gpt.js
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://www.navitime.co.jp/
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://www.navitime.co.jp/&0W
Source: ~DF8F8BC56498AFCB5E.TMP.0.dr; String found in binary or memory: https://www.navitime.co.jp/6https://www.navitime.co.jp/
Source: getGourmetList[1].json.1.dr; String found in binary or memory: https://www.navitime.co.jp/?ctl=0190&provId=02301&spotId=1400354
Source: getGourmetList[1].json.1.dr; String found in binary or memory: https://www.navitime.co.jp/?ctl=0190&provId=02301&spotId=1405976n
Source: getGourmetList[1].json.1.dr; String found in binary or memory: https://www.navitime.co.jp/poi?spt=02301.1400354
Source: getGourmetList[1].json.1.dr; String found in binary or memory: https://www.navitime.co.jp/poi?spt=02301.1405976n
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49335
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49269
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown; Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49320
Source: unknown; Network traffic detected: HTTP traffic on port 49324 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown; Network traffic detected: HTTP traffic on port 49327 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49258
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown; Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown; Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49276 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49303 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49257 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49271
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49221
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown; Network traffic detected: HTTP traffic on port 49310 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49294 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49336
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown; Network traffic detected: HTTP traffic on port 49299 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown; Network traffic detected: HTTP traffic on port 49305 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49293
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown; Network traffic detected: HTTP traffic on port 49333 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49306
Source: unknown; Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown; Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49297 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49275
Source: unknown; Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49321
Source: unknown; Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown; Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown; Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49277
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown; Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown; Network traffic detected: HTTP traffic on port 49321 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown; Network traffic detected: HTTP traffic on port 49309 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49302
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49262
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49257
Source: unknown; Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49308 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49261 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49303
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown; Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49296
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49315
Source: unknown; Network traffic detected: HTTP traffic on port 49325 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49322
Source: unknown; Network traffic detected: HTTP traffic on port 49296 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49267 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49278
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49267
Source: unknown; Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49265
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown; Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49275 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49255
Source: unknown; Network traffic detected: HTTP traffic on port 49307 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49295 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown; Network traffic detected: HTTP traffic on port 49293 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49312 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown; Network traffic detected: HTTP traffic on port 49292 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49287
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown; Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49323 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49285 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown; Network traffic detected: HTTP traffic on port 49269 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49307
Source: unknown; Network traffic detected: HTTP traffic on port 49271 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown; Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown; Network traffic detected: HTTP traffic on port 49315 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown; Network traffic detected: HTTP traffic on port 49302 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49328
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49305
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown; Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown; Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49263
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49327
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49304
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49318
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49312
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49253
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown; Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49304 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49266
Source: unknown; Network traffic detected: HTTP traffic on port 49317 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49322 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49324
Source: unknown; Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49325
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49309
Source: unknown; Network traffic detected: HTTP traffic on port 49306 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown; Network traffic detected: HTTP traffic on port 49255 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49329
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown; Network traffic detected: HTTP traffic on port 49227 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown; Network traffic detected: HTTP traffic on port 49311 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49265 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49335 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49277 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49308
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49268
Source: unknown; Network traffic detected: HTTP traffic on port 49221 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown; Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49299
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49295
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49260
Source: unknown; Network traffic detected: HTTP traffic on port 49328 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49323
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown; Network traffic detected: HTTP traffic on port 49286 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown; Network traffic detected: HTTP traffic on port 49278 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49253 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown; Network traffic detected: HTTP traffic on port 49336 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49260 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49268 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49329 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown; Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49317
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49294
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49298
Source: unknown; Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown; Network traffic detected: HTTP traffic on port 49266 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown; Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49286
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49333
Source: unknown; Network traffic detected: HTTP traffic on port 49318 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49261
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49292
Source: unknown; Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown; Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49287 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49326 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown; Network traffic detected: HTTP traffic on port 49330 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown; Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49297
Source: unknown; Network traffic detected: HTTP traffic on port 49263 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49262 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown; Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49258 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown; Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49285
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49330
Source: unknown; Network traffic detected: HTTP traffic on port 49298 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49320 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49326
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49311
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49310
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49227

System Summary:

Searches the installation path of Mozilla Firefox
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
Classification label
Source: classification engine; Classification label: clean1.win@5/294@64/31
Creates files inside the user directory
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\HERBBL~1\AppData\Local\Temp\~DF4222867D0AA471EE.TMP
Reads ini files
Source: C:\Program Files\Internet Explorer\iexplore.exe; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3328 CREDAT:275457 /prefetch:2
Source: unknown; Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3328 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0144-ABCDEFFEDCBA}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Program Files\Internet Explorer\iexplore.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)

Behavior Graph

[Behavior graph image not reproduced] Behavior Graph ID: 67744 | URL: https://www.navitime.co.jp | Start date: 12/07/2018 | Architecture: WINDOWS | Score: 1

Process tree and network contacts recovered from the graph:
  • iexplore.exe (graph node counts: 25, 53): started
    contacted cs9.wpc.v0cdn.net 152.199.19.161, remote port 443, local ports 49323, 49324 (ANSBB-ASNNET-1-AdvancedNetworksServicesIncUS, United States)
    • iexplore.exe (graph node counts: 4, 303): started by the parent iexplore.exe
      contacted e5529.g.akamaiedge.net 23.32.223.51, remote port 443, local ports 49268, 49269 (TELIANETTeliaCarrierSE, United States)
      contacted e7164.g.akamaiedge.net 23.33.75.133, remote port 443, local ports 49308, 49309 (TELIANETTeliaCarrierSE, United States)
      contacted 87 other IPs or domains
      • ssvagent.exe (graph node count: 6): started by the child iexplore.exe

Simulations

Behavior and APIs

Time     | Type            | Description
11:51:45 | API Interceptor | 4130x Sleep call for process: iexplore.exe modified
11:51:46 | API Interceptor | 1x Sleep call for process: ssvagent.exe modified

Antivirus Detection

Initial Sample

Source                     | Detection | Scanner
https://www.navitime.co.jp | 0%        | virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains


URLs

Source | Detection | Scanner
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D | 0% | virustotal
http://crl.pki.goog/gsr2/gsr2.crl | 0% | virustotal
http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCEfOiz4zTs88 | 0% | virustotal
http://crl.pki.goog/GTSGIAG3.crl | 0% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots