Windows Analysis Report
https://cloudfil.es/ly7mR8utBQ5

Overview

General Information

Sample URL: https://cloudfil.es/ly7mR8utBQ5
Analysis ID: 708252

Detection

HTMLPhisher
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish44
Found inlined nop instructions (likely shell or obfuscated code)
Found iframes
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
No HTML title found
Detected potential crypto function
HTTP GET or POST without a user agent
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64
  • chrome.exe (PID: 5928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 1572 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1772,i,13935456055298204775,6851687727719502408,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • unarchiver.exe (PID: 2768 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND.zip" MD5: 9DE2E060A2985A232D8B96F9EC847A19)
      • 7za.exe (PID: 5912 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fsnnqwuj.h1e" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • chrome.exe (PID: 3560 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3636 --field-trial-handle=1772,i,13935456055298204775,6851687727719502408,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 6268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 --field-trial-handle=1772,i,13935456055298204775,6851687727719502408,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • unarchiver.exe (PID: 1768 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND (1).zip" MD5: 9DE2E060A2985A232D8B96F9EC847A19)
      • 7za.exe (PID: 4852 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\oluilyf2.xu4" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND (1).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • unarchiver.exe (PID: 4788 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND (2).zip" MD5: 9DE2E060A2985A232D8B96F9EC847A19)
      • 7za.exe (PID: 7164 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\evppz250.yan" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND (2).zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • chrome.exe (PID: 760 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://cloudfil.es/ly7mR8utBQ5" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):
Source: C:\Users\user\AppData\Local\Temp\oluilyf2.xu4\SARS OUTSTANDING LETTER OF DEMAND.html  Rule: JoeSecurity_HtmlPhish_44  Description: Yara detected HtmlPhish_44  Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\evppz250.yan\SARS OUTSTANDING LETTER OF DEMAND.html  Rule: JoeSecurity_HtmlPhish_44  Description: Yara detected HtmlPhish_44  Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\fsnnqwuj.h1e\SARS OUTSTANDING LETTER OF DEMAND.html  Rule: JoeSecurity_HtmlPhish_44  Description: Yara detected HtmlPhish_44  Author: Joe Security
No Sigma rule has matched
No Snort rule has matched
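What the process tree and the Yara hits above describe is a single delivery pattern: a file-sharing link hands the browser a ZIP whose only member is an .html lure, and the HTML itself is the phishing page. A static pre-filter for that pattern, written here as an added example (not Joe Security's tooling and not the real dropped file), builds a constructed lure in memory and reports the same structural hints the signature list names (no HTML title, iframes, a credential form). The domains in the sample HTML are placeholders.

```python
import io
import zipfile
from html.parser import HTMLParser

HTML_EXTS = (".html", ".htm", ".shtml", ".xhtml")


class _PhishScanner(HTMLParser):
    """Collect the structural hints a sandbox reports: title, iframes, credential forms."""

    def __init__(self):
        super().__init__()
        self.has_title = False
        self.iframe_srcs = []
        self.form_actions = []
        self.password_inputs = 0
        self.script_bytes = 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        a = dict(attrs)
        if tag == "title":
            self.has_title = True
        elif tag == "iframe":
            self.iframe_srcs.append(a.get("src") or "")
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):  # script bodies reach here as CDATA
        if self._in_script:
            self.script_bytes += len(data)


def scan_html(text):
    s = _PhishScanner()
    s.feed(text)
    s.close()
    return {"has_title": s.has_title, "iframe_srcs": s.iframe_srcs,
            "form_actions": s.form_actions, "password_inputs": s.password_inputs,
            "script_bytes": s.script_bytes}


def triage_archive(zip_bytes):
    """Flag archives that exist only to carry HTML, and inspect each HTML member."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        names = [i.filename for i in members]
        html_members = [i for i in members if i.filename.lower().endswith(HTML_EXTS)]
        html_only = bool(members) and len(html_members) == len(members)
        if html_only:
            reasons.append("archive contains only HTML files")
        for info in html_members:
            if info.flag_bits & 0x1:  # encrypted entry: cannot inspect, so flag it
                reasons.append(f"{info.filename}: encrypted member")
                continue
            h = scan_html(zf.read(info).decode("utf-8", "replace"))
            if not h["has_title"]:
                reasons.append(f"{info.filename}: no <title>")
            if h["iframe_srcs"]:
                reasons.append(f"{info.filename}: {len(h['iframe_srcs'])} iframe(s)")
            if h["password_inputs"]:
                reasons.append(f"{info.filename}: password input")
            for action in h["form_actions"]:
                if action.lower().startswith(("http://", "https://")):
                    reasons.append(f"{info.filename}: form posts to {action}")
    return {"members": names, "html_only": html_only, "reasons": reasons,
            "suspicious": len(reasons) >= 2}


# Constructed lure (placeholder domains), NOT the dropped file from the report:
# no title, a hidden iframe, and a credential form posting to a third-party host.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example.com/ns.html" style="display:none"></iframe>
<form action="https://collector.example.net/post.php" method="post">
  <input type="email" name="u"><input type="password" name="p">
  <input type="submit" value="View document">
</form>
<script>var s = "placeholder";</script>
</body></html>"""


def _zip_of(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_zip():  # mirrors the one-member archive seen in the process tree
    return _zip_of({"SARS OUTSTANDING LETTER OF DEMAND.html": SAMPLE_HTML})


def build_benign_zip():  # control case: mixed content, titled HTML, no forms
    return _zip_of({"invoice.pdf": b"%PDF-1.4 constructed stub",
                    "readme.html": "<html><head><title>Readme</title></head><body>hi</body></html>"})


if __name__ == "__main__":
    print(triage_archive(build_sample_zip()))
```

The threshold of two reasons is a deliberate choice: a lone missing title or a single iframe is common on legitimate pages, whereas an archive whose only content is HTML that also carries a password field is almost never business mail. Encrypted members are flagged rather than skipped, because password-protected ZIPs are a standard way to defeat exactly this kind of scan.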

        Phishing

        Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\oluilyf2.xu4\SARS OUTSTANDING LETTER OF DEMAND.html, type: DROPPED
        Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\evppz250.yan\SARS OUTSTANDING LETTER OF DEMAND.html, type: DROPPED
        Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\fsnnqwuj.h1e\SARS OUTSTANDING LETTER OF DEMAND.html, type: DROPPED
        Source: https://cloudfiles.io/  HTTP Parser: Iframe src: https://www.googletagmanager.com/ns.html?id=GTM-P8KQL93
        Source: https://cloudfiles.io/  HTTP Parser: Iframe src: https://www.youtube.com/embed/1rkTwk6PKdY?autoplay=0&mute=0&controls=0&origin=https%3A%2F%2Fcloudfiles.io&playsinline=1&showinfo=0&rel=0&iv_load_policy=3&modestbranding=1&enablejsapi=1&widgetid=1
        Source: https://cloudfiles.io/  HTTP Parser: Iframe src: https://app.hubspot.com/conversations-visitor/20182553/threads/utk/e86f3294fabf4298bfb6731338a898f9?uuid=9cb37ca1f6ae46778bde47f4ac4692ca&mobile=false&mobileSafari=false&hideWelcomeMessage=false&hstc=null&domain=cloudfiles.io&inApp53=false&messagesUtk=e86f3294fabf4298bfb6731338a898f9&url=https%3A%2F%2Fcloudfiles.io%2F&inline=false&isFullscreen=false&globalCookieOptOut=null&isFirstVisitorSession=true&isAttachmentDisabled=false&enableWidgetCookieBanner=false&isInCMS=false
        Source: https://cloudfiles.io/  HTTP Parser: HTML title missing
        Source: https://cloudfiles.io/  HTTP Parser: No <meta name="author".. found
        Source: https://cloudfiles.io/  HTTP Parser: No <meta name="copyright".. found
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe  Directory created: C:\Program Files\Google\GoogleUpdater
        Source: C:\Windows\SysWOW64\unarchiver.exe  File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: unknown  HTTPS traffic detected: 76.76.21.21:443 -> 192.168.2.3:49746 version: TLS 1.2
        Source: unknown  HTTPS traffic detected: 76.76.21.21:443 -> 192.168.2.3:49922 version: TLS 1.2
        Source: unknown  HTTPS traffic detected: 76.76.21.21:443 -> 192.168.2.3:49921 version: TLS 1.2
        Source: unknown  HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.3:49934 version: TLS 1.2
        Source: unknown  HTTPS traffic detected: 142.250.186.182:443 -> 192.168.2.3:49935 version: TLS 1.2
        Source: unknown  HTTPS traffic detected: 104.19.154.83:443 -> 192.168.2.3:49941 version: TLS 1.2
        Source: unknown  HTTPS traffic detected: 104.19.154.83:443 -> 192.168.2.3:49943 version: TLS 1.2
        Source: unknown  HTTPS traffic detected: 76.76.21.21:443 -> 192.168.2.3:49958 version: TLS 1.2
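Pulling indicators out of report lines in the layout used on this page (process tree entries with MD5s, Yara matches on dropped files, iframe sources, TLS peers). This is added example code, not part of Joe Sandbox; the lines it parses are constructed copies of lines from this report. One assumption is labelled in the code: unarchiver.exe, the 7za.exe it launches with the `-pinfected` password, and their conhost.exe are treated as the analysis harness extracting the download rather than as the sample, so their hashes are kept apart from the sample's indicators. That is the same reason the "4x nop then jmp" code-function hits attributed to unarchiver.exe below deserve a second look before they are read as evidence about the phishing page.

```python
import re
from urllib.parse import urlparse

# Assumption: these images are the sandbox's own archive-extraction harness
# (unarchiver.exe runs 7za.exe with the conventional "infected" password), so
# behaviour and hashes attributed to them describe tooling, not the sample.
ANALYSIS_HELPERS = {"unarchiver.exe", "7za.exe", "conhost.exe"}

# Constructed sample: lines copied into the layout of the report above.
SAMPLE_REPORT_LINES = [
    r'• chrome.exe (PID: 5928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 0FEC2748F363150DC54C1CAFFB1A9408)',
    r'    • unarchiver.exe (PID: 2768 cmdline: "C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND.zip" MD5: 9DE2E060A2985A232D8B96F9EC847A19)',
    r'      • 7za.exe (PID: 5912 cmdline: "C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fsnnqwuj.h1e" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND.zip" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)',
    r'        • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)',
    r'Source: Yara match  File source: C:\Users\user\AppData\Local\Temp\oluilyf2.xu4\SARS OUTSTANDING LETTER OF DEMAND.html, type: DROPPED',
    'Source: https://cloudfiles.io/  HTTP Parser: Iframe src: https://www.googletagmanager.com/ns.html?id=GTM-P8KQL93',
    'Source: https://cloudfiles.io/  HTTP Parser: Iframe src: https://app.hubspot.com/conversations-visitor/20182553/threads/utk/e86f3294fabf4298bfb6731338a898f9?uuid=9cb37ca1f6ae46778bde47f4ac4692ca',
    'Source: unknown  HTTPS traffic detected: 76.76.21.21:443 -> 192.168.2.3:49746 version: TLS 1.2',
    'Source: unknown  HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.3:49934 version: TLS 1.2',
    'Source: unknown  HTTPS traffic detected: 104.19.154.83:443 -> 192.168.2.3:49941 version: TLS 1.2',
    'Source: unknown  HTTPS traffic detected: 76.76.21.21:443 -> 192.168.2.3:49958 version: TLS 1.2',
]

# Non-greedy cmdline capture copes with the stripped leading quote seen in
# extracted reports ("chrome.exe" --flag ...) as well as properly quoted lines.
PROC_RE = re.compile(
    r'^\s*[•*-]?\s*(?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*?) '
    r'MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$')
TLS_RE = re.compile(
    r'HTTPS traffic detected: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) -> '
    r'(?P<lip>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+) version: (?P<ver>TLS [\d.]+)')
IFRAME_RE = re.compile(r'Iframe src: (?P<url>\S+)')
# \s* tolerates both "Yara match  File source:" and the run-together "Yara matchFile source:"
YARA_RE = re.compile(r'Yara match\s*File source: (?P<path>.+?), type: (?P<kind>\w+)')


def parse_process_line(line):
    """Return {image, pid, cmdline, md5, harness} for a process-tree line, else None."""
    m = PROC_RE.match(line)
    if not m:
        return None
    image = m["image"].lower()
    return {"image": image, "pid": int(m["pid"]), "cmdline": m["cmd"],
            "md5": m["md5"].upper(),
            "harness": image in ANALYSIS_HELPERS or "-pinfected" in m["cmd"]}


def extract_iocs(lines):
    iocs = {"remote_ips": set(), "tls_versions": set(), "iframe_hosts": set(),
            "process_hashes": {}, "helper_processes": {}, "dropped_files": []}
    for line in lines:
        proc = parse_process_line(line)
        if proc:
            bucket = "helper_processes" if proc["harness"] else "process_hashes"
            iocs[bucket][proc["image"]] = proc["md5"]
            continue
        m = TLS_RE.search(line)
        if m:
            iocs["remote_ips"].add(m["ip"])
            iocs["tls_versions"].add(m["ver"])
            continue
        m = IFRAME_RE.search(line)
        if m:
            host = urlparse(m["url"]).hostname
            if host:
                iocs["iframe_hosts"].add(host)
            continue
        m = YARA_RE.search(line)
        if m and m["kind"] == "DROPPED":
            iocs["dropped_files"].append(m["path"])
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(SAMPLE_REPORT_LINES).items():
        print(f"{key}: {value}")
```

The remote IPs and iframe hosts come from cloudfiles.io and its third-party widgets, so treat them as context for the lure's hosting, not as blocklist entries; the dropped-file path and its Yara rule name are the indicators worth carrying into a hunt.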
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 03020B1Ch  12_2_030202C8
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 030211B7h  12_2_030202C8
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 03020B1Ch  12_2_03020AB7
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 03020B1Ch  12_2_030202B9
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 03020B1Ch  12_2_03020A7C
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 01210B1Ch  17_2_012102C8
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 012111B7h  17_2_012102C8
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 01210B1Ch  17_2_01210AB7
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 01210B1Ch  17_2_012102BC
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 01210B1Ch  17_2_01210A7C
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 054A0B1Ch  20_2_054A02C8
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 054A11B7h  20_2_054A02C8
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 054A0B1Ch  20_2_054A02B9
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 054A0B1Ch  20_2_054A0A7C
        Source: C:\Windows\SysWOW64\unarchiver.exe  Code function: 4x nop then jmp 054A0B1Ch  20_2_054A0AB7
        Source: global traffic  HTTP traffic detected: POST",e,d);else if(g.O("USE_NET_AJAX_FOR_PING_TRANSPORT",!1)||d)Iu(a,b,"GET","",d,void 0,f);else{b:{try{var l=new Dga({url:a});if(l.B&&l.u||l.C){var m=oi(g.qi(5,a));var n=!(!m||!m.endsWith("/aclk")||"1"!==Ai(a,"ri"));break b}}catch(p){}n=!1}n?moa(a)?(b&&b(),h=!0):h=!1:h=!1;h||noa(a,b)}};moa=function(a,b){try{if(window.navigator&&window.navigator.sendBeacon&&window.navigator.sendBeacon(a,void 0===b?"":b))return!0}catch(c){}return!1};noa=function(a,b){var c=new Image,d=""+ooa++;dx[d]=c;c.onload=c.onerror=function(){b&&dx[d]&&b();delete dx[d]};c.src=a};ex=function(){this.j=new Map;this.u=!1};fx=function(){if(!ex.j){var a=g.Ia("yt.networkRequestMonitor.instance")||new ex;g.Ha("yt.networkRequestMonitor.instance",a);ex.j=a}return ex.j};hx=function(){gx||(gx=new Hv("yt.offline"));return gx};poa=function(a){if(g.S("offline_error_handling")){var b=hx().get("errors",!0)||{};b[a.message]={name:a.name,stack:a.stack};a.level&&(b[a.message].level=a.level);hx().set("errors",b,2592E3,!0)}};ix=function(){g.Uf.call(this);var a=this;this.u=!1;this.j=lka();this.j.Ra("networkstatus-online",function(){if(a.u&&g.S("offline_error_handling")){var b=hx().get("errors",!0);if(b){for(var c in b)if(b[c]){var d=new g.Zv(c,"sent via offline_errors");d.name=b[c].name;d.stack=b[c].stack;d.level=b[c].level;g.n
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49865
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49986
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49864
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49985
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49863
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49984
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49741
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49862
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49983
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49740
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49861
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49982
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49860
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49981
        Source: unknown  Network traffic detected: HTTP traffic on port 49898 -> 443
        Source: unknown  Network traffic detected: HTTP traffic on port 49875 -> 443
        Source: unknown  Network traffic detected: HTTP traffic on port 49852 -> 443
        Source: unknown  Network traffic detected: HTTP traffic on port 49795 -> 443
        Source: unknown  Network traffic detected: HTTP traffic on port 49990 -> 443
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49739
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49859
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49858
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49979
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49857
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49978
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49856
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49977
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49734
        Source: unknown  Network traffic detected: HTTP traffic on port 49772 -> 443
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49855
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49976
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49733
        Source: unknown  Network traffic detected: HTTP traffic on port 49841 -> 443
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49854
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49732
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49853
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49974
        Source: unknown  Network traffic detected: HTTP traffic on port 50085 -> 443
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49852
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49973
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49730
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49851
        Source: unknown  Network traffic detected: HTTP traffic on port 443 -> 49850
        Sou