
Windows Analysis Report
https://cloudfil.es/ly7mR8utBQ5

Overview

General Information

Sample URL: https://cloudfil.es/ly7mR8utBQ5
Analysis ID: 708252

Detection

HTMLPhisher
Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish44
Found inlined nop instructions (likely shell or obfuscated code)
Found iframes
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
No HTML title found
Detected potential crypto function
HTTP GET or POST without a user agent
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)

Classification

  • System is w10x64
  • chrome.exe (PID: 5928 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 1572 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1772,i,13935456055298204775,6851687727719502408,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • unarchiver.exe (PID: 2768 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND.zip MD5: 9DE2E060A2985A232D8B96F9EC847A19)
      • 7za.exe (PID: 5912 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\fsnnqwuj.h1e" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • chrome.exe (PID: 3560 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3636 --field-trial-handle=1772,i,13935456055298204775,6851687727719502408,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 6268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 --field-trial-handle=1772,i,13935456055298204775,6851687727719502408,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • unarchiver.exe (PID: 1768 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND (1).zip MD5: 9DE2E060A2985A232D8B96F9EC847A19)
      • 7za.exe (PID: 4852 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\oluilyf2.xu4" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND (1).zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • unarchiver.exe (PID: 4788 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND (2).zip MD5: 9DE2E060A2985A232D8B96F9EC847A19)
      • 7za.exe (PID: 7164 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\evppz250.yan" "C:\Users\user\Downloads\SARS OUTSTANDING LETTER OF DEMAND (2).zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 5772 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • chrome.exe (PID: 760 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "https://cloudfil.es/ly7mR8utBQ5 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\oluilyf2.xu4\SARS OUTSTANDING LETTER OF DEMAND.html | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
C:\Users\user\AppData\Local\Temp\evppz250.yan\SARS OUTSTANDING LETTER OF DEMAND.html | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
C:\Users\user\AppData\Local\Temp\fsnnqwuj.h1e\SARS OUTSTANDING LETTER OF DEMAND.html | JoeSecurity_HtmlPhish_44 | Yara detected HtmlPhish_44 | Joe Security |
No Sigma rule has matched
No Snort rule has matched

Phishing

Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\oluilyf2.xu4\SARS OUTSTANDING LETTER OF DEMAND.html, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\evppz250.yan\SARS OUTSTANDING LETTER OF DEMAND.html, type: DROPPED
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\fsnnqwuj.h1e\SARS OUTSTANDING LETTER OF DEMAND.html, type: DROPPED
Source: https://cloudfiles.io/, HTTP Parser: Iframe src: https://www.googletagmanager.com/ns.html?id=GTM-P8KQL93
Source: https://cloudfiles.io/, HTTP Parser: Iframe src: https://www.youtube.com/embed/1rkTwk6PKdY?autoplay=0&mute=0&controls=0&origin=https%3A%2F%2Fcloudfiles.io&playsinline=1&showinfo=0&rel=0&iv_load_policy=3&modestbranding=1&enablejsapi=1&widgetid=1
Source: https://cloudfiles.io/, HTTP Parser: Iframe src: https://app.hubspot.com/conversations-visitor/20182553/threads/utk/e86f3294fabf4298bfb6731338a898f9?uuid=9cb37ca1f6ae46778bde47f4ac4692ca&mobile=false&mobileSafari=false&hideWelcomeMessage=false&hstc=null&domain=cloudfiles.io&inApp53=false&messagesUtk=e86f3294fabf4298bfb6731338a898f9&url=https%3A%2F%2Fcloudfiles.io%2F&inline=false&isFullscreen=false&globalCookieOptOut=null&isFirstVisitorSession=true&isAttachmentDisabled=false&enableWidgetCookieBanner=false&isInCMS=false
Source: https://cloudfiles.io/, HTTP Parser: HTML title missing
Source: https://cloudfiles.io/, HTTP Parser: No <meta name="author".. found
Source: https://cloudfiles.io/, HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Directory created: C:\Program Files\Google\GoogleUpdater
Source: C:\Windows\SysWOW64\unarchiver.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll