Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Milwaukeetool Payment.hTml

Overview

General Information

Sample Name:Milwaukeetool Payment.hTml
Analysis ID:715060
MD5:148dbfa4a28fb631b5b4180c98daf28d
SHA1:6f731eb3f50a128dab017b2fe83cbb03219a91d4
SHA256:58bb9db8b22c7b91c7c494b9a2d65a40a82cf9a7fc6ab1168e2ef6f105f7b7fb
Infos:

Detection

HTMLPhisher
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected HtmlPhish44
Yara detected obfuscated html page
HTML document with suspicious name
Yara signature match
IP address seen in connection with other malware

Classification

  • System is w10x64
  • chrome.exe (PID: 5772 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 5940 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1700,i,2030005579113327324,13011269261470832477,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • chrome.exe (PID: 4912 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Milwaukeetool Payment.hTml MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
Milwaukeetool Payment.hTmlSUSP_obfuscated_JS_obfuscatorioDetect JS obfuscation done by the js obfuscator (often malicious)@imp0rtp3
  • 0x156:$c8: while(!![])
  • 0x175:$d1: parseInt(_0x483f24(0x177))/0x1+-parseInt(_0x483f24(0x169))/0x2+parseInt(_0x483f24(0x171))/0x3+-parseInt(_0x483f24(0x175))/0x4+parseInt(_0x483f24(0x163))/0x5+-parseInt(_0x483f24(0x16f))/0x6*(
  • 0x195:$d1: parseInt(_0x483f24(0x169))/0x2+parseInt(_0x483f24(0x171))/0x3+-parseInt(_0x483f24(0x175))/0x4+parseInt(_0x483f24(0x163))/0x5+-parseInt(_0x483f24(0x16f))/0x6*(parseInt(_0x483f24(0x16a))/0x7)+
Milwaukeetool Payment.hTmlJoeSecurity_ObshtmlYara detected obfuscated html pageJoe Security
    Milwaukeetool Payment.hTmlJoeSecurity_HtmlPhish_44Yara detected HtmlPhish_44Joe Security
      No Sigma rule has matched
      No Snort rule has matched

      Click to jump to signature section

      Show All Signature Results

      Phishing

      barindex
      Source: Yara matchFile source: Milwaukeetool Payment.hTml, type: SAMPLE
      Source: Yara matchFile source: Milwaukeetool Payment.hTml, type: SAMPLE
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
      Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
      Source: unknownDNS traffic detected: queries for: clients2.google.com
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
      Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
      Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49691
      Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49691 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
      Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
      Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: __Secure-ENID=6.SE=Md0Ynyf9ahpkx1CxTGF0vY434NJ6ymH-gDI2Tl5Ly-NQYGPjnNfggtiFRMAwx4JRDOC_gavEPcD5cTBJzUgtbJobmBEuJ8xi2UuotxvOZgApoqSIg1b0RP47U08XG8Bz_SExSzKy0ETSsajbToDlYyFsxfI93p7AyRAd-OeIBA0; CONSENT=PENDING+070

      System Summary

      barindex
      Source: Name includes: Milwaukeetool Payment.hTmlInitial sample: payment
      Source: Milwaukeetool Payment.hTml, type: SAMPLEMatched rule: SUSP_obfuscated_JS_obfuscatorio date = 2021-08-25, author = @imp0rtp3, description = Detect JS obfuscation done by the js obfuscator (often malicious), score = , reference = https://obfuscator.io
      Source: classification engineClassification label: mal60.phis.winHTML@28/0@7/6
      Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1700,i,2030005579113327324,13011269261470832477,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
      Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\user\Desktop\Milwaukeetool Payment.hTml
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1700,i,2030005579113327324,13011269261470832477,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8Jump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\GoogleUpdaterJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath Interception1
      Process Injection
      2
      Masquerading
      OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network Medium1
      Encrypted Channel
      Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
      Process Injection
      LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth3
      Non-Application Layer Protocol
      Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration4
      Application Layer Protocol
      Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled Transfer1
      Ingress Tool Transfer
      SIM Card SwapCarrier Billing Fraud
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.