Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
http://www.cpskb0.com/darterp.php?z=hemorrhoid

Overview

General Information

Sample URL:http://www.cpskb0.com/darterp.php?z=hemorrhoid
Analysis ID:715086
Infos:

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

No high impact signatures.

Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
  • System is w10x64_ra
  • chrome.exe (PID: 6000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.cpskb0.com/darterp.php?z=hemorrhoid MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
    • chrome.exe (PID: 2312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1824,i,11055943044610990432,15687841212519678928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdater
Source: global trafficHTTP traffic detected: GET /darterp.php?z=hemorrhoid HTTP/1.1Host: www.cpskb0.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.cpskb0.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://www.cpskb0.com/darterp.php?z=hemorrhoidAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: unknownDNS traffic detected: queries for: accounts.google.com
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingDate: Mon, 03 Oct 2022 14:07:57 GMTLast-Modified: Mon, 03 Oct 2022 13:07:57 GMTExpires: Mon, 03 Oct 2022 13:37:57 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Cache-Control: max-age=0Pragma: no-cacheContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8e cb 0e 82 30 10 45 7f 65 64 2f 83 86 e5 a4 0b 79 44 12 44 62 ca c2 25 a6 43 20 41 8a b4 68 fc 7b ab dd b8 99 e4 de 7b 72 32 b4 49 cf 89 bc d6 19 1c e5 a9 84 ba 39 94 45 02 c1 16 b1 c8 64 8e 98 ca d4 2f fb 30 42 cc aa 40 50 6f ef a3 bb dc 2a 41 76 b0 23 8b 38 8a a1 d2 16 72 bd 4e 8a d0 97 84 1e b9 69 f5 76 f8 4e fc 11 2e d1 2c 64 cf b0 f0 63 65 63 59 41 73 29 e1 d5 1a 98 9c a8 fb 8a 40 4f 60 fb c1 80 e1 e5 c9 4b 48 38 0b 42 af c3 df 13 1f 46 56 d5 16 bd 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0Eed/yDDb%C Ah{{r2I9Ed/0B@Po*Av#8rNivN.,dcecYAs)@O`KH8BFV0
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 03 Oct 2022 14:07:58 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49688 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: classification engineClassification label: clean0.win@25/0@5/111
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\GoogleUpdater
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.cpskb0.com/darterp.php?z=hemorrhoid
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1824,i,11055943044610990432,15687841212519678928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1824,i,11055943044610990432,15687841212519678928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdater
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath Interception1
Process Injection
2
Masquerading
OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network Medium2
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Process Injection
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth3
Non-Application Layer Protocol
Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration4
Application Layer Protocol
Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled Transfer3
Ingress Tool Transfer
SIM Card SwapCarrier Billing Fraud

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
http://www.cpskb0.com/darterp.php?z=hemorrhoid0%Avira URL Cloudsafe
No Antivirus matches
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://www.cpskb0.com/favicon.ico0%Avira URL Cloudsafe
NameIPActiveMaliciousAntivirus DetectionReputation
accounts.google.com
142.250.185.109
truefalse
    high
    www.cpskb0.com
    104.233.253.189
    truefalse
      unknown
      www.google.com
      172.217.16.132
      truefalse
        high
        clients.l.google.com
        142.250.186.110
        truefalse
          high
          clients2.google.com
          unknown
          unknownfalse
            high
            NameMaliciousAntivirus DetectionReputation
            http://www.cpskb0.com/darterp.php?z=hemorrhoidfalse
              unknown
              http://www.cpskb0.com/darterp.php?z=hemorrhoidfalse
                unknown
                http://www.cpskb0.com/favicon.icofalse
                • Avira URL Cloud: safe
                unknown
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
                IPDomainCountryFlagASNASN NameMalicious
                142.250.185.109
                accounts.google.comUnited States
                15169GOOGLEUSfalse
                104.233.253.189
                www.cpskb0.comUnited States
                137443ANCHGLOBAL-AS-APAnchnetAsiaLimitedHKfalse
                142.250.186.68
                unknownUnited States
                15169GOOGLEUSfalse
                142.250.186.35
                unknownUnited States
                15169GOOGLEUSfalse
                34.104.35.123
                unknownUnited States
                15169GOOGLEUSfalse
                239.255.255.250
                unknownReserved
                unknownunknownfalse
                142.250.185.195
                unknownUnited States
                15169GOOGLEUSfalse
                142.250.186.110
                clients.l.google.comUnited States
                15169GOOGLEUSfalse
                142.250.186.132
                unknownUnited States
                15169GOOGLEUSfalse
                IP
                192.168.2.1
                127.0.0.1
                Joe Sandbox Version:36.0.0 Rainbow Opal
                Analysis ID:715086
                Start date and time:2022-10-03 16:07:27 +02:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:
                Hypervisor based Inspection enabled:false
                Report type:light
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Sample URL:http://www.cpskb0.com/darterp.php?z=hemorrhoid
                Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
                Number of analysed new started processes analysed:12
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • EGA enabled
                Analysis Mode:stream
                Analysis stop reason:Timeout
                Detection:CLEAN
                Classification:clean0.win@25/0@5/111
                • Exclude process from analysis (whitelisted): SIHClient.exe
                • Excluded IPs from analysis (whitelisted): 20.190.159.75, 40.126.31.69, 20.190.159.68, 40.126.31.67, 20.190.159.4, 40.126.31.73, 20.190.159.71, 20.190.159.64, 142.250.185.195, 34.104.35.123
                • Excluded domains from analysis (whitelisted): fs.microsoft.com, prda.aadg.msidentity.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, clientservices.googleapis.com, www.tm.a.prd.aadg.akadns.net, login.msa.msidentity.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                • Not all processes where analyzed, report is missing behavior information
                No created / dropped files found
                No static file info