Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
http://www.cpskb0.com/darterp.php?z=hemorrhoid

Overview

General Information

Sample URL:http://www.cpskb0.com/darterp.php?z=hemorrhoid
Analysis ID:715086
Infos:

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

No high impact signatures.

Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.

Process Tree

  • System is w10x64_ra
  • chrome.exe (PID: 6000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.cpskb0.com/darterp.php?z=hemorrhoid MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
    • chrome.exe (PID: 2312 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1824,i,11055943044610990432,15687841212519678928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
  • cleanup

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdater
Source: global trafficHTTP traffic detected: GET /darterp.php?z=hemorrhoid HTTP/1.1Host: www.cpskb0.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.cpskb0.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Referer: http://www.cpskb0.com/darterp.php?z=hemorrhoidAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: unknownDNS traffic detected: queries for: accounts.google.com
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveVary: Accept-EncodingDate: Mon, 03 Oct 2022 14:07:57 GMTLast-Modified: Mon, 03 Oct 2022 13:07:57 GMTExpires: Mon, 03 Oct 2022 13:37:57 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Cache-Control: max-age=0Pragma: no-cacheContent-Encoding: gzipData Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8e cb 0e 82 30 10 45 7f 65 64 2f 83 86 e5 a4 0b 79 44 12 44 62 ca c2 25 a6 43 20 41 8a b4 68 fc 7b ab dd b8 99 e4 de 7b 72 32 b4 49 cf 89 bc d6 19 1c e5 a9 84 ba 39 94 45 02 c1 16 b1 c8 64 8e 98 ca d4 2f fb 30 42 cc aa 40 50 6f ef a3 bb dc 2a 41 76 b0 23 8b 38 8a a1 d2 16 72 bd 4e 8a d0 97 84 1e b9 69 f5 76 f8 4e fc 11 2e d1 2c 64 cf b0 f0 63 65 63 59 41 73 29 e1 d5 1a 98 9c a8 fb 8a 40 4f 60 fb c1 80 e1 e5 c9 4b 48 38 0b 42 af c3 df 13 1f 46 56 d5 16 bd 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0Eed/yDDb%C Ah{{r2I9Ed/0B@Po*Av#8rNivN.,dcecYAs)@O`KH8BFV0
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 03 Oct 2022 14:07:58 GMTContent-Type: text/htmlContent-Length: 548Connection: keep-aliveData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49688 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49805 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49805
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.132
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: unknownTCP traffic detected without corresponding DNS query: 142.250.186.35
Source: classification engineClassification label: clean0.win@25/0@5/111
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\GoogleUpdater
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.cpskb0.com/darterp.php?z=hemorrhoid
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1824,i,11055943044610990432,15687841212519678928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1824,i,11055943044610990432,15687841212519678928,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdater

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath Interception1
Process Injection		2
Masquerading		OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network Medium2
Encrypted Channel		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Process Injection		LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth3
Non-Application Layer Protocol		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration4
Application Layer Protocol		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled Transfer3
Ingress Tool Transfer		SIM Card SwapCarrier Billing Fraud

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.