Windows Analysis Report
https://www.evernote.com/shard/s443/sh/16f13b8c-02ff-0a26-4836-50c84b9d360b/0d9feaf1d42defc3a56edc7c078ed34b

Overview

General Information

Sample URL: https://www.evernote.com/shard/s443/sh/16f13b8c-02ff-0a26-4836-50c84b9d360b/0d9feaf1d42defc3a56edc7c078ed34b
Analysis ID: 756134

Detection

HTMLPhisher
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Every phishing signature in this report fires on C:\Users\alfredo\Downloads\message html.html, an HTML file that Chrome wrote to the Downloads folder during the visit to the Evernote note and that was then opened from disk (file:///). The sample URL itself is the delivery point (URL scanners rate it safe / 1%); the local HTML file is the object the URL table marks as malicious. A dropped HTML file listed at the end of the report starts with document.write(decodeURIComponent(atob(...))), i.e. the visible markup is rebuilt at runtime from a Base64 payload, which is why static inspection of the outer file shows little more than a script tag.

Signatures

Yara detected HtmlPhish10
Phishing site detected (based on image similarity)
HTML body contains low number of good links
Invalid T&C link found
None HTTPS page querying sensitive user data (password, username or email)
No HTML title found

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 6268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.evernote.com/shard/s443/sh/16f13b8c-02ff-0a26-4836-50c84b9d360b/0d9feaf1d42defc3a56edc7c078ed34b MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
    • chrome.exe (PID: 6432 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1876,i,5793143598287430493,15367685435829181166,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 7BC7B4AEDC055BB02BCB52710132E9E1)
  • cleanup
Yara matches (Source | Rule | Description | Author | Strings)
    35583.3.pages.csv | JoeSecurity_HtmlPhish_10 | Yara detected HtmlPhish_10 | Joe Security |
    No Sigma rule has matched
    No Snort rule has matched

    Phishing

    Source: Yara match | File source: 35583.3.pages.csv, type: HTML
    Source: file:///C:/Users/alfredo/Downloads/message%20html.html | Matcher: Found strong image similarity, brand: Microsoft, image: 35583.3.img.1.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB
    Source: file:///C:/Users/alfredo/Downloads/message%20html.html | Matcher: Found strong image similarity, brand: Microsoft, image: 67460.4.img.1.gfk.csv EF884BDEDEF280DF97A4C5604058D8DB
    (the two image-similarity matches above are each listed 10 times in the report)
    Source: file:///C:/Users/alfredo/Downloads/message%20html.html | HTTP Parser: Number of links: 1
    Source: file:///C:/Users/alfredo/Downloads/message%20html.html | HTTP Parser: Invalid link: Privacy & Cookies
    Source: file:///C:/Users/alfredo/Downloads/message%20html.html | HTTP Parser: Has password / email / username input fields
    Source: file:///C:/Users/alfredo/Downloads/message%20html.html | HTTP Parser: HTML title missing
    Source: file:///C:/Users/alfredo/Downloads/message%20html.html | HTTP Parser: No <meta name="author".. found
    Source: file:///C:/Users/alfredo/Downloads/message%20html.html | HTTP Parser: No <meta name="copyright".. found
    (each HTTP Parser finding above is listed twice in the report)
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\GoogleUpdater
    Source: unknown | HTTPS traffic detected: 35.190.3.250:443 -> 192.168.2.3:49730 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 185.199.108.153:443 -> 192.168.2.3:49769 version: TLS 1.2
    Source: unknown | DNS traffic detected: queries for: accounts.google.com
    Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions (client port -> 443 and 443 -> client port), for 35 client ports: 49695, 49696, 49699, 49700, 49701, 49705, 49706, 49707, 49715, 49716, 49717, 49719, 49720, 49721, 49722, 49723, 49724, 49725, 49727, 49729, 49730, 49746, 49747, 49749, 49751, 49752, 49753, 49769, 49773, 49805, 49819, 49825, 49830, 49848, 49882 (70 entries in the report)
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
    Source: unknown | TCP traffic detected without corresponding DNS query: 198.54.119.160 (11 occurrences)
    Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.74.195 (24 occurrences)
    Source: classification engine | Classification label: mal52.phis.win@33/3@15/209
    Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.evernote.com/shard/s443/sh/16f13b8c-02ff-0a26-4836-50c84b9d360b/0d9feaf1d42defc3a56edc7c078ed34b
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1876,i,5793143598287430493,15367685435829181166,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 (listed twice in the report)
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (30 occurrences)
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\Google\GoogleUpdater
    Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\alfredo\Downloads\b72f04df-137b-4b17-9464-6169414c94f2.tmp
    Source: Window Recorder | Window detected: More than 3 window changes detected
    MITRE ATT&CK matrix (standard Joe Sandbox layout; a leading number is the count of signatures matched for that technique, cells without a number are unmatched placeholders)
    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | 1 Process Injection | 3 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Matched techniques: Process Injection (1 under Privilege Escalation, 1 under Defense Evasion), Masquerading (3), Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2)

    URL scanners (Source | Detection | Scanner | Label / Link)
    https://www.evernote.com/shard/s443/sh/16f13b8c-02ff-0a26-4836-50c84b9d360b/0d9feaf1d42defc3a56edc7c078ed34b | 0% | Avira URL Cloud | safe
    https://www.evernote.com/shard/s443/sh/16f13b8c-02ff-0a26-4836-50c84b9d360b/0d9feaf1d42defc3a56edc7c078ed34b | 1% | Virustotal | Browse
    No Antivirus matches (the report repeats this for four further scanner categories)
    Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
    stackpath.bootstrapcdn.com | 104.18.11.207 | true | false | none | high
    accounts.google.com | 142.250.181.237 | true | false | none | high
    dashboard.svc.www.evernote.com | 35.190.3.250 | true | false | none | high
    holligoat.github.io | 185.199.108.153 | true | false | none | unknown
    cdnjs.cloudflare.com | 104.17.24.14 | true | false | none | high
    maxcdn.bootstrapcdn.com | 104.18.11.207 | true | false | none | high
    www.google.com | 142.250.186.36 | true | false | none | high
    clients.l.google.com | 142.250.185.206 | true | false | none | high
    stats.g.doubleclick.net | 64.233.167.156 | true | false | none | high
    clients2.google.com | unknown | unknown | false | none | high
    code.jquery.com | unknown | unknown | false | none | high
    content.evernote.com | unknown | unknown | false | none | high
    www.evernote.com | unknown | unknown | false | none | high
    URLs (Name | Malicious | Antivirus Detection | Reputation)
    https://www.evernote.com/shard/s443/client/snv/ce | false | none | high
    https://www.evernote.com/shard/s443/client/snv?noteGuid=16f13b8c-02ff-0a26-4836-50c84b9d360b&noteKey=0d9feaf1d42defc3a56edc7c078ed34b&sn=https%3A%2F%2Fwww.evernote.com%2Fshard%2Fs443%2Fsh%2F16f13b8c-02ff-0a26-4836-50c84b9d360b%2F0d9feaf1d42defc3a56edc7c078ed34b&title=Lexington%2BPublic%2BLibrary%2B%2526%2BLibrary%2BFoundation | false | none | high
    file:///C:/Users/alfredo/Downloads/message%20html.html | true | none | low
    Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
    88.221.168.234 | unknown | European Union | 16625 | AKAMAI-ASUS | false
    104.17.24.14 | cdnjs.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false
    142.250.185.67 | unknown | United States | 15169 | GOOGLEUS | false
    142.250.185.206 | clients.l.google.com | United States | 15169 | GOOGLEUS | false
    34.104.35.123 | unknown | United States | 15169 | GOOGLEUS | false
    64.233.167.156 | stats.g.doubleclick.net | United States | 15169 | GOOGLEUS | false
    216.58.212.131 | unknown | United States | 15169 | GOOGLEUS | false
    23.3.108.212 | unknown | United States | 16625 | AKAMAI-ASUS | false
    198.54.119.160 | unknown | United States | 22612 | NAMECHEAP-NETUS | false
    142.250.185.202 | unknown | United States | 15169 | GOOGLEUS | false
    142.250.181.237 | accounts.google.com | United States | 15169 | GOOGLEUS | false
    104.18.11.207 | stackpath.bootstrapcdn.com | United States | 13335 | CLOUDFLARENETUS | false
    216.239.38.178 | unknown | United States | 15169 | GOOGLEUS | false
    239.255.255.250 | unknown | Reserved | unknown | unknown | false
    69.16.175.10 | unknown | United States | 20446 | HIGHWINDS3US | false
    35.190.3.250 | dashboard.svc.www.evernote.com | United States | 15169 | GOOGLEUS | false
    185.199.108.153 | holligoat.github.io | Netherlands | 54113 | FASTLYUS | false
    172.217.16.196 | unknown | United States | 15169 | GOOGLEUS | false
    142.250.184.234 | unknown | United States | 15169 | GOOGLEUS | false
    142.250.74.195 | unknown | United States | 15169 | GOOGLEUS | false
    IP (private / local addresses): 192.168.2.2, 192.168.2.1, 127.0.0.1
                                    Joe Sandbox Version:36.0.0 Rainbow Opal
                                    Analysis ID:756134
                                    Start date and time:2022-11-29 17:12:37 +01:00
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                    Sample URL:https://www.evernote.com/shard/s443/sh/16f13b8c-02ff-0a26-4836-50c84b9d360b/0d9feaf1d42defc3a56edc7c078ed34b
                                    Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
                                    Number of analysed new started processes analysed:13
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • EGA enabled
                                    Analysis Mode:stream
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal52.phis.win@33/3@15/209
                                    • Exclude process from analysis (whitelisted): SIHClient.exe
                                    • Excluded IPs from analysis (whitelisted): 88.221.168.234, 216.58.212.131, 34.104.35.123, 216.239.38.178, 216.239.36.178, 216.239.34.178, 216.239.32.178, 23.3.108.212, 142.250.184.234, 69.16.175.10, 69.16.175.42, 142.250.185.202, 142.250.185.195, 142.250.185.67
                                    • Excluded domains from analysis (whitelisted): www.bing.com, fonts.googleapis.com, cds.s5x3j6q5.hwcdn.net, fs.microsoft.com, www.evernote.com.edgekey.net, slscr.update.microsoft.com, ajax.googleapis.com, fonts.gstatic.com, e7641.b.akamaiedge.net, www-alv.google-analytics.com, ctldl.windowsupdate.com, clientservices.googleapis.com, edgedl.me.gvt1.com, login.live.com, www.google-analytics.com
                                    • Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtWriteVirtualMemory calls found.
                                    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                    File Type:HTML document, ASCII text, with very long lines (37045)
                                    Category:dropped
                                    Size (bytes):37526
                                    Entropy (8bit):5.325010756401686
                                    Encrypted:false
                                    SSDEEP:
                                    MD5:394934A01D5206608578A8ACBCC0AE85
                                    SHA1:B3C5FC5006E1E891AF3D5A980EEA1C50880D92E8
                                    SHA-256:94FE4884EBE70DF3F9AFDB50987BA5DA3DFD32379757AAA5C3D9BA3CBDBAA689
                                    SHA-512:E25022A4894C9B4EE41A166E473149C99B26DE37A5DEE3DE565E3467444A28F5A528DA22FC99E64DA08AB7D1DD4D63F3203C23509C17931FC8BB26FEB89631AC
                                    Malicious:false
                                    Reputation:low
                                    Preview:<!DOCTYPE html>.<html>.<script type="text/javascript">.document.write(decodeURIComponent(atob('...
                                    No static file info