Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
iata-25May2023.shtml

Overview

General Information

Sample Name:iata-25May2023.shtml
Analysis ID:876166
MD5:38f37466740c0aa09b17fd1f9c260a30
SHA1:d9dc91b0df8a03a5d14ee5de5c6d4385ad9a32cf
SHA256:48cd890109fa77fac8ee43807cd4a5e65fec600b9b7a7ea68be528ac81c4eb6a
Infos:

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected javascript redirector / loader
IP address seen in connection with other malware

Classification

  • System is w10x64
  • chrome.exe (PID: 5688 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\iata-25May2023.shtml MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
    • chrome.exe (PID: 5148 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=1812,i,18360485486545431331,5420382872932820938,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8 MD5: 0FEC2748F363150DC54C1CAFFB1A9408)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: iata-25May2023.shtmlReversingLabs: Detection: 13%

Phishing

barindex
Source: iata-25May2023.shtmlHTTP Parser: Low number of body elements: 1
Source: iata-25May2023.shtmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/iata-25May2023.shtmlHTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/iata-25May2023.shtmlHTTP Parser: No favicon
Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
Source: chrome.exeMemory has grown: Private usage: 1MB later: 33MB
Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
Source: unknownDNS traffic detected: queries for: clients2.google.com
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
Source: global trafficHTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=104.0.5112.81&lang=en-GB&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmiedaX-Goog-Update-Updater: chromecrx-104.0.5112.81Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: unknownHTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: iata-25May2023.shtmlReversingLabs: Detection: 13%
Source: classification engineClassification label: mal52.phis.winSHTML@24/0@6/7
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\iata-25May2023.shtml
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=1812,i,18360485486545431331,5420382872932820938,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=1812,i,18360485486545431331,5420382872932820938,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\GoogleUpdaterJump to behavior
Source: iata-25May2023.shtmlStatic file information: File size 3081826 > 1048576
Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\GoogleUpdaterJump to behavior
Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath Interception1
Process Injection
2
Masquerading
OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local SystemExfiltration Over Other Network Medium1
Encrypted Channel
Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
Extra Window Memory Injection
1
Process Injection
LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth3
Non-Application Layer Protocol
Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
Extra Window Memory Injection
Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration4
Application Layer Protocol
Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled Transfer1
Ingress Tool Transfer
SIM Card SwapCarrier Billing Fraud
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

This section contains all screenshots as thumbnails, including those not shown in the slideshow.