Loading ...

Analysis Report http://aquarell.spb.ru/hsapPJPwc

Overview

General Information

Joe Sandbox Version:24.0.0 Fire Opal
Analysis ID:96286
Start date:06.12.2018
Start time:22:43:59
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 1m 44s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://aquarell.spb.ru/hsapPJPwc
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.win@3/11@3/0
Cookbook Comments:
  • Adjust boot time
  • URL browsing timeout or error
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe, conhost.exe, CompatTelRunner.exe
Errors:
  • URL not reachable

Detection

StrategyScoreRangeReportingDetection
Threshold560 - 100Report FP / FNmalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

All domains contacted by the sample do not resolve. Likely the sample is an old dropper which does no longer work
Joe Sandbox was unable to browse the URL (domain or webserver down or HTTPS issue), try to browse the URL again later



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsFile System Logical OffsetsCredential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol1
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol1

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: http://aquarell.spb.ru/hsapPJPwcRootAvira URL Cloud: Label: phishing
Source: http://aquarell.spb.ru/hsapPJPwcAvira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URLShow sources
Source: http://aquarell.spb.ru/hsapPJPwcvirustotal: Detection: 17%Perma Link
Source: aquarell.spb.ruvirustotal: Detection: 13%Perma Link
Source: http://aquarell.spb.ru/hsapPJPwcvirustotal: Detection: 17%Perma Link

Networking:

barindex
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)Show sources
Source: unknownDNS traffic detected: query: aquarell.spb.ru replaycode: Server failure (2)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: aquarell.spb.ru
Urls found in memory or binary dataShow sources
Source: ~DF8E1A33DF81EF5237.TMP.1.drString found in binary or memory: http://aquarell.spb.ru/hsapPJPwc
Source: {96964192-F9EB-11E8-AADE-9CC1A2A860C6}.dat.1.drString found in binary or memory: http://aquarell.spb.ru/hsapPJPwcRoot

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal56.win@3/11@3/0
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\CRAIGH~1\AppData\Local\Temp\~DFE764432C502BDD91.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4016 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4016 CREDAT:17410 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 96286 URL: http://aquarell.spb.ru/hsapPJPwc Startdate: 06/12/2018 Architecture: WINDOWS Score: 56 13 Multi AV Scanner detection for domain / URL 2->13 15 Antivirus detection for URL or domain 2->15 6 iexplore.exe 2 61 2->6         started        process3 process4 8 iexplore.exe 32 6->8         started        dnsIp5 11 aquarell.spb.ru 8->11

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
http://aquarell.spb.ru/hsapPJPwc18%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
aquarell.spb.ru13%virustotalBrowse

URLs

SourceDetectionScannerLabelLink
http://aquarell.spb.ru/hsapPJPwcRoot100%Avira URL Cloudphishing
http://aquarell.spb.ru/hsapPJPwc18%virustotalBrowse
http://aquarell.spb.ru/hsapPJPwc100%Avira URL Cloudphishing

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.