Automated Malware Analysis Report For
ID: 430663
Cookbook: browseurl.jbs
Time: 19:08:03
Date: 07/06/2021
Version: 32.0.0 Black Diamond

Table of Contents
  Table of Contents .......................................... 2
  Analysis Report https://efax-01.simplesite.com/ ............ 3
    Overview ................................................. 3
      General Information .................................... 3
      Detection .............................................. 3
      Signatures ............................................. 3
      Classification ......................................... 3
    Process Tree ............................................. 3
    Malware Configuration .................................... 3
    Yara Overview ............................................ 3
      Dropped Files .......................................... 3
    Sigma Overview ........................................... 3
    Signature Overview ....................................... 3
      AV Detection ........................................... 4
      Phishing ............................................... 4
    Mitre Att&ck Matrix ...................................... 4
    Behavior Graph ........................................... 4
    Screenshots .............................................. 5
      Thumbnails ............................................. 5
    Antivirus, Machine Learning and Genetic Malware Detection  6
      Initial Sample ......................................... 6
      Dropped Files .......................................... 6
      Unpacked PE Files ...................................... 6
      Domains ................................................ 6
      URLs ................................................... 6
    Domains and IPs .......................................... 7
      Contacted Domains ...................................... 7
      Contacted URLs ......................................... 7
      URLs from Memory and Binaries .......................... 7
      Contacted IPs .......................................... 7
        Public ............................................... 7
    General Information ...................................... 8
    Simulations .............................................. 8
      Behavior and APIs ...................................... 8
    Joe Sandbox View / Context ............................... 8
      IPs .................................................... 8
      Domains ................................................ 8
      ASN .................................................... 9
      JA3 Fingerprints ....................................... 9
      Dropped Files .......................................... 9
    Created / dropped Files .................................. 9
    Static File Info ......................................... 32
      No static file info .................................... 32
    Network Behavior ......................................... 32
      Network Port Distribution .............................. 32
      TCP Packets ............................................ 32
      UDP Packets ............................................ 32
      DNS Queries ............................................ 32
      DNS Answers ............................................ 32
      HTTPS Packets .......................................... 34
    Code Manipulations ....................................... 42
    Statistics ............................................... 42
      Behavior ............................................... 42
    System Behavior .......................................... 42
      Analysis Process: iexplore.exe PID: 2644 Parent PID: 792  43
        General .............................................. 43
        File Activities ...................................... 43
        Registry Activities .................................. 43
      Analysis Process: iexplore.exe PID: 4688 Parent PID: 2644 43
        General .............................................. 43
        File Activities ...................................... 43
        Registry Activities .................................. 43
    Disassembly .............................................. 43

Copyright Joe Security LLC 2021 Page 2 of 43

Analysis Report https://efax-01.simplesite.com/

Overview

General Information
  Sample URL: https://efax-01.simplesite.com/
  Analysis ID: 430663

Detection
  Score: 60
  Range: 0 - 100
  Whitelisted: false
  Confidence: 100%

Signatures
  Antivirus detection for URL or domain
  Yara detected HtmlPhish_10
  Phishing site detected (based on logo template match)
  HTML body contains low number of …
  HTML title does not match URL
  Suspicious form URL found

Classification
  (classification wheel: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, HTMLPhisher, Spyware, Trojan / Bot, Adware; legend: malicious, suspicious, clean)

Process Tree
  System is w10x64
  iexplore.exe (PID: 2644 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    iexplore.exe (PID: 4688 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2644 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  cleanup

Malware Configuration
  No configs have been found

Yara Overview
  Dropped Files
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\YUYTH2QQ.htm
    Rule: JoeSecurity_HtmlPhish_10
    Description: Yara detected HtmlPhish_10
    Author: Joe Security

Sigma Overview
  No Sigma rule has matched

Signature Overview
  AV Detection:
    Antivirus detection for URL or domain
  Phishing:
    Yara detected HtmlPhish10
    Phishing site detected (based on logo template match)

Mitre Att&ck Matrix
  Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
  Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
  Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
  Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information 1
  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 1; Application Layer Protocol 2
  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph
  (graph image; labels recovered from the figure)
  ID: 430663
  URL: https://efax-01.simplesite.com/
  Startdate: 07/06/2021
  Architecture: WINDOWS
  Score: 60
  Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
  Nodes: efax-01.simplesite.com; iexplore.exe (started) 6 62; iexplore.exe (started) 9 159; pages-wildcard.weebly.com 199.34.228.54, 443, 49758, 49759 (WEEBLYUS, United States); weebly.map.fastly.net 151.101.1.46, 443, 49764, 49765 (FASTLYUS, United States); 11 other IPs or domains; dropped: C:\Users\user\AppData\Local\...\YUYTH2QQ.htm, HTML
  Signatures shown: Phishing site detected (based on logo template match); Antivirus detection for URL or domain; Yara detected HtmlPhish10

Screenshots
  Thumbnails
    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  Source | Detection | Scanner | Label
  https://efax-01.simplesite.com/ | 0% | Virustotal |
  https://efax-01.simplesite.com/ | 0% | Avira URL Cloud | safe

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  Source | Detection | Scanner | Label
  weebly.map.fastly.net | 0% | Virustotal |

URLs
  Source | Detection | Scanner | Label
  https://securemailoffice365onlinefaxmessages.weebly.com/ | 100% | SlashNext | Fake Login Page type: Phishing & Social Engineering
  fontforge.sf.net)IoniconsIoniconsMediumMediumFontForge | 0% | Avira URL Cloud | safe
  fontforge.sf.net) | 0% | Avira URL Cloud | safe
  https://securemailoffisite.com/ | 0% | Avira URL Cloud | safe
  hammerjs.github.io/ | 0% | Avira URL Cloud | safe
  https://www.gstatic.cn/charts/debug/% | 0% | URL Reputation | safe
  https://fontawesome.comhttps://fontawesome.comFont | 0% | Avira URL Cloud | safe
  https://www.gstatic.cn/charts/% | 0% | URL Reputation | safe
  https://www.internalfb.com/intern/invariant/ | 0% | URL Reputation | safe
  https://www.google.%/ads/ga-audiences? | 0% | URL Reputation | safe
  fontforge.sf.net)Created | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains
  Name | IP | Active | Malicious | Antivirus Detection | Reputation
  efax-01.simplesite.com | 143.204.98.105 | true | false | | high
  css.simplesite.com | 143.204.98.33 | true | false | | high
  pages-wildcard.weebly.com | 199.34.228.54 | true | false | | high
  scontent.xx.fbcdn.net | 31.13.92.14 | true | false | | high
  cdn.simplesite.com | 143.204.98.102 | true | false | | high
  sp-2020021412301152490000000a-1069308460.us-west-2.elb.amazonaws.com | 44.241.96.221 | true | false | | high
  www.simplesite.com | 143.204.98.111 | true | false | | high
  weebly.map.fastly.net | 151.101.1.46 | true | false | 0%, Virustotal | unknown
  ec.editmysite.com | unknown | unknown | false | | high
  securemailoffice365onlinefaxmessages.weebly.com | unknown | unknown | false | | high
  cdn2.editmysite.com | unknown | unknown | false | | high
  fpdownload.macromedia.com | unknown | unknown | false | | high
  connect.facebook.net | unknown | unknown | false | | high

Contacted URLs
  Name | Malicious | Antivirus Detection | Reputation
  https://efax-01.simplesite.com/ | false | | high
  https://securemailoffice365onlinefaxmessages.weebly.com/ | false | SlashNext: Fake Login Page type: Phishing & Social Engineering | high

URLs from Memory and Binaries

Contacted IPs
  Public
    IP | Domain | Country | ASN | ASN Name | Malicious
    31.13.92.14 | scontent.xx.fbcdn.net | Ireland | 32934 | FACEBOOKUS | false
    151.101.1.46 | weebly.map.fastly.net | United States | 54113 | FASTLYUS | false
    199.34.228.54 | pages-wildcard.weebly.com | United States | 27647 | WEEBLYUS | false
    143.204.98.105 | efax-01.simplesite.com | United States | 16509 | AMAZON-02US | false
    44.241.96.221 | sp-2020021412301152490000000a-1069308460.us-west-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
    143.204.98.33 | css.simplesite.com | United States | 16509 | AMAZON-02US | false
    143.204.98.111 | www.simplesite.com | United States | 16509 | AMAZON-02US | false
    143.204.98.102 | cdn.simplesite.com | United States | 16509 | AMAZON-02US | false

General Information
  Joe Sandbox Version: 32.0.0 Black Diamond
  Analysis ID: 430663
  Start date: 07.06.2021
  Start time: 19:08:03
  Joe Sandbox Product: CloudBasic
  Overall analysis duration: 0h 3m 20s
  Hypervisor based Inspection enabled: false
  Report type: light
  Cookbook