ID: 342769 Cookbook: browseurl.jbs Time: 18:01:25 Date: 21/01/2021 Version: 31.0.0 Red Diamond Table of Contents Table of Contents 2 Analysis Report http://www.godaddy.com/sso.secureserver-ins- servicecenter?tr 4 Overview 4 General Information 4 Detection 4 Signatures 4 Classification 4 Startup 4 Malware Configuration 4 Yara Overview 4 Sigma Overview 4 Signature Overview 4 Compliance: 5 Mitre Att&ck Matrix 5 Behavior Graph 5 Screenshots 6 Thumbnails 6 Antivirus, Machine Learning and Genetic Malware Detection 7 Initial Sample 7 Dropped Files 7 Unpacked PE Files 7 Domains 7 URLs 7 Domains and IPs 8 Contacted Domains 8 Contacted URLs 8 URLs from Memory and Binaries 8 Contacted IPs 10 Public 11 General Information 11 Simulations 12 Behavior and APIs 12 Joe Sandbox View / Context 13 IPs 13 Domains 13 ASN 13 JA3 Fingerprints 13 Dropped Files 13 Created / dropped Files 13 Static File Info 46 No static file info 46 Network Behavior 46 Network Port Distribution 46 TCP Packets 46 UDP Packets 48 DNS Queries 49 DNS Answers 50 HTTPS Packets 51 Code Manipulations 52 Statistics 52 Behavior 52 System Behavior 53 Analysis Process: iexplore.exe PID: 5972 Parent PID: 792 53 Copyright null 2021 Page 2 of 54 General 53 File Activities 53 Registry Activities 53 Analysis Process: iexplore.exe PID: 2592 Parent PID: 5972 53 General 54 File Activities 54 Registry Activities 54 Disassembly 54 Copyright null 2021 Page 3 of 54 Analysis Report http://www.godaddy.com/sso.secureser…ver-ins-servicecenter?tr Overview General Information Detection Signatures Classification Sample URL: www.godaddy.com/s No high impact signatures. so.secureserver-ins-servic ecenter?tr Analysis ID: 342769 Most interesting Screenshot: Ransomware Miner Spreading mmaallliiiccciiioouusss malicious Evader Phishing sssuusssppiiiccciiioouusss suspicious cccllleeaann clean Exploiter Banker Spyware Trojan / Bot Adware Score: 0 Range: 0 - 100 Whitelisted: false Confidence: 80% Startup System is w10x64 iexplore.exe (PID: 5972 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596) iexplore.exe (PID: 2592 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5972 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A) cleanup Malware Configuration No configs have been found Yara Overview No yara matches Sigma Overview No Sigma rule has matched Signature Overview Copyright null 2021 Page 4 of 54 • Compliance • Networking • System Summary Click to jump to signature section There are no malicious signatures, click here to show all signatures . Compliance: Uses new MSVCR Dlls Uses secure TLS version for HTTPS connections Mitre Att&ck Matrix Command Remote Initial Privilege Defense Credential Lateral and Network Service Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Effects Effects Impact Valid Windows Path Process Masquerading 1 OS File and Remote Data from Exfiltration Encrypted Eavesdrop on Remotely Modify Accounts Management Interception Injection 1 Credential Directory Services Local Over Other Channel 2 Insecure Track Device System Instrumentation Dumping Discovery 1 System Network Network Without Partition Medium Communication Authorization Default Scheduled Boot or Boot or Process LSASS Application Remote Data from Exfiltration Non- Exploit SS7 to Remotely Device Accounts Task/Job Logon Logon Injection 1 Memory Window Desktop Removable Over Application Redirect Phone Wipe Data Lockout Initialization Initialization Discovery Protocol Media Bluetooth Layer Calls/SMS Without Scripts Scripts Protocol 1 Authorization Domain At (Linux) Logon Script Logon Obfuscated Files Security Query SMB/Windows Data from Automated Application Exploit SS7 to Obtain Delete Accounts (Windows) Script or Information Account Registry Admin Shares Network Exfiltration Layer Track Device Device Device (Windows) Manager Shared Protocol 2 Location Cloud Data Drive Backups Behavior Graph Copyright null 2021 Page 5 of 54 Hide Legend Behavior Graph Legend: ID: 342769 Process URL: http://www.godaddy.com/sso.... Signature Startdate: 21/01/2021 Created File Architecture: WINDOWS DNS/IP Info Score: 0 Is Dropped Is Windows Process Number of created Registry Values img6.wsimg.com started Number of created Files Visual Basic Delphi iexplore.exe Java .Net C# or VB.NET C, C++ or other language 2 62 Is malicious Internet started iexplore.exe 6 199 sni1gl.wpc.gammacdn.net dzlgdtxcws9pb.cloudfront.net 152.199.21.175, 443, 49764, 49765 143.204.6.224, 443, 49735, 49736 14 other IPs or domains EDGECASTUS AMAZON-02US United States United States Screenshots Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow. Copyright null 2021 Page 6 of 54 Antivirus, Machine Learning and Genetic Malware Detection Initial Sample Source Detection Scanner Label Link www.godaddy.com/sso.secureserver-ins-servicecenter?tr 0% Avira URL Cloud safe Dropped Files No Antivirus matches Unpacked PE Files No Antivirus matches Domains No Antivirus matches URLs Source Detection Scanner Label Link https://accounts.firefox.com.cn/signup?entrypoint=mozilla.org-firefox- 0% URL Reputation safe desktop&form_type=button&utm_s https://accounts.firefox.com.cn/signup?entrypoint=mozilla.org-firefox- 0% URL Reputation safe desktop&form_type=button&utm_s Copyright null 2021 Page 7 of 54 Source Detection Scanner Label Link https://accounts.firefox.com.cn/signup?entrypoint=mozilla.org-firefox- 0% URL Reputation safe desktop&form_type=button&utm_s https://ch.godaddcom/en-us/edgenew/servicecenter?trRoot 0% Avira URL Cloud safe https://accounts.firefox.com.cn/signup?entrypoint=mozilla.org- 0% URL Reputation safe globalnav&form_type=button&utm_source= https://accounts.firefox.com.cn/signup?entrypoint=mozilla.org- 0% URL Reputation safe globalnav&form_type=button&utm_source= https://accounts.firefox.com.cn/signup?entrypoint=mozilla.org- 0% URL Reputation safe globalnav&form_type=button&utm_source= https://accounts.firefox.com.cn/ 0% URL Reputation safe https://accounts.firefox.com.cn/ 0% URL Reputation safe https://accounts.firefox.com.cn/ 0% URL Reputation safe https://www.mozilla.or 0% URL Reputation safe https://www.mozilla.or 0% URL Reputation safe https://www.mozilla.or 0% URL Reputation safe https://scottjehl.github.io/picturefill/ 0% Avira URL Cloud safe https://www.mozilla.or/upgrade-your-browserservicecenter?trx 0% Avira URL Cloud safe https://ch.godaddRoot 0% Avira URL Cloud safe https://www.google.%/ads/ga-audiences 0% URL Reputation safe https://www.google.%/ads/ga-audiences 0% URL Reputation safe https://www.google.%/ads/ga-audiences 0% URL Reputation safe https://www.microsoft. 0% URL Reputation safe https://www.microsoft. 0% URL Reputation safe https://www.microsoft. 0% URL Reputation safe https://www.microsoftedgeinsider.com 0% URL Reputation safe https://www.microsoftedgeinsider.com 0% URL Reputation safe https://www.microsoftedgeinsider.com 0% URL Reputation safe https://ch.godaddg/en-US/firefox/new/servicecenter?trRoot 0% Avira URL Cloud safe Domains and IPs Contacted Domains Name IP Active Malicious Antivirus Detection Reputation sni1gl.wpc.gammacdn.net 152.199.21.175 true false unknown dzlgdtxcws9pb.cloudfront.net 143.204.6.224 true false high firefox.com 44.236.48.31 true false high img1.wsimg.com unknown unknown false high www.firefox.com unknown unknown false high assets.adobedtm.com unknown unknown false high www.godaddy.com unknown unknown false high dc.services.visualstudio.com unknown unknown false high ch.godaddy.com unknown unknown false high ajax.aspnetcdn.com unknown unknown false high img6.wsimg.com unknown unknown false high Contacted URLs Name Malicious Antivirus Detection Reputation https://ch.godaddy.com/upgrade-your-browser false high URLs from Memory and Binaries Name Source Malicious Antivirus Detection Reputation https://outlook.live.com/owa/ edge[1].htm.3.dr false high https://img1.wsimg.com/wrhs/browser-deprecation- upgrade-your-browser[1].htm.3.dr false high warning/Safari.png launch-EN7b3d710ac67a4a1195648 false high https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/649 458258f97dd.min[1].js.3.dr ac20bb7ce/RC929a5d988f01430b8db16b1888926c4 https://img1.wsimg.com/wrhs/browser-deprecation- upgrade-your-browser[1].htm.3.dr false high warning/Firefox.png https://ajax.aspnetcdn.com/ajax/jquery/jquery- edge[1].htm.3.dr false high 3.3.1.min.js Copyright null 2021 Page 8 of 54 Name Source Malicious Antivirus Detection Reputation https://accounts.firefox.com.cn/signup? new[1].htm.3.dr false URL Reputation: safe unknown entrypoint=mozilla.org-firefox- URL Reputation: safe desktop&form_type=button&utm_s URL Reputation: safe https://products.office.com/en-us/academic/compare- edge[1].htm.3.dr false high office-365-education-plans https://ch.godaddcom/en-us/edgenew/servicecenter? {D8AE6A30-5C55-11EB-90E4-ECF4B false Avira URL Cloud: safe unknown trRoot B862DED}.dat.1.dr https://accounts.firefox.com.cn/signup? new[1].htm.3.dr false URL Reputation: safe unknown entrypoint=mozilla.org- URL Reputation: safe globalnav&form_type=button&utm_source= URL Reputation: safe https://firefox.com/set_hsts.gif new[1].htm.3.dr false high https://accounts.firefox.com/signup? new[1].htm.3.dr false high entrypoint=mozilla.org-firefox- desktop&form_type=button&utm_sour https://careers.mozilla.org new[1].htm.3.dr false high RC3832877df1a545d7a1b4ddb8df0b false high https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/649 9113-source.min[1].js.3.dr ac20bb7ce/RC3832877df1a545d7a1b4ddb8df0b911
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages54 Page
-
File Size-