Automated Malware Analysis Report For

ID: 294294
Cookbook: browseurl.jbs
Time: 08:08:43
Date: 07/10/2020
Version: 30.0.0 Red Diamond

Table of Contents

  • Table of Contents (2)
  • Analysis Report https://mms6.yshua.co.za/ (4)
  • Overview (4)
  • General Information (4)
  • Detection (4)
  • Signatures (4)
  • Classification (4)
  • Startup (4)
  • Malware Configuration (4)
  • Yara Overview (4)
  • Sigma Overview (4)
  • Signature Overview (4)
  • Mitre Att&ck Matrix (5)
  • Behavior Graph (5)
  • Screenshots (6)
  • Thumbnails (6)
  • Antivirus, Machine Learning and Genetic Malware Detection (7)
  • Initial Sample (7)
  • Dropped Files (7)
  • Unpacked PE Files (7)
  • Domains (7)
  • URLs (7)
  • Domains and IPs (8)
  • Contacted Domains (8)
  • Contacted URLs (8)
  • URLs from Memory and Binaries (8)
  • Contacted IPs (9)
  • Public (10)
  • General Information (10)
  • Simulations (11)
  • Behavior and APIs (11)
  • Joe Sandbox View / Context (11)
  • IPs (12)
  • Domains (12)
  • ASN (12)
  • JA3 Fingerprints (12)
  • Dropped Files (12)
  • Created / dropped Files (12)
  • Static File Info (42)
  • No static file info (42)
  • Network Behavior (42)
  • TCP Packets (42)
  • DNS Queries (43)
  • DNS Answers (44)
  • HTTP Request Dependency Graph (44)
  • Code Manipulations (44)
  • Statistics (44)
  • Behavior (44)
  • System Behavior (44)
  • Analysis Process: iexplore.exe PID: 6600 Parent PID: 792 (45)
  • General (45)
  • File Activities (45)
  • Registry Activities (45)
  • Analysis Process: iexplore.exe PID: 6644 Parent PID: 6600 (45)
  • General (45)
  • File Activities (45)
  • Registry Activities (46)
  • Disassembly (46)

Copyright null 2020 Page 2 of 46

Analysis Report https://mms6.yshua.co.za/

Overview

General Information
  • Sample URL: https://mms6.yshua.co.za/
  • Analysis ID: 294294
  • Most interesting Screenshot: (screenshot not reproduced in this text version)

Detection
  • Score: 0 (Range: 0 - 100; scale labels: malicious, suspicious, clean)
  • Whitelisted: false
  • Confidence: 80%

Signatures
  • HTML title does not match URL

Classification
  • Classification chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware (chart not reproduced in this text version)

Startup
  • System is w10x64
  • iexplore.exe (PID: 6600, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding, MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  • iexplore.exe (PID: 6644, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6600 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration
No configs have been found

Yara Overview
No yara matches

Sigma Overview
No Sigma rule has matched

Signature Overview
  • Phishing
  • Networking
  • System Summary
  • Malware Analysis System Evasion

There are no malicious signatures.
Mitre Att&ck Matrix

The matrix is reproduced here as one line per tactic, listing the technique cells of that column in row order; numbers attached to a technique name are kept as they appear in the report.

  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information; Binary Padding
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: Security Software Discovery 1; File and Directory Discovery 1; Query Registry; System Network Configuration Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
  • Command and Control: Encrypted Channel 2; Non-Application Layer Protocol 2; Application Layer Protocol 3; Ingress Tool Transfer 1
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
  • Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

(The graph figure is not reproduced; the data recoverable from it follows.)
  • ID: 294294; URL: https://mms6.yshua.co.za/; Startdate: 07/10/2020; Architecture: WINDOWS; Score: 0
  • Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
  • Process chain: mms6.yshua.co.za -> started -> iexplore.exe (2 / 84) -> started -> iexplore.exe (6 / 182); the two counters per process follow the legend order (created registry values / created files)
  • Network nodes: www-php-net.ax4z.com (185.85.0.29; SOPRADO-ANYDE, Germany); mms6.yshua.co.za (51.89.237.153, 443, 49712, 49713; OVHFR, France); 4 other IPs or domains

Screenshots

Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample (Source: Detection, Scanner, Label)
  • https://mms6.yshua.co.za/: 0%, Virustotal
  • https://mms6.yshua.co.za/: 0%, Avira URL Cloud, safe

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches

Domains (Source: Detection, Scanner, Label)
  • www-php-net.ax4z.com: 0%, Virustotal

URLs (Source: Detection, Scanner, Label)
  • startbootstrap.com): 0%, Avira URL Cloud, safe
  • getbootstrap.com): 0%, Avira URL Cloud, safe
  • https://harmonizely.com/phplist-hosted/: 0%, Avira URL Cloud, safe
  • fontello.comFont: 0%, URL Reputation, safe (listed three times in the report)
  • https://harmonizely.com/phplist-hosted/demo: 0%, Avira URL Cloud, safe
  • www.codrops.com: 0%, Avira URL Cloud, safe

Domains and IPs

Contacted Domains (Name, IP, Active, Malicious, Antivirus Detection, Reputation)
  • www.phplist.com, 198.58.126.42, active: true, malicious: false, reputation: high
  • www-php-net.ax4z.com, 185.85.0.29, active: true, malicious: false, antivirus detection: 0% (Virustotal), reputation: unknown
  • fontawesome-cdn.fonticons.netdna-cdn.com, 23.111.9.35, active: true, malicious: false, reputation: high
  • mms6.yshua.co.za, 51.89.237.153, active: true, malicious: false, reputation: high
  • use.fontawesome.com, IP unknown, active: unknown, malicious: false, reputation: high
  • www.php.net, IP unknown, active: unknown, malicious: false, reputation: high

Contacted URLs (all entries: malicious: false, reputation: high)
  • https://mms6.yshua.co.za/
  • https://mms6.yshua.co.za/?p=unsubscribe
  • www.php.net/
  • https://www.php.net/
  • https://www.phplist.com/poweredby
  • https://www.phplist.com/
  • www.phplist.com/
  • https://mms6.yshua.co.za/?p=subscribe
  • phplist.com/
  • www.mysql.com/

URLs from Memory and Binaries