Automated Malware Analysis Report for Audio 804.Htm

ID: 347
Sample Name: Audio_804.htm
Cookbook: defaultwindowsinteractivecookbook.jbs
Time: 16:30:09
Date: 25/08/2021
Version: 33.0.0 White Diamond

Table of Contents
  • Table of Contents .................................................. 2
  • Windows Analysis Report Audio_804.htm .............................. 3
  • Overview ........................................................... 3
  • General Information ................................................ 3
  • Detection .......................................................... 3
  • Signatures ......................................................... 3
  • Classification ..................................................... 3
  • Process Tree ....................................................... 3
  • Yara Overview ...................................................... 3
  • Sigma Overview ..................................................... 3
  • Jbx Signature Overview ............................................. 3
  • Phishing ........................................................... 4
  • Mitre Att&ck Matrix ................................................ 4
  • Screenshots ........................................................ 4
  • Thumbnails ......................................................... 4
  • Antivirus, Machine Learning and Genetic Malware Detection .......... 5
  • Initial Sample ..................................................... 5
  • Dropped Files ...................................................... 5
  • Unpacked PE Files .................................................. 5
  • Domains ............................................................ 5
  • URLs ............................................................... 6
  • Domains and IPs .................................................... 6
  • Contacted Domains .................................................. 6
  • Contacted URLs ..................................................... 6
  • Contacted IPs ...................................................... 6
  • Public ............................................................. 6
  • Private ............................................................ 7
  • General Information ................................................ 7
  • Created / dropped Files ............................................ 8
  • Static File Info ................................................... 39
  • General ............................................................ 39
  • File Icon .......................................................... 39

Copyright Joe Security LLC 2021 Page 2 of 39

Windows Analysis Report Audio_804.htm

Overview

General Information
  Sample Name: Audio_804.htm
  Analysis ID: 347
  MD5: e952e02f0014846…
  SHA1: 5618b4895079e0…
  SHA256: 2d8edc328f9ba84…
  Most interesting Screenshot: (image not included in the extracted text)

Detection
  Score: 64
  Range: 0 - 100
  Whitelisted: false
  Confidence: 100%

Signatures
  • Phishing site detected (based on fav…
  • Yara detected HtmlPhish10
  • Yara detected Captcha Phish
  • HTML body contains low number of …
  • Invalid T&C link found
  • Suspicious form URL found
  • No HTML title found

Classification
  (Radar chart not included in the extracted text. Legend: malicious, suspicious, clean.
  Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware,
  Trojan / Bot, Adware. Matched labels: Phishing, HTMLPhisher, Captcha Phish.)

Process Tree
  System is start
    chrome.exe (PID: 7648, cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation --single-argument C:\Users\eyup\Desktop\Audio_804.htm, MD5: 2A7452F3E3165FECBFCCAD71B04E5C37)
      chrome.exe (PID: 7844, cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,16046178134959786270,2934930332338490908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:8, MD5: 2A7452F3E3165FECBFCCAD71B04E5C37)
  cleanup

Yara Overview
  No yara matches

Sigma Overview
  No Sigma rule has matched

Jbx Signature Overview
  • Phishing
  • Compliance
  • Software Vulnerabilities
  • Networking
  • System Summary

Phishing:
  • Phishing site detected (based on favicon image match)
  • Yara detected HtmlPhish10
  • Yara detected Captcha Phish

Mitre Att&ck Matrix
  Tactic columns: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
  Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command and Control,
  Network Effects, Remote Service Effects, Impact.
  Techniques with matching signatures (count in parentheses):
  • Privilege Escalation: Process Injection (1), Extra Window Memory Injection (1)
  • Defense Evasion: Masquerading (1), Process Injection (1), Obfuscated Files or Information (1), Extra Window Memory Injection (1)
  • Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2)

Screenshots

Thumbnails
  This section contains all screenshots as thumbnails, including those not shown in the slideshow.
  (Thumbnails not included in the extracted text.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
  No Antivirus matches

Dropped Files
  No Antivirus matches

Unpacked PE Files
  No Antivirus matches

Domains
  No Antivirus matches

URLs
  No Antivirus matches

Domains and IPs

Contacted Domains
  Name                                  IP               Active   Malicious   Antivirus Detection   Reputation
  stackpath.bootstrapcdn.com            104.18.10.207    true     false                             high
  gstaticadssl.l.google.com             142.250.186.99   true     false                             high
  accounts.google.com                   142.250.105.84   true     false                             high
  www.google.com                        142.250.184.196  true     false                             high
  clients.l.google.com                  216.58.212.174   true     false                             high
  bm.jb-voice.online                    23.254.225.193   true     false                             unknown
  googlehosted.l.googleusercontent.com  64.233.177.132   true     false                             high
  clients2.googleusercontent.com        unknown          unknown  false                             high
  clients2.google.com                   unknown          unknown  false                             high

Contacted URLs
  Name                                                                                                                          Malicious   Antivirus Detection   Reputation
  file:///C:/Users/eyup/Desktop/Audio_804.htm                                                                                   true                              low
  https://bm.jb-voice.online/main/                                                                                              true                              unknown
  https://www.google.com/recaptcha/api2/bframe?hl=en&v=Eyd0Dt8h04h7r-D86uAD1JP-&k=6Le94fcbAAAAABywQgCe83EvePvALoj4UwC4ClAa&cb=m2u6y7vjiuq8   false                             high
  https://bm.jb-voice.online/main/main.php                                                                                      true                              unknown

Contacted IPs
  (World map not included in the extracted text. Legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs.)

Public
  IP               Domain                                Country         ASN      ASN Name          Malicious
  142.250.184.196  www.google.com                        United States   15169    GOOGLEUS          false
  104.18.10.207    stackpath.bootstrapcdn.com            United States   13335    CLOUDFLARENETUS   false
  142.250.186.170  unknown                               United States   15169    GOOGLEUS          false
  142.250.105.84   accounts.google.com                   United States   15169    GOOGLEUS          false
  216.58.212.142   unknown                               United States   15169    GOOGLEUS          false
  142.250.185.227  unknown                               United States   15169    GOOGLEUS          false
  169.254.95.3     unknown                               Reserved        6966     USDOSUS           false
  142.250.181.227  unknown                               United States   15169    GOOGLEUS          false
  239.255.255.250  unknown                               Reserved        unknown  unknown           false
  23.254.225.193   bm.jb-voice.online                    United States   54290    HOSTWINDSUS       false
  143.204.98.115   unknown                               United States   16509    AMAZON-02US       false
  64.233.177.132   googlehosted.l.googleusercontent.com  United States   15169    GOOGLEUS          false
  142.250.184.227  unknown                               United States   15169    GOOGLEUS          false
  216.58.212.174   clients.l.google.com                  United States   15169    GOOGLEUS          false
  142.250.186.99   gstaticadssl.l.google.com             United States   15169    GOOGLEUS          false
  142.250.74.195   unknown                               United States   15169    GOOGLEUS          false
  104.16.19.94     unknown                               United States   13335    CLOUDFLARENETUS   false
  209.85.226.8     unknown                               United States   15169    GOOGLEUS          false
  142.250.186.138  unknown                               United States   15169    GOOGLEUS          false
  (The Flag column of the original table contained only images.)

Private
  IP
  192.168.2.2
  192.168.2.1
  127.0.0.1

General Information
  Joe Sandbox Version: 33.0.0 White Diamond
  Analysis ID: 347
  Start date: 25.08.2021
  Start time: 16:30:09
  Joe Sandbox Product: CloudBasic
  Hypervisor based Inspection enabled: false
  Report type: light
  Sample file name: Audio_804.htm
  Cookbook file name: defaultwindowsinteractivecookbook.jbs
  Number of analysed new started processes analysed: 14
  Number of new started drivers analysed: 0
  Number of existing processes analysed: 0
  Number of existing drivers analysed: 0
  Number of injected processes analysed: 0
  Technologies: EGA enabled
  Analysis Mode: stream
  Detection: MAL
  Classification: mal64.phis.winHTM@29/141@6/218
  Warnings:
  • Exclude process from analysis (whitelisted): CompPkgSrv.exe
  • Created / dropped Files have been reduced to 100
  • Excluded IPs from analysis (whitelisted): 142.250.74.195, 216.58.212.142, 209.85.226.8, 142.250.185.227, 142.250.186.170, 20.190.160.136, 20.190.160.8, 20.190.160.67, 20.190.160.73, 20.190.160.6, 20.190.160.71, 20.190.160.69, 20.190.160.129, 93.184.220.29, 20.190.160.134, 20.190.160.75, 20.190.160.132, 20.199.120.182, 204.79.197.200, 13.107.21.200, 20.50.102.62, 142.250.184.227
  • Excluded domains from analysis (whitelisted): ssl.gstatic.com, cs9.wac.phicdn.net, www.tm.lg.prod.aadmsa.akadns.net, clientservices.googleapis.com, arc.msn.com, r3.sn-5hnekn76.gvt1.com, www.tm.a.prd.aadg.trafficmanager.net, wns.notify.trafficmanager.net, redirector.gvt1.com, ocsp.digicert.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, www.gstatic.com, www.bing.com, client.wns.windows.com, content-autofill.googleapis.com, fonts.gstatic.com, dual-a-0001.a-msedge.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, r3---sn-5hnekn76.gvt1.com, a-0001.a-afdentry.net.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Created / dropped Files
  C:\Users\eyup\AppData\Local\Google\Chrome\User Data\69be466d-1ca8-4062-b354-199db9a22de9.tmp
