ID: 221959
Cookbook: browseurl.jbs
Time: 01:40:49
Date: 12/04/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents ..... 2
Analysis Report https://secure.squarespace.com/checkout?cartToken=xKmJuuAeIV_pT_mGVeP_207Cfayeeo5_PLmffJMU ..... 4
  Overview ..... 4
    General Information ..... 4
    Detection ..... 4
    Confidence ..... 5
    Classification Spiderchart ..... 5
    Analysis Advice ..... 6
  Mitre Att&ck Matrix ..... 6
  Signature Overview ..... 7
    Phishing ..... 7
    Networking ..... 7
    System Summary ..... 7
  Malware Configuration ..... 7
  Behavior Graph ..... 8
  Simulations ..... 8
    Behavior and APIs ..... 8
  Antivirus, Machine Learning and Genetic Malware Detection ..... 8
    Initial Sample ..... 8
    Dropped Files ..... 8
    Unpacked PE Files ..... 8
    Domains ..... 8
    URLs ..... 9
  Yara Overview ..... 9
    Initial Sample ..... 9
    PCAP (Network Traffic) ..... 9
    Dropped Files ..... 9
    Memory Dumps ..... 9
    Unpacked PEs ..... 9
  Sigma Overview ..... 9
  Joe Sandbox View / Context ..... 10
    IPs ..... 10
    Domains ..... 10
    ASN ..... 10
    JA3 Fingerprints ..... 10
    Dropped Files ..... 10
  Screenshots ..... 10
    Thumbnails ..... 10
  Startup ..... 11
  Created / dropped Files ..... 11
  Domains and IPs ..... 37
    Contacted Domains ..... 37
    URLs from Memory and Binaries ..... 37
    Contacted IPs ..... 40
      Public ..... 40
  Static File Info ..... 40
    No static file info ..... 40
  Network Behavior ..... 40
    Network Port Distribution ..... 41
    TCP Packets ..... 41
    UDP Packets ..... 42
    DNS Queries ..... 43
    DNS Answers ..... 44
    HTTPS Packets ..... 46
  Code Manipulations ..... 51

Copyright Joe Security LLC 2020 Page 2 of 52

  Statistics ..... 51
    Behavior ..... 51
  System Behavior ..... 51
    Analysis Process: iexplore.exe PID: 4808 Parent PID: 696 ..... 51
      General ..... 51
      File Activities ..... 51
      Registry Activities ..... 51
    Analysis Process: iexplore.exe PID: 1976 Parent PID: 4808 ..... 52
      General ..... 52
      File Activities ..... 52
      Registry Activities ..... 52
  Disassembly ..... 52

Analysis Report https://secure.squarespace.com/checkout?cartToken=xKmJuuAeIV_pT_mGVeP_207Cfayeeo5_PLmffJMU

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 221959
Start date: 12.04.2020
Start time: 01:40:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 10s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://secure.squarespace.com/checkout?cartToken=xKmJuuAeIV_pT_mGVeP_207Cfayeeo5_PLmffJMU
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean2.win@3/92@15/7
Cookbook Comments:
  Adjust boot time
  Enable AMSI
  Browsing link: https://www.theresmyrideapp.com/
Warnings:
  Exclude process from analysis (whitelisted): ielowutil.exe, WMIADAP.exe
  TCP Packets have been reduced to 100
  Excluded IPs from analysis (whitelisted): 172.227.108.117, 23.210.248.89, 2.20.212.168, 2.22.154.170, 2.18.68.82, 23.37.33.211, 152.199.19.161, 8.241.122.254, 67.26.75.254, 67.26.139.254, 8.241.9.126, 8.248.123.254
  Excluded domains from analysis (whitelisted): e6653.dscf.akamaiedge.net, fs.microsoft.com, p.typekit.net-v3.edgekey.net, t.paypal.com-a.edgekey.net, ie9comview.vo.msecnd.net, e5308.x.akamaiedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www.paypal.com-a.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, www.paypalobjects.com-b.edgekey.net, e9215.x.akamaiedge.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, e5308.b.akamaiedge.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, use.typekit.net-v3.edgekey.net, e6653.f.akamaiedge.net, cs9.wpc.v0cdn.net
  Report size getting too big, too many NtDeviceIoControlFile calls found.
Detection

Strategy: Threshold
Score: 2
Range: 0 - 100
Reporting Whitelisted Detection: false

Confidence

Strategy: Threshold
Score: 4
Range: 0 - 5
Further Analysis Required?: false

Classification Spiderchart

Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Scale: malicious, suspicious, clean

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access: Drive-by Compromise 1; Replication Through Removable Media; External Remote Services
Execution: Graphical User Interface 1; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception
Defense Evasion: Masquerading 1; Process Injection 1; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: File and Directory Discovery 1; Application Window Discovery; Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Standard Cryptographic Protocol 2; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 2
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud
Backups

Signature Overview

Click to jump to signature section

Phishing:
  Form action URLs do not match main URL
  Found iframes
  HTML body contains low number of good links
  No HTML title found
  Unusual large HTML page
  META author tag missing
  META copyright tag missing

Networking:
  Found strings which match to known social media urls
  Performs DNS lookups
  Urls found in memory or binary data
  Uses HTTPS

System Summary:
  Classification label
  Creates files inside the user directory
  Creates temporary files
  Reads ini files
  Spawns processes
  Found graphical window changes (likely an installer)
  Uses new MSVCR Dlls

Malware Configuration

No configs have been found

Behavior Graph

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

ID: 221959
URL: https://secure.squarespace....
Startdate: 12/04/2020
Architecture: WINDOWS
Score: 2

Graph nodes: static.squarespace.map.fastly.net; assets.squarespace.com; iexplore.exe 3 84; started iexplore.exe 6 130; stripecdn.map.fastly.net; static.squarespace.map.fastly.net; 151.101.0.176, 443, 49754, 49755; 151.101.0.237, 443, 49747, 49748; 20 other IPs or domains; unknown; unknown; United States; United States

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample: No Antivirus matches
Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
static.squarespace.map.fastly.net | 0% | Virustotal | | Browse
squarespace.map.fastly.net | 0% | Virustotal | | Browse
prod.squarespace.map.fastly.net | 0% | Virustotal | |
Browse
stripecdn.map.fastly.net | 0% | Virustotal | | Browse
images.squarespace-cdn.com | 1% | Virustotal | | Browse
www.theresmyrideapp.com | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
https://www.theresmyrideapp.com/ckout?cartToken=xKmJuuAeIV_pT_mGVeP_207Cfayeeo5_PLmffJMUb | 0% | Avira URL Cloud | safe |
www.southype.com/Commerce/tosSt | 0% | Avira URL Cloud | safe |
https://images.squarespace-cdn.com/content/v1/5cc30c5c51f4d443e3a3d4e3/1583855478371-4UYWCQ83BUK9NIY | 0% | Avira URL Cloud | safe |
www.southype.com/Commerce/tos | 0% | Virustotal | | Browse
www.southype.com/Commerce/tos | 0% | Avira URL Cloud | safe |
https://www.theresmyrideapp.com/ | 0% | Virustotal | | Browse
https://www.theresmyrideapp.com/ | 0% | Avira URL Cloud | safe |
https://www.theresmyripace.com/checkout?cartToken=xKmJuuAeIV_pT_mGVeP_207Cfayeeo5_PLmffJMUdeapp.com/ | 0% | Avira URL Cloud | safe |
https://www.theresmyrideapp.com/ckout?cartToken=xKmJuuAeIV_pT_mGVeP_207Cfayeeo5_PLmffJMU | 0% | Avira URL Cloud | safe |
https://www.theresmyrideapp.com/(Ride | 0% | Avira URL Cloud | safe |
opengraphprotocol.org/schema/ | 0% | Virustotal | | Browse
opengraphprotocol.org/schema/ | 0% | URL Reputation | safe |
https://www.theresmyrideapp.com | 0% | Virustotal | | Browse
https://www.theresmyrideapp.com | 0% | Avira URL Cloud | safe |
www.wikipedia.com/ | 0% | Virustotal | | Browse
www.wikipedia.com/ | 0% | URL Reputation | safe |
https://images.squarespace-cdn.com/content/v1/5cc30c5c51f4d443e3a3d4e3/1557087029466-FQD0L94DORA7E10 | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample: No yara matches
PCAP (Network Traffic): No yara matches
Dropped Files: No yara matches
Memory Dumps: No yara matches
Unpacked PEs: No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs: No context
Domains: No context
ASN: No context
Details

File Type: pdf
Upload Time: -
Content Languages: English
Upload User: Anonymous/Not logged-in
File Pages: 52 Page
File Size: -