ID: 192622
Cookbook: browseurl.jbs
Time: 06:32:17
Date: 28/11/2019
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report https://chrome.google.com/webstore/detail/crossbrowsertesting-local/ldabplgpogjknofonmccpbgeoolbcbfm 4
Overview 4
General Information 4
Detection 5
Confidence 5
Classification 5
Analysis Advice 6
Mitre Att&ck Matrix 6
Signature Overview 7
Phishing: 7
Networking: 7
System Summary: 7
Malware Analysis System Evasion: 7
HIPS / PFW / Operating System Protection Evasion: 7
Behavior Graph 7
Simulations 8
Behavior and APIs 8
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 8
Yara Overview 9
Initial Sample 9
PCAP (Network Traffic) 9
Dropped Files 9
Memory Dumps 10
Unpacked PEs 10
Sigma Overview 10
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
JA3 Fingerprints 10
Dropped Files 10
Screenshots 10
Thumbnails 10
Startup 11
Created / dropped Files 11
Domains and IPs 38
Contacted Domains 38
URLs from Memory and Binaries 38
Contacted IPs 41
Public 42
Static File Info 42
No static file info 42
Network Behavior 42
UDP Packets 42
Code Manipulations 43
Statistics 43
Behavior 43
System Behavior 43
Analysis Process: iexplore.exe PID: 3304 Parent PID: 700 43
General 43
File Activities 43
Registry Activities 44
Analysis Process: iexplore.exe PID: 944 Parent PID: 3304 44
General 44
File Activities 44
Registry Activities 44
Disassembly 44

Copyright Joe Security LLC 2019 Page 2 of 44

Analysis Report https://chrome.google.com/webstore/detail/crossbrowsertesting-local/ldabplgpogjknofonmccpbgeoolbcbfm

Overview

General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 192622
Start date: 28.11.2019
Start time: 06:32:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 48s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: browseurl.jbs
Sample URL: https://chrome.google.com/webstore/detail/crossbrowsertesting-local/ldabplgpogjknofonmccpbgeoolbcbfm
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.phis.win@3/94@0/13
Cookbook Comments: Adjust boot time
Enable AMSI
Browsing link: https://chrome.google.com/webstore/category/extensions
Browsing link: https://accounts.google.com/ServiceLogin?continue=https%3A%2F%2Fchrome.google.com%2Fwebstore%2Fdetail%2Fcrossbrowsertesting-local%2Fldabplgpogjknofonmccpbgeoolbcbfm&amp;service=chromewebstore&sarp=1
Browsing link: https://chrome.google.com/webstore/category/apps
Browsing link: http://crossbrowsertesting.com/
Browsing link: https://chrome.google.com/webstore/report/ldabplgpogjknofonmccpbgeoolbcbfm?hl=en-US&gl=GB
Browsing link: https://smartbear.com/privacy
Browsing link: https://chrome.google.com/webstore/detail/blheli-configurator/mejfjggmbnocnfibbibmoogocnjbcjnk
Browsing link: https://chrome.google.com/webstore/detail/google-apps-script/eoieeedlomnegifmaghhjnghhmcldobl
Browsing link: https://chrome.google.com/webstore/detail/javascript-editor/enhkeonpomkliaedmafeniofidolfmdd
Warnings:
Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, conhost.exe, CompatTelRunner.exe
Excluded IPs from analysis (whitelisted): 8.241.121.254, 67.27.235.126, 8.248.119.254, 8.253.95.249, 8.248.123.254, 104.103.90.39, 172.217.23.206, 172.217.23.195
Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, go.microsoft.com, www3.l.google.com, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, chrome.google.com, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, www.gstatic.com
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtReadFile calls found.

Detection
Strategy | Score | Range | Reporting | Whitelisted | Threat
Threshold | 48 | 0 - 100 | | false | Audio Phisher

Confidence
Strategy | Score | Range | Further Analysis Required?
Threshold | 5 | 0 - 5 | false

Classification
[Classification chart: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware, each rated on a malicious / suspicious / clean scale]

Analysis Advice
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Mitre Att&ck Matrix
Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Command-Line Interface 1; Graphical User Interface 2; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection 2; Accessibility Features; Path Interception
Defense Evasion: Web Service 1; Masquerading 1; Process Injection 2
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Process Discovery 1; Security Software Discovery 1; File and Directory Discovery 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Web Service 1; Fallback Channels; Custom Cryptographic Protocol
Impact: Data Destruction; Data Encrypted for Impact; Disk Structure Wipe

Signature Overview
• Phishing
• Networking
• System Summary
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Phishing:
Yara detected Audio Phisher
Found iframes
HTML title does not match URL
Unusual large HTML page
META author tag missing
META copyright tag missing

Networking:
Social media urls found in memory data
Found strings which match to known social media urls
Urls found in memory or binary data

System Summary:
Classification label
Creates files inside the user directory
Creates temporary files
Reads ini files
Sample might require command line arguments
Spawns processes
Found GUI installer (many successful clicks)
Found graphical window changes (likely an installer)
Uses new MSVCR Dlls

Malware Analysis System Evasion:
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)

Behavior Graph
[Behavior graph: ID 192622, URL https://chrome.google.com/w..., Startdate 28/11/2019, Architecture WINDOWS, Score 48. Legend: Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet.]
Graph nodes: iexplore.exe (10 created registry values, 87 created files) started iexplore.exe (5 created registry values, 496 created files); signature node "Yara detected Audio Phisher"; network nodes 104.20.35.153 (unknown, United States), 172.217.23.193 (unknown, United States) and 11 other IPs or domains; dropped files C:\Users\user\AppData\Local\...\9L14CHP1.htm (HTML) and C:\Users\user\AppData\Local\...\WMS9QF0R.htm (HTML).

Simulations
Behavior and APIs
No simulations

Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
No Antivirus matches
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label | Link
www.merlin.com.pl/favicon.ico | 0% | Virustotal | | Browse
www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe |
www.dailymail.co.uk/ | 0% | Virustotal | | Browse
www.dailymail.co.uk/ | 0% | URL Reputation | safe |
https://static1.smartbear.co/crossbrowsertesting/media/images/homepage-tour/visual-testing/multiple- | 0% | Avira URL Cloud | safe |
busca.igbusca.com.br//app/static/images/favicon.ico | 0% | Virustotal | | Browse
busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe |
www.etmall.com.tw/favicon.ico | 0% | Virustotal | | Browse
www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe |
it.search.dada.net/favicon.ico | 0% | Virustotal | | Browse
it.search.dada.net/favicon.ico | 0% | URL Reputation | safe |
https://www.meowplayground.com | 0% | Virustotal | | Browse
https://www.meowplayground.com | 0% | Avira URL Cloud | safe |
cgi.search.biglobe.ne.jp/favicon.ico | 0% | Virustotal | | Browse
cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe |
buscar.ozu.es/ | 0% | Virustotal | | Browse
buscar.ozu.es/ | 0% | Avira URL Cloud | safe |
search.auction.co.kr/ | 0% | Virustotal | | Browse
search.auction.co.kr/ | 0% | URL Reputation | safe |
www.pchome.com.tw/favicon.ico | 0% | Virustotal | | Browse
www.pchome.com.tw/favicon.ico | 0% | Avira URL Cloud | safe |
crl.pki.goog/gsr2/gsr2.crl0? | 0% | Virustotal | | Browse
crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe |
search.yahoo.co.jp/favicon.ico