Edit tour

Windows Analysis Report
https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html

Overview

General Information

Sample URL:	https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html
Analysis ID:	1364094

Detection

HTMLPhisher

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish10

Phishing site detected (based on image similarity)

Creates files inside the system directory

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

Invalid 'forgot password' link found

Invalid T&C link found

Stores files to the Windows start menu directory

Uses insecure TLS / SSL version for HTTPS connection

Classification

×

Process Tree

System is w10x64_ra

chrome.exe (PID: 4388 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6736 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1920,i,14616401802645140220,14558350504782336419,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
0.2.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security
0.1.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Phishing
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Boot Survival

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected HtmlPhish10

Source: Yara match	File source: 0.2.pages.csv, type: HTML
Source: Yara match	File source: 0.1.pages.csv, type: HTML

Phishing site detected (based on image similarity)

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html

Matcher: Found strong image similarity, brand: MICROSOFT

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html

HTTP Parser: Number of links: 0

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html

HTTP Parser: Title: Authenticating ... does not match URL

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html

HTTP Parser: Invalid link: Forgot password?

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: Invalid link: Terms of use
Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: Invalid link: Privacy & cookies
Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: Invalid link: Terms of use
Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: Invalid link: Privacy & cookies

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html

HTTP Parser: <input type="password" .../> found

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: No favicon
Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: No favicon
Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: No favicon

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: No <meta name="author".. found
Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: No <meta name="author".. found

Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: No <meta name="copyright".. found
Source: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	HTTP Parser: No <meta name="copyright".. found

Source: unknown

HTTPS traffic detected: 173.222.162.7:443 -> 192.168.2.18:49737 version: TLS 1.0

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.18:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.18:49756 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 17MB later: 26MB

Source: unknown

HTTPS traffic detected: 173.222.162.7:443 -> 192.168.2.18:49737 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.7
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86

Source: unknown

DNS traffic detected: queries for: cloudflare-ipfs.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.18:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.18:49756 version: TLS 1.2

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\chrome_BITS_4388_1513840618

Source: classification engine

Classification label: mal52.phis.win@14/26@18/165

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1920,i,14616401802645140220,14558350504782336419,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 --field-trial-handle=1920,i,14616401802645140220,14558350504782336419,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Process Injection	13 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	1 Extra Window Memory Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
part-0013.t-0009.t-msedge.net	13.107.213.41	true	false		unknown
a.nel.cloudflare.com	35.190.80.1	true	false		high
thirdmandomavis.com	104.21.2.93	true	false		unknown
accounts.google.com	192.178.50.77	true	false		high
d2vgu95hoyrpkh.cloudfront.net	18.64.174.30	true	false		high
cs837.wac.edgecastcdn.net	192.229.173.207	true	false		high
cloudflare-ipfs.com	104.17.64.14	true	false		unknown
www.google.com	142.250.64.164	true	false		high
clients.l.google.com	142.250.217.174	true	false		high
clients1.google.com	unknown	unknown	false		high
clients2.google.com	unknown	unknown	false		high
www.w3schools.com	unknown	unknown	false		high
cdn.socket.io	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
13.107.246.41	unknown	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
1.1.1.1	unknown	Australia		13335	CLOUDFLARENETUS	false
192.178.50.35	unknown	United States		15169	GOOGLEUS	false
18.64.174.30	d2vgu95hoyrpkh.cloudfront.net	United States		3	MIT-GATEWAYSUS	false
192.178.50.77	accounts.google.com	United States		15169	GOOGLEUS	false
142.250.217.227	unknown	United States		15169	GOOGLEUS	false
142.250.64.238	unknown	United States		15169	GOOGLEUS	false
104.21.2.93	thirdmandomavis.com	United States		13335	CLOUDFLARENETUS	false
172.217.15.202	unknown	United States		15169	GOOGLEUS	false
142.250.64.164	www.google.com	United States		15169	GOOGLEUS	false
142.250.217.174	clients.l.google.com	United States		15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved		unknown	unknown	false
192.229.173.207	cs837.wac.edgecastcdn.net	United States		15133	EDGECASTUS	false
13.107.213.41	part-0013.t-0009.t-msedge.net	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
35.190.80.1	a.nel.cloudflare.com	United States		15169	GOOGLEUS	false
104.17.64.14	cloudflare-ipfs.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.18
192.168.2.5

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1364094
Start date and time:	2023-12-18 18:55:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.phis.win@14/26@18/165

Warnings

Exclude process from analysis (whitelisted): SIHClient.exe
Excluded IPs from analysis (whitelisted): 192.178.50.35
Excluded domains from analysis (whitelisted): clientservices.googleapis.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://cloudflare-ipfs.com/ipfs/bafybeigrupzkuqubfheficav3favlvovhpofvfsuyb5vu2kcu3jfo7gw6q/smi.html

Created / dropped Files

Chrome Cache Entry: 68

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 7390
Category:	dropped
Size (bytes):	2407
Entropy (8bit):	7.900400471609788
Encrypted:	false
SSDEEP:
MD5:	9D372E951D45A26EDE2DC8B417AAE4F8
SHA1:	84F97A777B6C33E2947E6D0BD2BFCFFEC601785A
SHA-256:	4E9C9141705E9A4D83514CEE332148E1E92126376D049DAED9079252FA9F9212
SHA-512:	78F5AA71EA44FF18BA081288F13AD118DB0E1B9C8D4D321ED40DCAB29277BD171BBB25BA7514566BBD4E25EA416C066019077FAA43E6ED781A29ADB683D218E2
Malicious:	false
Reputation:	low
Preview:	...........Y=s.8......mr...f.y....8.R...l.Nk.l..?....{$.l\|e'zM.3...............S(..........O./......Mn.e..O..7.O.?=..?........../...~yy._t....8.a........~.....+..$..*..z..\....~..Jx\|............\|y...=................./.3....kN2...H...;<sy....H..?2..q5.0.0....f......L.^..v.W.L..7XCm8.I...6\.p.....O/%sX..I.......u............yE......$q....1/.....W....Zg...w..-..v....x...N)........R....c.W5.=...{_1_...+.#.......e...K..:..b.Ec...!...".I1../2X.....].i.sAF;^.1....1/UM.[r..d...>RX..U...<..1...V.\|.......X.jX:..0...9..F.KsT...{.6,.._Q..9.b...Q)..0.R.t.u.JN..u$V.%X.9k..t.."..Q.........y.V.Z$7.q.{......k.......W....5.x..K.."y...=......4...h\|!....r.."v\f`..c+.......b..hc.jn....0.&G..m.=.@..6../......6....tM^.&3.$......~.....m2...wFs..#5.Hy..?...r.p.O.X.'n...Z8L......7.;..QWGnr.sY..n...3.Jfq..+{m....\...X.q...0...0...........}}d...33.....Q...F$.8..v..UH&.H........0.q..n...q...F.Y7...u..B>..J.A.....$.,....w......Z..oe..w..%....$[+.......d...

Chrome Cache Entry: 70

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (47391)
Category:	downloaded
Size (bytes):	145246
Entropy (8bit):	4.527507962793524
Encrypted:	false
SSDEEP:
MD5:	9797E36917710C861A16E8D9504C0C41
SHA1:	B023AD3BC3A82DF06D39B47B2AA2667EABD53D19
SHA-256:	E55D7C45487B52D4C9B68BE452AC0995A6B6CF184464C03098FA4396F81BF474
SHA-512:	CDBCB31D786CDEED8862F8CCD6D31AC12ECD4B507623C1A36942F177C6D4D564A2800A4963B414870E5A32E5BBBB7FFE4E3F03D69DD3C220AEF4F68017EA9826
Malicious:	false
Reputation:	low
URL:	https://thirdmandomavis.com/js.js
Preview:	function _0x1ffb(_0x50acfb, _0x3edc94) {. const _0x22ce95 = _0x10f0();. return _0x1ffb = function (_0x2857a7, _0x248658) {. _0x2857a7 = _0x2857a7 - (0x72a + 0x111d + 0x5b3 * -0x4);. let _0x23a93f = _0x22ce95[_0x2857a7];. return _0x23a93f;. }, _0x1ffb(_0x50acfb, _0x3edc94);.}.const _0x274b4c = _0x1ffb;.(function (_0x3ff153, _0x59125f) {. const _0xc67fa = _0x1ffb, _0x40a9d9 = _0x3ff153();. while (!![]) {. try {. const _0x289c23 = -parseInt(_0xc67fa(0x4a9)) / (0x2 * 0x69b + 0x1de * 0x1 + -0xf13) * (-parseInt(_0xc67fa(0x69a)) / (0xd0f + 0x1 * 0x1bd1 + -0x28de * 0x1)) + parseInt(_0xc67fa(0x3c4)) / (-0x14fe + 0xfa2 + 0x5 * 0x113) + -parseInt(_0xc67fa(0x411)) / (-0x1de1 + 0x1 * 0x670 + 0x1775) * (-parseInt(_0xc67fa(0x479)) / (-0x1565 + -0x9c6 + 0x1f30)) + parseInt(_0xc67fa(0x389)) / (-0x1ba8 + -0x98 * -0x17 + 0xe06) * (parseInt(_0xc67fa(0x53e)) / (0x167 * -0x1b + 0x6d9 * -0x2 + 0x3396)) + parseInt(_0xc67fa(0x3a6)) / (0x2571 + 0xa3a + -0x2d

Chrome Cache Entry: 72

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 250
Category:	dropped
Size (bytes):	199
Entropy (8bit):	6.766983163126765
Encrypted:	false
SSDEEP:
MD5:	21B761F2B1FD37F587D7222023B09276
SHA1:	F7A416C8907424F9A9644753E3A93D4D63AE640E
SHA-256:	72D4161C18A46D85C5566273567F791976431EFEF49510A0E3DD76FEC92D9393
SHA-512:	77745F60804D421B34DE26F8A216CEE27C440E469FD786A642757CCEDBC4875D5196431897D80137BD3E20B01104BA76DEC7D8E75771D8A9B5F14B66F2A9B7C0
Malicious:	false
Reputation:	low
Preview:	..........u....0.._%2k.8?....w..k..!.M.."b5<.M.bD..c..l.:..}...@.8p.sn.j...%".B...J..6...c..^..?...2d...R..w.<%..}..}s..ir0/.......:8).(.......^u...0..U..I.F....{]...[-......~..F.P_.....G.....

Chrome Cache Entry: 73

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1864
Category:	downloaded
Size (bytes):	673
Entropy (8bit):	7.6596900876595075
Encrypted:	false
SSDEEP:
MD5:	0E176276362B94279A4492511BFCBD98
SHA1:	389FE6B51F62254BB98939896B8C89EBEFFE2A02
SHA-256:	9A2C174AE45CAC057822844211156A5ED293E65C5F69E1D211A7206472C5C80C
SHA-512:	8D61C9E464C8F3C77BF1729E32F92BBB1B426A19907E418862EFE117DBD1F0A26FCC3A6FE1D1B22B836853D43C964F6B6D25E414649767FBEA7FE10D2048D7A1
Malicious:	false
Reputation:	low
URL:	https://aadcdn.msauth.net/shared/1.0/content/images/backgrounds/2_11d9e3bcdfede9ce5ce5ace2d129f1c4.svg
Preview:	...........U.n.0....}i..P..C..7l/..d........n...G....yl. .E.......Tu.F.........?$.i.s..s...C..wi$.....r....CT.U.FuS..r.e.~...G.q.....~M..mu}.0.=..&.~.e.WLX.....X..%p..i......7+.........?......WN..%>...$..c..}N....Y4?..x.1......#v...Gal9.!.9.A.u..b..>..".#A2"+...<qc.v....)3...x.p&..K.&..T.r.'....J.T....Q..=..H).X...<.r...KkX........)5i4.+.h.....5.<..5.^O.eC%V^....Nx.E..;..52..h....C"I./.`..O...f..r..n.h.r]}.G^..D.7..i.].}.G.].....{....oW............h.4...}~=6u..k...=.X..+z}.4.].....YS5..J......)......m....w.......~}.C.b_..[.u..9_7.u.u.....y.ss....:_yQ<{..K.V_Z....c.G.N.a...?/..%. .-..K.td....4...5.(.e.`G7..]t?.3..\..... ....G.H...

Chrome Cache Entry: 74

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 513
Category:	downloaded
Size (bytes):	276
Entropy (8bit):	7.316609873335077
Encrypted:	false
SSDEEP:
MD5:	4E3510919D29D18EEB6E3E8B2687D2F5
SHA1:	31522A9EC576A462C3F1FFA65C010D4EB77E9A85
SHA-256:	1707BE1284617ACC0A66A14448207214D55C3DA4AAF25854E137E138E089257E
SHA-512:	DFAD29E3CF9E51D1749961B47382A5151B1F3C98DEABF2B63742EB6B7F7743EE9B605D646A730CF3E087D4F07E43107C8A01FF5F68020C7BF933EBA370175682
Malicious:	false
Reputation:	low
URL:	https://logincdn.msauth.net/shared/1.0/content/images/arrow_left_a9cc2824ef3517b6c4160dcf8ff7d410.svg
Preview:	...........Q=o. ..+.......=t....E.k["...../g;n.,....{.......2....e.......J).8..).5.....>,.ih...^s...&M.Ta..m........C.N5.G.!.-...}.9.~........u.3..@i..qK.U.......E.........S.......A.....6...G..g...,f3g.5F..I...G@<..L.:`.N&.?R....d..(.7._....z.L.......s....

Chrome Cache Entry: 76

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	52
Entropy (8bit):	4.627854381394605
Encrypted:	false
SSDEEP:
MD5:	74BF1D6E7C3AB38866E25147A2573602
SHA1:	BB33B71B2B7383F8A2FB3749CB549D040C69BE1C
SHA-256:	0BAAA51510C3DF5B875723E23E64EC5FEA0FBB8985851E008A9AA559F9C52284
SHA-512:	D6531642195291DD38A09DFA396CA58BDFFC189FAB55BC9A5307580542CB022F946E04F225192AFFBF6CA914A587B96122259986078F1FEC835DFBCD75FB48B3
Malicious:	false
Reputation:	low
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xNDkSHgmOUCg3VQsHNRIFDZFhlU4SBQ01hlQcEgUNkWGVTg==?alt=proto
Preview:	CiMKCw2RYZVOGgQICRgBCgcNNYZUHBoACgsNkWGVThoECAkYAQ==

Chrome Cache Entry: 78

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	23427
Entropy (8bit):	5.112735417225198
Encrypted:	false
SSDEEP:
MD5:	BA0537E9574725096AF97C27D7E54F76
SHA1:	BD46B47D74D344F435B5805114559D45979762D5
SHA-256:	4A7611BC677873A0F87FE21727BC3A2A43F57A5DED3B10CE33A0F371A2E6030F
SHA-512:	FC43F1A6B95E1CE005A8EFCDB0D38DF8CC12189BEAC18099FD97C278D254D5DA4C24556BD06515D9D6CA495DDB630A052AEFC0BB73D6ED15DEBC0FB1E8E208E7
Malicious:	false
Reputation:	low
URL:	https://www.w3schools.com/w3css/4/w3.css
Preview:	./* W3.CSS 4.15 December 2020 by Jan Egil and Borge Refsnes /.html{box-sizing:border-box},:before,:after{box-sizing:inherit}./* Extract from normalize.css by Nicolas Gallagher and Jonathan Neal git.io/normalize */.html{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}.article,aside,details,figcaption,figure,footer,header,main,menu,nav,section{display:block}summary{display:list-item}.audio,canvas,progress,video{display:inline-block}progress{vertical-align:baseline}.audio:not([controls]){display:none;height:0}[hidden],template{display:none}.a{background-color:transparent}a:active,a:hover{outline-width:0}.abbr[title]{border-bottom:none;text-decoration:underline;text-decoration:underline dotted}.b,strong{font-weight:bolder}dfn{font-style:italic}mark{background:#ff0;color:#000}.small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}.sub{bottom:-0.25em}sup{top:-0.5em}figure{margin:1em 40px}img{border-style:none}.code,kbd,p

Chrome Cache Entry: 79

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (45667)
Category:	downloaded
Size (bytes):	45806
Entropy (8bit):	5.207605835316031
Encrypted:	false
SSDEEP:
MD5:	80F5B8C6A9EEAC15DE93E5A112036A06
SHA1:	F7174635137D37581B11937FC90E9CB325077BCE
SHA-256:	0401DE33701F1CAD16ECF952899D23990B6437D0A5B7335524EDF6BDFB932542
SHA-512:	B976A5F02202439D94C6817D037C813FA1945C6BB93762284D97FF61718C5B833402F372562034663A467FDBAA46990DE24CB1E356392340E64D034E4BA1B4E4
Malicious:	false
Reputation:	low
URL:	https://cdn.socket.io/4.6.0/socket.io.min.js
Preview:	/!. Socket.IO v4.6.0. * (c) 2014-2023 Guillermo Rauch. * Released under the MIT License.. */.!function(t,e){"object"==typeof exports&&"undefined"!=typeof module?module.exports=e():"function"==typeof define&&define.amd?define(e):(t="undefined"!=typeof globalThis?globalThis:t\|\|self).io=e()}(this,(function(){"use strict";function t(e){return t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(t){return typeof t}:function(t){return t&&"function"==typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t},t(e)}function e(t,e){if(!(t instanceof e))throw new TypeError("Cannot call a class as a function")}function n(t,e){for(var n=0;n<e.length;n++){var r=e[n];r.enumerable=r.enumerable\|\|!1,r.configurable=!0,"value"in r&&(r.writable=!0),Object.defineProperty(t,r.key,r)}}function r(t,e,r){return e&&n(t.prototype,e),r&&n(t,r),Object.defineProperty(t,"prototype",{writable:!1}),t}function i(){return i=Object.assign?Object.assign.bind():function(t){for(var e=

Chrome Cache Entry: 80

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	gzip compressed data, max speed, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 3651
Category:	downloaded
Size (bytes):	1435
Entropy (8bit):	7.8613342322590265
Encrypted:	false
SSDEEP:
MD5:	9F368BC4580FED907775F31C6B26D6CF
SHA1:	E393A40B3E337F43057EEE3DE189F197AB056451
SHA-256:	7ECBBA946C099539C3D9C03F4B6804958900E5B90D48336EEA7E5A2ED050FA36
SHA-512:	0023B04D1EEC26719363AED57C95C1A91244C5AFF0BB53091938798FB16E230680E1F972D166B633C1D2B314B34FE0B9D7C18442410DB7DD6024E279AAFD61B0
Malicious:	false
Reputation:	low
URL:	https://aadcdn.msauth.net/shared/1.0/content/images/microsoft_logo_564db913a7fa0ca42727161c6d031bef.svg
Preview:	...........WMo.7..+..uV.HJ...{..........&..v...(Q.F.....aW.Q.\|..~.\|{~...b{8...zv.....8\|...b.gxb.y{.x<\lS...p...p..l7...o.}.v.....t.........r..r.\|9?.......HP...r.4.aGA.j....7.!....K.n.B.Z.C.]....kj..A..p...xI...b..I!K..><.B..O....#...$.]h.bU.;.Y...).r.u....g.-w.2..vPh....q....4_..N\..@y).t{.2pj.f..4h.....NC.....x.R..P..9.....".4.`%N..&...a.@.......fS)A4.F..8e9KHE....8d.CR.K..g..Q.......a....f.....dgN.N.k..#w..........,.".%..I.q.Y.R]..7.!.:.Ux...T.qI..{..,b..2..B...Bh...[o..[4....dZ.z.!.l....E.9$..Y.'...M.,p..$..8Ns3.B.....{.....H..Se3....%.Ly...VP{.Bh.D.+....p..(..`....t....U.e....2......j...%..0.f<...q...B.k..N....03...8....l.....bS...vh..8..Q..LWXW..C.......3..Pr.V.l...^=VX\,d9f.Y;1!w.d,.qvs....f;.....Zhrr.,.U....6.Y....+Zd.R...but....".....4.L...z........L.Q......)....,.].Y.&....*ZsIVG.^...#...e..r....Z..F..c..... .QDCmV..1.~...J9..b_Oov\..X.R..._.TqH.q.5G.0{ZphQ..k...s..\.../.Dp..d`#......8.#Y...Mb.j.Q......=n4.c....p.[.SI.....0.N.

Chrome Cache Entry: 82

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	14
Entropy (8bit):	3.378783493486176
Encrypted:	false
SSDEEP:
MD5:	D0FBDA9855D118740F1105334305C126
SHA1:	BC3023B36063A7681DB24681472B54FA11F0D4EC
SHA-256:	A469AB4CA4E55BF547566E9EBFA1B809C933207E9D558156BC0C4252B17533FE
SHA-512:	41171C08CA31B832C6E64C553702D38ADF805CE4FEC552B71659558A419C02589CF9332F40288FB450E6C52297EFA7903999F39DD48EFA20EDB92C7D8E3BD42B
Malicious:	false
Reputation:	low
URL:	https://cloudflare-ipfs.com/favicon.ico
Preview:	Page not found

Static File Info

⊘No static file info