Windows
Analysis Report
http://flycass.com
Overview
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
Analysis Advice
- Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis
- Some HTTP requests failed (404). It is likely that the sample will exhibit less behavior.
- System is w10x64_ra
- chrome.exe (PID: 6092 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://flycass.com/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- chrome.exe (PID: 5568 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1804,i,10713240651816254837,11547030846082311965,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- cleanup
- Phishing
- Compliance
- Networking
- System Summary
- Boot Survival
Signatures matched, in report order, with the number of source rows each produced (the per-row source details are empty in this copy of the report):

- HTTP Parser: 4
- HTTPS traffic detected: 3
- TCP traffic detected without corresponding DNS query: 5
- UDP traffic detected without corresponding DNS query: 8
- TCP traffic detected without corresponding DNS query: 37
- HTTP traffic detected: 7
- DNS traffic detected: 1
- HTTP traffic detected: 1
- Network traffic detected: 21
- HTTPS traffic detected: 3
- File created: 1
- Classification label: 1
- File created: 1
- Process created: 14
- Window detected: 1
- File created: 7
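The networking signatures above are heuristics, and the most frequent one here, "TCP traffic detected without corresponding DNS query", asks only whether each outbound connection's destination IP was returned by a DNS answer earlier in the same capture. On a plain page load the hits are mostly resolver, multicast or pre-resolved destinations; in this report the contacted IPs with no associated domain all sit in AS15169 (Google), which is consistent with browser service traffic rather than the site under test. The following is an added example, not code from the report or from Joe Sandbox, that re-implements that check in Python over constructed traffic records modelled on the hosts listed in this report. The timestamps, ports and record layout are assumptions; the connection placed before its own DNS answer shows how a resolution that predates the capture turns into a false positive.

```python
# Added example (not part of the Joe Sandbox report): a re-implementation of
# the idea behind the "TCP/UDP traffic detected without corresponding DNS
# query" signature, run over constructed records modelled on this report's
# hosts. Timestamps, ports and the record layout are assumptions.
from collections import defaultdict
from ipaddress import ip_address

# Constructed DNS answers: (timestamp, queried name, answer IP).
DNS_ANSWERS = [
    (1.0, "flycass.com", "69.39.83.152"),
    (1.2, "www.google.com", "64.233.177.104"),
    (1.3, "accounts.google.com", "173.194.219.84"),
    (1.4, "clients.l.google.com", "64.233.185.102"),
]

# Constructed connections: (timestamp, proto, dst_ip, dst_port).
CONNECTIONS = [
    (0.5, "udp", "1.1.1.1", 53),            # the resolver itself
    (0.6, "udp", "239.255.255.250", 1900),  # SSDP multicast
    (0.9, "tcp", "69.39.83.152", 80),       # before flycass.com was answered
    (1.5, "tcp", "69.39.83.152", 80),       # after the answer
    (1.6, "tcp", "64.233.177.104", 443),
    (1.7, "tcp", "64.233.185.101", 443),    # never returned by any DNS answer
    (1.8, "tcp", "74.125.136.94", 443),     # never returned by any DNS answer
    (2.0, "tcp", "173.194.219.84", 443),
]


def build_resolution_index(dns_answers):
    """Map each answered IP to the sorted (timestamp, name) pairs that returned it."""
    index = defaultdict(list)
    for ts, name, ip in dns_answers:
        index[ip].append((ts, name))
    for pairs in index.values():
        pairs.sort()
    return index


def classify(ts, proto, ip, port, index):
    """Label one connection.

    'resolved'   : a DNS answer for this IP preceded the connection
    'resolver'   : UDP/53, the lookup traffic itself
    'local'      : multicast, link-local, loopback or RFC 1918 destination
    'unresolved' : nothing in the capture explains how the IP was obtained
    """
    prior = [name for ats, name in index.get(ip, ()) if ats <= ts]
    if prior:
        return "resolved", prior[-1]
    if proto == "udp" and port == 53:
        return "resolver", None
    addr = ip_address(ip)
    if addr.is_multicast or addr.is_link_local or addr.is_loopback or addr.is_private:
        return "local", None
    return "unresolved", None


def audit(connections, dns_answers):
    """Classify every connection; returns one dict per record, in capture order."""
    index = build_resolution_index(dns_answers)
    out = []
    for ts, proto, ip, port in connections:
        category, name = classify(ts, proto, ip, port, index)
        out.append({"ts": ts, "proto": proto, "ip": ip, "port": port,
                    "category": category, "name": name})
    return out


def unresolved_destinations(connections, dns_answers):
    """Only the hits the signature would raise, as (proto, ip, port)."""
    return [(r["proto"], r["ip"], r["port"])
            for r in audit(connections, dns_answers)
            if r["category"] == "unresolved"]


if __name__ == "__main__":
    for r in audit(CONNECTIONS, DNS_ANSWERS):
        print(f'{r["ts"]:>4} {r["proto"]} {r["ip"]}:{r["port"]:<5} '
              f'{r["category"]:<10} {r["name"] or ""}')
```

Run against a real capture, the records would come from the DNS and connection logs of the sandbox (or from a pcap); the categories are what to look at, not the raw hit count, and the "unresolved" bucket is the one worth checking against passive DNS or a reverse lookup.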
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Registry Run Keys / Startup Folder | 1 Process Injection | 11 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 Registry Run Keys / Startup Folder | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 3 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 4 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 3 Ingress Tool Transfer | Traffic Duplication | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
accounts.google.com | 173.194.219.84 | true | false | high | |
flycass.com | 69.39.83.152 | true | false | unknown | |
www.google.com | 64.233.177.104 | true | false | high | |
protonmail.com | 185.70.42.12 | true | false | high | |
clients.l.google.com | 64.233.185.102 | true | false | high | |
clients1.google.com | unknown | unknown | false | high | |
clients2.google.com | unknown | unknown | false | high |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
64.233.185.102 | clients.l.google.com | United States | 15169 | GOOGLEUS | false |
64.233.185.101 | unknown | United States | 15169 | GOOGLEUS | false |
64.233.177.104 | www.google.com | United States | 15169 | GOOGLEUS | false |
74.125.136.94 | unknown | United States | 15169 | GOOGLEUS | false |
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false |
239.255.255.250 | unknown | Reserved | unknown | unknown | false |
69.39.83.152 | flycass.com | United States | 12129 | 123NETUS | false |
64.233.185.94 | unknown | United States | 15169 | GOOGLEUS | false |
173.194.219.84 | accounts.google.com | United States | 15169 | GOOGLEUS | false |
IP |
---|
192.168.2.16 |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1388329 |
Start date and time: | 2024-02-07 14:30:20 +01:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Sample URL: | http://flycass.com |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean1.win@14/12@12/87 |
- Exclude process from analysis (whitelisted): SIHClient.exe
- Excluded IPs from analysis (whitelisted): 74.125.136.94, 34.104.35.123
- Excluded domains from analysis (whitelisted): edgedl.me.gvt1.com, clientservices.googleapis.com
- Not all processes were analyzed, report is missing behavior information
- VT rate limit hit for: http://flycass.com
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2673 |
Entropy (8bit): | 3.9876906628628923 |
Encrypted: | false |
SSDEEP: | |
MD5: | AB7AA05B1BC3187ED3B4FC0305492676 |
SHA1: | F928622487034FF03F13E420A8FB40572185A646 |
SHA-256: | F7F82293FA76E0AA231AE760DAE885A5D41CE1EFB0A898864FFC8A7D7235BCBE |
SHA-512: | 19C4B5C6BC5E5369BF285B2D88F54BBCC52A705E5CAC409DADFF00D421213CA4EBAAD06F704B84DB72C80CE668F7E1E6715ADEA2C2CBEA9167840C9F9AC3CD10 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2675 |
Entropy (8bit): | 4.0007707716184 |
Encrypted: | false |
SSDEEP: | |
MD5: | E3385DF5923570B217B8EE1B85C0A461 |
SHA1: | B85F5D70057AF08315CE25A79A58975931CAC142 |
SHA-256: | 3CB141A9E59B5097660D135C2AE6547F63F631D57F9B045A359284D454460003 |
SHA-512: | 4710AE77842C8E3DE03916A639D0564F6769CE25C88B49F7C14A926CC7314CD95F399F57D0605F6E189A27B30B9227E207F6DAFB78AE809D2CAAE4B7D16606CF |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2689 |
Entropy (8bit): | 4.009154532724949 |
Encrypted: | false |
SSDEEP: | |
MD5: | 8A805541FD386196FAC5B833EE5E6C7C |
SHA1: | 01EB8A285DA524FC1F3C090F4AE5DA22D5136CE9 |
SHA-256: | 3CBF943979B85C548280BABC92687B044B77B05F8DB35D046434BF3078119F8B |
SHA-512: | 56DBD93FDDAEE9758F69263E7E66974B3506639A6FD820FCE7E681B8A4E92D7CEDA8C3C3894745BC620434CA122984D1C2C94563AC0F783320F896C7B49A062B |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2677 |
Entropy (8bit): | 3.996371321676227 |
Encrypted: | false |
SSDEEP: | |
MD5: | 64DE5BE04F4ABEA70DB1D09A80CBDF87 |
SHA1: | 88C850046EBC9EFADF73602477BA5A292E678D05 |
SHA-256: | FD6347FE0D8EF7C0A519D9E434A9AA92A84805D71A3268F2652078C0C2E7352E |
SHA-512: | 9372277F6D6BEBD4AD962F9F1A414F48163A123C105B352F8756110B1EEDAC0114E373C65ACF922133B48F19D997C43B76351C8ED273EC36518C24E0E23F0AD3 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2677 |
Entropy (8bit): | 3.9897235300702922 |
Encrypted: | false |
SSDEEP: | |
MD5: | E8B4F1AC0AB593395CA2672D367FC526 |
SHA1: | 5CA93D4BE89F6310730A76F58A37A983F0B0CEB6 |
SHA-256: | A49ED3415F26F5EB2713BF06608858303002A77EF872216352D88AC31A2DB36E |
SHA-512: | 75468CBC95A1825DD76148C858B99537B0C0C3D209A45BD0348BCB099012C207CC07739418D7398B645D8805D195784466683BECF9A3C589C605DF6D26674E0A |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2679 |
Entropy (8bit): | 3.9980596653115956 |
Encrypted: | false |
SSDEEP: | |
MD5: | D190F53E5D4FEA7F082A9CA4D90E0534 |
SHA1: | 96D139EE034C9B2250239A02FFDE0C9CE27EE7D0 |
SHA-256: | 017E969179A8803FB2E4D6ECA6F36D5BE4090556553080211F8F7BD59049209C |
SHA-512: | 58FE4999EBB70E5040CE76E487829B003B5137CC8A3E071D1ED56116310075E1C9DCCF2ACA27194E00032E3D704BD7803068C2C3D93A3F6151181084F820E3D0 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 753 |
Entropy (8bit): | 4.873410984975494 |
Encrypted: | false |
SSDEEP: | |
MD5: | 864497DB824DFC0B2E51010A90B95064 |
SHA1: | 1141B44FFA7196BE0CD119531A582D9499357A6D |
SHA-256: | 50B2B20EF2D82E903D1DC313790AB6FBB332A5072245F1FC17EA15155EFFC5C1 |
SHA-512: | 191B9EB62E2F219036E5D749DA3313A8CDB5776377CD2B843F3F7C2B0E12ABB294E58E72968FF9A8632C3A2BD4AD9615AC38B5115FD8657628DD9F8C2B92E7C5 |
Malicious: | false |
Reputation: | unknown |
URL: | http://flycass.com/ |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 4464 |
Entropy (8bit): | 5.1776303192470055 |
Encrypted: | false |
SSDEEP: | |
MD5: | B82BBC16B90B301F782FF4B4D30B641A |
SHA1: | 5B36B68FB25BC1054DF1457290903115AA308D74 |
SHA-256: | BE1CE3A0727FADDA920A5BDB9FECE69B136973F037D76DE81FA93D3B6E370A18 |
SHA-512: | BF15A5288E41E128937B8EDF13EE5EC6F1E7C5CB0BE02EADA9205295AACACFD6A89F43C6A8C92D046F845ADE65AE8008269FB584E6AAFD0660A9784F93FE649C |
Malicious: | false |
Reputation: | unknown |
URL: | http://flycass.com/how_to_back_files.html |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 209 |
Entropy (8bit): | 5.143049113812332 |
Encrypted: | false |
SSDEEP: | |
MD5: | 18FFB59B61525F781CF9251045BE575D |
SHA1: | BD7318B00B15B7A1C8A48524419FA2E5C27A5B6D |
SHA-256: | B6682CAB65D3243B5B75EFB7279DBF49491957484780F2BA0A87632CC0E25642 |
SHA-512: | A032F853ABD9492232E1183D1CB1D14110B623F2E9DEC56B7B64DD576A0317DDA8D51125763E11D6642433C5364B2BD10A994EE4F1514629A4950BBAB3ABA499 |
Malicious: | false |
Reputation: | unknown |
URL: | http://flycass.com/favicon.ico |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 1520 |
Entropy (8bit): | 6.535761466029431 |
Encrypted: | false |
SSDEEP: | |
MD5: | 43E5260E808131C093039B07EB3F5604 |
SHA1: | 90621D327C6C22F3D3EF1FF289941A6CD4C44006 |
SHA-256: | ADE47BEB194AD3F379EB4E4F8530E1B2407F93E4A2ABEEC590B6AF47D37DE6EA |
SHA-512: | D9D39AC82E88EDE43699F689741038F5435DAF412D2EE80598A08BB2EE87980C16783D62FC736AC1C021FCC4BE9260F107BD50DC4322EDFC11E189B1AC8C1AA1 |
Malicious: | false |
Reputation: | unknown |
URL: | http://flycass.com/flycass.css.infected |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 1408 |
Entropy (8bit): | 6.330925145410468 |
Encrypted: | false |
SSDEEP: | |
MD5: | A3DE2DDD4DB2228C6DC3D64284C42F6C |
SHA1: | 7CBF732394BB61CF53006D8D9FBCF38DA501F139 |
SHA-256: | B2CA1D3F610F97B12F0E5FB03B7F6BEC65B32AEFA20FB92F19CE30139CBE03D6 |
SHA-512: | 052D1721A22647F6FBF240576572F0A22F5BB057D62BE368A5F04EC6410CA5569583FE14DEDA52CFEE16231F695CFEB3D654A15F84C9BA9F3E08FD341D80EBD8 |
Malicious: | false |
Reputation: | unknown |
URL: | http://flycass.com/flycass.css.old.infected |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | downloaded |
Size (bytes): | 1424 |
Entropy (8bit): | 6.343935115327474 |
Encrypted: | false |
SSDEEP: | |
MD5: | C1D1BF6B90328B45D18B1D83F6642DFE |
SHA1: | CC0D19E6A5A1C70A1A7721AC34D215123A7FAA12 |
SHA-256: | AF8464974E1FA329FFBDBCAE02F03D5DBB0B6F2EF6D704AEC458B653DDF4D7D9 |
SHA-512: | B1B1887B2F6365000ABAA806C1A86F83AAC15B9E6B6BA3355CFACCCB5655D70128D9324D92F5C888C4247AD851A7A0B353B40722F7AD312A414746CBAA586F75 |
Malicious: | false |
Reputation: | unknown |
URL: | http://flycass.com/fixairports.php.infected |
Preview: |
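The dropped and downloaded files above are identified by size, 8-bit entropy and four hashes, and an analyst who retrieves a copy of a resource independently will want to confirm it matches what the sandbox saw before spending time on it. The "clean" verdict reflects only what the browser did; it says nothing about the content served. The downloaded list includes a page named how_to_back_files.html, a filename of the kind ransom notes use, and three resources carrying an ".infected" suffix, which is reason enough to examine those files by hand rather than rely on the score. The following Python is an added example, not the report's or Joe Sandbox's code: it recomputes the listed fields, diffs a local copy against the reported values, and picks out URLs by name pattern. The sample bytes are constructed, and the name patterns are assumptions drawn from the URLs on this page.

```python
# Added example (not from the report): recompute the per-file fields the
# report lists for its dropped and downloaded files, compare a local copy
# against the reported values, then pick out downloaded URLs whose names
# warrant a manual look. Sample bytes and the name patterns are assumptions.
import hashlib
import math
from collections import Counter
from urllib.parse import urlsplit


def shannon_entropy_8bit(data: bytes) -> float:
    """Entropy in bits per byte over the byte-value distribution (0.0 to 8.0),
    the same measure as the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def artifact_fields(data: bytes) -> dict:
    """The fields the report prints for a file, computed from the bytes."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def compare_to_report(data: bytes, reported: dict, entropy_tol: float = 1e-6) -> list:
    """Names of the reported fields a local copy disagrees with (empty = match).
    Keys are the lower-case names used by artifact_fields()."""
    actual = artifact_fields(data)
    bad = []
    for key, expected in reported.items():
        if key == "entropy":
            ok = abs(actual[key] - float(expected)) <= entropy_tol
        elif key == "size":
            ok = actual[key] == int(expected)
        else:
            ok = actual[key] == str(expected).strip().upper()
        if not ok:
            bad.append(key)
    return bad


# URLs as listed in the report's downloaded-file entries.
REPORT_URLS = [
    "http://flycass.com/",
    "http://flycass.com/how_to_back_files.html",
    "http://flycass.com/favicon.ico",
    "http://flycass.com/flycass.css.infected",
    "http://flycass.com/flycass.css.old.infected",
    "http://flycass.com/fixairports.php.infected",
]


def review_worthy_urls(urls, suffixes=(".infected",), fragments=("how_to_back",)):
    """(url, reason) for URLs whose final path component carries one of the
    given suffixes or name fragments. The defaults are the patterns seen in
    this report (an assumption); extend them for your own triage."""
    hits = []
    for url in urls:
        name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
        suffix = next((s for s in suffixes if name.endswith(s)), None)
        if suffix:
            hits.append((url, f"suffix {suffix}"))
            continue
        fragment = next((f for f in fragments if f in name), None)
        if fragment:
            hits.append((url, f"name contains {fragment}"))
    return hits


if __name__ == "__main__":
    sample = b"abc"  # constructed stand-in for a locally retrieved copy
    print(artifact_fields(sample))
    for url, why in review_worthy_urls(REPORT_URLS):
        print(f"{url}  <- {why}")
```

To check a file against one of the entries above, read its bytes and pass the entry's values as `reported` (e.g. `{"size": 4464, "sha256": "BE1CE3A0..."}` for how_to_back_files.html); an empty list means the copy is the one the sandbox downloaded. Hashes are compared case-insensitively because the report prints them in upper case.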