Edit tour

Windows Analysis Report
http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ

Overview

General Information

Sample URL:	http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ
Analysis ID:	1466700
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

HTML body with high number of embedded images detected

HTML page contains hidden URLs or javascript code

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64native

chrome.exe (PID: 8024 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 464953824E644F10FFDC9E093FD18F94)

chrome.exe (PID: 5164 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,18058039625578469226,10548155103771464637,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)

chrome.exe (PID: 3000 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1700,18058039625578469226,10548155103771464637,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7116 /prefetch:8 MD5: 464953824E644F10FFDC9E093FD18F94)

chrome.exe (PID: 2248 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ" MD5: 464953824E644F10FFDC9E093FD18F94)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: http://www.splendidcare.sa.com	LLM: Score: 8 brands: Reasons: The URL 'http://www.splendidcare.sa.com' is suspicious because it uses a subdomain structure that is often associated with phishing sites. The image shows a 'Human Verification Check' page, which is a common social engineering technique used to mislead users into thinking they need to verify their identity. This type of page is often used to redirect users to malicious sites. The presence of a 'Skip Verification and Enter Website Now' button is another red flag, as it encourages users to bypass the verification process, which can lead to phishing attacks. There is no clear indication of a legitimate brand associated with this site, and the domain does not match any known legitimate domains. Therefore, based on these observations, the site is likely a phishing site. DOM: 0.3.pages.csv
Source: http://www.splendidcare.sa.com	LLM: Score: 8 brands: Reasons: The URL 'http://www.splendidcare.sa.com' is suspicious because it uses a subdomain structure that is often associated with phishing sites. The image shows a 'Human Verification Check' page, which is a common social engineering technique used to mislead users into thinking they need to verify their identity. This is often used to redirect users to malicious sites. The presence of a 'Skip Verification and Enter Website Now' button is another red flag, as it encourages users to click on a potentially harmful link. There is no prominent login form or CAPTCHA, but the use of social engineering techniques and the suspicious domain strongly suggest that this is a phishing site. DOM: 0.4.pages.csv

Source: https://gotropislim.com/	HTTP Parser: Total embedded image size: 16168
Source: https://gotropislim.com/#hero	HTTP Parser: Total embedded image size: 16168

Source: http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ

HTTP Parser: Base64 decoded: http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ

Source: http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ	HTTP Parser: No favicon
Source: http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ	HTTP Parser: No favicon
Source: http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ	HTTP Parser: No favicon
Source: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/uf02t/0x4AAAAAAADnOjc0PNeA8qVm/light/normal	HTTP Parser: No favicon
Source: http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ&__cf_chl_tk=Qo3onJpX2NN9iqTg6AK3IKQV7zteuSapwy7jedCnmwA-1719993703-0.0.1.1-2537	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	HTTP Parser: No favicon
Source: https://widget.trustpilot.com/trustboxes/53aa8807dec7e10d38f59f32/index.html?templateId=53aa8807dec7e10d38f59f32&businessunitId=58d40fc70000ff00059f1303#locale=en-US&styleHeight=130px&styleWidth=100%25&theme=light	HTTP Parser: No favicon
Source: https://widget.trustpilot.com/trustboxes/53aa8807dec7e10d38f59f32/index.html?templateId=53aa8807dec7e10d38f59f32&businessunitId=58d40fc70000ff00059f1303#locale=en-US&styleHeight=130px&styleWidth=100%25&theme=light	HTTP Parser: No favicon

Source: classification engine

Classification label: mal48.phis.win@38/0@0/39

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,18058039625578469226,10548155103771464637,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1700,18058039625578469226,10548155103771464637,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7116 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,18058039625578469226,10548155103771464637,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1700,18058039625578469226,10548155103771464637,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7116 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ	3%	Virustotal		Browse
http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ	0%	Avira URL Cloud	safe

Name	Malicious	Reputation
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/uf02t/0x4AAAAAAADnOjc0PNeA8qVm/light/normal	false	unknown
https://gotropislim.com/#hero	false	unknown
https://widget.trustpilot.com/trustboxes/53aa8807dec7e10d38f59f32/index.html?templateId=53aa8807dec7e10d38f59f32&businessunitId=58d40fc70000ff00059f1303#locale=en-US&styleHeight=130px&styleWidth=100%25&theme=light	false	unknown
http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ	true	unknown
https://player.vimeo.com/video/864351157?h=75b1f32070&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	false	unknown
https://app.campaignrefinery.com/unsubscribe?c=5b3fb967-1467-4f75-a434-25b537201ad8&b=54d49514-f843-4e2e-94e5-8be2d989695e&f=3d8d1c90-1d43-4590-8dd4-f4a952d057cc	false	unknown
https://www.digistore24.com/	false	unknown
https://gotropislim.com/	false	unknown
https://player.vimeo.com/video/864134318?h=e3208bb7c4&background=1&autoplay=1&title=0&byline=0&wmode=transparent&autopause=0	false	unknown
http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ&__cf_chl_tk=Qo3onJpX2NN9iqTg6AK3IKQV7zteuSapwy7jedCnmwA-1719993703-0.0.1.1-2537	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.110.180.34	unknown	United States	15169	GOOGLEUS	false
34.107.117.83	unknown	United States	15169	GOOGLEUS	false
157.240.249.35	unknown	United States	32934	FACEBOOKUS	false
54.230.18.36	unknown	United States	16509	AMAZON-02US	false
142.250.111.84	unknown	United States	15169	GOOGLEUS	false
142.250.191.238	unknown	United States	15169	GOOGLEUS	false
142.251.165.154	unknown	United States	15169	GOOGLEUS	false
52.84.18.58	unknown	United States	16509	AMAZON-02US	false
31.25.12.21	unknown	United Kingdom	56367	TEQGB	false
35.244.212.226	unknown	United States	15169	GOOGLEUS	false
142.250.190.66	unknown	United States	15169	GOOGLEUS	false
172.67.154.9	unknown	United States	13335	CLOUDFLARENETUS	false
54.225.7.157	unknown	United States	14618	AMAZON-AESUS	false
35.190.80.1	unknown	United States	15169	GOOGLEUS	false
162.247.243.39	unknown	United States	13335	CLOUDFLARENETUS	false
31.25.12.17	unknown	United Kingdom	56367	TEQGB	false
104.17.24.14	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.190.35	unknown	United States	15169	GOOGLEUS	false
142.250.191.227	unknown	United States	15169	GOOGLEUS	false
34.120.202.204	unknown	United States	15169	GOOGLEUS	false
151.101.192.217	unknown	United States	54113	FASTLYUS	false
216.239.32.181	unknown	United States	15169	GOOGLEUS	false
157.240.249.8	unknown	United States	32934	FACEBOOKUS	false
146.75.82.109	unknown	Sweden	30051	SCCGOVUS	false
23.33.29.89	unknown	United States	13367	COMCAST-13367US	false
23.33.29.83	unknown	United States	13367	COMCAST-13367US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.21.44.135	unknown	United States	13335	CLOUDFLARENETUS	false
31.25.12.51	unknown	United Kingdom	56367	TEQGB	false
162.159.128.61	unknown	United States	13335	CLOUDFLARENETUS	false
162.247.243.29	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.190.106	unknown	United States	15169	GOOGLEUS	false
52.85.247.89	unknown	United States	16509	AMAZON-02US	false
104.17.2.184	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.2.40	unknown	United States	15169	GOOGLEUS	false
142.250.191.164	unknown	United States	15169	GOOGLEUS	false
172.217.4.206	unknown	United States	15169	GOOGLEUS	false
142.250.191.163	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.11.20

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1466700
Start date and time:	2024-07-03 09:59:37 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.phis.win@38/0@0/39
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Browse: https://gotropislim.com/?aff=crazycashliorry&cam=1035569#hero Browse: http://email.r1.ignitedrops.com/c/eJxMj0lu3DAQRU9D7dggi8VpoUXiRh8gFwjIqmJbgFtSKCmAbx_0gNjb_96vgTqXvYwq_lQA--cqCkC5Hwqg9qUwlW2_J_D2Pfk98VPzMQd8wkK0HPMXsibaV4-WeS_0hQKY4J01T7rJn0Nmkv_4se9Vlb_ybeaLxPPAY0uhhjDIaEOyGSMmN7yPDSRzpuo5s0WDPqO3IVJhrBZNGaYRDDiDNoNzybgTs2k1hUDeS2UShabb03Sdp124L-t2ouU2fIzv-75ujxsuCi5lXU9UbmuZrnOXNs3SP--igssxb0fdqE9VlLuQcmdfXas5RG0xRI0tel3QoQZfvYtgbOGkINS7iozZW9QtodMoIDqjeJ2qAOeUQ_aiIDTlzo4TW8pGW76rPhudmFE3LNkDGx-Jhj6uyzGzdIsKzfVWpo_HP_v49utfAAAA___MtI4-?aff=crazycashliorry&cam=1035569 Browse: https://www.digistore24.com/

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, CompPkgSrv.exe, TextInputHost.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Skipping network analysis since amount of network traffic is too extensive

Input	Output
URL: http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ Model: Perplexity: mixtral-8x7b-instruct	{"loginform": false,"urgency": true,"captcha": false,"reasons": ["The text 'Check You will Be Auto Redirect To The Website in 5 Seconds Skip Verification and Enter Website Now' creates a sense of urgency as it suggests immediate redirection to the website.","There is no explicit mention of sensitive information request in the text or title.","No CAPTCHA or anti-robot detection mechanism was found in the text or title."]}
Title: Human Verification OCR: Human Verification Check You will Be Auto Redirect To The Website in 5 Seconds Skip Verification and Enter Website Now
URL: http://www.splendidcare.sa.com/clicks/bpage/topslim.php?sid=1035569&h=FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ Model: Perplexity: mixtral-8x7b-instruct	{"loginform": false,"urgency": true,"captcha": false,"reasons": ["The text 'Check You will Be Auto Redirect To The Website in Seconds Skip Verification and Enter Website Now' creates a sense of urgency as it suggests that the user should skip the verification process and enter the website quickly.","There is no mention of any form of login form in the given text or title.","There is no CAPTCHA or any other anti-robot detection mechanism mentioned in the given text or title."]}
Title: Human Verification OCR: Human Verification Check You will Be Auto Redirect To The Website in Seconds Skip Verification and Enter Website Now
URL: http://www.splendidcare.sa.com Model: gpt-4o	```json{ "phishing_score": 8, "brands": null, "phishing": true, "suspicious_domain": true, "has_prominent_loginform": false, "has_captcha": false, "setechniques": true, "has_suspicious_link": true, "legitmate_domain": "unknown", "reasons": "The URL 'http://www.splendidcare.sa.com' is suspicious because it uses a subdomain structure that is often associated with phishing sites. The image shows a 'Human Verification Check' page, which is a common social engineering technique used to mislead users into thinking they need to verify their identity. This type of page is often used to redirect users to malicious sites. The presence of a 'Skip Verification and Enter Website Now' button is another red flag, as it encourages users to bypass the verification process, which can lead to phishing attacks. There is no clear indication of a legitimate brand associated with this site, and the domain does not match any known legitimate domains. Therefore, based on these observations, the site is likely a phishing site."}

URL: http://www.splendidcare.sa.com Model: gpt-4o	```json{ "phishing_score": 8, "brands": null, "phishing": true, "suspicious_domain": true, "has_prominent_loginform": false, "has_captcha": false, "setechniques": true, "has_suspicious_link": true, "legitmate_domain": "unknown", "reasons": "The URL 'http://www.splendidcare.sa.com' is suspicious because it uses a subdomain structure that is often associated with phishing sites. The image shows a 'Human Verification Check' page, which is a common social engineering technique used to mislead users into thinking they need to verify their identity. This is often used to redirect users to malicious sites. The presence of a 'Skip Verification and Enter Website Now' button is another red flag, as it encourages users to click on a potentially harmful link. There is no prominent login form or CAPTCHA, but the use of social engineering techniques and the suspicious domain strongly suggest that this is a phishing site."}

URL: https://gotropislim.com/ Model: Perplexity: mixtral-8x7b-instruct	{"loginform": false,"urgency": false,"captcha": false,"reasons": ["The webpage does not contain a login form, as there is no explicit request for sensitive information such as passwords, email addresses, usernames, phone numbers, or credit card numbers.","The text of the webpage does not create a sense of urgency, as it does not contain phrases such as 'click here to view document', 'to view secured document click here', or 'submit your findings here'.","The webpage does not contain a CAPTCHA or any other anti-robot detection mechanism."]}
Title: Caribbean Flush Dissolves Fat While You Sleep OCR: Dissolves Fat While You Sleep 4) TAP FOR SOUND Scientific References WomenMIealth HARVARD Journa10fObesity JOHNS HOPKINS MEDICAL SCHOOL SCHOOL of MEDICINE

Target ID:	0
Start time:	04:01:39
Start date:	03/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff765320000
File size:	2'509'656 bytes
MD5 hash:	464953824E644F10FFDC9E093FD18F94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	04:01:39
Start date:	03/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1700,18058039625578469226,10548155103771464637,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 /prefetch:8
Imagebase:	0x7ff765320000
File size:	2'509'656 bytes
MD5 hash:	464953824E644F10FFDC9E093FD18F94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	04:01:41
Start date:	03/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ"
Imagebase:	0x7ff765320000
File size:	2'509'656 bytes
MD5 hash:	464953824E644F10FFDC9E093FD18F94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	04:02:01
Start date:	03/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1700,18058039625578469226,10548155103771464637,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7116 /prefetch:8
Imagebase:	0x7ff765320000
File size:	2'509'656 bytes
MD5 hash:	464953824E644F10FFDC9E093FD18F94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Phishing

System Summary

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 8024, Parent PID: 6860

General

Chronological Activities

Analysis Process: chrome.exePID: 5164, Parent PID: 8024

General

Chronological Activities

Analysis Process: chrome.exePID: 2248, Parent PID: 6860

General

Chronological Activities

Analysis Process: chrome.exePID: 3000, Parent PID: 8024

General

Chronological Activities

Disassembly

Windows Analysis Report
http://www.splendidcare.sa.com/Juwqdh/xacwk5957irfeugd/FW2HGOqFbIVQssWaWxsuPFbxoA78Qv8umKJQmKBGMM0/enpkwYwNDdxjXCgjy64rbJkHYw5eTv2C-VSAAV3Fufzkb2cfb573zE5R9OTtHCML20yl9BXVgVz_5eGAS31RGQ