Windows
Analysis Report
https://sesworld.com.au:443/it/mount/
Overview
Detection
Score: | 64 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64_ra
chrome.exe (PID: 2992 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --st art-maximi zed --sing le-argumen t https:// sesworld.c om.au/it/m ount/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4) chrome.exe (PID: 6756 cmdline:
"C:\Progra m Files\Go ogle\Chrom e\Applicat ion\chrome .exe" --ty pe=utility --utility -sub-type= network.mo jom.Networ kService - -lang=en-U S --servic e-sandbox- type=none --mojo-pla tform-chan nel-handle =1796 --fi eld-trial- handle=199 6,i,500558 2365850163 615,345631 8901898958 29,262144 --disable- features=O ptimizatio nGuideMode lDownloadi ng,Optimiz ationHints ,Optimizat ionHintsFe tching,Opt imizationT argetPredi ction /pre fetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
- cleanup
- • Phishing
- • Compliance
- • Networking
- • System Summary
- • Boot Survival
Click to jump to signature section
Phishing |
---|
Source: | LLM: | ||
Source: | LLM: | ||
Source: | LLM: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | Matcher: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | HTTP Parser: | ||
Source: | HTTP Parser: | ||
Source: | HTTP Parser: |
Source: | Directory created: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | UDP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: | ||
Source: | DNS traffic detected: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: | ||
Source: | HTTPS traffic detected: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Window detected: |
Source: | Directory created: |
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: | ||
Source: | File created: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | 1 Process Injection | 3 Masquerading | OS Credential Dumping | System Service Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 Process Injection | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Deobfuscate/Decode Files or Information | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
code.jquery.com | 151.101.194.137 | true | false | unknown | |
cdnjs.cloudflare.com | 104.17.25.14 | true | false | unknown | |
challenges.cloudflare.com | 104.18.94.41 | true | false | unknown | |
www.google.com | 142.250.181.228 | true | false | unknown | |
stellarbyteae.ru | 172.67.129.11 | true | true | unknown | |
sesworld.com.au | 192.250.235.25 | true | true | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true | unknown | ||
true | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
142.250.185.78 | unknown | United States | 15169 | GOOGLEUS | false | |
104.17.24.14 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
172.67.129.11 | stellarbyteae.ru | United States | 13335 | CLOUDFLARENETUS | true | |
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false | |
216.58.206.74 | unknown | United States | 15169 | GOOGLEUS | false | |
173.194.76.84 | unknown | United States | 15169 | GOOGLEUS | false | |
104.18.94.41 | challenges.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false | |
151.101.2.137 | unknown | United States | 54113 | FASTLYUS | false | |
104.21.2.94 | unknown | United States | 13335 | CLOUDFLARENETUS | false | |
239.255.255.250 | unknown | Reserved | unknown | unknown | false | |
142.250.181.228 | www.google.com | United States | 15169 | GOOGLEUS | false | |
142.250.185.195 | unknown | United States | 15169 | GOOGLEUS | false | |
151.101.194.137 | code.jquery.com | United States | 54113 | FASTLYUS | false | |
142.250.184.206 | unknown | United States | 15169 | GOOGLEUS | false | |
192.250.235.25 | sesworld.com.au | United States | 36454 | CNSV-LLCUS | true | |
104.17.25.14 | cdnjs.cloudflare.com | United States | 13335 | CLOUDFLARENETUS | false | |
142.250.186.99 | unknown | United States | 15169 | GOOGLEUS | false |
IP |
---|
192.168.2.17 |
192.168.2.16 |
192.168.2.4 |
Joe Sandbox version: | 40.0.0 Tourmaline |
Analysis ID: | 1510217 |
Start date and time: | 2024-09-12 17:32:23 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Sample URL: | https://sesworld.com.au:443/it/mount/ |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | stream |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal64.phis.win@14/6@22/148 |
- Exclude process from analysis
(whitelisted): svchost.exe - Excluded IPs from analysis (wh
itelisted): 142.250.185.195, 1 73.194.76.84, 142.250.185.78, 34.104.35.123, 216.58.206.74, 172.217.23.106, 142.250.186.10 6, 216.58.212.170, 142.250.185 .138, 142.250.185.170, 142.250 .185.74, 142.250.185.106, 142. 250.184.202, 142.250.185.202, 142.250.186.74, 142.250.185.23 4, 172.217.16.202, 216.58.212. 138, 172.217.18.10, 216.58.206 .42, 199.232.210.172 - Excluded domains from analysis
(whitelisted): clients2.googl e.com, accounts.google.com, ed gedl.me.gvt1.com, content-auto fill.googleapis.com, ctldl.win dowsupdate.com, clientservices .googleapis.com, clients.l.goo gle.com - Not all processes where analyz
ed, report is missing behavior information - VT rate limit hit for: https:
//sesworld.com.au:443/it/mount /
Input | Output |
---|---|
URL: https://sesworld.com.au/it/mount/ Model: jbxai | { "brand":["Joyce Morgan"], "contains_trigger_text":true, "prominent_button_name":"Submit", "text_input_field_labels":["Enter your email address to proceed"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false} |
URL: https://sesworld.com.au/it/mount/ Model: jbxai | { "phishing_score":8, "brands":["Joyce Morgan"], "brand_matches_associated_domain":false, "reasons":"The domain'sesworld.com.au' does not match the brand name 'Joyce Morgan', and the domain name does not seem to be directly related to the brand. This raises concerns about the legitimacy or authenticity of the message.", "brand_matches":[false], "url_match":true} |
URL: https://sesworld.com.au/it/mount/ Model: jbxai | { "brand":["Joyce Morgan"], "contains_trigger_text":true, "prominent_button_name":"Submit", "text_input_field_labels":["Enter your email address to proceed"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false} |
URL: https://sesworld.com.au/mount/it/ Model: jbxai | { "brand":["Globi"], "contains_trigger_text":true, "prominent_button_name":"Next", "text_input_field_labels":["Email, phone, or Skype", "No account? Create one! Can't access your account?"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false} |
URL: https://sesworld.com.au/mount/it/ Model: jbxai | { "brand":["Microsoft"], "contains_trigger_text":false, "prominent_button_name":"Sign in", "text_input_field_labels":["Email, phone, or Skype", "Password", "Sign-in options"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false} |
URL: https://sesworld.com.au/mount/it/ Model: jbxai | { "phishing_score":10, "brands":["Microsoft"], "brand_matches_associated_domain":false, "reasons":"The domain'sesworld.com.au' does not match the legitimate domain associated with Microsoft, which is'microsoft.com'. The presence of a Microsoft logo and sign-in form does not necessarily indicate a legitimate website, as phishing sites often mimic legitimate websites to trick users into revealing sensitive information.", "brand_matches":[false], "url_match":true} |
URL: https://sesworld.com.au/mount/it/ Model: jbxai | { "phishing_score":8, "brands":["Sign in"], "brand_matches_associated_domain":false, "reasons":"The domain'sesworld.com.au' does not match the brand name 'Sign in' displayed on the webpage, which is a potential security risk. The presence of a country-code top-level domain '.com.au' suggests that the website is targeted towards Australian users, but the brand name does not indicate any association with a specific Australian service. The minimalistic design of the webpage is effective in guiding the user's attention towards the sign-in field, but this does not necessarily indicate legitimacy.", "brand_matches":[false], "url_match":true} |
URL: https://sesworld.com.au/mount/it/ Model: jbxai | { "brand":["Microsoft"], "contains_trigger_text":false, "prominent_button_name":"Next", "text_input_field_labels":["username", "password"], "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false} |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2673 |
Entropy (8bit): | 3.9867005441217542 |
Encrypted: | false |
SSDEEP: | |
MD5: | 955A3B3BB25C047AAC1AB4AA5426DAF7 |
SHA1: | C75C3E290D45DF57DB67C8FF19AE7146BA3AA946 |
SHA-256: | 316EA3BC6D772D5E1F474555D15517AA9BD5CFF809397FFDAEB995E92586CDA9 |
SHA-512: | 19E82C6657D0D54FE5F40C85B1ACB86A54517BC31907FDD3CB382F7D90943E499E1215353671B5A155683B9DCC4F15F8C509AD7ACF60278A9D2C72286F57BBCD |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2675 |
Entropy (8bit): | 4.000148624601767 |
Encrypted: | false |
SSDEEP: | |
MD5: | 19F3FD822908087F47E9E4A4859EFA6E |
SHA1: | F33DBD1A81BBFCF967868EFAABAC6D5D0EEC29D8 |
SHA-256: | 5EBC496C142DA7A5135065E9D3AC1232AFB5268BC4C8B2417612C2D5911D78DE |
SHA-512: | 77268174CD03B9B8FCB49C5697556FBE6E5F999A3514C205E9BB112835852F1BEC758317FD238AFD8ECE3E7A41A2F6A775B163D52CD39B8957871D7E3810DFD7 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2689 |
Entropy (8bit): | 4.010176009814871 |
Encrypted: | false |
SSDEEP: | |
MD5: | 42BDA2BF6BA74FB21DB3B140910559C6 |
SHA1: | B375895C5CEF0323F2ACEBE7E8D8B326871F41CE |
SHA-256: | 2622E90875F1346FC632A37852159976DD0E771A5699DDA0945D991938EC3270 |
SHA-512: | CC3C7511BD6C7F4A1CA7963948586E0105B600428884EDA5BAE318B5347495A55C976089DE6B08678DA7FEDF0F26C3B57656699A86237BACF24FF287CB6DDB2F |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2677 |
Entropy (8bit): | 4.001034619651623 |
Encrypted: | false |
SSDEEP: | |
MD5: | 094CFF00903614FB244D032169465DD7 |
SHA1: | 8C3E599A6D36A38629A3145E6C2A6419BC93F1C8 |
SHA-256: | F201B6B711F1DE83C0CEBED66E97A1DB17F4E847A64E574F6D636DF45B290C9C |
SHA-512: | 785944A3D43487E1AD456519E4FDB0E73A1ED8D10B0A4809A99FB5AA4368EFECA6131F8FB5C9E8E53B2159193E5DB0ED25462771F15288C11ABF8F9A553FFD24 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2677 |
Entropy (8bit): | 3.990917978707283 |
Encrypted: | false |
SSDEEP: | |
MD5: | F56773167385D5A03156BAA8BEE92C56 |
SHA1: | AD56F094F1FF36498D029399F9DFAA0501ED2903 |
SHA-256: | 1E196A35F6CE0397CA81917BEC5DC85C5A5019A1ED8A02BC1D15BC529033F559 |
SHA-512: | D815BFC138B59F9E9B3C431363C3C928836F0C3524BF02F915B5076273BBFEB590A73DCA4122F3CC0C97BD547850ACDACBD2E1F601848A0295E6A23A12F50065 |
Malicious: | false |
Reputation: | unknown |
Preview: |
Process: | C:\Program Files\Google\Chrome\Application\chrome.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 2679 |
Entropy (8bit): | 3.9978892561512223 |
Encrypted: | false |
SSDEEP: | |
MD5: | A592A46897A29CF2A8112310188FB0FA |
SHA1: | 8ABA8D48667D0176D7DD431C9678849E076B158D |
SHA-256: | 1039714F260945B1B7131984A525E1D493346C80934797839565C599CC9099D2 |
SHA-512: | 264DADD1F6DB019F3F08647FBF9AD12E3F276408641205E5B7A3A0D869CC19645A65302A77A2AE701B5AAB6CF37D88611B2329242E24EA8E3A67E72C49508823 |
Malicious: | false |
Reputation: | unknown |
Preview: |