Edit tour

Windows Analysis Report
https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html

Overview

General Information

Sample URL:	https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html
Analysis ID:	1573100
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6036 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 4296 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1896,i,9149607101538544285,17673565549527435464,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6496 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

HTTP traffic detected: HTTP/1.1 403 Forbiddenx-amz-request-id: R51MKM1H4ZG7YBT6x-amz-id-2: rERn4QjkLF6354XUGcKCvOanku2x34a1hn9COU8UYiegCNF3epFuNnGt6TqNb6QThy0O/WoE9Cg=Content-Type: application/xmlTransfer-Encoding: chunkedDate: Wed, 11 Dec 2024 13:35:33 GMTServer: AmazonS3Connection: close

Source: https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html	HTTP Parser: No favicon
Source: https://serwerf3jzj8psi6.s3.us-east-1.amazonaws.com/index.html	HTTP Parser: No favicon

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.58.101
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.58.101
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.58.101
Source: unknown	TCP traffic detected without corresponding DNS query: 217.20.58.101
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /index.html HTTP/1.1Host: serwerf3jzj8psi6.s3.us-east-1.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://5qc68jhomepl.blob.core.windows.net/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: serwerf3jzj8psi6.s3.us-east-1.amazonaws.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://serwerf3jzj8psi6.s3.us-east-1.amazonaws.com/index.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: serwerf3jzj8psi6.s3.us-east-1.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: poczta-homepl.serwer-p8313.website

Source: chromecache_43.2.dr	String found in binary or memory: https://poczta-homepl.serwer-p8313.website/index.php
Source: chromecache_44.2.dr	String found in binary or memory: https://serwerf3jzj8psi6.s3.us-east-1.amazonaws.com/index.html

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1896,i,9149607101538544285,17673565549527435464,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1896,i,9149607101538544285,17673565549527435464,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Source	Detection	Scanner	Label	Link
https://serwerf3jzj8psi6.s3.us-east-1.amazonaws.com/favicon.ico	0%	Avira URL Cloud	safe
https://poczta-homepl.serwer-p8313.website/index.php	100%	Avira URL Cloud	phishing

Name	IP	Active	Malicious	Reputation
poczta-homepl.serwer-p8313.website	54.183.66.131	true	false	unknown
www.google.com	142.250.181.68	true	false	high
s3-r-w.us-east-1.amazonaws.com	52.217.41.32	true	false	high
serwerf3jzj8psi6.s3.us-east-1.amazonaws.com	unknown	unknown	false	unknown

IP	Domain	Country	ASN	ASN Name	Malicious
52.217.41.32	s3-r-w.us-east-1.amazonaws.com	United States	16509	AMAZON-02US	false
54.183.66.131	poczta-homepl.serwer-p8313.website	United States	16509	AMAZON-02US	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.181.68	www.google.com	United States	15169	GOOGLEUS	false

IP
192.168.2.17
192.168.2.7
192.168.2.4
192.168.2.5

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573100
Start date and time:	2024-12-11 14:34:24 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.win@23/8@6/8
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	226
Entropy (8bit):	5.288394584522058
Encrypted:	false
SSDEEP:	6:JiMVBdgqZj8DHgWdzRiAU2uvxV16QTHRl4KRIOaXx/mXg6n:MMHdVBMHgWdzR056cl46aX5mw6
MD5:	859A6FE9D2799E46CFBE1DBFAAA0BC02
SHA1:	C04A2E4893C1F45E64D834F0AB8C39E7C945C828
SHA-256:	82445245F21FED3F3A938B29EDDE2D94B9E4F8D4FC2117DD8C14F7D8EC6E97EB
SHA-512:	D76A1D6E12949A2328859F1C2B7315E0D7D71A50A6744DC990B6FFDE580064C585F401F369CC5F2268B06BD1F798AD0BB29F609584FC0F9CAB9ACD85522AFE02
Malicious:	false
Reputation:	low
URL:	https://5qc68jhomepl.blob.core.windows.net/favicon.ico
Preview:	.<?xml version="1.0" encoding="utf-8"?><Error><Code>OutOfRangeInput</Code><Message>One of the request inputs is out of range..RequestId:49584c51-901e-006e-6ed1-4be656000000.Time:2024-12-11T13:35:32.2264683Z</Message></Error>

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 14:35:21.806946039 CET	49675	443	192.168.2.4	173.222.162.32
Dec 11, 2024 14:35:27.804953098 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:27.804997921 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:27.805089951 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:27.805340052 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:27.805356026 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:29.503688097 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:29.503976107 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:29.503985882 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:29.505059958 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:29.505176067 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:29.512998104 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:29.513211012 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:29.557280064 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:29.557297945 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:29.605884075 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:32.327212095 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:32.327269077 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:32.327409983 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:32.327749014 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:32.327789068 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:32.327956915 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:32.327971935 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:32.328088045 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:32.328250885 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:32.328262091 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.757411957 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.757797003 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.757859945 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.758605003 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.758893013 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.758966923 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.758991003 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.759058952 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.762960911 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.763051033 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.763334036 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.763351917 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.763710976 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.763726950 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.764532089 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.764667988 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.764682055 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.764803886 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.766038895 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.766268969 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.807086945 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.807243109 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:33.807261944 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:33.853327990 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:34.258070946 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:34.258306026 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:34.258452892 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:34.289151907 CET	49742	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:34.289172888 CET	443	49742	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:34.345972061 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:34.387326956 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:34.684042931 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:34.684178114 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:34.684274912 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:34.685313940 CET	49743	443	192.168.2.4	52.217.41.32
Dec 11, 2024 14:35:34.685353041 CET	443	49743	52.217.41.32	192.168.2.4
Dec 11, 2024 14:35:34.815476894 CET	49744	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:35:34.815502882 CET	443	49744	54.183.66.131	192.168.2.4
Dec 11, 2024 14:35:34.815550089 CET	49744	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:35:34.815952063 CET	49744	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:35:34.815963984 CET	443	49744	54.183.66.131	192.168.2.4
Dec 11, 2024 14:35:34.816373110 CET	49745	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:35:34.816411972 CET	443	49745	54.183.66.131	192.168.2.4
Dec 11, 2024 14:35:34.816464901 CET	49745	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:35:34.816730976 CET	49745	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:35:34.816747904 CET	443	49745	54.183.66.131	192.168.2.4
Dec 11, 2024 14:35:39.072695017 CET	80	49723	217.20.58.101	192.168.2.4
Dec 11, 2024 14:35:39.076736927 CET	49723	80	192.168.2.4	217.20.58.101
Dec 11, 2024 14:35:39.076736927 CET	49723	80	192.168.2.4	217.20.58.101
Dec 11, 2024 14:35:39.190229893 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:39.190300941 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:39.190468073 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:39.197367907 CET	80	49723	217.20.58.101	192.168.2.4
Dec 11, 2024 14:35:39.621237040 CET	49737	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:35:39.621275902 CET	443	49737	142.250.181.68	192.168.2.4
Dec 11, 2024 14:35:52.927826881 CET	80	49724	217.20.58.101	192.168.2.4
Dec 11, 2024 14:35:52.927999020 CET	49724	80	192.168.2.4	217.20.58.101
Dec 11, 2024 14:35:52.928072929 CET	49724	80	192.168.2.4	217.20.58.101
Dec 11, 2024 14:35:53.047840118 CET	80	49724	217.20.58.101	192.168.2.4
Dec 11, 2024 14:36:04.822757959 CET	49744	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:04.822885990 CET	49745	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:04.822906971 CET	443	49744	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:04.822969913 CET	49744	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:04.823084116 CET	443	49745	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:04.823139906 CET	49745	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:06.013839006 CET	49753	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:06.013883114 CET	443	49753	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:06.014019012 CET	49753	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:06.014281034 CET	49754	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:06.014318943 CET	443	49754	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:06.014432907 CET	49754	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:06.014579058 CET	49753	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:06.014590979 CET	443	49753	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:06.014761925 CET	49754	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:06.014774084 CET	443	49754	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:27.085151911 CET	49783	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:27.085201979 CET	443	49783	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:27.085283995 CET	49783	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:27.085494041 CET	49783	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:27.085506916 CET	443	49783	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:27.729044914 CET	49784	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:36:27.729110956 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:27.729191065 CET	49784	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:36:27.729420900 CET	49784	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:36:27.729433060 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:29.427134037 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:29.427753925 CET	49784	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:36:29.427787066 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:29.428913116 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:29.429267883 CET	49784	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:36:29.429457903 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:29.482245922 CET	49784	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:36:34.838974953 CET	49800	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:34.839019060 CET	443	49800	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:34.839107990 CET	49800	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:34.839369059 CET	49800	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:34.839381933 CET	443	49800	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:36.023253918 CET	49753	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:36.023469925 CET	49754	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:36.023570061 CET	443	49753	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:36.023643970 CET	49753	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:36.023657084 CET	443	49754	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:36.023713112 CET	49754	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:39.117054939 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:39.117104053 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:39.117153883 CET	49784	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:36:39.619431019 CET	49784	443	192.168.2.4	142.250.181.68
Dec 11, 2024 14:36:39.619468927 CET	443	49784	142.250.181.68	192.168.2.4
Dec 11, 2024 14:36:41.050863981 CET	49816	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:41.050901890 CET	443	49816	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:41.050970078 CET	49816	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:41.051183939 CET	49816	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:41.051194906 CET	443	49816	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:42.564536095 CET	49822	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:42.564588070 CET	443	49822	54.183.66.131	192.168.2.4
Dec 11, 2024 14:36:42.564682007 CET	49822	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:42.564894915 CET	49822	443	192.168.2.4	54.183.66.131
Dec 11, 2024 14:36:42.564905882 CET	443	49822	54.183.66.131	192.168.2.4

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 14:35:23.268094063 CET	53	53788	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:23.310648918 CET	53	55182	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:26.089129925 CET	53	63975	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:27.666707039 CET	62992	53	192.168.2.4	1.1.1.1
Dec 11, 2024 14:35:27.666754007 CET	49843	53	192.168.2.4	1.1.1.1
Dec 11, 2024 14:35:27.803607941 CET	53	62992	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:27.803733110 CET	53	49843	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:32.018529892 CET	54044	53	192.168.2.4	1.1.1.1
Dec 11, 2024 14:35:32.018882036 CET	63119	53	192.168.2.4	1.1.1.1
Dec 11, 2024 14:35:32.299144030 CET	53	63119	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:32.326391935 CET	53	54044	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:34.325158119 CET	61797	53	192.168.2.4	1.1.1.1
Dec 11, 2024 14:35:34.325510979 CET	50127	53	192.168.2.4	1.1.1.1
Dec 11, 2024 14:35:34.813090086 CET	53	50127	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:34.814809084 CET	53	61797	1.1.1.1	192.168.2.4
Dec 11, 2024 14:35:38.469259977 CET	138	138	192.168.2.4	192.168.2.255
Dec 11, 2024 14:35:42.977056980 CET	53	59266	1.1.1.1	192.168.2.4
Dec 11, 2024 14:36:01.992031097 CET	53	64140	1.1.1.1	192.168.2.4
Dec 11, 2024 14:36:04.460644960 CET	53	58027	1.1.1.1	192.168.2.4
Dec 11, 2024 14:36:23.165323973 CET	53	51700	1.1.1.1	192.168.2.4
Dec 11, 2024 14:36:24.585926056 CET	53	54840	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-12-11 13:35:33 UTC	736	OUT	GET /index.html HTTP/1.1 Host: serwerf3jzj8psi6.s3.us-east-1.amazonaws.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://5qc68jhomepl.blob.core.windows.net/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-11 13:35:34 UTC	413	IN	HTTP/1.1 200 OK x-amz-id-2: hYX1h26RvGkp9yBz2ruyOGWZ28B3h/asTVcZbhYMnhNNC7P7ExenyxaenLeiHm7wUhKT/wXM4BA= x-amz-request-id: R51WRCZCVK07DCKT Date: Wed, 11 Dec 2024 13:35:35 GMT Last-Modified: Wed, 11 Dec 2024 11:12:10 GMT ETag: "27c945c9e99f208e84d6004d0ce9c5ef" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: text/html Content-Length: 466 Server: AmazonS3 Connection: close
2024-12-11 13:35:34 UTC	466	IN	Data Raw: ff fe 3c 00 68 00 74 00 6d 00 6c 00 3e 00 0d 00 0a 00 3c 00 68 00 65 00 61 00 64 00 3e 00 0d 00 0a 00 3c 00 6d 00 65 00 74 00 61 00 20 00 68 00 74 00 74 00 70 00 2d 00 65 00 71 00 75 00 69 00 76 00 3d 00 22 00 43 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 2d 00 54 00 79 00 70 00 65 00 22 00 20 00 63 00 6f 00 6e 00 74 00 65 00 6e 00 74 00 3d 00 22 00 74 00 65 00 78 00 74 00 2f 00 68 00 74 00 6d 00 6c 00 3b 00 20 00 63 00 68 00 61 00 72 00 73 00 65 00 74 00 3d 00 69 00 73 00 6f 00 2d 00 38 00 38 00 35 00 39 00 2d 00 31 00 22 00 20 00 2f 00 3e 00 0d 00 0a 00 3c 00 74 00 69 00 74 00 6c 00 65 00 3e 00 3c 00 2f 00 74 00 69 00 74 00 6c 00 65 00 3e 00 0d 00 0a 00 3c 00 62 00 6f 00 64 00 79 00 3e 00 0d 00 0a 00 3c 00 6d 00 65 00 74 00 61 00 20 00 68 00 74 00 74 00 70 Data Ascii: <html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /><title></title><body><meta http

Timestamp	Bytes transferred	Direction	Data
2024-12-11 13:35:34 UTC	652	OUT	GET /favicon.ico HTTP/1.1 Host: serwerf3jzj8psi6.s3.us-east-1.amazonaws.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://serwerf3jzj8psi6.s3.us-east-1.amazonaws.com/index.html Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-12-11 13:35:34 UTC	285	IN	HTTP/1.1 403 Forbidden x-amz-request-id: R51MKM1H4ZG7YBT6 x-amz-id-2: rERn4QjkLF6354XUGcKCvOanku2x34a1hn9COU8UYiegCNF3epFuNnGt6TqNb6QThy0O/WoE9Cg= Content-Type: application/xml Transfer-Encoding: chunked Date: Wed, 11 Dec 2024 13:35:33 GMT Server: AmazonS3 Connection: close
2024-12-11 13:35:34 UTC	254	IN	Data Raw: 66 33 0d 0a 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0a 3c 45 72 72 6f 72 3e 3c 43 6f 64 65 3e 41 63 63 65 73 73 44 65 6e 69 65 64 3c 2f 43 6f 64 65 3e 3c 4d 65 73 73 61 67 65 3e 41 63 63 65 73 73 20 44 65 6e 69 65 64 3c 2f 4d 65 73 73 61 67 65 3e 3c 52 65 71 75 65 73 74 49 64 3e 52 35 31 4d 4b 4d 31 48 34 5a 47 37 59 42 54 36 3c 2f 52 65 71 75 65 73 74 49 64 3e 3c 48 6f 73 74 49 64 3e 72 45 52 6e 34 51 6a 6b 4c 46 36 33 35 34 58 55 47 63 4b 43 76 4f 61 6e 6b 75 32 78 33 34 61 31 68 6e 39 43 4f 55 38 55 59 69 65 67 43 4e 46 33 65 70 46 75 4e 6e 47 74 36 54 71 4e 62 36 51 54 68 79 30 4f 2f 57 6f 45 39 43 67 3d 3c 2f 48 6f 73 74 49 64 3e 3c 2f 45 72 72 6f 72 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: f3<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>R51MKM1H4ZG7YBT6</RequestId><HostId>rERn4QjkLF6354XUGcKCvOanku2x34a1hn9COU8UYiegCNF3epFuNnGt6TqNb6QThy0O/WoE9Cg=</HostId></Error>0

Target ID:	0
Start time:	08:35:17
Start date:	11/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	2
Start time:	08:35:21
Start date:	11/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=1896,i,9149607101538544285,17673565549527435464,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	3
Start time:	08:35:27
Start date:	11/12/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html"
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 42

Chrome Cache Entry: 43

Chrome Cache Entry: 44

Chrome Cache Entry: 45

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6036, Parent PID: 2120

General

Chronological Activities

Analysis Process: chrome.exePID: 4296, Parent PID: 6036

General

Chronological Activities

Analysis Process: chrome.exePID: 6496, Parent PID: 2120

General

Chronological Activities

Disassembly

Windows Analysis Report
https://5qc68jhomepl.blob.core.windows.net/9x0f8/index.html

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre