Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 20:00:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Category:	dropped
Dump:	Docs.lnk.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 20:00:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.98901072698485
Encrypted:	false
Size:	2673
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Category:	dropped
Dump:	Gmail.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 20:00:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.005918548021191
Encrypted:	false
Size:	2675
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Category:	dropped
Dump:	Google Drive.lnk.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.012781938410025
Encrypted:	false
Size:	2689
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Category:	dropped
Dump:	Sheets.lnk.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 20:00:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.002260652146828
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Category:	dropped
Dump:	Slides.lnk.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 20:00:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	3.9926788877738275
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Category:	dropped
Dump:	YouTube.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Mon Dec 23 20:00:10 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Entropy:	4.00271163680095
Encrypted:	false
Size:	2679
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

URLs

Name

Malicious

https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D

Details

Filetype:

URL

Filename:

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing	Extra Window Memory Injection
Yara detected HtmlPhish10	Phishing	Extra Window Memory Injection
AI detected suspicious URL	Phishing	Browser Extensions Extra Window Memory Injection
HTML page contains obfuscated javascript	Phishing	Extra Window Memory Injection
HTML body contains low number of good links	Phishing
HTML body contains password input but no form action	Phishing	Extra Window Memory Injection
HTML body with high number of embedded images detected	Phishing	Extra Window Memory Injection
HTML page contains hidden javascript code	Phishing	Extra Window Memory Injection
HTML title does not match URL	Phishing	Extra Window Memory Injection
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Allocates a big amount of memory (probably used for heap spraying)	Software Vulnerabilities	Extra Window Memory Injection
Classification label	System Summary	Extra Window Memory Injection
Connects to IPs without corresponding DNS lookups	Networking	Extra Window Memory Injection
Creates files inside the program directory	System Summary
Creates files inside the user directory	System Summary	Masquerading
Downloads files from webservers via HTTP	Networking	Extra Window Memory Injection Ingress Tool Transfer
HTML body contains password input	Phishing	Extra Window Memory Injection
META author tag missing	Phishing
META copyright tag missing	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Creates a directory in C:\Program Files	Compliance, System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://b1.kikjsds2.sa.com/.ufc/ko/index.html#sean_bolser@fd.org

Details

Name:	https://b1.kikjsds2.sa.com/.ufc/ko/index.html#sean_bolser@fd.org
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
AI detected phishing page	Phishing
HTML page contains obfuscated javascript	Phishing
HTML body contains low number of good links	Phishing
HTML body contains password input but no form action	Phishing
HTML body with high number of embedded images detected	Phishing
HTML page contains hidden javascript code	Phishing
HTML title does not match URL	Phishing
HTML body contains password input	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

https://b1.kikjsds2.sa.com/.ufc/ko/index.html?email=%5B%5B-Email-%5D%5D&domain=US%5Cyou_suck_badguyz%40hotmail.com&password=Y0lo69420%21%21&passwordText=#sean_bolser@fd.org

Details

Name:	https://b1.kikjsds2.sa.com/.ufc/ko/index.html?email=%5B%5B-Email-%5D%5D&domain=US%5Cyou_suck_badguyz%40hotmail.com&password=Y0lo69420%21%21&passwordText=#sean_bolser@fd.org
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
AI detected suspicious URL	Phishing	Browser Extensions
HTML page contains obfuscated javascript	Phishing

http://gdgp.chinaxinge.com/wx/wx_callback.asp?gourl=https://globaljubileemission.org/mov/tkjllpwxlz/c2Vhbl9ib2xzZXJAZmQub3Jn

59.110.245.35

https://globaljubileemission.org/mov/tkjllpwxlz/c2Vhbl9ib2xzZXJAZmQub3Jn

Details

Name:	https://globaljubileemission.org/mov/tkjllpwxlz/c2Vhbl9ib2xzZXJAZmQub3Jn
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

Domains

Name

Malicious

b1.kikjsds2.sa.com

212.28.188.11

east.exch091.serverdata.net

64.78.27.34

code.jquery.com

151.101.66.137

sjumyf5cfmmxl0qyv4rihlza8xxbovck.yundunwaf2.com

59.110.245.35

cdnjs.cloudflare.com

104.17.25.14

maxcdn.bootstrapcdn.com

104.18.10.207

u48917305.ct.sendgrid.net

167.89.115.147

www.google.com

142.250.181.68

globaljubileemission.org

198.251.89.144

gdgp.chinaxinge.com

unknown

IPs

Domain

Country

Malicious

212.28.188.11

b1.kikjsds2.sa.com

Italy

104.17.24.14

unknown

United States

172.217.19.238

unknown

United States

1.1.1.1

unknown

Australia

104.18.10.207

maxcdn.bootstrapcdn.com

United States

167.89.115.147

u48917305.ct.sendgrid.net

United States

64.78.27.34

east.exch091.serverdata.net

United States

172.217.17.35

unknown

United States

172.217.17.46

unknown

United States

59.110.245.35

sjumyf5cfmmxl0qyv4rihlza8xxbovck.yundunwaf2.com

China

192.168.2.16

unknown

239.255.255.250

unknown

Reserved

198.251.89.144

globaljubileemission.org

United States

151.101.66.137

code.jquery.com

United States

172.217.21.35

unknown

United States

64.233.161.84

unknown

United States

142.250.181.68

www.google.com

United States

151.101.194.137

unknown

United States

142.250.181.10

unknown

United States

104.17.25.14

cdnjs.cloudflare.com

United States

There are 10 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Files

URLs

Domains

IPs