
Analysis Report exchangeserver_frontend_httpproxy_owa_auth_signin.aspx

Overview

General Information

Sample Name: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx
Analysis ID: 366002
MD5: 0061d327e1ddbb82cc7dbab58834585a
SHA1: b03c388e21ebdd5721abec17cb71e2b9bb76555d
SHA256: 1462db256a9646f4c35f49f626a9042d0f993b0e11508d824348e3eacec9bb56

Errors
  • Nothing to analyse, Joe Sandbox has not found any analysis process or sample
  • Corrupt sample or wrongly selected analyzer. Details: 80040153

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara signature match

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner (scale: clean, suspicious, malicious)

Malware Configuration

No configs have been found
Yara matches (columns: Source; Rule; Description; Author; Strings):
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx; Rule: IronTiger_ASPXSpy; Description: ASPXSpy detection. It might be used by other fraudsters; Author: Cyber Safety Solutions, Trend Micro; Strings:
  • 0xa60b:$str2: IIS Spy
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx; Rule: IronPanda_Webshell_JSP; Description: Iron Panda Malware JSP; Author: Florian Roth; Strings:
  • 0xd7ed:$s1: Bin_ExecSql("exec master..xp_cmdshell'bcp \"select safile from " + db + "..bin_temp\" queryout \"" + Bin_TextBox_SaveP
  • 0xc0fd:$s2: tc.Text="<a href=\"javascript:Bin_PostBack('zcg_ClosePM','"+Bin_ToBase64(de.Key.ToString())+"')\">Close</a>";
  • 0xd25f:$s3: Bin_ExecSql("IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp");
  • 0xd2af:$s3: Bin_ExecSql("IF OBJECT_ID('bin_temp')IS NOT NULL DROP TABLE bin_temp");
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx; Rule: webshell_asp_generic_eval; Description: Generic ASP webshell which uses any eval/exec function directly on user input; Author: Arnim Rupp; Strings:
  • 0x137c5:$payload_and_input2: execute(request(
  • 0x13873:$payload_and_input2: execute(request(
  • 0x13ab4:$payload_and_input2: execute(request(
  • 0x13c3d:$payload_and_input2: execute(request(
  • 0x0:$tagasp_short: <%
  • 0x7f:$tagasp_short: <%
  • 0xa2:$tagasp_short: <%
  • 0xd1:$tagasp_short: <%
  • 0xfd:$tagasp_short: <%
  • 0x122:$tagasp_short: <%
  • 0x14d:$tagasp_short: <%
  • 0x179:$tagasp_short: <%
  • 0x1a8:$tagasp_short: <%
  • 0x1d1:$tagasp_short: <%
  • 0x1f6:$tagasp_short: <%
  • 0x223:$tagasp_short: <%
  • 0x24e:$tagasp_short: <%
  • 0x286:$tagasp_short: <%
  • 0x2b8:$tagasp_short: <%
  • 0x2e7:$tagasp_short: <%
  • 0x31f:$tagasp_short: <%
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx; Rule: webshell_csharp_generic; Description: Webshell in C#; Author: Arnim Rupp; Strings:
  • 0x1240:$input_http: Request.
  • 0x129b:$input_http: Request.
  • 0x171a:$input_http: Request.
  • 0x1744:$input_http: Request.
  • 0x176f:$input_http: Request.
  • 0x2e21:$input_http: Request.
  • 0x2e59:$input_http: Request.
  • 0x2eac:$input_http: Request.
  • 0x4506:$input_http: Request.
  • 0x5a8e:$input_http: Request.
  • 0x5ae9:$input_http: Request.
  • 0x5b13:$input_http: Request.
  • 0x5bbe:$input_http: Request.
  • 0x9750:$input_http: Request.
  • 0xfca8:$input_http: Request.
  • 0x10485:$input_form1: <asp:
  • 0x104e5:$input_form1: <asp:
  • 0x10742:$input_form1: <asp:
  • 0x107bb:$input_form1: <asp:
  • 0x10835:$input_form1: <asp:
  • 0x108ad:$input_form1: <asp:
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx; Rule: webshell_generic_os_strings; Description: typical webshell strings; Author: Arnim Rupp; Strings:
  • 0x0:$tagasp_short: <%
  • 0x7f:$tagasp_short: <%
  • 0xa2:$tagasp_short: <%
  • 0xd1:$tagasp_short: <%
  • 0xfd:$tagasp_short: <%
  • 0x122:$tagasp_short: <%
  • 0x14d:$tagasp_short: <%
  • 0x179:$tagasp_short: <%
  • 0x1a8:$tagasp_short: <%
  • 0x1d1:$tagasp_short: <%
  • 0x1f6:$tagasp_short: <%
  • 0x223:$tagasp_short: <%
  • 0x24e:$tagasp_short: <%
  • 0x286:$tagasp_short: <%
  • 0x2b8:$tagasp_short: <%
  • 0x2e7:$tagasp_short: <%
  • 0x31f:$tagasp_short: <%
  • 0x348:$tagasp_short: <%
  • 0x37d:$tagasp_short: <%
  • 0x3a7:$tagasp_short: <%
  • 0x416:$tagasp_short: <%

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx; String found in binary or memory: http://www.rootkit.net.cn

System Summary:

Malicious sample detected (through community Yara rule)
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx, type: SAMPLE; Matched rule: ASPXSpy detection. It might be used by other fraudsters; Author: Cyber Safety Solutions, Trend Micro
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx, type: SAMPLE; Matched rule: Detect ASPXSpy; Author: xylitol@temari.fr
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx, type: SAMPLE; Matched rule: IronTiger_ASPXSpy; author = Cyber Safety Solutions, Trend Micro; description = ASPXSpy detection. It might be used by other fraudsters; reference = http://goo.gl/T5fSJC
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx, type: SAMPLE; Matched rule: IronPanda_Webshell_JSP; date = 2015-09-16; author = Florian Roth; description = Iron Panda Malware JSP; reference = https://goo.gl/E4qia9; license = https://creativecommons.org/licenses/by-nc/4.0/; hash = 3be95477e1d9f3877b4355cff3fbcdd3589bb7f6349fd4ba6451e1e9d32b7fa6
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx, type: SAMPLE; Matched rule: webshell_asp_generic_eval; date = 2021/01/07; author = Arnim Rupp; description = Generic ASP webshell which uses any eval/exec function directly on user input; license = https://creativecommons.org/licenses/by-nc/4.0/; hash = a1df4cfb978567c4d1c353e988915c25c19a0e4a
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx, type: SAMPLE; Matched rule: webshell_csharp_generic; date = 2021/01/11; author = Arnim Rupp; description = Webshell in C#; license = https://creativecommons.org/licenses/by-nc/4.0/; hash = b6721683aadc4b4eba4f081f2bc6bc57adfc0e378f6d80e2bfa0b1e3e57c85c7
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx, type: SAMPLE; Matched rule: webshell_generic_os_strings; date = 2021/01/12; author = Arnim Rupp; description = typical webshell strings; license = https://creativecommons.org/licenses/by-nc/4.0/; hash = 543b1760d424aa694de61e6eb6b3b959dee746c2
Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx, type: SAMPLE; Matched rule: Backdoor_WebShell_asp; date = 2019-02-26; author = xylitol@temari.fr; description = Detect ASPXSpy
Source: classification engine; Classification label: mal48.winASPX@0/0@0/0

Mitre Att&ck Matrix

No Mitre Att&ck techniques found
Behavior Graph ID: 366002; Sample: exchangeserver_frontend_htt...; Start date: 10/03/2021; Architecture: WINDOWS; Score: 48; Node: Malicious sample detected (through community Yara rule)

No Antivirus matches
URL scan results (columns: Source; Detection; Scanner; Label):
Source: http://www.rootkit.net.cn; Detection: 0%; Scanner: Virustotal
Source: http://www.rootkit.net.cn; Scanner: Avira URL Cloud; Label: safe
No contacted domains info
URLs (columns: Name; Source; Malicious; Antivirus Detection; Reputation):
Name: http://www.rootkit.net.cn; Source: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx; Malicious: false
  • Antivirus Detection: 0%, Virustotal
  • Antivirus Detection: Avira URL Cloud: safe
  • Reputation: unknown
No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 366002
Start date: 10.03.2021
Start time: 09:54:02
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 1m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winASPX@0/0@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Unable to launch sample, stop analysis
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
No simulations
No context
No created / dropped files found

Static File Info

General

File type: HTML document, ASCII text, with very long lines
Entropy (8bit): 5.493144485168071
TrID:
  • Microsoft ASP.NET Web Form (20509/1) 26.12%
  • HyperText Markup Language (12001/1) 15.29%
  • HyperText Markup Language (12001/1) 15.29%
  • HyperText Markup Language (11501/1) 14.65%
  • HyperText Markup Language (11501/1) 14.65%
File name: exchangeserver_frontend_httpproxy_owa_auth_signin.aspx
File size: 92962
MD5: 0061d327e1ddbb82cc7dbab58834585a
SHA1: b03c388e21ebdd5721abec17cb71e2b9bb76555d
SHA256: 1462db256a9646f4c35f49f626a9042d0f993b0e11508d824348e3eacec9bb56
SHA512: bcebe35c3a524fb253e1595116fe9f9b5396be06d63f90b1bb9c187475930bfb943074fa2910448c3d14b4d7f48ab68b2fd4669e7b7dd59e92f9bb4c4188cdf3
SSDEEP: 1536:L9UToBXN7aC5zimqgFagDDDPLFWGB7AL8X7OyXI7PdxUFbEoM/ct73G8r6zWS52v:+oBXN7a+jqGvyL8X7OyXI7PdxUFbEoMm
File Content Preview: <%@ Page Language="C#" Debug="false" trace="false" validateRequest="false" EnableViewStateMac="false" EnableViewState="true"%>.<%@ import Namespace="System.IO"%>.<%@ import Namespace="System.IO.Compression"%>.<%@ import Namespace="System.Diagnostics"%>.<%

File Icon

Icon Hash: 74f0e4e4e4e4e0e4

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Disassembly