Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 16:47:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Category:	dropped
Dump:	Docs.lnk.0.dr
ID:	dr_5
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 16:47:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Entropy:	3.9901602229317636
Encrypted:	false
Size:	2677
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Category:	dropped
Dump:	Gmail.lnk.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 16:47:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Entropy:	4.005937876759027
Encrypted:	false
Size:	2679
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Category:	dropped
Dump:	Google Drive.lnk.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Entropy:	4.013640931248565
Encrypted:	false
Size:	2693
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 16:47:14 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Category:	dropped
Dump:	Sheets.lnk.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 16:47:14 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Entropy:	4.00424710470785
Encrypted:	false
Size:	2681
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Category:	dropped
Dump:	Slides.lnk.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 16:47:15 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Entropy:	3.991927050764045
Encrypted:	false
Size:	2681
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 16:47:14 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide

dropped

Details

File:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Category:	dropped
Dump:	YouTube.lnk.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Oct 31 16:47:14 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Entropy:	4.004661658836566
Encrypted:	false
Size:	2683
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder

URLs

Name

Malicious

https://swhvsghw.blob.core.windows.net/debhje/bhde.html

Details

Filetype:	URL
Filename:	https://swhvsghw.blob.core.windows.net/debhje/bhde.html

Signature Hits	Behavior Group	Mitre Attack
Detected non-DNS traffic on DNS port	Networking
HTML body contains low number of good links	Phishing
HTML page contains hidden javascript code	Phishing
HTML title does not match URL	Phishing
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Suspicious form URL found	Phishing	Obfuscated Files or Information
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the program directory	System Summary
Creates files inside the user directory	System Summary	Masquerading
Found iframes	Phishing	Drive-by Compromise
HTML page is missing a favicon	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking	Application Layer Protocol
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Creates a directory in C:\Program Files	Compliance, System Summary
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://grandprizetrail.com/z/v2/ipad-magic-key/?affid=1309&subAff=&c1=1857&c2=INMe08d2a2f443dcb9&c3=&c4=&c7=&c8=&c9=&c10=&c11=&c12=&c13=&click_id=ae731d0ef96e4f1982cf9cdd0db267e6

Details

Name:	https://grandprizetrail.com/z/v2/ipad-magic-key/?affid=1309&subAff=&c1=1857&c2=INMe08d2a2f443dcb9&c3=&c4=&c7=&c8=&c9=&c10=&c11=&c12=&c13=&click_id=ae731d0ef96e4f1982cf9cdd0db267e6
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML title does not match URL	Phishing
Suspicious form URL found	Phishing	Obfuscated Files or Information
Found iframes	Phishing	Drive-by Compromise
HTML page is missing a favicon	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

https://www.technojoyhaven.com/smart-watch/GKP-2CL/checkout.php?AFFID=18&C1=68&C2=wbd0quo2gmvun995jsi5vq4q&C3=&C4=&C5=5d75cf61654a4d578d9e9caaf73a5f8a&click_id=4c14e7ecc86746fc985839b1e1c74e31

Details

Name:	https://www.technojoyhaven.com/smart-watch/GKP-2CL/checkout.php?AFFID=18&C1=68&C2=wbd0quo2gmvun995jsi5vq4q&C3=&C4=&C5=5d75cf61654a4d578d9e9caaf73a5f8a&click_id=4c14e7ecc86746fc985839b1e1c74e31
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML title does not match URL	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing

Domains

Name

Malicious

android.l.google.com

216.58.212.174

grandprizetrail.com

172.67.213.156

stun4.l.google.com

74.125.250.129

a.nel.cloudflare.com

35.190.80.1

cdn.pushnami.com

18.244.18.49

stun3.l.google.com

74.125.250.129

trc.pushnami.com

52.71.167.26

psp.pushnami.com

34.199.24.114

pushrev.pushbroker.com

188.114.97.3

mobile-gtalk.l.google.com

74.125.206.188

www.workjamtech.com

103.191.132.68

insightsandmarkets.com

188.114.96.3

tracknshosp.com

188.114.97.3

t4.catalystquasar.com

188.114.96.3

www.nadstrackify.com

104.21.75.26

videos.techtreasureworld.com

66.135.0.127

pushlite.pushbroker.com

188.114.96.3

clipresource.com

104.21.31.175

www.swagtrk.com

35.241.26.240

www.google.com

142.250.185.68

kaxo.linkcollectiveads.com

188.114.96.3

api.pushnami.com

13.32.99.54

www.technojoyhaven.com

104.21.27.249

www.dmj52yrtk.com

34.110.166.184

There are 14 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

142.250.186.67

unknown

United States

52.71.167.26

trc.pushnami.com

United States

192.168.2.17

unknown

192.168.2.16

unknown

13.32.99.63

unknown

United States

34.199.24.114

psp.pushnami.com

United States

18.244.18.49

cdn.pushnami.com

United States

18.238.243.120

unknown

United States

103.191.132.68

www.workjamtech.com

unknown

34.110.166.184

www.dmj52yrtk.com

United States

35.190.80.1

a.nel.cloudflare.com

United States

216.58.212.174

android.l.google.com

United States

172.217.18.10

unknown

United States

74.125.250.129

stun4.l.google.com

United States

142.250.185.68

www.google.com

United States

1.1.1.1

unknown

Australia

108.177.15.84

unknown

United States

104.21.37.219

unknown

United States

172.217.16.206

unknown

United States

44.215.174.252

unknown

United States

142.250.186.163

unknown

United States

57.150.87.129

unknown

Belgium

172.67.213.156

grandprizetrail.com

United States

172.217.18.3

unknown

United States

13.32.99.54

api.pushnami.com

United States

3.212.247.119

unknown

United States

142.250.185.234

unknown

United States

104.21.27.249

www.technojoyhaven.com

United States

216.58.206.42

unknown

United States

74.125.206.188

mobile-gtalk.l.google.com

United States

66.135.0.127

videos.techtreasureworld.com

United States

142.250.186.106

unknown

United States

142.250.185.170

unknown

United States

239.255.255.250

unknown

Reserved

188.114.97.3

pushrev.pushbroker.com

European Union

188.114.96.3

insightsandmarkets.com

European Union

142.250.186.142

unknown

United States

104.21.31.175

clipresource.com

United States

142.250.186.42

unknown

United States

104.21.75.26

www.nadstrackify.com

United States

142.250.185.74

unknown

United States

35.241.26.240

www.swagtrk.com

United States

There are 32 hidden IPs, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
https://swhvsghw.blob.core.windows.net/debhje/bhde.html

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Reporthttps://swhvsghw.blob.core.windows.net/debhje/bhde.html

Files

URLs

Domains

IPs

IOC Report
https://swhvsghw.blob.core.windows.net/debhje/bhde.html