Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Voicemail Joesecurity.html

Overview

General Information

Sample name:Voicemail Joesecurity.html
Analysis ID:3814623
MD5:9d016ab8220e27fd0205f76729a61d50
SHA1:d62ea8a112c397e978c8b0291a8b749a9c73ce24
SHA256:0ee17d4c18a356e2f3c4ff86d98d1e4ecba4c7bbdb4223473b8d7749c13ebf4c
Infos:

Detection

HTMLPhisher
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
HTML document with suspicious name
HTML document with suspicious title
HTML file submission containing password form
HTML sample is only containing javascript code
Phishing site detected (based on image similarity)
HTML body contains low number of good links
HTML body contains password input but no form action
HTML title does not match URL
IP address seen in connection with other malware
Invalid 'forgot password' link found
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Classification

  • System is w10x64_21h1_office
  • chrome.exe (PID: 3424 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Voicemail Joesecurity.html" MD5: A98D71EB1BEC5D38549B2155A3E54008)
    • chrome.exe (PID: 168 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,479082519016449695,11651376723694011380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:8 MD5: A98D71EB1BEC5D38549B2155A3E54008)
  • cleanup
No configs have been found
SourceRuleDescriptionAuthorStrings
0.2.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security
    0.0.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security
      No Sigma rule has matched
      No Snort rule has matched

      Click to jump to signature section

      Show All Signature Results

      Phishing

      barindex
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlMatcher: Template: microsoft matched with high similarity
      Source: Yara matchFile source: 0.2.pages.csv, type: HTML
      Source: Yara matchFile source: 0.0.pages.csv, type: HTML
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlTab title: Sign in to your account
      Source: Voicemail Joesecurity.htmlHTTP Parser: <script>var email ="jim.halpert@joesecurity.org";</script><html> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Sign in to your account</title> <meta http-equiv="X-UA-Compatible" content="IE=edge">...
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlMatcher: Found strong image similarity, brand: JBXCLOUD
      Source: Voicemail Joesecurity.htmlHTTP Parser: Number of links: 0
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: Number of links: 0
      Source: Voicemail Joesecurity.htmlHTTP Parser: <input type="password" .../> found but no <form action="...
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: <input type="password" .../> found but no <form action="...
      Source: Voicemail Joesecurity.htmlHTTP Parser: Title: Sign in to your account does not match URL
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: Title: Sign in to your account does not match URL
      Source: Voicemail Joesecurity.htmlHTTP Parser: Invalid link: Forgotten my password
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: Invalid link: Forgotten my password
      Source: Voicemail Joesecurity.htmlHTTP Parser: Invalid link: Terms of use
      Source: Voicemail Joesecurity.htmlHTTP Parser: Invalid link: Privacy & cookies
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: Invalid link: Terms of use
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: Invalid link: Privacy & cookies
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: Invalid link: Terms of use
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: Invalid link: Privacy & cookies
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: Has password / email / username input fields
      Source: Voicemail Joesecurity.htmlHTTP Parser: <input type="password" .../> found
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: <input type="password" .../> found
      Source: Voicemail Joesecurity.htmlHTTP Parser: No <meta name="author".. found
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: No <meta name="author".. found
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: No <meta name="author".. found
      Source: Voicemail Joesecurity.htmlHTTP Parser: No <meta name="copyright".. found
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: No <meta name="copyright".. found
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: No <meta name="copyright".. found
      Source: unknownHTTPS traffic detected: 23.212.194.8:443 -> 192.168.2.3:49722 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 23.212.194.8:443 -> 192.168.2.3:49723 version: TLS 1.2
      Source: Joe Sandbox ViewIP Address: 13.224.103.60 13.224.103.60
      Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
      Source: Joe Sandbox ViewIP Address: 239.255.255.250 239.255.255.250
      Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
      Source: unknownTCP traffic detected without corresponding DNS query: 40.113.103.199
      Source: unknownTCP traffic detected without corresponding DNS query: 20.190.177.23
      Source: unknownTCP traffic detected without corresponding DNS query: 20.54.232.160
      Source: unknownTCP traffic detected without corresponding DNS query: 20.54.232.160
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 20.114.59.183
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.200
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 23.212.194.8
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
      Source: unknownTCP traffic detected without corresponding DNS query: 51.104.162.168
      Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
      Source: unknownTCP traffic detected without corresponding DNS query: 51.104.162.168
      Source: unknownTCP traffic detected without corresponding DNS query: 51.104.162.168
      Source: global trafficHTTP traffic detected: GET /json/?fields=status,country,regionName,city,query HTTP/1.1Host: ip-api.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Accept: */*Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
      Source: global trafficHTTP traffic detected: GET /json/?fields=status,country,regionName,city,query HTTP/1.1Host: ip-api.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Accept: */*Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
      Source: global trafficHTTP traffic detected: GET /json/?fields=status,country,regionName,city,query HTTP/1.1Host: ip-api.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
      Source: global trafficDNS traffic detected: DNS query: aadcdn.msftauth.net
      Source: global trafficDNS traffic detected: DNS query: clou93794b4749hoxet.pages.dev
      Source: global trafficDNS traffic detected: DNS query: logo.clearbit.com
      Source: global trafficDNS traffic detected: DNS query: ip-api.com
      Source: Voicemail Joesecurity.htmlString found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/cdnbundles/converged.v2.login.min_ziytf8dzt9eg1s6-ohhle
      Source: Voicemail Joesecurity.htmlString found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/backgrounds/2_bc3d32a696895f78c19df6c717586a5d
      Source: Voicemail Joesecurity.htmlString found in binary or memory: https://aadcdn.msftauth.net/shared/1.0/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico
      Source: Voicemail Joesecurity.htmlString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js
      Source: Voicemail Joesecurity.htmlString found in binary or memory: https://clou93794b4749hoxet.pages.dev/404.js
      Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
      Source: unknownNetwork traffic detected: HTTP traffic on port 49710 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49686
      Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49685
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49684
      Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49686 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49684 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
      Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49710
      Source: unknownNetwork traffic detected: HTTP traffic on port 49675 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49675
      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49685 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
      Source: unknownHTTPS traffic detected: 23.212.194.8:443 -> 192.168.2.3:49722 version: TLS 1.2
      Source: unknownHTTPS traffic detected: 23.212.194.8:443 -> 192.168.2.3:49723 version: TLS 1.2

      System Summary

      barindex
      Source: Name includes: Voicemail Joesecurity.htmlInitial sample: voicemail
      Source: classification engineClassification label: mal76.phis.winHTML@20/0@4/6
      Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "C:\Users\user\Desktop\Voicemail Joesecurity.html"
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,479082519016449695,11651376723694011380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:8
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1652,479082519016449695,11651376723694011380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:8Jump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
      Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior

      Stealing of Sensitive Information

      barindex
      Source: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.htmlHTTP Parser: file:///C:/Users/user/Desktop/Voicemail%20Joesecurity.html
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management InstrumentationPath Interception1
      Process Injection
      1
      Process Injection
      OS Credential DumpingSystem Service DiscoveryRemote ServicesData from Local System2
      Encrypted Channel
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable Media2
      Non-Application Layer Protocol
      Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive3
      Application Layer Protocol
      Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin HookBinary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
      Ingress Tool Transfer
      Traffic DuplicationData Destruction
      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet