Close

What is happening here? DNShijack? Man in the browser? vendor issue?

Samantha H BorregoSamantha H Borrego wrote 08/04/2019 at 12:18 • 6 min read • Like

From: Samantha Borrego

Date: 3 August 2019 at 20:10:56 BST
Subject: hybrid analysis corrupted account and scans? 

Im having some serious issues with both using and the scan results 

So i copy and paste a report directly into email as i have been having issue using my account USER: dorkingbeauty1 
email: henriplayz56@gmail.com

Its almost as if the hybrid-analysis version has been back dated.

I cant access or download any other associated files for any scan

no visiuslisation or runtime

My event logs show until recently that im using  a private 10.x.x.c ip which i am NOT and when I pasted a copied text from scan results into email a whole  bunch of emoji's coincidentally placed in some if the areas like download file or submit to scan  which are things i can no longer do.

Using BT Home Hub no local server as indicated in event logs 

 no pc no mac no linux!

Other strange behaviours whilst using my hybrid account:

even when logged in to my account im being forced through capatcha for every single scan, often 4 or 5 completeions when correct.

Sometimes the VT box remains grey and mostly if you access the link it just directs me to a very basic virus total page and no scan has been done. 

If a url/file has been previously scanned by someone else then it displays in hybrid as the new date as in real time, when you access the link to vt it generates the previous scan with the date of the previous scan.  The icon is also always fuzzy and unclear at the bottom of the summary page which indicates the file type. 

if you hit the rescan it just regenerates the previous scan changing the date, as its done in seconds and could not possible have completed a multiple host scan in 10 seconds

metadefender option is a waste of time now to almost the same actions as vt

Here is the exact copied text from a scan yesterday to which i have emailed all the info here from my email and directly via hybrid the an example scan and tweeted the various vendor hybrid, crowdstrike vt and sent to kaspersky and secure list and have receive no responses other than one generic email from vt.

 Im becoming more concerned by the silence as it seems very strange 

http://mind-timeshare.... m!alicious
This report is generated Threat Score: 90/100 from a file or URL AV Detection: Marked as clean submitted to this webservice on Labeled as: Unrated site August 3rd 2019
! Overview  Downloads  External Reports
 Re-analyze & Hash Not Seen Before # Report Abuse
Incident Response  Risk Assessment
Network Behavior
Contacts 5 domains and 4 hosts.
$ View all details
% MITRE ATT&CKTM Techniques Detecti on
This report has 2 indicators that were mapped to 4 attack techniques and 4 tactics.
$ View all details
Indicators
 Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.
18:26:22 (CEST)
and action script Default browser analysis
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1 with custom datetime July 21st 2018 00:20
Falcon Sandbox v8.30 © Hybrid Analysis - " learn more
Malicious Indicators
Network Related
3
Malicious artifacts seen in the context of the input URL
Multiple malicious artifacts seen in the context of different hosts
Malicious artifacts seen in the context of a contacted host
Suspicious Indicators
Network Related
3
All indicators are available only in the private webservice or standalone version
Sends traffic on typical HTTP outbound port, but without HTTP header
Uses a User Agent typical for browsers, although no browser was ever launched
Hiding 1 Suspicious Indicators
Informative
Anti-Reverse Engineering
15
Creates guarded memory regions (anti- debugging trick to avoid memory dumping)
External Systems
Sample was identified as clean by Antivirus
All indicators are available only in the private
engines
webservice or standalone version
General
Contacts domains
Contacts server
Creates mutants
Drops files marked as clean
Opened the service control manager
Process launched with changed environment
Spawns new processes
Spawns new processes that are not known child processes
Installation/Persistance
Creates new processes
Dropped files
Network Related
Found potential URL in binary/memory
Unusual Characteristics
Drops cabinet archive files
Installs hooks/patches the running process
Session Details
No relevant data available.
Screenshots
Hybrid Analysis
Tip: Click an analysed process below to view more details.
Analysed 4 processes in total.
rundll32.exe "%WINDIR%\System32\iefra me.dll",OpenURL C:\4d56da86889e53ad8e9 2460bc0dcbd6f262e9f71b8f60c7705bfe5ab feb8b534.url (PID: 1620)
iexplore.exe http://mindtimeshare.m e/ (PID: 3728)
iexplore.exe SCODEF:3728 CR EDAT:275457 /prefetch:2 (PID: 404 0) & Hash Seen Before
iexplore.exe SCODEF:3728 CR EDAT:1717254 /prefetch:2 (PID: 1184 ) & Hash Seen Before
Network Analysis
DNS Requests
 Download DNS Requests (CSV)
Domain
crl.identrust.c om
 OSINT isrg.trustid.oc
sp.identrust.c om
 OSINT mindtimesha
re.me
ocsp.int-x3.le tsencrypt.org
 OSINT
Address Registrar
192.35.177.64 - TTL: 2926
23.63.252.187 - TTL: 1
Country
United States
United States
United States
United States
Details
United
United States
States
United States
United States
United States
Contacted Hosts
 Download Contacted Hosts (CSV)
IP Address
Port/Protocol
172.217.4.195
GMT
ocsp.pki.goog 192.0.78.24
80
Process
- iexplore.exe
PID: 4040
OSINT  OSINT
TTL: 180 TCP
192.0.78.24
 OSINT
443
TCP
iexplore.exe PID: 4040
iexplore.exe PID: 4040
iexplore.exe PID: 1184
192.35.177.64 80
 OSINT
172.217.4.195
 OSINT
TCP
80
TCP
Contacted Countries
Endpoint
192.0.78.24:80 HTTP Traffic
(mindtimeshare.me)
192.35.177.64:80 (crl.identrust.com)
172.217.4.195:80 (ocsp.pki.goog)
172.217.4.195:80 (ocsp.pki.goog)
Request URL
GET /
192.0.78.24 TTL: 299
23.63.75.168 TTL: 6564
-
eNom, Inc.
Organization:
Internet Security
Research Group
Name Server:
A9-
67.AKAM.NET
Creation Date:
Mon, 07 Jul
2014 19:54:04
Associated
! Link ' Twitter ( E-Mail
GET /DSTROOTCAX3CRL. crl
GET /gsr2/ME4wTDBKME gwRjAJBgUrDgMCGg UABBTgXIsxbvr2lBkP
poIEVRE6gHlCnAQU m%2BIHV2ccHsBqBt 5ZtJot39wZhi4CDQH jqTAc%2FHIGOD%2 BaUx0%3D
GET /gsr2/ME4wTDBKME gwRjAJBgUrDgMCGg UABBTgXIsxbvr2lBkP
poIEVRE6gHlCnAQU m%2BIHV2ccHsBqBt 5ZtJot39wZhi4CDQH jqTAc%2FHIGOD%2 BaUx0%3D
172.217.4.195:80 GET /GTSGIAG3/MFEwTz Extracted Strings
BNMEswSTAJBgUrDg MCGgUABBT27bBjYj
$ Search KBmjX2jXWgnQJKEa
psrQQUd8K4UJpndn
All Details: On Of axLcKG0IOgfqZ%2B
 Download All Memory Strings (2.4KiB) uksCEB%2BYmJ7otX
(ocsp.pki.goog)
All Strings (146)
oZeIlLKB066U8%3D
Interesting (26)
GET /GTSGIAG3/MFEwTz BNMEswSTAJBgUrDg
172.217.4.195:80 (ocsp.pki.goog)
rundll32.exe (1)
screen_0.png (4)
crl.identrust.com
Extracted Files HashFileVersionHighPart
Unicode based on Runtime Data (iexplore.exe )
 Displaying 40 extracted file(s). The HashFileVersionLowPart
Ansi based on PCAP Processing (PCAP)
version and XML/JSON reports.
http://mindtimeshare.me
Ansi based on Submission Context (Input)
http://mindtimeshare.me/
ACnsilbeaasendonSubmissionContext(Input) http_.._'.._'mindtimechare.me._'
1
Ansi based on Image Processing (screen_2.png)
 urlblockindex_1_.bin information
 Download File (38B)  Submit for analysis Ansi based on Image Processing (screen_2.png)
 VirusTotal Report  Metadefender Report isrg.trustid.ocsp.identrust.com
& Hash Seen Before
Ansi based on PCAP Processing (PCAP)
LSasizteProcessed
Unicode based on Runtime Data (iexplore.exe )
16B (16 bytes)
Type
mindtimeshare.me
Ansi based on PCAP Processing (PCAP)
data
AV Scan Result
MCGgUABBT27bBjYj PCAP (14)KBmjX2jXWgnQJKEa
screen_4.png (8)
screen_2.png (49)
iexplore.exe:1184 (1)
Input (2) iexplore.exe (2)
"%WINDIR%\System32\ieframe.dll",OpenURL C:\4d56d
a86889e53ad8e92460bc0dcbd6f262e9f71b8f60c7705
bfe5abfeb8b534.url
Ansi based on Process Commandline (rundll32.exe)
CompatibilityFlags
Unicode based on Runtime Data (iexplore.exe )
crl.identrust.com
Ansi based on PCAP Processing (PCAP)
FullScreen
Unicode based on Runtime Data (iexplore.exe )
GET / HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Wind ows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept -Encoding: gzip, deflateHost: mindtimeshare.meDNT: 1Co nnection: Keep-Alive
Ansi based on PCAP Processing (PCAP)
GET /DSTROOTCAX3CRL.crl HTTP/1.1Connection: Keep-
AliveAccept: */*User-Agent: Microsoft-CryptoAPI/6.1Host:
remaining 24 file(s) are available in the full Unicode based on Runtime Data (iexplore.exe )
psrQQUd8K4UJpndn axLcKG0IOgfqZ%2B
iexplore.exe:3728 (63)
uksCEB%2BYmJ7otX oZeIlLKB066U8%3D
iexplore.exe:4040 (2)
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.
0/65
0) like Gecko
AMnsiDba5sedonPCAPProcessing(PCAP) fa518e3dfae8ca3a0e495460fd60c791
NTPOnlinePortalVer
USniHcoAde1based on Runtime Data (iexplore.exe ) e4f30e49120657d37267c0162fd4a08934800c69
ocsp.int-x3.letsencrypt.org
Ansi based on PCAP Processing (PCAP)
SHA256
rc.f.EN.. 775853600060162c4b4e5f883f9fd5a278e61c471b
Ansi based on Image Processing (screen_2.png)
3ee1826396b6d129499aa7 recommend
Ansi based on Image Processing (screen_2.png)
SCODEF:3728 CREDAT:1717254 /prefetch:2 AInnsi bfaoserdmonaPtroicveess CSomemleancdtlinioe (niexplore.exe)
SCODEF:3728 CREDAT:275457 /prefetch:2
1
& Hash Seen Before {00000000-0000-0000-0000-00000000000
Ansi based on Process Commandline (iexplore.exe)
 httpErrorPagesScripts_1_ Version
 Download File (2KiB)  Submit for analysis Unicode based on Runtime Data (iexplore.exe )
0} Size
Unicode based on Runtime Data (iexplore.exe )
8.5KiB (8714 bytes)
Type
{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Unicode based on Runtime Data (iexplore.exe )
text
Description
{3EE2F207-8C6B-11E8-973E-3C0027581F02}
UTF-8 Unicode (with BOM) text, with CRLF line term inators
MD5
3f57b781cb3ef114dd0b665151571b7b
SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256
46e019fa34465f4ed096a9665d1827b54553931ad8 2e98be01edb1ddbc94d3ad
Unicode based on Runtime Data (iexplore.exe )
Informative
 5F6O1BJT.txt
 Download File (149B)
& Hash Not Seen Before
Size
161B (161 bytes)
Type
text
Description
ASCII text
Runtime Process
iexplore.exe (PID: 1184)
MD5
38
f78be999b3c6282eede02adfe8782de0b5bc4df60 253df27690901b17da8a968
84ef1bcf2a6afc023f48b93c9b2515d7
SHA1
 Submit for analysis
a502d9534f3dad1b6df25643fbfe3cadd2acaa33
SHA256
 DKRWYF84.txt
 Download Unavailable
& Hash Not Seen Before
Size
399B (399 bytes)
Runtime Process
iexplore.exe (PID: 1184)
MD5
 Submit for analysis
09b2dc29e4ec84d55ca7ef01783210fc
SHA1
815b4cb6c9bbfe7e0a1dfa5fb52d010adb4388bf
SHA256
4f995529cf524765e998aadb4745370a83212cd81c7 f147c55b74c167b3119cf
 0G8GR0LC.htm
 Download Unavailable
& Hash Seen Before
Size
162B (162 bytes)
Type
html
Description
 Submit for analysis
HTML document, ASCII text, with CRLF line terminat ors
Runtime Process
iexplore.exe (PID: 4040)
MD5
4f8e702cc244ec5d4de32740c0ecbd97
SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab726 13cf8a39a00c3e11a8492a
 242D23DDBD947BF510369DC41BEA052E
 Download Unavailable & Hash Not Seen Before
Size
268B (268 bytes)
Runtime Process
iexplore.exe (PID: 3728)
MD5
 Submit for analysis
db3cdce4886b864b116cef5efa294510
SHA1
5d6703a98f9c7b306f19259b670e1e34ccc99bc7
SHA256
58f4a399080a9a86d2718b36be088bb621f14e358 03e8b46a763fd8d15a213b5
 2856786A80F7407460319F6665E92A12
 Download Unavailable & Hash Seen Before
Size
57KiB (58032 bytes)
Type
data
Runtime Process
iexplore.exe (PID: 4040)
MD5
 Submit for analysis
1d35a552eed9c30545d431d6ff30d639
SHA1
4516828cf4c23c4bc2cbbe2183f8509109866a58
SHA256
71a5e793265a1c09400eb930ea0a3039f755c6a80 464fb82000278f964e8e69a
 57C8EDB95DF3F0AD4EE2DC2B8CFD4157
 Download Unavailable & Hash Not Seen Before
Size
342B (342 bytes)
Runtime Process
iexplore.exe (PID: 4040)
MD5
 Submit for analysis
dc08f9b6525e2af9becf0fc85574003b
SHA1
cee6058d1f9ab47fbd23795846da55261966fbc2
SHA256
12c5294affff34b96cd5cf2c507a8dad1ee8a2bb9ec14 25e82d91d8050d6bd1d
 644B8874112055B5E195ECB0E8F243A4
 Download Unavailable & Hash Not Seen Before
Size
244B (244 bytes)
Type
data
Runtime Process
iexplore.exe (PID: 4040)
MD5
 Submit for analysis
0b5a98bc355a437acba7fc1df991e2f2
SHA1
c0127862e7c2768f1cd2b2021c56e641fceac7d1
SHA256
101f05d35aa7157e9e875c9fd53605dcbee3e62e07 0795066d81d51c99da17e3
 6BADA8974A10C4BD62CC921D13E43B18_D981 7BD5013875AD517DA73475345203
 Download Unavailable & Hash Seen Before
Size
1.5KiB (1507 bytes)
Runtime Process
iexplore.exe (PID: 4040)
MD5
 Submit for analysis
a0355dd7a1fee19bf1a1e1b7b626f964
SHA1
0842786d7ba8284adc027831c844a32bda6d47a0
SHA256
310a10c1e4880bb58e62d92a036403dc3ac209e1ff 4f934548e721c9ac79d99a
 82CB34DD3343FE727DF8890D352E0D8F
 Download Unavailable & Hash Not Seen Before
Size
224B (224 bytes)
Runtime Process
iexplore.exe (PID: 4040)
MD5
 Submit for analysis
585ade7a9850868cee5d1703eda7e8c5
SHA1
67f0c9201aeae83ccd784017c70309f9f9782f64
SHA256
d732524aa36379e43ec715962676fa8b9c493fca13d 24bc1d6739bfd1f31e62b
 9B1AFF2228BE28187B86174B49CEA165
 Download Unavailable & Hash Not Seen Before
Size
574B (574 bytes)
Type
data
Runtime Process
iexplore.exe (PID: 4040)
MD5
 Submit for analysis
1ddb2802a9190474c57f240e8a36347d
SHA1
e159929160677979be752ba102b3e31e274ae910
SHA256
75dfa76bcc34877332f39728fb5ea99d16eeb7c774bc 70e808a5cef2b02edf64
 CFE86DBBE02D859DC92F1E17E0574EE8_FDB 452422670E72EDD3FB3D65568F821
 Download Unavailable & Hash Seen Before
Size
468B (468 bytes)
Runtime Process
iexplore.exe (PID: 1184)
MD5
 Submit for analysis
5be872b3fe0bb6f31385f91f811e9586
SHA1
1192231bcb9ee73e9f619d433cdb66dddd9ae7f7
SHA256
db0ad6191770bff9043482b68acf62a4e25d4390a 03274cfbe413675dd8c9cf5
 E49827401028F7A0F97B5576C77A26CB_7CE9 5D8DCA26FE957E7BD7D76F353B08
 Download Unavailable & Hash Seen Before
Size
1.4KiB (1398 bytes)
Runtime Process
iexplore.exe (PID: 4040)
MD5
 Submit for analysis
ac344442947b98a7a463faee72ea7867
SHA1
8bdfe3832f381b3cc32c94c4fdc679c003a078c9
SHA256
ce00b5e4f134de299211406f593d6d61438d1e6f01e c55a201cc205d6a7e101f
 0177A2B8C3D6561744552D69E6BD54B0_4BCF 1A3569F4A008C96D5FC9C62E8FB9
 Download Unavailable & Hash Not Seen Before
Size
498B (498 bytes)
Runtime Process
iexplore.exe (PID: 3728)
MD5
 Submit for analysis
eb4b5b6802295d416b7bf74c57092398
SHA1
4b40a5901b6dc0ba6f14ee604f27c32bd87f6233
SHA256
fd237225d1d2465e1400d8faa0d2cd9403f52bb1f11c 24793a52fdbc7b993ace
 50D6B15D9F2DCE1EDBB0C098625FBE47_281 AC807DE0FEF15F2CA9911FE760A9B
 Download Unavailable & Hash Not Seen Before
Size
486B (486 bytes)
Runtime Process
iexplore.exe (PID: 3728)
MD5
 Submit for analysis
954d856502b60537a20d0575c8017a95
SHA1
1b93c609ed8bdceceaae0dc63e4670bb48c07cf4
SHA256
fb29133300efe979f7fe35304e6865f637d2893ce0 3250ded03b954da69c84cb
 8FE2C641C99CFA6687FA8D31B7D528A1
 Download Unavailable & Hash Not Seen Before
Size
268B (268 bytes)
Type
data
Runtime Process
iexplore.exe (PID: 3728)
MD5
 Submit for analysis
cdf75bfba93f47735c97400db89028c2
SHA1
b936f4ac919fcbaa614825705219be2e246407f1
SHA256
af59931462beb7ce075b86fb3ecb1d8ba14116be71911 22cdb001135aa83b33b
 96385D66FC0D184E05CF52F82EF524C0_287 698F2D749EE3051A44D93967F4231
 Download Unavailable & Hash Not Seen Before
Size
1.8KiB (1831 bytes)
Runtime Process
iexplore.exe (PID: 3728)
MD5
 Submit for analysis
55ada4ba9c16f17a03a75207ce3a7eb1
SHA1
e5d07dec4f83c898e18f44eeccb430e4831f8cb6
SHA256
87ff410a9e2786cdf10a642c765c37ca035aab8009

Like

Discussions