Analysis Report AccountStatements.html

Overview

General Information

Sample Name:	AccountStatements.html
Analysis ID:	321119
MD5:	c7f8f17bcf5d2656dd7f818969736342
SHA1:	4e2bf200592a5803b81eca7416ca514aae86188b
SHA256:	9df63134e160a49558a811b07b551c828dd733be30d970fee5f4656a8e7006ff
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected HtmlPhish_10

HTML body contains low number of good links

HTML title does not match URL

JA3 SSL client fingerprint seen in connection with other malware

None HTTPS page querying sensitive user data (password, username or email)

Suspicious form URL found

Classification

Signatures

Phishing:

Yara detected HtmlPhish_10

Source: Yara match

File source: AccountStatements.html, type: SAMPLE

HTML body contains low number of good links

Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: Number of links: 1
Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: Number of links: 1

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: Title: Accounting - Invoicing System does not match URL
Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: Title: Accounting - Invoicing System does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: Has password / email / username input fields

Suspicious form URL found

Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: Form action: https://coco-fleur.net/hell/oracle.php
Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: Form action: https://coco-fleur.net/hell/oracle.php

Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/AccountStatements.html	HTTP Parser: No <meta name="copyright".. found

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Source: msapplication.xml0.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xfa035836,0x01d6bf72</date><accdate>0xfa035836,0x01d6bf72</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xfa035836,0x01d6bf72</date><accdate>0xfa035836,0x01d6bf72</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xfa081cf7,0x01d6bf72</date><accdate>0xfa081cf7,0x01d6bf72</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xfa081cf7,0x01d6bf72</date><accdate>0xfa081cf7,0x01d6bf72</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xfa0a7f3b,0x01d6bf72</date><accdate>0xfa0a7f3b,0x01d6bf72</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xfa0a7f3b,0x01d6bf72</date><accdate>0xfa0a7f3b,0x01d6bf72</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: atcocorp.okta.com

Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: http://github.com/kriskowal/q/raw/master/LICENSE
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: http://jquery.com/
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: http://jquery.org/license
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: http://sizzlejs.com/
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: http://typingdna.com
Source: msapplication.xml.2.dr	String found in binary or memory: http://www.amazon.com/
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.
Source: msapplication.xml1.2.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.2.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.2.dr	String found in binary or memory: http://www.nytimes.com/
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: http://www.opensource.org/licenses/mit-license.html
Source: msapplication.xml4.2.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.2.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.2.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.2.dr	String found in binary or memory: http://www.youtube.com/
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: https://api.typingdna.com/scripts/typingdna.js
Source: AccountStatements.html	String found in binary or memory: https://atcocorp.okta.com/assets/js/mvc/loginpage/initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad
Source: AccountStatements.html	String found in binary or memory: https://atcocorp.okta.com/assets/loginpage/css/okta-login-page.min.0f4b9922bfa70975cc884fea7cbd71fa.
Source: AccountStatements.html	String found in binary or memory: https://coco-fleur.net/hell/oracle.php
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: https://github.com/gabceb
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: https://github.com/gabceb/jquery-browser-plugin
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: AccountStatements.html	String found in binary or memory: https://s.cafebazaar.ir/1/icons/com.adobe.reader_512x512.png
Source: AccountStatements.html	String found in binary or memory: https://support.okta.com/help/articles/Knowledge_Article/24532952-Platforms---Browser-and-OS-Support
Source: initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js.3.dr	String found in binary or memory: https://typingdna.com/scripts/typingdna.js

Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: classification engine

Classification label: mal48.phis.winHTML@3/20@2/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4287DA41F4BBBE37.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5276 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5276 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.166.104.3	unknown	Iran (ISLAMIC Republic Of)		202319	CAFEBAZAARIR	false
18.209.113.162	unknown	United States		14618	AMAZON-AESUS	false

Contacted Domains

Name	IP	Active
ok4-crtr-tls12-nlb-29367a8e4bb80716.elb.us-east-1.amazonaws.com	18.209.113.162	true
b5d75f750c811003839a64fb243bafc0.cdn.cafebazaar.cloud	185.166.104.3	true
s.cafebazaar.ir	unknown	unknown
atcocorp.okta.com	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/AccountStatements.html	true		low

ID:	321119
Product:	CloudBasic
Start time:	11:24:35
Start date:	20.11.2020
Sample:	AccountStatements.html
Cookbook:	defaultwindowshtmlcookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	c7f8f17bcf5d2656dd7f818969736342
SHA1:	4e2bf200592a5803b81eca7416ca514aae86188b
SHA256:	9df63134e160a49558a811b07b551c828dd733be30d970fee5f4656a8e7006ff
Filetype:	HyperText Markup Language (12001/1) 18.75%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{240BA7A7-2B66-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	A42D1E5E4A60A9C5A03B4EFCDF3B4E34	8FE049280A3DFEAD45FE80A7B9590EE742442B41	D31DE5CA76DC4976281A841BD424D7554AAEFB9DEBCBB23BAE9D09229AE94E86
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{240BA7A9-2B66-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	9DC4BCB7081235C9F392632AF3328D8A	1E4F3BCEC8B61CA9B96CD3B2B353C74B834C7887	515F8BEE87E447D33ECC47190817EBD92F31E71F41F14BCCE8315F63C1333FDB
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{240BA7AA-2B66-11EB-90E4-ECF4BB862DED}.dat	Microsoft Word Document	0B9204BA6C10D023DE82A0116857495F	94D560B69AA4D5947F9575F7808400AE62A9E454	F1C89F71B4893ED26FBBD6CED7ED8BE927F2F1F337E410F4F50AF6045EC166B5
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	509B5AFDEC4575A80FB651C480FD1960	E3F12DE55EFA0997C479032F6A1B68590BBE6AE8	F4A734ACA3A92414AB7BDD983FE14985C2928214057CFEB02C1340BA409764FE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	165A6763696C451283AAFA2AD57CF562	3DAE3ECAF255F0268F2209353988085F6F921147	88CC97B0A8BBA3DE16E596B715AA7B57D34E3B6294A89A6B5BE1F68FB967D2BA
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	F95EFECFB6972F371E18ABD1B9FD5330	D84EE22535D82164EDBF4AB82F9DCDB42C523167	57376A3E17C604C67B0A45434FC9222A2B8CF4101F5D7D92A26146DD421AA0C7
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	DD9A7368BD744B094D7251327C60B0AE	E3499593A9D39CF532B4B03CB83AB4A8DEDE9096	299CFA27E964E6F620D4591CDDE7792A658B08C4E447A2DC164C2A6F60D79636
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	EB5DBC3C8954DD8971EF81A7E6FA37AE	77EDCDEDE5B3093C1D560876AE86099C43A56527	FD73939D0D5E847411EB14FBF603C3A07A07AF1F55946A7C2E18FDD115412BC7
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	2CE25666A3F18C66E85A7470CC9FB711	451C57D3B0440F2138ADA7E12105F477E87EDC90	2D50BADE6C790D8190155490C94E1ACDFC5E27A7FABE1E89505C2B8C87984C48
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	F7487ECD5E4BFB0D64D9268FC329C5FC	2AD73573C44DD198047FA2CC3E9CC0BF1BF39FA3	53D55DC18104DD6489616B797E1CE011E629977C4DB90BF0ABE4E2292E8387FD
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	431547C0ED45DA7E6D24E78EE7AB4317	AB4F991CF8FF7C13788A66F344BB5157DF71687F	3F08F470A0153E8C2CA090F5533E5D523B8BB075659E00481E5E132B49D004ED
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	51B6D7B1861FA1FB9A2D172373665239	2190E2A3D214E52699BE6D30D8E3417BBE35EF55	2249CF281AF3BF23CD6BADD854D33740B0C2D08CB022E0331626FCC8CF3D2D92
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\initLoginPage.pack.34c59a55bb3a42c88a91a86c33d95ad4[1].js	UTF-8 Unicode text, with very long lines, with LF, NEL line terminators	34C59A55BB3A42C88A91A86C33D95AD4	4088F167420BAC4998CCB587D457E5C7FF2449A2	B726C44EA8FADDDDE110ED14D066683B04AC08A783BC5222A61FD19C7E17F731
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\okta-login-page.min.0f4b9922bfa70975cc884fea7cbd71fa[1].css	ASCII text, with very long lines	0F4B9922BFA70975CC884FEA7CBD71FA	7CBA770F43B261873D62ADCC13BDB54593D4962D	911311420D6C570FBF9F376D1104B6F9153F20413348D78262BDA9D18E80E7F6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\okticon.fe8b3f5e8c2e13114d5bfb04e4731fb9[1].eot	Embedded OpenType (EOT), okticon family	FE8B3F5E8C2E13114D5BFB04E4731FB9	1EF1599F613C58C4C76256895CB7F7254DFC8277	DC03EE881DDF90986F148256F31CB2768EDE9AAFC884F9FC9CDAA72020439407
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\checkbox-sign-in-widget.7846b2f8c6d0a7ca69fdd3d3c294e92d[1].png	PNG image data, 50 x 1155, 8-bit/color RGBA, non-interlaced	7846B2F8C6D0A7CA69FDD3D3C294E92D	E0BB021FFDF93C68FEF44DE2A3B08F378B6FB50A	40810B0318131F9BA52C83A17E633A0AC476ADE66EA8A914D6C4980571397665
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\com.adobe.reader_512x512[1].png	PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced	E9FCE767A2C9639961C81D53B8E750E6	B0FEFF6AA36A8D744049AEEAC1CF81D4530F2AFF	4894969469E1726DD161DC3C53D4064BC38696C31F77D8D5D961FA425F166A50
C:\Users\user\AppData\Local\Temp\~DF21C372744A71BF0C.TMP	data	C92B77A77F8C2CA4D99A69C138A0EFDF	9050CAB87A091009702BB38809A3B539B7AE698E	894684A11C0344E8FEF79ADEA9742B5FC24E69BC73BE90D29F21D8E9BF9EF13F
C:\Users\user\AppData\Local\Temp\~DF4287DA41F4BBBE37.TMP	data	C6258003DE1F0CDA75B07DCA21FC15E5	D9EF5245FB9DEACE7346297B814FFBA996648D8A	2348A1B3DAADC23232AA545E4C17299B532D056AF16AFCD02C4C5208DCFAB4F3
C:\Users\user\AppData\Local\Temp\~DFD3AF8564A5B2005B.TMP	data	7CA5128708F5C068CF5A5DFDF0AADF59	00A75257A4EBAC9F54E2C1662CD79C288F5D56AB	6CC9737E92127F9879581D10F115AF85102D3C7831A621C441999CB9299DF1EA

Analysis Report AccountStatements.html

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs