Analysis Report Payment conflict- aptiv 082920134110.htm

Overview

General Information

Sample Name:	Payment conflict- aptiv 082920134110.htm
Analysis ID:	321240
MD5:	3f7d70ccc4f96a097a583691dd149f7b
SHA1:	3c5695cc2d60c55cc28716b73a494d05bb8d1cc1
SHA256:	bb5a0ae3ec35fc0084ad4e530a8904d2918120d7c18ccad3259436c4ed3a8a0b
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Phishing site detected (based on favicon image match)

Yara detected HtmlPhish_10

Yara detected obfuscated html page

Obfuscated HTML file found

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e?data=ZW9pbi5tdWxkb3duZXlAYXB0aXYuY29t	SlashNext: Label: Fake Login Page type: Phishing & Social Engineering
Source: https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e?data=ZW9pbi5tdWxkb3duZXlAYXB0aXYuY29t	UrlScan: Label: phishing brand: microsoft			Perma Link

Multi AV Scanner detection for domain / URL

Source: jutebagbd.com

Virustotal: Detection: 9%

Perma Link

Phishing:

Phishing site detected (based on favicon image match)

Source: https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e?data=ZW9pbi5tdWxkb3duZXlAYXB0aXYuY29t

Matcher: Template: microsoft matched with high similarity

Yara detected HtmlPhish_10

Source: Yara match	File source: 820094.pages.csv, type: HTML
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\authorize_client_id_1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e[1].htm, type: DROPPED

Yara detected obfuscated html page

Source: Yara match

File source: Payment conflict- aptiv 082920134110.htm, type: SAMPLE

Networking:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: jutebagbd.com

Source: authorize_client_id_1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e[1].htm.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/opensans/v16/mem5YaGs126MiZpBA-UN_r8OUuhs.ttf)
Source: {F19D7E13-2B48-11EB-90EB-ECF4BBEA1588}.dat.1.dr	String found in binary or memory: https://jutebagbd.com//Desktop/Payment%20conflict-%20aptiv%20082920134110.htmi1uwpq/qey6392/authoriz
Source: qey6392[1].htm.2.dr	String found in binary or memory: https://jutebagbd.com/i1uwpq/qey6392/?eoin.muldowney
Source: ~DF377151FFA9B95D32.TMP.1.dr	String found in binary or memory: https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4du
Source: imagestore.dat.2.dr	String found in binary or memory: https://jutebagbd.com/i1uwpq/qey6392/images/favicon.ico~

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: classification engine

Classification label: mal84.phis.evad.winHTM@3/20@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F19D7E11-2B48-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF1E46B92F2D8AF763.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6864 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6864 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Obfuscated HTML file found

Source: Payment conflict- aptiv 082920134110.htm	Initial file: Did not found title: "HTML Meta Tag" in HTML/HTM content
Source: Payment conflict- aptiv 082920134110.htm	Initial file: Did not found title: "HTML Meta Tag" in HTML/HTM content

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.116.10	unknown	United States		22612	NAMECHEAP-NETUS	true

Contacted Domains

Name	IP	Active
jutebagbd.com	198.54.116.10	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://jutebagbd.com/i1uwpq/qey6392/authorize_client_id:1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e?data=ZW9pbi5tdWxkb3duZXlAYXB0aXYuY29t	true	100%, UrlScan, Browse SlashNext: Fake Login Page type: Phishing & Social Engineering	unknown

ID:	321240
Product:	CloudBasic
Start time:	16:55:42
Start date:	20.11.2020
Sample:	Payment conflict- aptiv 082920134110.htm
Cookbook:	defaultwindowshtmlcookbook.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	3f7d70ccc4f96a097a583691dd149f7b
SHA1:	3c5695cc2d60c55cc28716b73a494d05bb8d1cc1
SHA256:	bb5a0ae3ec35fc0084ad4e530a8904d2918120d7c18ccad3259436c4ed3a8a0b
Filetype:	HyperText Markup Language (31031/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F19D7E11-2B48-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	FF71E3E4C4C964BEBCDA7146A4D3A926	7F24D65D20299E4CFF514FCED65E8237F5A7EDD8	D555FCC8B55D23AF7538D54369C5788E88B232FF1961AB12A08CE2F952BBAF08
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F19D7E13-2B48-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	94048C8BA166F93F4A61FAA747B5296C	D3B73FADB471EF472A6A72BA2178333E2484A463	35F214354B35C4371A34443B1383EAD887EDD7770F2B38684D652831810AEE63
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F7BE4967-2B48-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	DFB1CF6F4C4DF4BFF9C7185EDEBF9E8A	1DB54C8F0A01F70E2B0227EBAA6A6CFC7751CB95	B3BA3000148A4B927E65B593D2E8376FED9D224CF2F9E060325F34708F4AB150
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat	data	16103D406B2BFBEA69E43D7D9F61295C	11A00FDCBB65A2E757E7F258884610078BA626DC	AE81A2A753E7A8C2829E00BE5DBBCDCFFDE188887365F3443ED04EA77A7F6A44
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\favicon[1].ico	MS Windows icon resource - 1 icon, 16x16, 32 bits/pixel	7CDD5A7E87E82D145E7F82358F9EBD04	265104CAD00300E4094F8CE6A9EDC86E54812EAD	5D91563B6ACD54468AE282083CF9EE3D2C9B2DAA45A8DE9CB661C2195B9F6CBF
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\qey6392[1].htm	HTML document, ASCII text	4AF542FB3CC2F6B86F5DCA7E60466027	47A9EFDC893FAEFD36D6A00D902A2D5452DF776E	25CD5DCF947D7E7083945F1220356591BABBAE7B3B30AB401117AE1A5A4585E9
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\sigin[1].png	PNG image data, 108 x 32, 8-bit/color RGBA, non-interlaced	681B83E88BA6AACCC72705FBF9F2257B	D69957C47026108511225160BE9BD15788D26E14	F32A760F15530284447282AF5C7D0825BABF8BC4739E073928F6128830819F7A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\style[1].css	ASCII text, with very long lines, with no line terminators	9F94F80A5DC09BB962778175292195BC	A7F2E32B422AC9654F39EA870E403599791FCE1C	1CF4B3AD7ABF3189E78C1B3BD07308C92A03FA795FDBC5821FCDE24030CFEAD0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\ellipsis_grey[1].svg	SVG Scalable Vector Graphics image	2B5D393DB04A5E6E1F739CB266E65B4C	6A435DF5CAC3D58CCAD655FE022CCF3DD4B9B721	16C3F6531D0FA5B4D16E82ABF066233B2A9F284C068C663699313C09F5E8D6E6
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\firstmsg1[1].png	PNG image data, 353 x 41, 8-bit/color RGBA, non-interlaced	B7EA3983E3C2D7E5F61B8D1B42758189	FE0817947CA4BC53152ED9378470675D9AF189FD	7B6CF23AC2454B039DDF4F51B7074636ED5B08B6A1D254A47430C4ACE2A3569D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\ellipsis_white[1].svg	SVG Scalable Vector Graphics image	5AC590EE72BFE06A7CECFD75B588AD73	DDA2CB89A241BC424746D8CF2A22A35535094611	6075736EA9C281D69C4A3D78FF97BB61B9416A5809919BABE5A0C5596F99AAEA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\forgpass[1].png	PNG image data, 121 x 20, 8-bit/color RGB, non-interlaced	B19CAC60E41C79BD974C1080088C6FEF	FFE553D8CA430DD309494E910A989271648A4DDD	E29DB32031DC537AEE9CB557B408395F3324F1E0F744349C0CDF943A3AF39296
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\arrow_left[1].svg	SVG Scalable Vector Graphics image	A9CC2824EF3517B6C4160DCF8FF7D410	8DB9AEBAD84CA6E4225BFDD2458FF3821CC4F064	34F9DB946E89F031A80DFCA7B16B2B686469C9886441261AE70A44DA1DFA2D58
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\authorize_client_id_1gylt35o-e7u6-gwvj-v4zg-4cutdk8lh6wq_atv4duzi6osgxypq0fb5rw3m819ckje27lhn17o6jhs8cike4mfx3gytv905dbrqzwunpla2nws6vafbkoy9x0jq8mu3lzdth1pcir52g74e[1].htm	data	D4D67D2BC8ACD2A7AEE16FB866FCC02C	59AEF1643C39F305E023CD5AE7DA91823A22794B	198179AD42FB8F45F2702EB64E95CB70A8D31ED246AB486A4208F532186DFEF3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\enterpass[1].png	PNG image data, 170 x 29, 8-bit/color RGB, non-interlaced	BD6E291A9A3CC17ED37605E4FF0010CC	6C1EFD74231E3D253E0F51E4656ECED2F3335D71	706DE242E7C3CFC4B16BA8174723F26FB80566C3171E9E795F057476011A5DE1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\inv-big-background[1].png	PNG image data, 1920 x 1080, 8-bit colormap, non-interlaced	62DDD263C8A6A4C9074E205B91182D04	1B56D11B012DD79DD99212EBB54ADCFB60920A9D	A59EA699D353D00FF2999111F9FA11FB73A47EDA7800642609CA230560EA3703
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\passwrd[1].png	PNG image data, 69 x 34, 8-bit/color RGBA, non-interlaced	4F2A1D382216546E2C3BC620497FD4E3	F785EC5967B5666387304F779306F9C3E3359FF4	105C03D3360CDB953585482374B2CC953D090741037502B0609629F5BB0135B7
C:\Users\user\AppData\Local\Temp\~DF1E46B92F2D8AF763.TMP	data	94484FB475CDD76AFA4603DE760F50C6	BDD84075C6CB95B8D8473008634444BB29BA3C6B	1A4915534573817D0C1CFFB714C78FF4FEC7FA8E21E984D0FF6CA1C046A47CA4
C:\Users\user\AppData\Local\Temp\~DF257223D4ED3DBE27.TMP	data	18E69DAC78EDC5E3D79C30EC21E07913	2B2DA9EB3C193E4F81680F036F02A39A7E7C16F7	E4C8801594FD3D8086F4B14DEEAB7A5158D35E0C0BE6AFBD7BC4F31B02758071
C:\Users\user\AppData\Local\Temp\~DF377151FFA9B95D32.TMP	data	7F7ABFCD0A53B51BE6310CE9D402E03E	66A3CC43C049072204C7579D5FFF65AAE7FC382F	EDDD5549C1993228D7DDCE4DCAB79E3BEE25CF5E6A12B85319AA69D549504C30

Analysis Report Payment conflict- aptiv 082920134110.htm

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Phishing:

Networking:

System Summary:

Data Obfuscation:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs