Analysis Report http://www.covid19-siparadigm.com

Overview

General Information

Sample URL: http://www.covid19-siparadigm.com
Analysis ID: 367641
Infos:

Most interesting Screenshot:

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

HTML title does not match URL

Classification

Phishing:

HTML title does not match URL
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: Title: Log in! does not match URL
Source: https://www.covid19-siparadigm.com/en/forgot_password HTTP Parser: Title: Forgot password! does not match URL
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: Title: Log in! does not match URL
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: Title: Log in! does not match URL
Source: https://www.covid19-siparadigm.com/en/forgot_password HTTP Parser: Title: Forgot password! does not match URL
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: Title: Log in! does not match URL
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: No <meta name="author".. found
Source: https://www.covid19-siparadigm.com/en/forgot_password HTTP Parser: No <meta name="author".. found
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: No <meta name="author".. found
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: No <meta name="author".. found
Source: https://www.covid19-siparadigm.com/en/forgot_password HTTP Parser: No <meta name="author".. found
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: No <meta name="author".. found
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: No <meta name="copyright".. found
Source: https://www.covid19-siparadigm.com/en/forgot_password HTTP Parser: No <meta name="copyright".. found
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: No <meta name="copyright".. found
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: No <meta name="copyright".. found
Source: https://www.covid19-siparadigm.com/en/forgot_password HTTP Parser: No <meta name="copyright".. found
Source: https://www.covid19-siparadigm.com/en/login HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 35.155.101.78:443 -> 192.168.2.3:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.60.216.19:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.60.216.19:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.covid19-siparadigm.comConnection: Keep-Alive
Source: login[1].htm.3.dr String found in binary or memory: src="https://www.facebook.com/tr?id=3692194074184385&ev=PageView equals www.facebook.com (Facebook)
Source: fbevents[1].js0.3.dr String found in binary or memory: (function(a,b,c,d){var e={exports:{}};e.exports;(function(){var f=a.fbq;f.execStart=a.performance&&a.performance.now&&a.performance.now();if(!function(){var b=a.postMessage||function(){};if(!f){b({action:"FB_LOG",logType:"Facebook Pixel Error",logMessage:"Pixel code is not installed correctly on this page"},"*");"error"in console&&console.error("Facebook Pixel Error: Pixel code is not installed correctly on this page");return!1}return!0}())return;f.__fbeventsModules||(f.__fbeventsModules={},f.__fbeventsResolvedModules={},f.getFbeventsModules=function(a){f.__fbeventsResolvedModules[a]||(f.__fbeventsResolvedModules[a]=f.__fbeventsModules[a]());return f.__fbeventsResolvedModules[a]},f.fbIsModuleLoaded=function(a){return!!f.__fbeventsModules[a]},f.ensureModuleRegistered=function(b,a){f.fbIsModuleLoaded(b)||(f.__fbeventsModules[b]=a)});f.ensureModuleRegistered("signalsFBEventsGetIwlUrl",function(){return function(a,b,c,d){var e={exports:{}};e.exports;(function(){"use strict";var a=f.getFbeventsModules("signalsFBEventsGetTier");e.exports=function(b,c){c=a(c);c=c==null?"www.facebook.com":"www."+c+".facebook.com";return"https://"+c+"/signals/iwl.js?pixel_id="+b}})();return e.exports}(a,b,c,d)});f.ensureModuleRegistered("signalsFBEventsGetTier",function(){return function(f,b,c,d){var e={exports:{}};e.exports;(function(){"use strict";var a=/^https:\/\/www\.([A-Za-z0-9\.]+)\.facebook\.com\/tr\/?$/,b=["https://www.facebook.com/tr","https://www.facebook.com/tr/"];e.exports=function(c){if(b.indexOf(c)!==-1)return null;var d=a.exec(c);if(d==null)throw new Error("Malformed tier: "+c);return d[1]}})();return e.exports}(a,b,c,d)});f.ensureModuleRegistered("SignalsFBEvents.plugins.iwlbootstrapper",function(){return function(a,b,c,d){var e={exports:{}};e.exports;(function(){"use strict";var 
c=f.getFbeventsModules("SignalsFBEventsIWLBootStrapEvent"),d=f.getFbeventsModules("SignalsFBEventsLogging"),g=f.getFbeventsModules("SignalsFBEventsNetworkConfig"),h=f.getFbeventsModules("SignalsFBEventsPlugin"),i=f.getFbeventsModules("signalsFBEventsGetIwlUrl"),j=f.getFbeventsModules("signalsFBEventsGetTier"),k=d.logUserError,l=/^https:\/\/.*\.facebook\.com$/i,m="FACEBOOK_IWL_CONFIG_STORAGE_KEY",n=a.sessionStorage?a.sessionStorage:{getItem:function(a){return null},removeItem:function(a){},setItem:function(a,b){}};e.exports=new h(function(d,e){function h(c,d){var e=b.createElement("script");e.async=!0;e.onload=function(){if(!a.FacebookIWL||!a.FacebookIWL.init)return;var b=j(g.ENDPOINT);b!=null&&a.FacebookIWL.set&&a.FacebookIWL.set("tier",b);d()};a.FacebookIWLSessionEnd=function(){n.removeItem(m),a.close()};e.src=i(c,g.ENDPOINT);b.body&&b.body.appendChild(e)}var o=!1,p=function(a){return!!(e&&e.pixelsByID&&Object.prototype.hasOwnProperty.call(e.pixelsByID,a))};function q(){if(o)return;var b=n.getItem(m);if(!b)return;b=JSON.parse(b);var c=b.pixelID,d=b.graphToken,e=b.sessionStartTime;o=!0;h(c,function(){var b=p(c)?c:null;a.FacebookIWL.init(b,d,e)})}function r(b){if(o)return;h(b,func
Source: unknown DNS traffic detected: queries for: www.covid19-siparadigm.com
Source: chartjs-plugin-datalabels[1].js.3.dr String found in binary or memory: http://chartjs.org/
Source: datatables.min[1].js.3.dr String found in binary or memory: http://datatables.net/tn/
Source: bootstrap-datepicker3.min[1].css.3.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0)
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://ade.googlesyndication.com/ddm/activity
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://adservice.google.com/ddm/regclk
Source: analytics[1].js.3.dr String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: Sortable[1].js.3.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=505521
Source: forgot_password[1].htm.3.dr String found in binary or memory: https://cdn.jsdelivr.net/npm/select2
Source: login[1].htm.3.dr String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: datatables.min[1].js.3.dr String found in binary or memory: https://datatables.net/download
Source: datatables.min[1].js.3.dr String found in binary or memory: https://datatables.net/download/#bs4/dt-1.10.16/af-2.2.2/b-1.5.1/cr-1.4.1/fc-3.2.4/fh-3.1.3/kt-2.3.2
Source: datatables.min[1].js.3.dr String found in binary or memory: https://datatables.net/tn/11
Source: cropper.min[1].js.3.dr String found in binary or memory: https://fengyuanchen.github.io/cropperjs
Source: dore.light.blue[1].css.3.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Cairo:300
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/cairo/v9/SLXGc1nY6HkvalIhTp0.woff)
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/cairo/v9/SLXLc1nY6HkvalqKbI6L59A.woff)
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/cairo/v9/SLXLc1nY6Hkvalqaa46L59A.woff)
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/cairo/v9/SLXLc1nY6Hkvalr-ao6L59A.woff)
Source: fullcalendar.min[1].js.3.dr String found in binary or memory: https://fullcalendar.io/
Source: bootstrap.min[1].css.3.dr, bootstrap.bundle.min[1].js.3.dr String found in binary or memory: https://getbootstrap.com/)
Source: owl.carousel.min[1].css.3.dr String found in binary or memory: https://github.com/OwlCarousel2/OwlCarousel2/blob/master/LICENSE
Source: typeahead.bundle[1].js.3.dr String found in binary or memory: https://github.com/bassjobsen/Bootstrap-3-Typeahead
Source: Chart.bundle.min[1].js.3.dr String found in binary or memory: https://github.com/chartjs/Chart.js/blob/master/LICENSE.md
Source: chartjs-plugin-datalabels[1].js.3.dr String found in binary or memory: https://github.com/chartjs/chartjs-plugin-datalabels/blob/master/LICENSE.md
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://github.com/krux/postscribe/blob/master/LICENSE.
Source: bootstrap-notify.min[1].js.3.dr String found in binary or memory: https://github.com/mouse0270/bootstrap-growl
Source: select2.full.min[1].js.3.dr String found in binary or memory: https://github.com/select2/select2/blob/master/LICENSE.md
Source: bootstrap.min[1].css.3.dr, bootstrap.bundle.min[1].js.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.bundle.min[1].js.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: bootstrap-datepicker3.min[1].css.3.dr String found in binary or memory: https://github.com/uxsolutions/bootstrap-datepicker)
Source: jquery.validate.min[1].js.3.dr String found in binary or memory: https://jqueryvalidation.org/
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://pagead2.googlesyndication.com
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://pagead2.googlesyndication.com/
Source: analytics[1].js.3.dr String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: ~DF9417F44143076A8B.TMP.1.dr String found in binary or memory: https://www.covid19-siparadigm.com/en/forgot_password
Source: ~DF9417F44143076A8B.TMP.1.dr String found in binary or memory: https://www.covid19-siparadigm.com/en/login
Source: {9D8214F7-82F5-11EB-90E4-ECF4BB862DED}.dat.1.dr String found in binary or memory: https://www.covid19-siparadigm.com/en/loginRoot
Source: ~DF9417F44143076A8B.TMP.1.dr String found in binary or memory: https://www.covid19-siparadigm.com/en/loginx
Source: imagestore.dat.3.dr String found in binary or memory: https://www.covid19-siparadigm.com/favicon.ico
Source: imagestore.dat.3.dr String found in binary or memory: https://www.covid19-siparadigm.com/favicon.ico~
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: analytics[1].js.3.dr String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: analytics[1].js.3.dr String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://www.google.com
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://www.google.com/travel/flights/click/conversion/
Source: analytics[1].js.3.dr String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: googleAnalytics[1].js.3.dr String found in binary or memory: https://www.googletraveladservices.com/travel/clk/pagead/conversion/
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 35.155.101.78:443 -> 192.168.2.3:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.60.216.19:443 -> 192.168.2.3:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.60.216.19:443 -> 192.168.2.3:49713 version: TLS 1.2
Source: classification engine Classification label: clean0.win@3/75@4/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFD785E640233A2FFA.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 367641 URL: http://www.covid19-siparadigm.com Startdate: 11/03/2021 Architecture: WINDOWS Score: 0 11 favicon.ico 2->11 6 iexplore.exe 2 62 2->6         started        process3 process4 8 iexplore.exe 6 106 6->8         started        dnsIp5 13 scontent.xx.fbcdn.net 185.60.216.19, 443, 49712, 49713 FACEBOOKUS Ireland 8->13 15 neovare-alb-285209131.us-west-2.elb.amazonaws.com 35.155.101.78, 443, 49708, 49709 AMAZON-02US United States 8->15 17 3 other IPs or domains 8->17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.60.216.19
scontent.xx.fbcdn.net Ireland
32934 FACEBOOKUS false
35.155.101.78
neovare-alb-285209131.us-west-2.elb.amazonaws.com United States
16509 AMAZON-02US false

Contacted Domains

Name IP Active
scontent.xx.fbcdn.net 185.60.216.19 true
neovare-alb-285209131.us-west-2.elb.amazonaws.com 35.155.101.78 true
www.covid19-siparadigm.com unknown unknown
cdn.jsdelivr.net unknown unknown
favicon.ico unknown unknown
connect.facebook.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.covid19-siparadigm.com/en/login false unknown
https://www.covid19-siparadigm.com/en/forgot_password false
    unknown
    http://www.covid19-siparadigm.com/ false
    • Avira URL Cloud: safe
    unknown