Analysis Report BCJOphish040520219700.html

Overview

General Information

Sample Name: BCJOphish040520219700.html
Analysis ID: 404066
MD5: 724cbfa451d94bd57998a09c9956fcab
SHA1: d39571159adc5da02c99350b21a843a80b57233b
SHA256: 713e7b41006aea09ddf4786a43d386b8e6338555d47e97b4a2726af59956e167
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
Yara detected HtmlPhish44
Yara detected obfuscated html page
Obfuscated HTML file found
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Classification

Phishing:

barindex
Phishing site detected (based on favicon image match)
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish10
Source: Yara match File source: 910646.pages.csv, type: HTML
Yara detected HtmlPhish44
Source: Yara match File source: BCJOphish040520219700.html, type: SAMPLE
Yara detected obfuscated html page
Source: Yara match File source: BCJOphish040520219700.html, type: SAMPLE
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: Number of links: 0
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: Title: Microsoft | Login does not match URL
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: Title: Microsoft | Login does not match URL
Invalid T&C link found
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: Invalid link: Privacy & cookies
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: Invalid link: Privacy & cookies
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/BCJOphish040520219700.html HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49719 version: TLS 1.2

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.18.11.207 104.18.11.207
Source: Joe Sandbox View IP Address: 23.111.9.35 23.111.9.35
Source: Joe Sandbox View IP Address: 23.111.9.35 23.111.9.35
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1e63ffc2,0x01d74144</date><accdate>0x1e63ffc2,0x01d74144</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1e63ffc2,0x01d74144</date><accdate>0x1e63ffc2,0x01d74144</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1e6b26e8,0x01d74144</date><accdate>0x1e6b26e8,0x01d74144</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1e6b26e8,0x01d74144</date><accdate>0x1e6b26e8,0x01d74144</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1e6d8903,0x01d74144</date><accdate>0x1e6d8903,0x01d74144</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1e6d8903,0x01d74144</date><accdate>0x1e6d8903,0x01d74144</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: code.jquery.com
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: http://jquery.org/license
Source: popper.min[1].js.2.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=378607
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=449857
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=470258
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=589347
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.jquery.com/ticket/12359
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.jquery.com/ticket/13378
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=136851
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=137337
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://drafts.csswg.org/cssom/#common-serializing-idioms
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://drafts.csswg.org/cssom/#resolved-values
Source: all[1].css.2.dr String found in binary or memory: https://fontawesome.com
Source: all[1].css.2.dr String found in binary or memory: https://fontawesome.com/license/free
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v12/tss0ApVBdCYD5Q7hcxTE1ArZ0bbwiXo.woff)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://getbootstrap.com)
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://github.com/eslint/eslint/issues/3229
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://github.com/eslint/eslint/issues/6125
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://html.spec.whatwg.org/#strip-and-collapse-whitespace
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#category-listed
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://jquery.com/
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://jquery.org/license
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://jsperf.com/getall-vs-sizzle/2
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://jsperf.com/thor-indexof-vs-for/5
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://promisesaplus.com/#point-48
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://promisesaplus.com/#point-54
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://promisesaplus.com/#point-57
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://promisesaplus.com/#point-59
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://promisesaplus.com/#point-61
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://promisesaplus.com/#point-64
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://promisesaplus.com/#point-75
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://sizzlejs.com/
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: jquery-3.3.1[1].js.2.dr String found in binary or memory: https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: classification engine Classification label: mal76.phis.evad.winHTML@3/24@5/3
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{46CC5D3F-AD37-11EB-90E5-ECF4BB570DC9}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFDB291DF1B61879C7.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6424 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6424 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

Data Obfuscation:

barindex
Obfuscated HTML file found
Source: BCJOphish040520219700.html Initial file: Did not found title: "Microsoft | Login" in HTML/HTM content
Source: BCJOphish040520219700.html Initial file: Did not found title: "Microsoft | Login" in HTML/HTM content
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 404066 Sample: BCJOphish040520219700.html Startdate: 04/05/2021 Architecture: WINDOWS Score: 76 12 cs1100.wpc.omegacdn.net 2->12 14 aadcdn.msftauth.net 2->14 22 Phishing site detected (based on favicon image match) 2->22 24 Yara detected HtmlPhish44 2->24 26 Yara detected HtmlPhish10 2->26 28 2 other signatures 2->28 7 iexplore.exe 1 76 2->7         started        signatures3 process4 process5 9 iexplore.exe 6 41 7->9         started        dnsIp6 16 fontawesome-cdn.fonticons.netdna-cdn.com 23.111.9.35, 443, 49715, 49716 HIGHWINDS2US United States 9->16 18 cdnjs.cloudflare.com 104.16.18.94, 443, 49718, 49719 CLOUDFLARENETUS United States 9->18 20 3 other IPs or domains 9->20
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.18.11.207
maxcdn.bootstrapcdn.com United States
13335 CLOUDFLARENETUS false
23.111.9.35
fontawesome-cdn.fonticons.netdna-cdn.com United States
33438 HIGHWINDS2US false
104.16.18.94
cdnjs.cloudflare.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
cs1100.wpc.omegacdn.net 152.199.23.37 true
cdnjs.cloudflare.com 104.16.18.94 true
maxcdn.bootstrapcdn.com 104.18.11.207 true
fontawesome-cdn.fonticons.netdna-cdn.com 23.111.9.35 true
use.fontawesome.com unknown unknown
code.jquery.com unknown unknown
aadcdn.msftauth.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
file:///C:/Users/user/Desktop/BCJOphish040520219700.html true
    low