Analysis Report https://te121491a.emailsys1c.net/mailing/117/4130125/0/e11e3fdf13/index.html

Overview

General Information

Sample URL: https://te121491a.emailsys1c.net/mailing/117/4130125/0/e11e3fdf13/index.html
Analysis ID: 433362
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Yara detected HtmlPhish10
Phishing site detected (based on logo template match)
HTML body contains low number of good links
HTML title does not match URL
Invalid T&C link found

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: https://bayoujanitorial.com/doc0022as/ SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

barindex
Yara detected HtmlPhish10
Source: Yara match File source: 134349.0.links.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\doc0022as[1].htm, type: DROPPED
Phishing site detected (based on logo template match)
Source: https://bayoujanitorial.com/doc0022as/ Matcher: Template: onedrive matched
HTML body contains low number of good links
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: Number of links: 0
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: Title: Sharing Link Validation does not match URL
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: Title: Sharing Link Validation does not match URL
Invalid T&C link found
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: Invalid link: Privacy & Cookies
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: Invalid link: Privacy & Cookies
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: No <meta name="author".. found
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: No <meta name="author".. found
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: No <meta name="copyright".. found
Source: https://bayoujanitorial.com/doc0022as/ HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 185.71.125.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.71.125.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.66.125:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.66.125:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.71.125.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.121.59:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.121.59:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: te121491a.emailsys1c.net
Source: popper.min[1].js.2.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: doc0022as[1].htm0.2.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: ~DFE21D5024E00E3D1A.TMP.1.dr, doc0022as[1].htm.2.dr String found in binary or memory: https://bayoujanitorial.com/doc0022as/
Source: ~DFE21D5024E00E3D1A.TMP.1.dr String found in binary or memory: https://bayoujanitorial.com/doc0022as/.Sharing
Source: ~DFE21D5024E00E3D1A.TMP.1.dr String found in binary or memory: https://bayoujanitorial.com/doc0022as//117/4130125/0/e11e3fdf13/index.html
Source: ~DFE21D5024E00E3D1A.TMP.1.dr String found in binary or memory: https://bayoujanitorial.com/doc0022as//117/4130125/0/e11e3fdf13/index.htmln
Source: {2EB38427-CACA-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://bayoujanitorialsys1c.net/mailing/117/4130125/0/e11e3fdf13/index.html
Source: index[1].htm.2.dr String found in binary or memory: https://c.emailsys1c.net/mailingassets/8aa5a37e4da81f4d64e4f7d2104ed890fc3fff99.png
Source: doc0022as[1].htm0.2.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: doc0022as[1].htm0.2.dr String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: doc0022as[1].htm0.2.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: css[1].css.2.dr String found in binary or memory: https://fonts.gstatic.com/s/opensans/v20/mem5YaGs126MiZpBA-UNirkOUuhv.woff)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://getbootstrap.com)
Source: bootstrap.min[2].js.2.dr String found in binary or memory: https://getbootstrap.com/)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: doc0022as[1].htm0.2.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: doc0022as[1].htm0.2.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: doc0022as[1].htm0.2.dr String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: index[1].htm.2.dr String found in binary or memory: https://te121491a.emailsys1c.net/c/117/4130125/0/0/0/209281/18be3b4950.html?testmail=yes
Source: ~DFE21D5024E00E3D1A.TMP.1.dr String found in binary or memory: https://te121491a.emailsys1c.net/mailing/117/4130125/0/e11e3fdf13/index.html
Source: {2EB38427-CACA-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://te121491a.emailsys1c.net/mailing/117/4130125/0/e11e3fdf13/index.htmlRoot
Source: {2EB38427-CACA-11EB-90EB-ECF4BBEA1588}.dat.1.dr String found in binary or memory: https://te121491al.com/doc0022as//117/4130125/0/e11e3fdf13/index.htmlRoot
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 185.71.125.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.71.125.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.66.125:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.9.66.125:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.71.125.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.121.59:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.121.59:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.18.94:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.11.207:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: classification engine Classification label: mal60.phis.win@3/19@8/5
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2EB38425-CACA-11EB-90EB-ECF4BBEA1588}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFB069A4B60C91DAAA.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6812 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6812 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 433362 URL: https://te121491a.emailsys1... Startdate: 11/06/2021 Architecture: WINDOWS Score: 60 15 te121491a.emailsys1c.net 2->15 23 Antivirus detection for URL or domain 2->23 25 Yara detected HtmlPhish10 2->25 27 Phishing site detected (based on logo template match) 2->27 7 iexplore.exe 1 51 2->7         started        signatures3 process4 process5 9 iexplore.exe 2 48 7->9         started        dnsIp6 17 bayoujanitorial.com 162.241.121.59, 443, 49748, 49749 UNIFIEDLAYER-AS-1US United States 9->17 19 te121491a.emailsys1c.net 185.71.125.3, 443, 49734, 49735 MEGASPACE-ASDE Germany 9->19 21 6 other IPs or domains 9->21 13 C:\Users\user\AppData\...\doc0022as[1].htm, HTML 9->13 dropped file7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.18.11.207
 stackpath.bootstrapcdn.com United States
13335 CLOUDFLARENETUS false
185.71.125.3
 te121491a.emailsys1c.net Germany
34624 MEGASPACE-ASDE false
104.16.18.94
 cdnjs.cloudflare.com United States
13335 CLOUDFLARENETUS false
65.9.66.125
 d3rvoh99oxehdi.cloudfront.net United States
16509 AMAZON-02US false
162.241.121.59
 bayoujanitorial.com United States
46606 UNIFIEDLAYER-AS-1US false

Contacted Domains

Name IP Active
stackpath.bootstrapcdn.com 104.18.11.207 true
te121491a.emailsys1c.net 185.71.125.3 true
d3rvoh99oxehdi.cloudfront.net 65.9.66.125 true
bayoujanitorial.com 162.241.121.59 true
cdnjs.cloudflare.com 104.16.18.94 true
maxcdn.bootstrapcdn.com 104.18.11.207 true
code.jquery.com unknown unknown
c.emailsys1c.net unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://bayoujanitorial.com/doc0022as/ true
  • SlashNext: Fake Login Page type: Phishing & Social Engineering
 unknown
https://te121491a.emailsys1c.net/mailing/117/4130125/0/e11e3fdf13/index.html true
    		unknown