Windows Analysis Report ATT00001.htm

Overview

General Information

Sample Name: ATT00001.htm
Analysis ID: 435311
MD5: 9bf6e3f48d1bb59fc4e688d6cc3e8977
SHA1: 250a41007b2e846ddf2d4b2308784e35747b9cd5
SHA256: 3812cddabc02487974ccf6001f8672ccc3cd39627f4a1b81956d9e7359cc1441
Detection

HTMLPhisher
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
HTML body contains low number of good links
HTML title does not match URL
IP address seen in connection with other malware
Invalid T&C link found
JA3 SSL client fingerprint seen in connection with other malware
None HTTPS page querying sensitive user data (password, username or email)

Classification

Phishing:

Phishing site detected (based on favicon image match)
Source: file:///C:/Users/user/Desktop/ATT00001.htm Matcher: Template: microsoft matched with high similarity
Yara detected HtmlPhish10
Source: Yara match File source: ATT00001.htm, type: SAMPLE
Source: Yara match File source: 082561.pages.csv, type: HTML
HTML body contains low number of good links
Source: file:///C:/Users/user/Desktop/ATT00001.htm HTTP Parser: Number of links: 0
HTML title does not match URL
Source: file:///C:/Users/user/Desktop/ATT00001.htm HTTP Parser: Title: Microsoft | Login does not match URL
Invalid T&C link found
Source: file:///C:/Users/user/Desktop/ATT00001.htm HTTP Parser: Invalid link: Privacy & cookies
None HTTPS page querying sensitive user data (password, username or email)
Source: file:///C:/Users/user/Desktop/ATT00001.htm HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/ATT00001.htm HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/ATT00001.htm HTTP Parser: No <meta name="copyright".. found

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.111.9.35 23.111.9.35
Source: Joe Sandbox View IP Address: 104.18.10.207 104.18.10.207
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: unknown DNS traffic detected: queries for: code.jquery.com
Source: ATT00001.htm String found in binary or memory: http://www.formtrap.com/enterprise/v8.0/manuals/en/images/fax_erp_1.gif
Source: ATT00001.htm String found in binary or memory: https://aadcdn.msftauth.net/ests/2.1/content/images/favicon_a_eupayfgghqiai7k9sol6lg2.ico
Source: ATT00001.htm String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: ATT00001.htm String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: ATT00001.htm String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: ATT00001.htm String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: ATT00001.htm String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: ATT00001.htm String found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: ATT00001.htm String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: ATT00001.htm String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: ATT00001.htm String found in binary or memory: https://use.fontawesome.com/releases/v5.7.0/css/all.css
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.111.9.35:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: classification engine Classification label: mal56.phis.winHTM@3/24@5/3
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF789282AEF4B257BF.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1304 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Next
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll