Loading ...

Analysis Report https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:784482
Start date:10.02.2019
Start time:16:43:13
Joe Sandbox Product:Cloud
Overall analysis duration:0h 4m 14s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016 Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.phis.win@3/22@1/1
Cookbook Comments:
  • Adjust boot time
  • Browsing link: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#
Warnings:
Show All
  • Exclude process from analysis (whitelisted): ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold480 - 100Report FP / FNfalsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsWindows Remote ManagementWinlogon Helper DLLPort MonitorsFile System Logical OffsetsCredential DumpingSystem Service DiscoveryApplication Deployment SoftwareData from Local SystemData Encrypted1Standard Non-Application Layer Protocol2
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesBinary PaddingNetwork SniffingApplication Window DiscoveryRemote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol2

Signature Overview

Click to jump to signature section


Phishing:

barindex
Phishing site detected (based on favicon image match)Show sources
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USMatcher: Template: paypal matched with high similarity
Phishing site detected (based on logo template match)Show sources
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USMatcher: Template: paypal matched
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#Matcher: Template: paypal matched
HTML body contains low number of good linksShow sources
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USHTTP Parser: Number of links: 0
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#HTTP Parser: Number of links: 0
HTML title does not match URLShow sources
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USHTTP Parser: Title: Log in to your PayPal Account does not match URL
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#HTTP Parser: Title: Log in to your PayPal Account does not match URL
Invalid T&C link foundShow sources
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USHTTP Parser: Invalid link: Privacy
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#HTTP Parser: Invalid link: Privacy
META author tag missingShow sources
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USHTTP Parser: No <meta name="author".. found
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#HTTP Parser: No <meta name="author".. found
META copyright tag missingShow sources
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USHTTP Parser: No <meta name="copyright".. found
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#HTTP Parser: No <meta name="copyright".. found

Networking:

barindex
Found strings which match to known social media urlsShow sources
Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xfd247193,0x01d4c1a2</date><accdate>0xfd247193,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xfd247193,0x01d4c1a2</date><accdate>0xfd247193,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xfd2c0bd1,0x01d4c1a2</date><accdate>0xfd2c0bd1,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xfd2c0bd1,0x01d4c1a2</date><accdate>0xfd2c0bd1,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xfd2ea05a,0x01d4c1a2</date><accdate>0xfd2ea05a,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xfd2ea05a,0x01d4c1a2</date><accdate>0xfd313fa2,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: a1.bedirectip.com
Urls found in memory or binary dataShow sources
Source: msapplication.xml.1.drString found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.drString found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.drString found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.drString found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.drString found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.drString found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.drString found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.drString found in binary or memory: http://www.youtube.com/
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.drString found in binary or memory: https://a1.bedire
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.drString found in binary or memory: https://a1.bedireRoot
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.drString found in binary or memory: https://a1.bedirecom/c/myaccount/signin/?country.x=us&locale.x=en_us#Root
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.drString found in binary or memory: https://a1.bedirectip.
Source: imagestore.dat.2.drString found in binary or memory: https://a1.bedirectip.com/c/lib/img//favicon.ico
Source: imagestore.dat.2.drString found in binary or memory: https://a1.bedirectip.com/c/lib/img//favicon.ico~
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.drString found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.drString found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US:Log
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.drString found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USRoot
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.drString found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr, ~DFA772B320B06DA1E1.TMP.1.drString found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#
Source: L-Z118[1].css.2.drString found in binary or memory: https://www.paypalobjects.com/webstatic/i/consumer/onboarding/sprite_form_2x.png);
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49821
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49820
Source: unknownNetwork traffic detected: HTTP traffic on port 49820 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49821 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49822 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49823 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49823
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49822

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal48.phis.win@3/22@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\JAYJAY~1\AppData\Local\Temp\~DF507ECA6DD8AA1305.TMPJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1840 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1840 CREDAT:17410 /prefetch:2Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses new MSVCR DllsShow sources
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dllJump to behavior
Sample Distance (10 = nearest)
10 9 8 7 6 5 4 3 2 1
Samplename Analysis ID SHA256 Similarity

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 784482 URL: https://a1.bedirectip.com/c/myaccount/signin/?country.x=U... Startdate: 10/02/2019 Architecture: WINDOWS Score: 48 13 Phishing site detected (based on favicon image match) 2->13 15 Phishing site detected (based on logo template match) 2->15 6 iexplore.exe 4 86 2->6         started        process3 process4 8 iexplore.exe 2 37 6->8         started        dnsIp5 11 a1.bedirectip.com 145.239.6.124, 443, 49820, 49821 OVHFR France 8->11

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLinkDownload
https://a1.bedire0%Avira URL CloudsafeDownload File
https://a1.bedirectip.com/c/lib/img//favicon.ico~0%Avira URL CloudsafeDownload File
https://a1.bedirectip.0%Avira URL CloudsafeDownload File
https://a1.bedireRoot0%Avira URL CloudsafeDownload File
https://a1.bedirectip.com/c/lib/img//favicon.ico0%Avira URL CloudsafeDownload File

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.