Analysis Report https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	784482
Start date:	10.02.2019
Start time:	16:43:13
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 4m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US
Analysis system description:	Windows 10 64 bit (version 1803) with Office 2016 Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.phis.win@3/22@1/1
Cookbook Comments:	Adjust boot time Browsing link: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#
Warnings:	Show All Exclude process from analysis (whitelisted): ielowutil.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	48	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Remote Management	Winlogon Helper DLL	Port Monitors	File System Logical Offsets	Credential Dumping	System Service Discovery	Application Deployment Software	Data from Local System	Data Encrypted1	Standard Non-Application Layer Protocol2
Replication Through Removable Media	Service Execution	Port Monitors	Accessibility Features	Binary Padding	Network Sniffing	Application Window Discovery	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol2

Signature Overview

Click to jump to signature section

Phishing:

Phishing site detected (based on favicon image match)

Show sources

Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US

Matcher: Template: paypal matched with high similarity

Phishing site detected (based on logo template match)

Show sources

Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US	Matcher: Template: paypal matched
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#	Matcher: Template: paypal matched

HTML body contains low number of good links

Show sources

Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US	HTTP Parser: Number of links: 0
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#	HTTP Parser: Number of links: 0

HTML title does not match URL

Show sources

Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US	HTTP Parser: Title: Log in to your PayPal Account does not match URL
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#	HTTP Parser: Title: Log in to your PayPal Account does not match URL

Invalid T&C link found

Show sources

Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US	HTTP Parser: Invalid link: Privacy
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#	HTTP Parser: Invalid link: Privacy

META author tag missing

Show sources

Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US	HTTP Parser: No <meta name="author".. found
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#	HTTP Parser: No <meta name="author".. found

META copyright tag missing

Show sources

Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US	HTTP Parser: No <meta name="copyright".. found
Source: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#	HTTP Parser: No <meta name="copyright".. found

Networking:

Found strings which match to known social media urls

Show sources

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xfd247193,0x01d4c1a2</date><accdate>0xfd247193,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xfd247193,0x01d4c1a2</date><accdate>0xfd247193,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xfd2c0bd1,0x01d4c1a2</date><accdate>0xfd2c0bd1,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xfd2c0bd1,0x01d4c1a2</date><accdate>0xfd2c0bd1,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xfd2ea05a,0x01d4c1a2</date><accdate>0xfd2ea05a,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xfd2ea05a,0x01d4c1a2</date><accdate>0xfd313fa2,0x01d4c1a2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: a1.bedirectip.com

Urls found in memory or binary data

Show sources

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr	String found in binary or memory: https://a1.bedire
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr	String found in binary or memory: https://a1.bedireRoot
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr	String found in binary or memory: https://a1.bedirecom/c/myaccount/signin/?country.x=us&locale.x=en_us#Root
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr	String found in binary or memory: https://a1.bedirectip.
Source: imagestore.dat.2.dr	String found in binary or memory: https://a1.bedirectip.com/c/lib/img//favicon.ico
Source: imagestore.dat.2.dr	String found in binary or memory: https://a1.bedirectip.com/c/lib/img//favicon.ico~
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr	String found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr	String found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US:Log
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr	String found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_USRoot
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr	String found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us
Source: {27440B2A-2D96-11E9-AAD2-C2DD1F0DAA95}.dat.1.dr, ~DFA772B320B06DA1E1.TMP.1.dr	String found in binary or memory: https://a1.bedirectip.com/c/myaccount/signin/?country.x=us&locale.x=en_us#
Source: L-Z118[1].css.2.dr	String found in binary or memory: https://www.paypalobjects.com/webstatic/i/consumer/onboarding/sprite_form_2x.png);

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

System Summary:

Classification label

Show sources

Source: classification engine

Classification label: mal48.phis.win@3/22@1/1

Creates files inside the user directory

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\JAYJAY~1\AppData\Local\Temp\~DF507ECA6DD8AA1305.TMP

Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1840 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1840 CREDAT:17410 /prefetch:2	Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

No simulations

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Download
https://a1.bedire	0%	Avira URL Cloud	safe	Download File
https://a1.bedirectip.com/c/lib/img//favicon.ico~	0%	Avira URL Cloud	safe	Download File
https://a1.bedirectip.	0%	Avira URL Cloud	safe	Download File
https://a1.bedireRoot	0%	Avira URL Cloud	safe	Download File
https://a1.bedirectip.com/c/lib/img//favicon.ico	0%	Avira URL Cloud	safe	Download File

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report https://a1.bedirectip.com/c/myaccount/signin/?country.x=US&locale.x=en_US

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Phishing:

Networking:

System Summary:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails