IOC Report
https://jira.flywire.tech/plugins/servlet/desk/portal/34

Files

File Path

Type

Category

Malicious

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 12 09:36:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 12 09:36:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 12 09:36:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 12 09:36:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Sat Oct 12 09:36:44 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide

dropped

Chrome Cache Entry: 103

Web Open Font Format (Version 2), CFF, length 42632, version 2.0

downloaded

Chrome Cache Entry: 72

Web Open Font Format (Version 2), TrueType, length 105804, version 1.0

downloaded

Chrome Cache Entry: 73

ASCII text, with very long lines (65460)

downloaded

Chrome Cache Entry: 74

JSON data

dropped

Chrome Cache Entry: 75

HTML document, Unicode text, UTF-8 text, with very long lines (7540)

downloaded

Chrome Cache Entry: 76

ASCII text, with very long lines (51741)

downloaded

Chrome Cache Entry: 80

Unicode text, UTF-8 text, with very long lines (49026), with LF, NEL line terminators

dropped

Chrome Cache Entry: 81

Web Open Font Format, CFF, length 20600, version 1.0

downloaded

Chrome Cache Entry: 82

GIF image data, version 89a, 38 x 38

downloaded

Chrome Cache Entry: 83

MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel

dropped

Chrome Cache Entry: 84

PNG image data, 362 x 120, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 85

Web Open Font Format (Version 2), TrueType, length 98868, version 1.0

downloaded

Chrome Cache Entry: 86

JSON data

dropped

Chrome Cache Entry: 87

ASCII text, with very long lines (65460)

dropped

Chrome Cache Entry: 88

ASCII text, with very long lines (40099)

downloaded

Chrome Cache Entry: 90

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 91

PNG image data, 420 x 144, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 92

ASCII text

downloaded

Chrome Cache Entry: 93

PNG image data, 50 x 1155, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 94

HTML document, ASCII text, with very long lines (451), with no line terminators

downloaded

Chrome Cache Entry: 95

PNG image data, 140 x 140, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 98

ASCII text, with very long lines (7276)

downloaded

Chrome Cache Entry: 99

PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced

dropped

There are 20 hidden files, click here to show them.

URLs

Name

IP

Malicious

https://jira.flywire.tech/plugins/servlet/desk/portal/34

Details

Filetype:	URL
Filename:	https://jira.flywire.tech/plugins/servlet/desk/portal/34

Signature Hits	Behavior Group	Mitre Attack
HTML body contains low number of good links	Phishing
HTML page contains hidden javascript code	Phishing
Stores files to the Windows start menu directory	Boot Survival	Registry Run Keys / Startup Folder
Classification label	System Summary
Connects to IPs without corresponding DNS lookups	Networking
Creates files inside the user directory	System Summary	Masquerading
Found iframes	Phishing	Drive-by Compromise
HTML page is missing a favicon	Phishing
META author tag missing	Phishing
META copyright tag missing	Phishing
Performs DNS lookups	Networking	Non-Application Layer Protocol Application Layer Protocol
Spawns processes	System Summary	Process Injection
Uses HTTPS	Networking
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis		Encrypted Channel
Uses secure TLS version for HTTPS connections	Compliance, Networking
Found graphical window changes (likely an installer)	System Summary

https://flywire.okta.com/oauth2/v1/authorize?client_id=0oam8v0n7en8Yj7ON0x7&redirect_uri=https%3A%2F%2Fflywire.cloudflareaccess.com%2Fcdn-cgi%2Faccess%2Fcallback&response_type=code&scope=openid%20groups%20profile%20email&state=19b80ec91e7d08e7bf25bee8b40416b0206bd1199e66bd0afb080829a4ae4c0b.JTdCJTIyaWF0JTIyJTNBMTcyODcyOTQwNSUyQyUyMmF1dGhEb21haW4lMjIlM0ElMjJmbHl3aXJlLmNsb3VkZmxhcmVhY2Nlc3MuY29tJTIyJTJDJTIyaG9zdG5hbWUlMjIlM0ElMjJqaXJhLmZseXdpcmUudGVjaCUyMiUyQyUyMnJlZGlyZWN0VVJMJTIyJTNBJTIyJTJGcGx1Z2lucyUyRnNlcnZsZXQlMkZkZXNrJTJGcG9ydGFsJTJGMzQlMjIlMkMlMjJhdWQlMjIlM0ElMjI3MTZjMTYyOGRiMDU2ODNjYTNiYzRlNDY3OTdkMzQ0YmQ3M2Q4ZTE1MjZjODE5OWQ2NGRlZjAwNjBjMWE0YTI0JTIyJTJDJTIyaXNTYW1lU2l0ZU5vbmVDb21wYXRpYmxlJTIyJTNBdHJ1ZSUyQyUyMmlzSURQVGVzdCUyMiUzQWZhbHNlJTJDJTIyaXNSZWZyZXNoJTIyJTNBZmFsc2UlMkMlMjJub25jZSUyMiUzQSUyMm5BcWY1eGVLZzE3eWJLR09wJTIyJTJDJTIyaWRwSWQlMjIlM0ElMjI0NTI5YzBiNS04ZGYwLTQ1ZjktYjUyZi1jMjVjMWM2ZWQ4ZGElMjIlMkMlMjJzZXJ2aWNlX3Rva2VuX2lkJTIyJTNBJTIyJTIyJTJDJTIyc2VydmljZV90b2tlbl9zdGF0dXMlMjIlM0FmYWxzZSUyQyUyMmF1dGhfc3RhdHVzJTIyJTNBJTIyTk9ORSUyMiUyQyUyMmlzX3dhcnAlMjIlM0FmYWxzZSUyQyUyMmlzX2dhdGV3YXklMjIlM0FmYWxzZSUyQyUyMm10bHNfYXV0aCUyMiUzQSU3QiUyMmNlcnRfaXNzdWVyX3NraSUyMiUzQSUyMiUyMiUyQyUyMmNlcnRfcHJlc2VudGVkJTIyJTNBZmFsc2UlMkMlMjJjZXJ0X3NlcmlhbCUyMiUzQSUyMiUyMiUyQyUyMmNlcnRfaXNzdWVyX2RuJTIyJTNBJTIyJTIyJTJDJTIyYXV0aF9zdGF0dXMlMjIlM0ElMjJOT05FJTIyJTdEJTJDJTIyYXBwU2Vzc2lvbkhhc2glMjIlM0ElMjIzMmYwN2UxZTY1ZmQ1ZTFkMDgxMjQyNDMyZWQ1MWJiOWMwYjE0OWJkN2Q2YTE5MWJlYTcyNDQ5ZWU3MzQwMjI1JTIyJTdE

Details

Name:	https://flywire.okta.com/oauth2/v1/authorize?client_id=0oam8v0n7en8Yj7ON0x7&redirect_uri=https%3A%2F%2Fflywire.cloudflareaccess.com%2Fcdn-cgi%2Faccess%2Fcallback&response_type=code&scope=openid%20groups%20profile%20email&state=19b80ec91e7d08e7bf25bee8b40416b0206bd1199e66bd0afb080829a4ae4c0b.JTdCJTIyaWF0JTIyJTNBMTcyODcyOTQwNSUyQyUyMmF1dGhEb21haW4lMjIlM0ElMjJmbHl3aXJlLmNsb3VkZmxhcmVhY2Nlc3MuY29tJTIyJTJDJTIyaG9zdG5hbWUlMjIlM0ElMjJqaXJhLmZseXdpcmUudGVjaCUyMiUyQyUyMnJlZGlyZWN0VVJMJTIyJTNBJTIyJTJGcGx1Z2lucyUyRnNlcnZsZXQlMkZkZXNrJTJGcG9ydGFsJTJGMzQlMjIlMkMlMjJhdWQlMjIlM0ElMjI3MTZjMTYyOGRiMDU2ODNjYTNiYzRlNDY3OTdkMzQ0YmQ3M2Q4ZTE1MjZjODE5OWQ2NGRlZjAwNjBjMWE0YTI0JTIyJTJDJTIyaXNTYW1lU2l0ZU5vbmVDb21wYXRpYmxlJTIyJTNBdHJ1ZSUyQyUyMmlzSURQVGVzdCUyMiUzQWZhbHNlJTJDJTIyaXNSZWZyZXNoJTIyJTNBZmFsc2UlMkMlMjJub25jZSUyMiUzQSUyMm5BcWY1eGVLZzE3eWJLR09wJTIyJTJDJTIyaWRwSWQlMjIlM0ElMjI0NTI5YzBiNS04ZGYwLTQ1ZjktYjUyZi1jMjVjMWM2ZWQ4ZGElMjIlMkMlMjJzZXJ2aWNlX3Rva2VuX2lkJTIyJTNBJTIyJTIyJTJDJTIyc2VydmljZV90b2tlbl9zdGF0dXMlMjIlM0FmYWxzZSUyQyUyMmF1dGhfc3RhdHVzJTIyJTNBJTIyTk9ORSUyMiUyQyUyMmlzX3dhcnAlMjIlM0FmYWxzZSUyQyUyMmlzX2dhdGV3YXklMjIlM0FmYWxzZSUyQyUyMm10bHNfYXV0aCUyMiUzQSU3QiUyMmNlcnRfaXNzdWVyX3NraSUyMiUzQSUyMiUyMiUyQyUyMmNlcnRfcHJlc2VudGVkJTIyJTNBZmFsc2UlMkMlMjJjZXJ0X3NlcmlhbCUyMiUzQSUyMiUyMiUyQyUyMmNlcnRfaXNzdWVyX2RuJTIyJTNBJTIyJTIyJTJDJTIyYXV0aF9zdGF0dXMlMjIlM0ElMjJOT05FJTIyJTdEJTJDJTIyYXBwU2Vzc2lvbkhhc2glMjIlM0ElMjIzMmYwN2UxZTY1ZmQ1ZTFkMDgxMjQyNDMyZWQ1MWJiOWMwYjE0OWJkN2Q2YTE5MWJlYTcyNDQ5ZWU3MzQwMjI1JTIyJTdE
TargetID:	0
From Memory:	false
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Source:	browser

Signature Hits	Behavior Group	Mitre Attack
META author tag missing	Phishing

Domains

Name

IP

Malicious

d14fm7q9i1ewz3.cloudfront.net

18.245.86.88

www.google.com

142.250.181.228

Details

Name:	www.google.com
IP:	142.250.181.228
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

jira.flywire.tech

104.18.42.244

Details

Name:	jira.flywire.tech
IP:	104.18.42.244
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTML page contains hidden javascript code	Phishing
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
Spawns processes	System Summary	Process Injection

a9fda6e8074f1dfbe.awsglobalaccelerator.com

99.83.213.230

flywire.cloudflareaccess.com

104.19.195.29

Details

Name:	flywire.cloudflareaccess.com
IP:	104.19.195.29
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTML page contains hidden javascript code	Phishing
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

d37qf8t9pe6csu.cloudfront.net

108.138.7.107

flywire.okta.com

unknown

ok2static.oktacdn.com

unknown

login.okta.com

unknown

Details

Name:	login.okta.com
TargetID:	1
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Found iframes	Phishing	Drive-by Compromise
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

IPs

IP

Domain

Country

Malicious

142.250.186.46

unknown

United States

18.245.86.88

d14fm7q9i1ewz3.cloudfront.net

United States

1.1.1.1

unknown

Australia

18.245.86.45

unknown

United States

99.83.213.230

a9fda6e8074f1dfbe.awsglobalaccelerator.com

United States

104.18.42.244

jira.flywire.tech

United States

216.58.206.67

unknown

United States

192.168.2.16

unknown

unknown

104.19.195.29

flywire.cloudflareaccess.com

United States

75.2.87.65

unknown

United States

216.58.206.46

unknown

United States

13.227.219.44

unknown

United States

239.255.255.250

unknown

Reserved

142.250.181.228

www.google.com

United States

142.250.186.42

unknown

United States

108.138.7.107

d37qf8t9pe6csu.cloudfront.net

United States

127.0.0.1

unknown

unknown

142.250.186.99

unknown

United States

66.102.1.84

unknown

United States

There are 9 hidden IPs, click here to show them.