Static Analysis of wish-you.co

Hello.

Recently wish-you.co went viral in the Philippines when Filipino Facebook users started sending their own customized New Year’s greetings to their Facebook friends.

Note: This analysis is focused on the web application of wish-you.co, to see if there is anything malicious in it.

wish-you.co landing page

Brute-forcing the subdomains gives us 3 results.

144.217.211.126 – old.wish-you.co
104.31.93.16 – http://www.wish-you.co
104.31.93.16 – wish-you.co

dnscan subdomain bruteforce

Checking 144.217.211.126 on ThreatCrowd shows that wish-you.co uses 2 proxy IPs from Cloudflare, 104.24.106.228 and 104.24.107.228.

This means that several other websites are also served from the same two IP addresses, 104.24.106.228 and 104.24.107.228.

If one of those websites is malicious, the shared IP addresses 104.24.106.228 and 104.24.107.228 will automatically be flagged as malicious by online scanners, even though the other sites behind them are unrelated.

I tried looking for suspicious JavaScript files (.js) used by the web application, but I couldn’t find any.

The web application also uses deep links so that mobile users can share their WishCard on WhatsApp and Facebook Messenger.

If you click Share, the page opens a whatsapp:// or fb-messenger:// hyperlink, which launches WhatsApp or Facebook Messenger so you can share the WishCard you created.

<!-- WhatsApp share button: the whole message, including the my-msg.co link, is passed in the text= parameter -->
<a class="footerbtn" href="whatsapp://send?text=👌 *testing* *Send You a Surprising message* 🎁 %0AOpen this %0A 👇👇 %0A my-msg.co/?n=testing %0A"><img width="25px" height="25px" src="wp.png" /><b style="font-size: 15px;"> Click here to share on Whatsapp </b> <img width="25px" height="25px" src="wp.png" /></a>
<!-- Messenger share button: only a percent-encoded wish-you.co URL is passed in the link= parameter -->
<a href="fb-messenger://share/?link=http%3A%2F%2Fwish-you.co/2020/?n=test%26t=fm" data-os="Facebook Messenger"><img src="../wow/messenger.png" style="animation: tada 2s infinite;margin-top:5px;height: 50px;width:50px;"></a>
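To check what such a deep link actually hands to the messaging app, here is an added example (not from the original post) that parses the share anchors, percent-decodes their payload, and reports which domains and query fields each one carries, compared against an allowlist of domains you expect. The sample HTML is constructed from the two anchors above with the emoji omitted, and the allowlist is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the two share anchors quoted above, emoji omitted.
SAMPLE_HTML = """
<a class="footerbtn" href="whatsapp://send?text=*testing* *Send You a Surprising message* %0AOpen this %0A my-msg.co/?n=testing %0A">WhatsApp</a>
<a href="fb-messenger://share/?link=http%3A%2F%2Fwish-you.co/2020/?n=test%26t=fm" data-os="Facebook Messenger">Messenger</a>
"""

# Bare or http(s) host names in free text, e.g. my-msg.co/?n=x or http://wish-you.co/2020/
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(/[^\s]*)?", re.I)


class HrefCollector(HTMLParser):
    """Collect every href attribute found on an <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def audit_share_links(html, allowed_domains):
    """For each custom-scheme link return its scheme, the domains named in the
    shared payload, the query fields of those URLs, and any domain outside
    the allowlist (assumed list of domains the page is expected to reference)."""
    collector = HrefCollector()
    collector.feed(html)
    report = []
    for href in collector.hrefs:
        parts = urlsplit(href)
        if parts.scheme in ("http", "https", ""):
            continue  # ordinary web links are out of scope here
        # Both deep links carry the payload in query fields (text= for WhatsApp,
        # link= for Messenger); parse_qs percent-decodes the values for us.
        payload = " ".join(v for vals in parse_qs(parts.query).values() for v in vals)
        domains, fields = set(), {}
        for host, path in DOMAIN_RE.findall(payload):
            domains.add(host.lower())
            fields.update(parse_qs(urlsplit(path or "").query))
        report.append({
            "scheme": parts.scheme,
            "domains": domains,
            "fields": {k: v[0] for k, v in fields.items()},
            "unexpected": domains - set(allowed_domains),
        })
    return report
```

Running it over the sample shows that both links only carry the user-entered name (n=) and point at my-msg.co and wish-you.co; any domain not on your allowlist ends up in the "unexpected" set.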


Going back to 144.217.211.126, to get more information about wish-you.co I decided to brute-force the web directories using dirsearch.

dirsearch directory bruteforce

However, I was only able to find a directory called “mysql”.

Checking the contents of http://144.217.211.126/mysql

Visiting http://144.217.211.126/mysql/composer.json gives us the idea that the “/mysql” directory is phpMyAdmin.

Google Analytics

Google Adsense

Conclusion

During this static analysis, I didn’t find wish-you.co to be malicious. Why?

1.) There are no malicious JavaScript files used in the web application.
a.) innerhtml.cc is being called by http://wish-you.co/2020/ready.php

As of December 31, 2019


2.) wish-you.co only asks for your name, and it uses deep links to share the WishCard you created.
3.) You find the IP addresses 104.31.92.16 and 104.31.92.16 malicious? C’mon dude. We both know that most cybercriminals use Cloudflare for their protection.
4.) The web application doesn’t use cryptominers but relies on Google AdSense to earn money.
5.) There is no white paper or documentation about the said “Unverified Threat Advisory”.


The web app may not be malicious, but please be more vigilant: don’t click unknown links, don’t open unknown attachments, and always update your web browsers, operating system and anti-virus to their latest versions.

Happy Holidays!

Thanks to Rodel Plasabas for the heads-up!

You may also want to check out JP Lita’s analysis of wish-you.co: https://medium.com/@johnpaticklita/wish-you-com-analysis-3631213294b6