Recently wish-you.co became viral on the Philippines when Filipino Facebook users started sending their own customized New Year’s Greetings to their Facebook Friends.
Note: This Analysis is focused on the web application of wish-you.co to see if there is anything malicious.
Bruteforcing the Subdomain, gives us 3 results.
188.8.131.52 – old.wish-you.co
184.108.40.206 – http://www.wish-you.co
220.127.116.11 – wish-you.co
Upon Checking 18.104.22.168 on threatcrowd, wish-you.co uses 2 proxy ip’s from cloudflare which is 22.214.171.124 and 126.96.36.199
this means that, under the ip address of 188.8.131.52 and 184.108.40.206 several websites are also using the same ip address mentioned above.
if one of those websites are malicious, the ip address 220.127.116.11 and 18.104.22.168 will be automatically flagged as malicious by Online Scanners.
The Web Application also uses Deep Links for mobile users to share their WishCard on whatsapp and Facebook Messenger.
if you clicked share, this will basically open a hyperlink called whatsapp:// and fb-messenger:// and will open whatsapp and fb-messenger for you to share the WishCard you Created.
<a class="footerbtn" href="whatsapp://send?text=👌 *testing* *Send You a Surprising message* 🎁 %0AOpen this %0A 👇👇 %0A my-msg.co/?n=testing %0A"><img width="25px" height="25px" src="wp.png" /><b style="font-size: 15px;"> Click here to share on Whatsapp </b> <img width="25px" height="25px" src="wp.png" /></a>
<a href="fb-messenger://share/?link=http%3A%2F%2Fwish-you.co/2020/?n=test%26t=fm" data-os="Facebook Messenger"><img src="../wow/messenger.png" style="animation: tada 2s infinite;margin-top:5px;height: 50px;width:50px;"></a>
Going Back to 22.214.171.124, to have more information about wish-you.co i decided to bruteforce the web directory using dirsearch.
However i was only able to find a directory called “mysql”
Checking the contents of http://126.96.36.199/mysql
By Visiting http://188.8.131.52/mysql/composer.json this gives us the idea that the directory “/mysql” is PHPMyAdmin.
During this static analysis, i didn’t find wish-you.co to be malicious why?
a.) innerhtml.cc is being called by http://wish-you.co/2020/ready.php
2.) wish-you.co only ask for your name, and it uses Deeplinks to share the Wishcard you created.
3.) You find the IP Address 184.108.40.206 and 220.127.116.11 malicious? c’mon dude. We both know that most of the cybercriminals uses CloudFlare for their Protection.
4.) The Web Application doesn’t use CryptoMiners but relies on google Adsense to earn money.
5.) No WhitePaper or Documentation about the said “Unverified Threat Advisory”.
The Web App may not be malicious, but please be more vigilant dont click unknown links, dont open uknown attachments and always update your web browsers, operating system and anti-virus to their latest versions.
Thanks to Rodel Plasabas, For the Heads Up!
You may also want to check out the analysis of JP Lita on wish-you.co https://medium.com/@johnpaticklita/wish-you-com-analysis-3631213294b6