Jilly Juice - Jillian Epperly Reports & Reviews (8)
Jilly Juice - Jillian Epperly Contacts
Website: www.jillyjuice.com
Scammer's email [email protected]
Country United States
Type of a scam Counterfeit Product
Initial means of contact Not applicable
Jilly Juice - Tradecraft
Subtext: Sodium Poisoning
Bad Actor: Jillian Mai Thi Epperly
Rogue Website: JillyJuice[]com
Tradecraft: Trojan.PDF.Agent
SHA256 Hash: 965e7bbdf3e6a1171a50fcc4f0e5a9ac45b42cb9508905488ab82b07bb4e8bf9
Topics: Racketeering, Computer Fraud and Abuse, Conspiracy, Quackery, Health Fraud, Deceptive Practice.
Tools used for Secret Knowledge: Falcon Sandbox, Blacklight, Virustotal, Cornell University
Smoking Gun Proof: https://www.hybrid-analysis.com/sample/965e7bbdf3e6a1171a50fcc4f0e5a9ac45b42cb95...
Consumer Protections:
https://www.amazon.com/Jilly-Juice-Protocol-Weaponized-Mainstreaming/product-rev...
https://www.amazon.com/product-reviews/1716943590/ref=cm_cr_arp_d_viewopt_srt?ie...
https://www.buzzfeednews.com/article/nidhisubbaraman/facebook-jilly-juice-cabbag...
https://www.nzherald.co.nz/lifestyle/news/article.cfm?c_id=6&objectid=12138355
https://www.bbb.org/us/oh/canton/profile/health-and-medical-products/jilly-juice...
https://montrealgazette.com/opinion/columnists/the-right-chemistry-beware-of-sel...
Youtube Page:
https://www.youtube.com/user/maithimouse
https://archive.is/wxVTR
FACEBOOK:
https://archive.fo/https://www.facebook.com/JillianEpperly
https://www.facebook.com/JillianEpperly
This is a file compiled on Jillian Mai-Thi Epperly.
Background Information is also inserted into this file.
Website Reviews:
https://www.trustpilot.com/review/jillyjuice.com
https://www.sitejabber.com/reviews/jillyjuice.com
Consumer Fraud Collection:
https://archive.li/https://www.facebook.com/exposingtheliescandidaweaponizedfung...
FACEBOOK:
https://archive.fo/https://www.facebook.com/JillianEpperly
WOT Score Card:
https://www.mywot.com/scorecard/jillyjuice.com
BBB Reviews:
https://www.bbb.org/us/oh/canton/profile/health-and-medical-products/jilly-juice...
Whois Record for Jillyjuice[dot]com
https://whois.domaintools.com/jillyjuice.com
Virustotal Passive DNS Replication
https://www.virustotal.com/#/ip-address/162.144.36.65
Product of a Honeypot Token on Jillian's Website, Email and other things below. A Scam-Baiting/Social Engineering method was used in order to extract the entire layout of where her server is and the IPs from which Email is sent. This reverse engineering analysis also shows that Jillian deceptively tampers with EXIF Metadata to give a false impression to her viewers about her photos that she takes of herself. She used Adobe Photoshop to cloak adverse health effects on her own body from her lethal health hazard.
--------------------------------------
Received: from server.jillyjuice.com (server.jillyjuice.com [162.144.36.65])
by node6 (Haraka/2.8.16) with ESMTP id 55385CCF-E87B-4B53-85B4-3F6180D659BC.1
envelope-from ;
Tue, 7th Apr 2018 15:10:34 -0900
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
d=jillyjuice.com; s=default; h=Content-Type:MIME-Version:Message-ID:From:Date
:Subject:To:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID:
Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
List-Subscribe:List-Post:List-Owner:List-Archive;
bh=697w/BkQw+V/7dBrMBg354Onr0pXoGZ0fmyZm/7g0Wg=; b=DbtlbzwGlVStPCmLPTz4tvThC2
HdnpfK8s/M7xbE0SmsgFKhgFQREAZtK3ETEVIfAgsl7Kpc7YJvY04+1DXVsmiTv6u/cq88DjLGndc
k1esD8gJXUceGjgcePDnwkpl1uFQdNWDvB124Kez8GnbUQHc7aPf4+5/siN8ouvFhtiaB90NhpTUb
UKoN5Ng2nG6mF4MpGUHk0l5RGfHMbcl5RPSwiyHd1OwC3qIvYvNIAYriPWjASfXGYXRyOcaDriMsC
AOpdrj3GCtBdCpky66LBVjryW4PgeW0zZG97qnAaQBvBSO+wlaElsvmg7lQ6AiC0QVuQ9lIIielVl
kA//o2Mg==;
Received: from jillyjuice by server.jillyjuice.com with local (Exim 4.91)
(envelope-from )
id 7kD9Rs-12378fg-2W
for [email protected]; Tue, 22 Feb 2018 04:35:51 -0600
To: [email protected]
Subject: Thank you for registering for Jilly Juice LLC
X-PHP-Script: www.jillyjuice.com/index.php for 162.144.36.65, 167.114.101.64
X-PHP-Originating-Script: 500:class-phpmailer.php
Date: Tue, 22 Apr 2018 12:17:45 +15748
From: WordPress
Message-ID:
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-AntiAbuse: Primary Hostname - server.jillyjuice.com
X-AntiAbuse: Originator/Caller UID/GID - [500 500] / [47 12]
X-AntiAbuse: Sender Address Domain - server.jillyjuice.com
X-Get-Message-Sender-Via: server.jillyjuice.com: authenticated_id: jillyjui/from_h
X-Authenticated-Sender: server.jillyjuice.com: [email protected]
X-Source: /opt/cpanel/ea-php70/root/usr/bin/php-cgi
X-Source-Args: /opt/cpanel/ea-php70/root/usr/bin/php-cgi /home/jillyjui/public_html/index.php
X-Source-Dir: jillyjuice.com:/public_html
IPTC
Coded Character Set = 27, 37, 71
Record Version = 0
Original Transmission Reference = uln6HNN0xcq_Qm6Wvs8Z
IPTC Core (Adobe XMP)
EXIF IFD0
Image Width {0x0100} = 720 pixels
Image Length {0x0101} = 720 pixels
Bits Per Sample {0x0102} = 8,8,8
Photometric Interpretation {0x0106} = RGB (2)
Picture Orientation {0x0112} = normal (1)
Samples Per Pixel {0x0115} = 3
X-Resolution {0x011A} = 72/1 ===> 72
Y-Resolution {0x011B} = 72/1 ===> 72
X/Y-Resolution Unit {0x0128} = inch (2)
Software / Firmware Version {0x0131} = Adobe Photoshop CC 2017 (Windows)
Last Modified Date/Time {0x0132} = 2018:05:21 12:45:05
EXIF Sub IFD
EXIF Version {0x9000} = 0221
Colour Space {0xA001} = sRGB (1)
Image Width {0xA002} = 455 pixels
Image Height {0xA003} = 455 pixels
EXIF IFD1
Compression {0x0103} = JPEG compression (6)
X-Resolution {0x011A} = 72/1 ===> 72
Y-Resolution {0x011B} = 72/1 ===> 72
X/Y-Resolution Unit {0x0128} = inch (2)
ImageWidth 720
ImageHeight 720
BitsPerSample 8,8,8
PhotometricInterpretation 2
Orientation 1
SamplesPerPixel 3
XResolution 72
YResolution 72
ResolutionUnit 2
Software Adobe Photoshop CC 2017 (Windows)
ModifyDate 2018:05:21 12:45:05
ColorSpace 1
ExifImageWidth 455
ExifImageHeight 455
HasThumbnail true
ThumbnailWidth 160
ThumbnailHeight 160
ThumbnailType image/jpeg
Quantization Tables
Standard JPEG Table Quality=82
Table 0 (8 bit)
6 4 4 5 4 4 6 5
5 5 6 6 6 7 9 14
9 9 8 8 9 18 13 13
10 14 21 18 22 22 21 18
20 20 23 26 33 28 23 24
31 25 20 20 29 39 29 31
34 35 37 37 37 22 28 41
44 40 36 43 33 36 37 36
Table 1 (8 bit)
6 6 6 9 8 9 17 9
9 17 36 24 20 24 36 36
36 36 36 36 36 36 36 36
36 36 36 36 36 36 36 36
36 36 36 36 36 36 36 36
36 36 36 36 36 36 36 36
36 36 36 36 36 36 36 36
36 36 36 36 36 36 36 36
Structure
SOI
APP0
APP1
APP2
APP13 (IPTC)
APP1
DQT
DQT
SOF0 (Baseline DCT)
DHT
DHT
DHT
DHT
SOS
EOI
String Extraction:
JFIF
Adobe Photoshop CC 2017 (Windows)
2018:05:21 12:45:05
0221
Adobe_CM
Adobe
ICC_PROFILE
lcms
mntrRGB XYZ
9acspAPPL
desc
wtpt
bkpt
rTRC
text
curv
DPhotoshop 3.0
8BIM
uln6HNN0xcq_Qm6Wvs8Z
http://ns.adobe.com/xap/1.0/
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
adobe:docid:photoshop:e3c0e814-5d1a-11e8-8617-9b54fcc26d73
EXIF Tool Metadata:
File Name : jillianhead1cudrop-300x300.jpg
File Size : 25 kB
File Permissions : rw-rw-rw-
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Exif Byte Order : Big-endian (Motorola, MM)
Photometric Interpretation : RGB
Orientation : Horizontal (normal)
Samples Per Pixel : 3
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : Adobe Photoshop CC 2017 (Windows)
Modify Date : 2018:05:21 12:45:05
Exif Version : 0221
Color Space : sRGB
Exif Image Width : 455
Exif Image Height : 455
Compression : JPEG (old-style)
Thumbnail Offset : 416
Thumbnail Length : 5285
Profile CMM Type : lcms
Profile Version : 2.1.0
Profile Class : Display Device Profile
Color Space Data : RGB
Profile Connection Space : XYZ
Profile Date Time : 2012:01:25 03:41:57
Profile File Signature : acsp
Primary Platform : Apple Computer Inc.
CMM Flags : Not Embedded, Independent
Device Manufacturer :
Device Model :
Device Attributes : Reflective, Glossy, Positive, Color
Rendering Intent : Perceptual
Connection Space Illuminant : 0.9642 1 0.82491
Profile Creator : lcms
Profile ID : 0
Profile Description : c2
Profile Copyright : FB
Media White Point : 0.9642 1 0.82491
Media Black Point : 0.01205 0.0125 0.01031
Red Matrix Column : 0.43607 0.22249 0.01392
Green Matrix Column : 0.38515 0.71687 0.09708
Blue Matrix Column : 0.14307 0.06061 0.7141
Red Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Green Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Blue Tone Reproduction Curve : (Binary data 64 bytes, use -b option to extract)
Current IPTC Digest : d95b0edccc80f379b250406d7a4e1868
Coded Character Set : UTF8
Application Record Version : 0
Original Transmission Reference : uln6HNN0xcq_Qm6Wvs8Z
XMP Toolkit : Adobe XMP Core 5.6-c138 79.159824, 2016/09/14-01:09:01
Legacy IPTC Digest : D95B0EDCCC80F379B250406D7A4E1868
Transmission Reference : uln6HNN0xcq_Qm6Wvs8Z
Color Mode : RGB
ICC Profile Name : c2
Document ID : adobe:docid:photoshop:a24ec360-5d1e-11e8-8617-9b54fcc26d73
Instance ID : xmp.iid:c6ce409e-0cb5-d640-ab13-45165a3ee49f
Original Document ID : EBF9B2F49126DAA9D7D05E246D617FE6
Format : image/jpeg
Create Date : 2018:05:21 12:15:23-05:00
Metadata Date : 2018:05:21 12:45:05-05:00
Creator Tool : Adobe Photoshop CC 2017 (Windows)
Document Ancestors : adobe:docid:photoshop:e3c0e814-5d1a-11e8-8617-9b54fcc26d73
History Action : saved, saved
History Instance ID : xmp.iid:ae1aef6d-4af2-e64c-a7ac-520ccc2b016a, xmp.iid:c6ce409e-0cb5-d640-ab13-45165a3ee49f
History When : 2018:05:21 12:18:02-05:00, 2018:05:21 12:45:05-05:00
History Software Agent : Adobe Photoshop CC 2017 (Windows), Adobe Photoshop CC 2017 (Windows)
History Changed : /, /
Image Width : 300
Image Height : 300
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 300x300
Megapixels : 0.090
Thumbnail Image : (Binary data 5285 bytes, use -b option to extract)
Jillian's IP address: 64.85.137.178
Country: United States Of America
City: Cleveland
Region: Ohio
Domain Name: Everstream.net
Timezone: 04:00
Block: 64.85.137.0 - 64.85.137.255
Internet Service Provider: Everstream Llc
Net Speed: DSL
Latitude: 41.494619
Longitude: 81.675465
Cornell University Walkthrough on Computer Fraud and Abuse:
https://www.law.cornell.edu/uscode/text/18/1030
Blacklight Inspection Results:
https://themarkup.org/blacklight?url=gamesbox.com
https://themarkup.org/blacklight?url=jillyjuice.com
Virustotal Results:
https://www.virustotal.com/gui/file/965e7bbdf3e6a1171a50fcc4f0e5a9ac45b42cb95089...
33 ad trackers found on this site. This is more than the average of seven that we found on popular sites.
Websites containing advertising tracking technology load Javascript code or small invisible images that are used to either build your advertising profile or to identify you for ad targeting on this site. These techniques are often used in addition to cookies to profile you.
Blacklight detected trackers on this page sending data to companies involved in online advertising. Blacklight detected scripts belonging to LiveIntent Inc., DataXu, and twenty-five other companies.
79 third-party cookies were found. This is more than the average of three that we found on popular sites.
MITRE ATT&CK™ Techniques Detection:
MITRE ATT&CK™ Technique - T1192 - Spearphishing Link
ATT&CK ID: T1192
Tactics: Initial Access
Description: Spearphishing with a link is a specific variant of spearphishing(...)
Source: https://attack.mitre.org/techniques/T1192
Suspicious Indicators: PDF file has an embedded URL referencing an URL shortener service
MITRE ATT&CK™ Technique - T1055 - Process Injection
ATT&CK ID: T1055
Tactics: Defense Evasion, Privilege Escalation
Permissions Required: User, Administrator, SYSTEM, root
Description: Process injection is a method of executing arbitrary code in the address space of a separate live process(...)
Source: https://attack.mitre.org/techniques/T1055
Informative Indicators: Found a string that may be used as part of an injection method
MITRE ATT&CK™ Technique - T1207 - DCShadow
ATT&CK ID: T1207
Tactics: Defense Evasion
Permissions Required: Administrator
Description: DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a Domain Controller (DC)(...)
Source: https://attack.mitre.org/techniques/T1207
Informative Indicators: Contains object with compressed stream data
MITRE ATT&CK™ Technique - T1010 - Application Window Discovery
ATT&CK ID: T1010
Tactics: Discovery
Permissions Required: User
Description: Adversaries may attempt to get a listing of open application windows(...)
Source: https://attack.mitre.org/techniques/T1010
Informative Indicators: Scanning for window names
Filename: file
Size: 126KiB (128896 bytes)
Type: pdf
Description: PDF document, version 1.5
Document author: Softplicity
Document creator: Softplicity
Document producer: Softplicity
Document pages: 5
Architecture: WINDOWS
SHA256: 965e7bbdf3e6a1171a50fcc4f0e5a9ac45b42cb9508905488ab82b07bb4e8bf9
MD5: 2650d2f5fbc419aca85622033f281559
SHA1: 0d9a38f61bff2b7b4223d59dbf4b14c823311577
ssdeep: 1536:HEuLNsLLO8CWIt5yuYYVCGqnkJIIIXTN1zElCJJ:xLVWIjgYVzGkJIIIXT7zElCJJ
Classification (TrID): 100.0% (.PDF) Adobe Portable Document Format
malicious
Threat Score: 50/100 AV Detection: 39% Labeled as: Trojan.PDF.Agent
file
This report is generated from a file or URL submitted to this webservice on June 25th 2021 01:59:42 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.9 © Hybrid Analysis
Incident Response
MITRE ATT&CK™ Techniques Detection
This report has 4 indicators that were mapped to 5 attack techniques and 4 tactics.
Indicators
Malicious Indicators 2
External Systems
Sample was identified as malicious by a trusted Antivirus engine
details
No specific details available
source
External System
relevance
5/10
Sample was identified as malicious by at least one Antivirus engine
details
2/37 Antivirus vendors marked sample as malicious (5% detection rate)
8/61 Antivirus vendors marked sample as malicious (13% detection rate)
source
External System
relevance
8/10
Suspicious Indicators 2
Exploit/Shellcode
Possible heap spraying attempt detected
details
"RdrCEF.exe" issued more than 3000 memory allocations
source
API Call
relevance
10/10
Unusual Characteristics
PDF file has an embedded URL referencing an URL shortener service
details
"http://gamesbox.com" contains URL shortener service "x.co" (Based on: "965e7bbdf3e6a1171a50fcc4f0e5a9ac45b42cb9508905488ab82b07bb4e8bf9.bin")
source
String
relevance
10/10
ATT&CK ID: T1192
Informative 10
General
Contains object with compressed stream data
details
Object ID 12 contains compressed stream data: No filters
Object ID 14 contains compressed stream data: No filters
Object ID 18 contains compressed stream data: No filters
Object ID 20 contains compressed stream data: No filters
Object ID 76 contains compressed stream data: No filters
Object ID 84 contains compressed stream data: No filters
Object ID 88 contains compressed stream data: /CIDInit /ProcSet findresource begin
12 dict begin
begincmap
/CIDSystemInfo
> def
/CMapName /F1+0 def
/CMapType 2 def
1 begincodespacerange
endcodespacerange
55 beginb ...
source
Static Parser
relevance
10/10
ATT&CK ID: T1207
Creates mutants
details
"DBWinMutex"
"Local\Acrobat Instance Mutex"
"\Sessions\1\BaseNamedObjects\DBWinMutex"
"com.adobe.acrobat.rna.RdrCefBrowserLock.DC"
"\Sessions\1\BaseNamedObjects\com.adobe.acrobat.rna.RdrCefBrowserLock.DC"
source
Created Mutant
relevance
3/10
PDF file has an embedded URL
source
String
relevance
3/10
Process launched with changed environment
details
Process "RdrCEF.exe" was launched with modified environment variables: "Path"
source
Monitored Target
relevance
10/10
Scanning for window names
details
"AcroRd32.exe" searching for class "AdobeAcrobatSpeedLaunchCmdWnd"
"AcroRd32.exe" searching for class "AdobeReaderSpeedLaunchCmdWnd"
"AcroRd32.exe" searching for window "_AcroAppTimer"
"AcroRd32.exe" searching for class "JFWUI2"
"AcroRd32.exe" searching for class "Acrobat Instance Window Class"
"AcroRd32.exe" searching for class "ACROSEMAPHORE_R18"
"AcroRd32.exe" searching for class "Shell_TrayWnd"
source
API Call
relevance
10/10
ATT&CK ID: T1010
Spawns new processes
details
Spawned process "RdrCEF.exe" with commandline "--backgroundcolor=16448250"
Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=E87303C8A13906006E70A6C0 ..."
Spawned process "RdrCEF.exe" with commandline "--type=renderer --primordial-pipe-token=C70C68BAE0FDB7E836EABA23 ..."
source
Monitored Target
relevance
3/10
Installation/Persistence
Dropped files
details
"GlobSettings" has type "ASCII text"
"SharedDataEvents-journal" has type "SQLite Rollback Journal"
"A9Ruxylrn_he3fnv_2mo.tmp" has type "data"
"data_1" has type "data"
"A9Rz6jwtw_he3fnw_2mo.tmp" has type "data"
"Visited Links" has type "data"
"0FDED5CEB68C302B1CDB2BDDD9D0000E76539CB0.crl" has type "data"
"A9Rzf0lii_he3fny_2mo.tmp" has type "Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)"
"SharedDataEvents" has type "SQLite 3.x database"
"A9R7cebx2_he3fnu_2mo.tmp" has type "data"
"CE338828149963DCEA4CD26BB86F0363B4CA0BA5.crl" has type "data"
"IconCacheRdr65536.dat" has type "data"
source
Extracted File
relevance
3/10
Found a string that may be used as part of an injection method
details
"Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
source
String
relevance
4/10
ATT&CK ID: T1055
Touches files in the Windows directory
details
"RdrCEF.exe" touched file "%WINDIR%\System32\oleaccrc.dll"
"RdrCEF.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"RdrCEF.exe" touched file "%WINDIR%\System32\KBDUS.DLL"
"RdrCEF.exe" touched file "%WINDIR%\System32\drivers\etc\hosts"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\arial.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ariali.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNI.TTF"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\arialbd.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNB.TTF"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\arialbi.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ARIALNBI.TTF"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\ariblk.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\segoeuil.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\SEGOEUISL.TTF"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\segoeui.ttf"
"RdrCEF.exe" touched file "%WINDIR%\Fonts\segoeuii.ttf"
source
API Call
relevance
7/10
Network Related
Found potential URL in binary/memory
Hybrid Analysis
Analysed 4 processes in total.
AcroRd32.exe "C:\file.pdf" (PID: 3408)
RdrCEF.exe --backgroundcolor=16448250 (PID: 3544)
RdrCEF.exe --type=renderer --primordial-pipe-token=E87303C8A13906006E70A6C0A7E6794C --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.11.20036 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,... --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=E87303C8A13906006E70A6C0A7E6794C --renderer-client-id=2 --mojo-platform-channel-handle=1268 --allow-no-sandbox-job /prefetch:1 (PID: 2596)
RdrCEF.exe --type=renderer --primordial-pipe-token=C70C68BAE0FDB7E836EABA23EB5A4A2A --lang=en-US --disable-pack-loading --lang=en-US --log-file="%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/18.11.20036 Chrome/59.0.3071.15" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,... --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=C70C68BAE0FDB7E836EABA23EB5A4A2A --renderer-client-id=3 --mojo-platform-channel-handle=1348 --allow-no-sandbox-job /prefetch:1 (PID: 4040)
Network Analysis
This report was generated with enabled TOR analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Computer Crimes
Health Fraud
Pattern 1: Computer Crimes
------------------------------------
Malvertising [7/16/2019]
https://archive.is/cRsji
Quttera Result Files Analysis
https://archive.is/3ocNL
Virustotal Reverse Engineering Competitive Intelligence
https://www.virustotal.com/gui/url/77b690afe99a61accafb8d249bf3ed52fbbc9fe7bc8f9...
IP Address Relations
https://www.virustotal.com/gui/ip-address/198.57.219.8/relations
Threat MD5 Analysis
https://ybin.me/p/fcd6708f5bf87cd1#5Wy6knEH8rd5OffdYGeT/3+aSVajEX0by36pvT3wgDE=...
------------------------------------
Pattern 2: Health Fraud
Proof of Concept -> BBB Scam Tracker
BBB Scam Tracker Report Incidents from 2018
Date Scam Type Postal Code Dollars Lost Details
Mar 27, 2018 Healthcare/Medicaid/Medicare 44706 $30.00 View
Mar 24, 2018 Healthcare/Medicaid/Medicare V2R 5S5 $150.00 View
Mar 07, 2018 Healthcare/Medicaid/Medicare 30004 $0.00 View
Feb 03, 2018 Healthcare/Medicaid/Medicare 77014 $230.00 View
Jan 29, 2018 Healthcare/Medicaid/Medicare 77477 $0.00 View
Computer Fraud and Abuse Act
18 U.S. Code §1030. Fraud and related activity in connection with computers
18 U.S.C. § 1030(a)(5): Damaging a protected computer (including viruses, worms)
[2019-07-12]
Be advised that Jillian Mai-Thi Epperly is hosting a downloadable trojan browser hijacker on her Jillyjuice website named "DailyRecipeGuide". She is hosting different "Advertisements" to lure website visitors in for reasons of social engineering. She requires you to give consent in order to execute the file. Don't. The file was tested. It isn't safe to execute and it isn't safe to visit that website. She has it rigged up with potential "Malvertising". The trojan executable is a browser hijacker that allows her to spy on your browsing activities. She will be attempting to track your every move if you download and execute that file.
Sandbox Proof of Concept on 7-12-2019:
https://archive.is/X9XGa
https://archive.fo/Xyvxs
https://archive.fo/1qqvS
https://archive.fo/eY1ET
Tencent HABO Intel
https://vtbehaviour.commondatastorage.googleapis.com/f21b2144f01819886d7e1f78a3b...
Virustotal Reverse Engineering Intel
https://www.virustotal.com/gui/file/f21b2144f01819886d7e1f78a3b08867f147cc9fa955...
Mindspark Domain Information
https://www.virustotal.com/gui/domain/www.mindspark.com/relations
Adversary Algorithm Flow Layout:
1. Initial Access -> Sucker List.
2. Discovery -> Targets of Interest.
3. Technical Information Gathering -> Specific Details on the Mark
4. Pretext -> Invitation to product X through Invitation.
5. Defense Evasion -> Plausible Denial of menacing activities.
6. Spoofing -> Product is masked as a remedy
7. Privilege Escalation -> Ingratiation with the target(s).
8. Credential Access -> Credit Card Numbers, Debit Card Numbers etc, Passwords, Username, Email, Routing Numbers etc.
9. Lateral Movement -> Move from node to node smoothly.
10. Data Exfiltration -> Data of Interest Acquisition.
11. Impact -> Zero-sum.
12. Backdoor -> Return to the environment to direct and administer malevolent activity, relying on the mark's previous conformance to the confidence trick.
SHA256: 965e7bbdf3e6a1171a50fcc4f0e5a9ac45b42cb*******488ab82b07bb4e8bf9
Exiftool File Metadata
CreatorTool: Softplicity
FileType: PDF
FileTypeExtension: pdf
Format: application/pdf
Linearized: No
MIMEType: application/pdf
ModifyDate: 2018:07:08 22:28:35+02:00
PDFVersion: 1.5
PageCount: 5
PageLayout: SinglePage
PageMode: UseNone
Phishing Website Contacted from The PDF File Linked with JillyJuice
http: //Hunter () serv-botsalw () ru/
ESET -> Phishing
*checks-user-input
*detect-debug-environment
*direct-cpu-clock-access
*long-sleeps
*pdf runtime-modules
Processes Injected:
(2504) C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
Commonly Abused Properties:
*Contains 5 page(s).
*Contains 81 object start declaration(s) and 81 object end declaration(s).
*Contains 9 stream object start declaration(s) and 9 stream object end declaration(s).
*This PDF document has a cross reference table (xref).
*Has a pointer to the cross reference table (startxref).
*Has a trailer dictionary containing entries allowing the cross reference table, and thus the file objects, to be read.
WHOIS Records:
Creation Date: 2017-12-28T20:58:46Z
DNSSEC: unsigned
Domain Name: JILLYJUICE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS14.WIXDNS.NET | NS15.WIXDNS.NET
Registrar: Network Solutions, LLC
Registrar Abuse Contact Email: *******@web.com
Registrar Abuse Contact Phone: *******680
Registrar IANA ID: 2
Registrar URL: http://networksolutions.com
Registrar WHOIS Server: whois.networksolutions.com
Registry Domain ID: *******180_DOMAIN_COM-VRSN
Registry Expiry Date: 2023-12-28T20:58:46Z
Updated Date: 2019-06-05T03:05:59Z
*Process Injection
ID: T1055
Sub-techniques: T1055.001, T1055.002, T1055.003, T1055.004, T1055.005, T1055.008, T1055.009, T1055.011, T1055.012, T1055.013, T1055.014
Tactics: Defense Evasion, Privilege Escalation
Platforms: Linux, Windows, macOS
Data Sources: API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Defense Bypassed: Anti-virus, Application control
CAPEC ID: CAPEC-640
Contributors: Anastasios Pingios; Christiaan Beek, @ChristiaanBeek; Ryan Becwar
Version: 1.1
Created: 31 May 2017
Last Modified: 20 June 2020
Malicious Website Advertisement on JillyJuice
https://www.virustotal.com/gui/domain/free.dailyrecipeguide.com/relations
Cash App Archived URL, kept to document the private financial advantage linked with Jillian's illicit activities:
https://www.virustotal.com/gui/url/a4f55ad1e7578c6442c184fee4b6b31684f21c192b040...
2019 Detected technologies:
*Wix (CMS)
*Website React (JavaScript Frameworks)
*Website Google AdSense (Advertising Networks)
2018 Detected technologies:
*WordPress (CMS)
*PHP (Programming Languages)
*Nginx (Web Servers)
*React (JavaScript Frameworks)
*Google AdSense (Advertising Networks)
*Google Analytics (Analytics)
*Twitter Emoji (Twemoji) (Miscellaneous)
*jQuery (JavaScript Libraries)
Scan History:
https://urlscan.io/search/#page.domain%3Awww.jillyjuice.com
Detailed Technology Profile:
https://builtwith.com/detailed/jillyjuice.com
2018 DOM Tree:
https://urlscan.io/result/70b7d872-41b5-42ef-8566-4921b19295ba/dom/
2019 DOM Tree:
https://urlscan.io/result/1e541633-7bf4-4d4c-a3e4-c071c8dd2c9a/
404 URLs. Suspicious Indicators.
https://www.jillyjuice (dot) com/ 404 No Content
https://www.jillyjuice (dot) com/z;a.crossorigin= 404 No Content
https://www.jillyjuice (dot) com/[];c[l]={onLoad:function(b){h.push(b);g&&!x||e(h)},forceLoad:function(){x=!0... 404 No Content
Proof of Concept [18-07-2019]
https://archive.is/zKf5D
Competitive Reverse Engineering Intel on Jillian's Malvertisements
https://www.virustotal.com/gui/file/f425880db443b7eb5895db65d168e6e7d7b1af92f466...
https://www.virustotal.com/gui/ip-address/35.244.218.203/relations
https://www.virustotal.com/gui/domain/infragistics.com/relations
https://www.virustotal.com/gui/domain/asp.net/relations
Scammer's address PO BOX 80183, Canton, OH 44708, USA
Scammer's email [email protected]
Type of a scam COVID-19
Scammer's address 1680 Roslyn Ave, Canton, OH 44706, USA
Scammer's email [email protected]
Total money lost $30
Type of a scam Healthcare/Medicaid/Medicare
Epperly is convincing pregnant mothers to consume her 'jillyjuice' recipe to rid the womb of parasites and candida. Epperly also instructs the parents of infants to replace the children's formula or breast milk with her recipe to detox the child. In a gallon of 'Jillyjuice', there are 8 TABLESPOONS of salt, which is equivalent to ~60,000mg Sodium. Epperly recommends upwards of a gallon or more every day.
WHO (World Health Organization) strongly recommends <2 g/day sodium (5 g/day salt) in adults, and intake should be monitored for children based on their needs but kept below 2,000mg/day. Epperly convinces parents to give her recipe to children via enema and orally. This is dangerous because it is difficult and likely impossible to gauge how much sodium an adult or child is absorbing through the gut.
Sodium poisoning is real and causes side effects such as seizures, hypernatremia, and loss of consciousness. These serious events have been reported by several victims and their children. We don't know what to do or who to contact in an effort to stop Jillian Epperly from preying on people's fears and misunderstanding of their illnesses.
I have reason to believe and evidence to support the idea that Epperly is an online predator. She has admitted to, and I have proof that Epperly will provide dangerous medical and nutritional advice for $75/hr or $40/half hour.
We have contacted the Ohio Attorney General, Ohio Medical Board, the FDA and other government agencies in hopes that one will step in and prevent Epperly from her practices, which seem very unlawful. Epperly is providing medical and nutritional advice without proper medical education, credentials, and/or certification.
Total money lost $150
Type of a scam Healthcare/Medicaid/Medicare
Scammer's address 1680 Roslyn Ave. SW, Canton, OH 44706, USA
Scammer's email [email protected]
Country United States
Victim Location GA 30004, USA
Type of a scam Healthcare/Medicaid/Medicare
Scammer's address 1680 Roslyn Ave SW Canton OH 44706, Canton, OH 44706, USA
Scammer's email [email protected]
Total money lost $230
Type of a scam Healthcare/Medicaid/Medicare
Jillian Epperly also known as Jillian Burke or Jillian Mai Thi has been running a group through social media, facebook for some time, preying on vulnerable people with health conditions. She claims to have found a way to reverse all health conditions A to Z. Including cancer, HIV, Down syndrome and homosexuality, as well as growing back organs and limbs.
She takes payment for consultations, giving health and diet advice for a fee of $75.
She recently has moved to a purpose-built webpage pushing her dangerous protocol, which consists of an anti-inflammatory diet (AIP diet) with gallons of a high-salt and pureed cabbage concoction which she claims to be a ferment, but isn't.
The problem with her 'Juice' is that it is very high in salt; she advises to drink 8 tablespoons of salt a day, which is enough to kill an adult human. She also recommends this as a sole food for babies to replace infant formula or breastfeeding.
Many in her group have had serious side effects and there are a number of her followers who have died. She removes all negative feedback from her groups and website so others can't see the truth of what is happening.
I became aware of this scam when a good friend of mine and her newborn son were recommended this protocol for candida, and started it in good faith. The pair of them nearly died while Jillian claimed the pains they were suffering were healing symptoms. They had severe kidney issues, and salt poisoning. Chills, fevers, shakes, weakness, diarrhea, vomiting and hallucinations.
Jillian is now running this same scam through her paid members WordPress webpage. She is charging $30 for a year's access to her page, thinly veiled behind the word donation, although her language changes frequently. She is still charging for private consultations despite being totally unlicensed, which is illegal.
This woman is charging people to join her club, feeding them false medical facts, and damaging them, then cutting them off without refund when they need help. Often doxxing and shunning them, making videos to shame them for questioning her, or her non-existent qualifications.
Jillian Epperly is dangerous, please help stop her hurting more people.
Scammer's website www.jillyjuice.com
Scammer's address 1680 roslyn av, Canton, OH 44706, USA
Scammer's email [email protected]
Country United States
Victim Location TX 77477, USA
Type of a scam Healthcare/Medicaid/Medicare
*** There has been a ripoff report filed against her due to someone dying after they paid Jillian for her coaching. *** *** was encouraged by Jillian and her team to drink a gallon of her recipe per day. There are 4 tablespoons of salt per gallon of "jilly Juice". Jillian Epperly told *** he could heal his cancer with her salty recipe.
Jillian Epperly is selling a recipe that is mostly salt and Jillian intends on selling specific salt on her website. Salt is toxic in high amounts and people are being harmed by the jilly juice protocol.
Many people are being harmed. Seizures are reported among many other painful side effects like bloody stool and uncontrollable vomiting. Children are being subjected to this and have been given enemas. Children have passed what looks like stomach lining after being subjected to this.
Pets are also being harmed. I have seen a report of a dog having a seizure and a cat died after given the recipe.
Jillian tells parents it's safe to feed her recipe to infants and that her recipe is better than formula. She insists that mothers are infecting babies via breastmilk and that they have to purge their babies of viruses. Jillian admits her recipe can cause detox in infants.
This link discusses kids on Jillian Epperly's protocol
*** This blog is dedicated to exposing this scam and the pain associated with salt poisoning:
*** *** And someone made a youtube video exposing her
*** Jillian Epperly actively targets, harasses and cyber bullies anyone who speaks out about her protocol. She doxxes them and tries to scare people into silence. I am in fear of my online safety as a result because of Jillian's bullying. Please keep my name private.