Overview
overview
10Static
static
10Payload/In...ags.js
windows7-x64
1Payload/In...ags.js
windows10-2004-x64
1Payload/In...zes.js
windows7-x64
1Payload/In...zes.js
windows10-2004-x64
1Payload/In...ces.js
windows7-x64
1Payload/In...ces.js
windows10-2004-x64
1Payload/In...ash.js
windows7-x64
1Payload/In...ash.js
windows10-2004-x64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In...strate
macos-10.15-amd64
1Payload/In...mework
macos-10.15-amd64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In...mework
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
Payload/In....dylib
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In...fo.xml
windows7-x64
1Analysis
-
max time kernel
150s -
max time network
261s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
04-10-2022 17:27
Behavioral task
behavioral1
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/html-tags.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/html-tags.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/images-sizes.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/images-sizes.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/resources.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/resources.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/sim-hash.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/sim-hash.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Payload/Instagram.app/Frameworks/Chertovski_InstaPlus_hack.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral10
Sample
Payload/Instagram.app/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral11
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/FBSharedFramework
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral12
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMessageSchema.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral13
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMessageSchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMetadataSchema.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral15
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMetadataSchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMutationsSchema.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral17
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMutationsSchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectQuickReplySchema.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral19
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectQuickReplySchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadClientStateSchema.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral21
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadClientStateSchema.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadSchema.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral23
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadSchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
Payload/Instagram.app/Frameworks/Hackogram.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral25
Sample
Payload/Instagram.app/Frameworks/IGPyTorchFramework.framework/IGPyTorchFramework
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral26
Sample
Payload/Instagram.app/Frameworks/InstaPlus.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral27
Sample
Payload/Instagram.app/Frameworks/Magic.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral28
Sample
Payload/Instagram.app/Frameworks/PlusForInstagram.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral29
Sample
Payload/Instagram.app/Frameworks/RIPass.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral30
Sample
Payload/Instagram.app/Frameworks/Rocket.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral31
Sample
Payload/Instagram.app/Frameworks/libmryipc.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral32
Sample
Payload/Instagram.app/Info.xml
Resource
win7-20220812-en
windows7-x64
General
-
Target
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadClientStateSchema.xml
-
Size
659B
-
MD5
edc049f2e19347def1618f1db5524c28
-
SHA1
bec895006a6023a879c89210be508971c4fa5738
-
SHA256
3ac3a89e3835494d1604e37cd2c350cb61869b8d2e302818d9ccb91132d68b7c
-
SHA512
ad475cd800d249cc258e8bb924252e53caf0895b25bfd6c20bc4759b3ff5b45990fa75adc4778e143c4bc51465141a0c806999c0a9f7189c52fe54cd5c1811c9
Malware Config
Signatures
-
description ioc Process Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{964BD7C1-441B-11ED-8C11-42FEA5F7B9B2} = "0" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000040ff9a888eaa549e5f1b3e2f44e1ecc92376c0d54fe6f47d743f4599352b7728000000000e80000000020000200000002eb2de34c3d67cd4095fee7837e20c29faf16929eb4522c789375dae825b0ef4200000002871ba39a8459b887d49fdb6d55f8c51c48d1e16fcfc57c80765159c040ae07e4000000024a73e64e11bb43c6096c5200b10b6c0c4e831dd637b0da78d3d65c1f7564fd8697636b61e7d0fc33dc2da6a0a65729dcbc39826188ab6bfa3686f803836d34e IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0b7b17d28d8d801 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000032d0cb54e22701984537744e9854b75d495b6b0ae49ccdac2fc1be6851631bb5000000000e80000000020000200000008353430048307af59bb8b7099f87616da93f9d8d9451d2c4c6d85258f622457f900000006c7964048e6f7c7a0a0af171e06617f6107ea2eda495a95ce384dcd6394463180d7f955b167257162ab68b0af59de875570f6e7fbd4d876959884af238a3e3ef6dca5f6712bbe9657dc569f03c539d0006d6e915ca18c69c2b5fe1226f1c6ba8db539693a4e73030fa7370a7e812f1072861a9bf918b36d9c9c200bdeae37a00af8b82a2bdf0149008f8f722c9e8f45440000000f100117ef7cd530539d675e89e8b1b22e336814d6063d3a84d35851ab5b637d5d33160ddd179dbb27a8bea8301cdaac1e880d28dc909844f76db508bf59c927f IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371677077" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2040 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2040 IEXPLORE.EXE 2040 IEXPLORE.EXE 520 IEXPLORE.EXE 520 IEXPLORE.EXE 520 IEXPLORE.EXE 520 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1868 wrote to memory of 1928 1868 MSOXMLED.EXE 27 PID 1868 wrote to memory of 1928 1868 MSOXMLED.EXE 27 PID 1868 wrote to memory of 1928 1868 MSOXMLED.EXE 27 PID 1868 wrote to memory of 1928 1868 MSOXMLED.EXE 27 PID 1928 wrote to memory of 2040 1928 iexplore.exe 28 PID 1928 wrote to memory of 2040 1928 iexplore.exe 28 PID 1928 wrote to memory of 2040 1928 iexplore.exe 28 PID 1928 wrote to memory of 2040 1928 iexplore.exe 28 PID 2040 wrote to memory of 520 2040 IEXPLORE.EXE 29 PID 2040 wrote to memory of 520 2040 IEXPLORE.EXE 29 PID 2040 wrote to memory of 520 2040 IEXPLORE.EXE 29 PID 2040 wrote to memory of 520 2040 IEXPLORE.EXE 29
Processes
-
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\Instagram.app\Frameworks\FBSharedFramework.framework\SQLiteSchemas\SQLiteDirectThreadClientStateSchema.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome2⤵
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:520
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
606B
MD51e4ac53a54f7bee1099af4c54c2706b0
SHA1d977469a3ae5e55ceb3e188ca17696e599fc52cb
SHA25601ee2eab3dd8fb0880aab9ec33e9fb8231aa805f17eb9465928c3331da5db2ab
SHA512099ae6810e4b5bb0466fe84011d6a5d3da35ebf6c6be780728e9be196bc32b3a4ea6cdcb39d617ca823c556d9d3c4b4aa7b610d385c4f18f0a51e33354593c28