Overview
overview
10Static
static
10Payload/In...ags.js
windows7-x64
1Payload/In...ags.js
windows10-2004-x64
1Payload/In...zes.js
windows7-x64
1Payload/In...zes.js
windows10-2004-x64
1Payload/In...ces.js
windows7-x64
1Payload/In...ces.js
windows10-2004-x64
1Payload/In...ash.js
windows7-x64
1Payload/In...ash.js
windows10-2004-x64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In...strate
macos-10.15-amd64
1Payload/In...mework
macos-10.15-amd64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In...ma.xml
windows7-x64
1Payload/In...ma.xml
windows10-2004-x64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In...mework
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
Payload/In....dylib
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In....dylib
macos-10.15-amd64
1Payload/In...fo.xml
windows7-x64
1Analysis
-
max time kernel
125s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
04-10-2022 17:27
Behavioral task
behavioral1
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/html-tags.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/html-tags.js
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/images-sizes.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/images-sizes.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/resources.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/resources.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/sim-hash.js
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
Payload/Instagram.app/FBBrowserIntegrityLoggingKit.bundle/sim-hash.js
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
Payload/Instagram.app/Frameworks/Chertovski_InstaPlus_hack.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral10
Sample
Payload/Instagram.app/Frameworks/CydiaSubstrate.framework/CydiaSubstrate
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral11
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/FBSharedFramework
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral12
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMessageSchema.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral13
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMessageSchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMetadataSchema.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral15
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMetadataSchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMutationsSchema.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral17
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectMutationsSchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectQuickReplySchema.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral19
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectQuickReplySchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadClientStateSchema.xml
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral21
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadClientStateSchema.xml
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadSchema.xml
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral23
Sample
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadSchema.xml
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
Payload/Instagram.app/Frameworks/Hackogram.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral25
Sample
Payload/Instagram.app/Frameworks/IGPyTorchFramework.framework/IGPyTorchFramework
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral26
Sample
Payload/Instagram.app/Frameworks/InstaPlus.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral27
Sample
Payload/Instagram.app/Frameworks/Magic.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral28
Sample
Payload/Instagram.app/Frameworks/PlusForInstagram.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral29
Sample
Payload/Instagram.app/Frameworks/RIPass.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral30
Sample
Payload/Instagram.app/Frameworks/Rocket.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral31
Sample
Payload/Instagram.app/Frameworks/libmryipc.dylib
Resource
macos-20220504-en
macos-10.15-amd64
Behavioral task
behavioral32
Sample
Payload/Instagram.app/Info.xml
Resource
win7-20220812-en
windows7-x64
General
-
Target
Payload/Instagram.app/Frameworks/FBSharedFramework.framework/SQLiteSchemas/SQLiteDirectThreadSchema.xml
-
Size
1KB
-
MD5
024c64dd34e00bcbba12671378f49e2e
-
SHA1
a1061744ec27a8a7e43c73a15728eaee35cf9596
-
SHA256
f6975e6775613d9ef382004e7b437e650803f04a7c821f74209a1070c62d4bdb
-
SHA512
edbcb3ea5c211ae96b91ff440c93429494cf7d126273b184625b7862a852b3132b7d3995221f1314ddd137193c13cdb044a1337245ec2f280b4d3eea65d5fb2e
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000078b97a6db40bc6ac5c8f1b860000e54915aa5d4588c2603e4135bc9d4abb279e000000000e8000000002000020000000a10518e758b4a23d8d1b9058a7cc0a7bc594280a730529e65b4119da87ebd24190000000747057d7f515af05677a1f5c14893aade8e040e1a4ddf8116f6782343590b2e9a8c7c4c82545059c3b0936a7d2489e4fe83103024dedabb387b422f71f698a26a80a3d79cfa97585c06c3128273a73e7954705fb90995766dd423679db1108963be7e34d5cbf8fd769743ab8642184c2a47e4b7c07625e72e10ef19a39f690f8e22095ec3fa3f9a3e71bf6e5ebdac1d4400000009771a75d8e616bad9dd0a5e71421f55432025490769145fb570ba7cca0ce1f88230d6fec1213dd2ce93a580706a3398e163efd88c2c18b8b42060b468888ba55 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371669743" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000099086a9f247fc3228ac3cb23988e7ac63755735f7df7b7c1960e1cf57ac08bcc000000000e8000000002000020000000e2f255bbf841ea5411e6a89fd98338d1079966e966ba26d82779cd1c74711bb0200000002ba71be54a328293acf1ea7c80e4f7cba0214870f97a1d5dda6c90db0a95043a400000007978cc6a42fbef5af0d4c079ad5e2cf637b6fff107d57a14e10f3f48b9c58237675afeb7df7d06ee7a70b367febdc730762895b0a82a584997d2453b12367aa9 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f79e5817d8d801 IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{830424D1-440A-11ED-B63A-76C12A601AFA} = "0" IEXPLORE.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1704 IEXPLORE.EXE -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 1704 IEXPLORE.EXE 1704 IEXPLORE.EXE 1724 IEXPLORE.EXE 1724 IEXPLORE.EXE 1724 IEXPLORE.EXE 1724 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1280 wrote to memory of 1728 1280 MSOXMLED.EXE 28 PID 1280 wrote to memory of 1728 1280 MSOXMLED.EXE 28 PID 1280 wrote to memory of 1728 1280 MSOXMLED.EXE 28 PID 1280 wrote to memory of 1728 1280 MSOXMLED.EXE 28 PID 1728 wrote to memory of 1704 1728 iexplore.exe 29 PID 1728 wrote to memory of 1704 1728 iexplore.exe 29 PID 1728 wrote to memory of 1704 1728 iexplore.exe 29 PID 1728 wrote to memory of 1704 1728 iexplore.exe 29 PID 1704 wrote to memory of 1724 1704 IEXPLORE.EXE 30 PID 1704 wrote to memory of 1724 1704 IEXPLORE.EXE 30 PID 1704 wrote to memory of 1724 1704 IEXPLORE.EXE 30 PID 1704 wrote to memory of 1724 1704 IEXPLORE.EXE 30
Processes
-
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Payload\Instagram.app\Frameworks\FBSharedFramework.framework\SQLiteSchemas\SQLiteDirectThreadSchema.xml"1⤵
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome2⤵
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Program Files\Internet Explorer\IEXPLORE.EXE"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1704 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1724
-
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
603B
MD5a7b5d6cd783556f597c643d55ad25e39
SHA1b300a046517344fdf893455b1a50fac3f4f1167b
SHA2568e144bebce580f5906a2f9892260ba0845427f529e8de72609477ae544d755f5
SHA512806af31ae40f9a0861eb90d4e70020b6ab1764b21488d48763738b2c3866ed3435a07249bcccb7eef9699d116f4dcb3348f2aeb7c7e2d7d29be8120bb688d59a