Malware Analysis Report

2024-10-19 12:18

Sample ID 230919-1w181acc5t
Target ab02e4cbe64c32b1ca18abd8a727c6e6e5f70d6ccb534da980df2f4210c23d6f.bin
SHA256 ab02e4cbe64c32b1ca18abd8a727c6e6e5f70d6ccb534da980df2f4210c23d6f
Tags
octo banker infostealer ransomware rat trojan evasion stealth
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ab02e4cbe64c32b1ca18abd8a727c6e6e5f70d6ccb534da980df2f4210c23d6f

Threat Level: Known bad

The file ab02e4cbe64c32b1ca18abd8a727c6e6e5f70d6ccb534da980df2f4210c23d6f.bin was found to be: Known bad.

Malicious Activity Summary

octo banker infostealer ransomware rat trojan evasion stealth

Octo

Octo payload

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Makes use of the framework's Accessibility service.

Loads dropped Dex/Jar

Acquires the wake lock.

Requests dangerous framework permissions

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-19 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-19 22:00

Reported

2023-09-19 22:03

Platform

android-x64-20230831-en

Max time kernel

2943804s

Max time network

138s

Command Line

com.wouldbegan28

Signatures

Octo

banker trojan infostealer rat octo

Octo payload


Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json N/A N/A
N/A /data/user/0/com.wouldbegan28/cache/eaaej N/A N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.wouldbegan28

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 172.217.168.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.136:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 boodycookies41.info udp
US 1.1.1.1:53 www.ip-api.com udp
US 1.1.1.1:53 caramiliudj16.live udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
US 1.1.1.1:53 boodycookies41.info udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 caramiliudj16.live udp
US 1.1.1.1:53 5a9udxg6l6gd.su udp
US 1.1.1.1:53 alimavij72.vip udp
N/A 185.161.248.142:443 alimavij72.vip tcp
N/A 185.161.248.142:443 alimavij72.vip tcp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
N/A 185.161.248.142:443 alimavij72.vip tcp
N/A 185.161.248.142:443 alimavij72.vip tcp
N/A 185.161.248.142:443 alimavij72.vip tcp
N/A 185.161.248.142:443 alimavij72.vip tcp
DE 172.217.23.196:443 tcp
NL 142.250.179.142:443 tcp
NL 142.250.179.131:443 tcp
NL 142.250.179.131:443 tcp
US 1.1.1.1:53 g.tenor.com udp
NL 142.251.36.42:443 g.tenor.com tcp
N/A 185.161.248.142:443 alimavij72.vip tcp

Files

/data/data/com.wouldbegan28/app_DynamicOptDex/HdoCq.json

/data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json

/data/data/com.wouldbegan28/cache/eaaej

/data/user/0/com.wouldbegan28/cache/eaaej

/data/data/com.wouldbegan28/kl.txt

/data/data/com.wouldbegan28/cache/oat/eaaej.cur.prof

/data/data/com.wouldbegan28/.qcom.wouldbegan28

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-19 22:00

Reported

2023-09-19 22:03

Platform

win7-20230831-en

Max time kernel

134s

Max time network

132s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000005a78deac4ce18ec0af8817bbffa66340bde2f99577cd1a1655946813ec9b7ac6000000000e8000000002000020000000198b4ba4210cc1b999364a98d3aeb024996110e34212ba849f253d5c3b3a918d2000000099101340f029836bd35278fb98dd7809991506ee1df2ba1ac65d0668800553cb400000007d547417f7f98207882afaa0d213fcaba39139b50ac817bfafe4bfbb0818949f4e4629cff91c1c160067baabc901f269bbf3bca4ada05b8b6c1521419e984ae0 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a714000000000020000000000106600000001000020000000c03fd0f422c22d0b6d057856cea57db372863ef80f063637a4827a920aa720d7000000000e800000000200002000000025ee96179b87d491ff795903db346d44f8dc59a4973806aa9c6ae76f217993f19000000018ca14f2f4aa350d11f1ae405f14a14e617365f667e7274fd30d5bd7b565b2b6028945efe9f99a7f7d920ab516f168d822029bcfbc1408fb10dd0c0446d728f1e4362b44d713ab8a6cc468cd48f70140297cf60550d0de14f4e9f38510fd88675a5ced4d20f71ded2c5f6da103b21ab6fd7745fe5a7945b8bca3f2faf14c4e2fc96af0ddc9775f805b0370fa33d23edd400000002c735a93b657b14f685b5496f3cf92ffeb61c654632a05c7b250fb92fccd0ec7eda853be3337c5f2b60df0bc24c8e24336ff568c00523d0aa5926173c1986404 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a835d444ebd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401322720" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF5F5E51-5737-11EE-9BFA-76A8121F2E0E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab602D.tmp

C:\Users\Admin\AppData\Local\Temp\Tar60BC.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-19 22:00

Reported

2023-09-19 22:03

Platform

win10v2004-20230915-en

Max time kernel

86s

Max time network

128s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3591427575" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad356000000000020000000000106600000001000020000000e759ae906a55b811ba579835e59a8329c4407955b1cffba82a99eb857438159d000000000e800000000200002000000052cd4e2b9b5cc86601b1cb2689d1f252b914aa8428a6e8d154cdf2f92cfd1238200000006d80f4d2caf97a357d414be8c54d523f7b2c28a34b9e39fdaf14f28a27f5d6de40000000e6070149a37d74556e566d16ee14c2b2d7688ad5464c699275f45ed72b2bb79691e9418ab2ace2a50cdd3291e33e464ac6109a7a5aec49d7fd1891f702d20a4a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401925829" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058756" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058756" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b13bd644ebd901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058756" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{002BA5C7-5738-11EE-941E-C68ECCB5A471} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3572520832" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3572520832" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad3560000000000200000000001066000000010000200000009b9662168d48c3e4f258d38698228a350a18ef658f239e3e273d2aaffac4bf83000000000e8000000002000020000000c3605f2a1ef0c740411bba295330b1d28783e0d543041ddb8ede4178756f99c52000000001389798a35d7315db776ce99273320edc997a4f20bd6f4a8efef407053beb2240000000e9bf11c36710b6347eec51443ab01e18a0df93f887248dffeccd409ce775a1fd7d4ee82f6de06ec2a09afe8729cc4604bef7f17523ea2f980c0b762e973cae25 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10534cd644ebd901 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3960 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 126.20.238.8.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MRL3SWXH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-19 22:00

Reported

2023-09-19 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

2943888s

Max time network

141s

Command Line

com.wouldbegan28

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json N/A N/A
N/A /data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json N/A N/A
N/A /data/user/0/com.wouldbegan28/cache/eaaej N/A N/A
N/A /data/user/0/com.wouldbegan28/cache/eaaej N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.wouldbegan28

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wouldbegan28/app_DynamicOptDex/oat/x86/HdoCq.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.138:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 5a9udxg6l6gd.su udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
N/A 185.161.248.142:443 5a9udxg6l6gd.su tcp
US 1.1.1.1:53 boodycookies41.info udp
N/A 185.161.248.142:443 boodycookies41.info tcp
N/A 185.161.248.142:443 boodycookies41.info tcp
NL 172.217.168.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
N/A 185.161.248.142:443 boodycookies41.info tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.206:443 android.apis.google.com tcp
N/A 185.161.248.142:443 boodycookies41.info tcp
N/A 185.161.248.142:443 boodycookies41.info tcp
N/A 185.161.248.142:443 boodycookies41.info tcp
N/A 185.161.248.142:443 boodycookies41.info tcp

Files

/data/data/com.wouldbegan28/app_DynamicOptDex/HdoCq.json

MD5 28170be78b5ad3652a054edf8d5e8b1e
SHA1 7c75f9299e4b979428e6e87130b9d8f186d2330e
SHA256 16f76e47de48686e59d9314a14d0296c6b45e3f81327604d980e662170841234
SHA512 96a824ecccf00a598ef36ac296fc7ad8f64e2788533e8e698d6047a76c5411a48b84fc3023eb58db5857ef9b99e1d4cb71107966636ed7153df74699ba397ed0

/data/data/com.wouldbegan28/app_DynamicOptDex/HdoCq.json

MD5 095439df27d25eafee908d27ed9ef84f
SHA1 e101b69770c6720d1f78abe1a5b8981d1844450a
SHA256 a9dbf65bd41426a28ce92be32f7688498bb6ace5eef5c5525d820ff3de4cff39
SHA512 a4883248ae56db04e9f1ce4917a1d108b78261c86334db12a119abb9bc7b17577d55eb9e933eb2d53cffb3260bb995f9caf0d5a752ba91d1e0295025eff67939

/data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json

MD5 1b0f40a4711285faa8988c53c198d925
SHA1 740235e31edb1bb69454f99579b4936994dc0cad
SHA256 1c63b4ad699c13b3e88e63fd74869d092f24a16591ab62ee2a514586704c22e8
SHA512 11f5736a43ffe1c9154d44851b5006319b5dd448a8554062da24ee184e02d53233b292c3973ec58158f10dedd55ddf4d862c9a4b1ed86543abf95e52c51eed83

/data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json

MD5 526a4842bc4a61473840b08132762d31
SHA1 f7bc29d95c3ca258385dd6cb34720999e444c27a
SHA256 53d9cf6863bcedf16d11517cea53df7bb5acd5b5745674be7dc13eb72eb702c5
SHA512 4ee74bdf871c72c91b9424fa0522b79ecb5364c88e139dc881ea0bb2f304aa7b13cf1ec4fcd991d0962d306e96c9a1acaa4f18895bdaf1fc8b5646568287b35c

/data/data/com.wouldbegan28/cache/eaaej

MD5 24ac7aeaa9235624fa180eb3ee6067a3
SHA1 2882e07823e18b33bf715bff3d881b87e94d75f0
SHA256 3a3c932c69144c05aba4be0ccb4815c08f77f1a4364894ba72f808564bfe6ddd
SHA512 e204dc2efafd7beb75c3b0d1f1e9dd8ca1c3153fa88c4088cbc25fab1205a1e2784055832f90f33630097d75328176c89aae4b330a080aeaca61d4c2f571ca1d

/data/user/0/com.wouldbegan28/cache/eaaej

MD5 24ac7aeaa9235624fa180eb3ee6067a3
SHA1 2882e07823e18b33bf715bff3d881b87e94d75f0
SHA256 3a3c932c69144c05aba4be0ccb4815c08f77f1a4364894ba72f808564bfe6ddd
SHA512 e204dc2efafd7beb75c3b0d1f1e9dd8ca1c3153fa88c4088cbc25fab1205a1e2784055832f90f33630097d75328176c89aae4b330a080aeaca61d4c2f571ca1d

/data/data/com.wouldbegan28/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.wouldbegan28/kl.txt

MD5 dce0dd36a5608ad6a26a97349f37da46
SHA1 648b974da89aaa56be44855f095b7afcf2cd1414
SHA256 a1517ae75b7eb6a7b7c55ab5efe042feaf13268e15b2d1f6848f995ca5bb97c6
SHA512 2efff6e27a530b33cafc823eacf574e6fd02519a5523cbd040043492532de8860f11ae57f733af8eb8f0e908ffb241fb3cce40529a8da1c7813df675d085a5f8

/data/data/com.wouldbegan28/kl.txt

MD5 39247e15f9887de1c9fb1d277c809158
SHA1 cbbb76395657784f81e73cf7f3c2016599c79ff6
SHA256 9e8fa0baaff6e49bc0ccb6554e1f4381060f4d14033914dad5ba2f514cb20287
SHA512 9a36a38d4e3734140eb3529eecf32b1813eca1ef5e18d08523da21196dce43573d189efc380cec4a55f90e6be9382b3e72b4d6811006b87b12343e55cf64d558

/data/data/com.wouldbegan28/kl.txt

MD5 a6d0fefca5493fbf7148fe5f872ed895
SHA1 d38283f6b69a2f45c85970f7b7050d32ca9d9355
SHA256 73b3aa0ba95e972ceac33a339ad2773f6f93d6a33d1a8d2b819b437a3c80d197
SHA512 555ec80062ebb0bf3b139388019974626fbc1a9e497bb5a70bd9e94a7d813b5b00391ddf43aa1609ef4645135880b740fdc3a28bf6f6e5eddf1b5775a3bb782a

/data/data/com.wouldbegan28/kl.txt

MD5 f7c381ef0f8e799ab4d4d1607ce56ae7
SHA1 4330142c6e582557da4978ed2c06450354206732
SHA256 eca949c6722d862552ea13f6752dc9d50962d116b57c0159d584c1ad5b5c6e4b
SHA512 4c20d1028bd979bd5f20895e664a2d2681e3cf1a6eacde74db9fb34f267d56d36976ec77b415203740bfe9fc9d2ffa90036dc43f3156eeefbbdaedc2ccc15a70

/data/data/com.wouldbegan28/cache/oat/eaaej.cur.prof

MD5 d9da5b70c732f93c2585909fc717a0bb
SHA1 b08faaac7650a15864f6750cffe82f2559caf197
SHA256 bda1ae3a890eddb1f82ae98ee2db2f4d633abd9c84664b8eb09b1bdf7433fb10
SHA512 d3af150a336dc5aace2aa52762a8c6dc98de479949b3758064e4af14e9ff90be7c8b81150f083d29e27e8abf6b7262fe093d3c2e1edd008a3873265f5bf9be3d

/data/data/com.wouldbegan28/.qcom.wouldbegan28

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c