Analysis Overview
SHA256
ab02e4cbe64c32b1ca18abd8a727c6e6e5f70d6ccb534da980df2f4210c23d6f
Threat Level: Known bad
The file ab02e4cbe64c32b1ca18abd8a727c6e6e5f70d6ccb534da980df2f4210c23d6f.bin was found to be: Known bad.
Malicious Activity Summary
Octo
Octo payload
Removes its main activity from the application launcher
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Makes use of the framework's Accessibility service.
Loads dropped Dex/Jar
Acquires the wake lock.
Requests dangerous framework permissions
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-19 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-19 22:00
Reported
2023-09-19 22:03
Platform
android-x64-20230831-en
Max time kernel
2943804s
Max time network
138s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json | N/A | N/A |
| N/A | /data/user/0/com.wouldbegan28/cache/eaaej | N/A | N/A |
| N/A | /data/user/0/com.wouldbegan28/cache/eaaej | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.wouldbegan28
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 172.217.168.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.136:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | boodycookies41.info | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 1.1.1.1:53 | caramiliudj16.live | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | boodycookies41.info | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | caramiliudj16.live | udp |
| US | 1.1.1.1:53 | 5a9udxg6l6gd.su | udp |
| US | 1.1.1.1:53 | alimavij72.vip | udp |
| N/A | 185.161.248.142:443 | alimavij72.vip | tcp |
| N/A | 185.161.248.142:443 | alimavij72.vip | tcp |
| NL | 142.251.36.42:443 | infinitedata-pa.googleapis.com | tcp |
| N/A | 185.161.248.142:443 | alimavij72.vip | tcp |
| N/A | 185.161.248.142:443 | alimavij72.vip | tcp |
| N/A | 185.161.248.142:443 | alimavij72.vip | tcp |
| N/A | 185.161.248.142:443 | alimavij72.vip | tcp |
| DE | 172.217.23.196:443 | | tcp |
| NL | 142.250.179.142:443 | | tcp |
| NL | 142.250.179.131:443 | | tcp |
| NL | 142.250.179.131:443 | | tcp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| NL | 142.251.36.42:443 | g.tenor.com | tcp |
| N/A | 185.161.248.142:443 | alimavij72.vip | tcp |
Files
/data/data/com.wouldbegan28/app_DynamicOptDex/HdoCq.json
| MD5 | 28170be78b5ad3652a054edf8d5e8b1e |
| SHA1 | 7c75f9299e4b979428e6e87130b9d8f186d2330e |
| SHA256 | 16f76e47de48686e59d9314a14d0296c6b45e3f81327604d980e662170841234 |
| SHA512 | 96a824ecccf00a598ef36ac296fc7ad8f64e2788533e8e698d6047a76c5411a48b84fc3023eb58db5857ef9b99e1d4cb71107966636ed7153df74699ba397ed0 |
/data/data/com.wouldbegan28/app_DynamicOptDex/HdoCq.json
| MD5 | 095439df27d25eafee908d27ed9ef84f |
| SHA1 | e101b69770c6720d1f78abe1a5b8981d1844450a |
| SHA256 | a9dbf65bd41426a28ce92be32f7688498bb6ace5eef5c5525d820ff3de4cff39 |
| SHA512 | a4883248ae56db04e9f1ce4917a1d108b78261c86334db12a119abb9bc7b17577d55eb9e933eb2d53cffb3260bb995f9caf0d5a752ba91d1e0295025eff67939 |
/data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json
| MD5 | 1b0f40a4711285faa8988c53c198d925 |
| SHA1 | 740235e31edb1bb69454f99579b4936994dc0cad |
| SHA256 | 1c63b4ad699c13b3e88e63fd74869d092f24a16591ab62ee2a514586704c22e8 |
| SHA512 | 11f5736a43ffe1c9154d44851b5006319b5dd448a8554062da24ee184e02d53233b292c3973ec58158f10dedd55ddf4d862c9a4b1ed86543abf95e52c51eed83 |
/data/data/com.wouldbegan28/cache/eaaej
| MD5 | 24ac7aeaa9235624fa180eb3ee6067a3 |
| SHA1 | 2882e07823e18b33bf715bff3d881b87e94d75f0 |
| SHA256 | 3a3c932c69144c05aba4be0ccb4815c08f77f1a4364894ba72f808564bfe6ddd |
| SHA512 | e204dc2efafd7beb75c3b0d1f1e9dd8ca1c3153fa88c4088cbc25fab1205a1e2784055832f90f33630097d75328176c89aae4b330a080aeaca61d4c2f571ca1d |
/data/user/0/com.wouldbegan28/cache/eaaej
| MD5 | 24ac7aeaa9235624fa180eb3ee6067a3 |
| SHA1 | 2882e07823e18b33bf715bff3d881b87e94d75f0 |
| SHA256 | 3a3c932c69144c05aba4be0ccb4815c08f77f1a4364894ba72f808564bfe6ddd |
| SHA512 | e204dc2efafd7beb75c3b0d1f1e9dd8ca1c3153fa88c4088cbc25fab1205a1e2784055832f90f33630097d75328176c89aae4b330a080aeaca61d4c2f571ca1d |
/data/user/0/com.wouldbegan28/cache/eaaej
| MD5 | 24ac7aeaa9235624fa180eb3ee6067a3 |
| SHA1 | 2882e07823e18b33bf715bff3d881b87e94d75f0 |
| SHA256 | 3a3c932c69144c05aba4be0ccb4815c08f77f1a4364894ba72f808564bfe6ddd |
| SHA512 | e204dc2efafd7beb75c3b0d1f1e9dd8ca1c3153fa88c4088cbc25fab1205a1e2784055832f90f33630097d75328176c89aae4b330a080aeaca61d4c2f571ca1d |
/data/data/com.wouldbegan28/kl.txt
| MD5 | 13dee5a63abacca9cd3906fa5ee0932c |
| SHA1 | ba2d3700ced23d8e32e42f50426bc8058ab32038 |
| SHA256 | e673a94c7e8b9cdea475ca617ccec54ec2f62d2f76aeb28305c0095918d16604 |
| SHA512 | f1a7a341aa76f4c28a9712e899def9ee0510b8e61d0be649ff9ccedd33b720f052704edbe0294e134bc97901b97b5416d70752835031f32402f13bea68fab3da |
/data/data/com.wouldbegan28/kl.txt
| MD5 | 0d6f82bacfa555e90bb7f317a85354ac |
| SHA1 | 36a661bbe5af97573c7ec1afd9d9d7f46dd725e8 |
| SHA256 | 0954c2e349d589f6f22777b38d2f754021b8c85db2f3371fad833a9d2ea2566d |
| SHA512 | f70f41472658a983db751e54dc32ba7b8e52a254e800d3c1ef1d4bec1f194c26c651dec881f6b2c8f9a5448a7319507a135be2176379464db2a40e5fbd381633 |
/data/data/com.wouldbegan28/kl.txt
| MD5 | af6765ca31457ecbaf28e175e068c1e4 |
| SHA1 | 34fe7d4825caf923949368f0beee29507219a1e6 |
| SHA256 | b22737b2d54e153147d70f83b9172e42e7a96286f5949f608799efae16612572 |
| SHA512 | 971ab99177063742945e685ce95cffda6011704450c50f401e2c85c06686887ae8db0a9cf594f795d8a264f05dcdac1814f1cb959c70af05a15400df2cd866e1 |
/data/data/com.wouldbegan28/kl.txt
| MD5 | af6765ca31457ecbaf28e175e068c1e4 |
| SHA1 | 34fe7d4825caf923949368f0beee29507219a1e6 |
| SHA256 | b22737b2d54e153147d70f83b9172e42e7a96286f5949f608799efae16612572 |
| SHA512 | 971ab99177063742945e685ce95cffda6011704450c50f401e2c85c06686887ae8db0a9cf594f795d8a264f05dcdac1814f1cb959c70af05a15400df2cd866e1 |
/data/data/com.wouldbegan28/kl.txt
| MD5 | b6dfef4517f1f25a7a972e511df9f11e |
| SHA1 | f28490bbc050b89245032597e32656273c97d6f6 |
| SHA256 | d176797b7c8f6a7e6c290b24abff159a08cc2039625ec5301c0a6dfd2352c4c8 |
| SHA512 | 6c379f56a5d1924cf0121b1a642c6fa7e4c257577abfca59cec8acdf87df652ca5d88d0135b0eaba4953e661ab4df729312375810cb4dea78ca0890a9fa50b06 |
/data/data/com.wouldbegan28/cache/oat/eaaej.cur.prof
| MD5 | a20c01ceeb104b9e08d88e789d92a3fe |
| SHA1 | 821b621fc95d8feef3a8e2c6c81429e7ba5d4f9c |
| SHA256 | fb00b4c8ae0ecb7c8097b8f17895f24adf36560abcec8f46543492c37746034e |
| SHA512 | b3692eee73aa5da81bfd39874dd8482525287266f399a14169bc90a7cee3a5ea39f1fc4dd1832ec670311c5e7363de3db80c9f9c55558bd2668a8b8d9d8af9b4 |
/data/data/com.wouldbegan28/.qcom.wouldbegan28
| MD5 | 046a414913add6f5bb60072c7db819b6 |
| SHA1 | 451ee4f6809260aec622d772fd329c7d0297a842 |
| SHA256 | b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a |
| SHA512 | 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c |
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-19 22:00
Reported
2023-09-19 22:03
Platform
win7-20230831-en
Max time kernel
134s
Max time network
132s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000005a78deac4ce18ec0af8817bbffa66340bde2f99577cd1a1655946813ec9b7ac6000000000e8000000002000020000000198b4ba4210cc1b999364a98d3aeb024996110e34212ba849f253d5c3b3a918d2000000099101340f029836bd35278fb98dd7809991506ee1df2ba1ac65d0668800553cb400000007d547417f7f98207882afaa0d213fcaba39139b50ac817bfafe4bfbb0818949f4e4629cff91c1c160067baabc901f269bbf3bca4ada05b8b6c1521419e984ae0 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a835d444ebd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401322720" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF5F5E51-5737-11EE-9BFA-76A8121F2E0E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2176 wrote to memory of 1504 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2176 wrote to memory of 1504 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2176 wrote to memory of 1504 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2176 wrote to memory of 1504 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2176 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab602D.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar60BC.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7207b96aa4242e0a86cb1b107582b42 |
| SHA1 | a8315338c43a1f4f8afcff1ffc74e7cba3dc2710 |
| SHA256 | a61753a81caf56dd0852924f85e6a7c504eef58ce959a5994f17d601871f21ee |
| SHA512 | 41274179a44e8954c9ec2ffc4bf022320ef29e366c6d6f2843205e48cce7baf48b042526eb72e9cc8b0f5e33ed9f590f603406ae82cdf1ebaf5121dc4b261804 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 71413f7e6cb05b03556b11b31ac9cb8c |
| SHA1 | b289361b8dbcd6b9827ef4bcc424d2d70cafbb6d |
| SHA256 | 2b38ab381ed358bade537215130e5cf8e3bf0670cd05427f3661e98015633e2f |
| SHA512 | 54a6f4413c28b40387ae564a7892c2c6e73581790db3d93c27e48cc808fe5da8d41b4ad3e4049e1eaa4ab5d5ed93edf5bfeed2999f989be2a84fd06ad24db3f8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc8ba350dfaf54b3196a4bf8387fe075 |
| SHA1 | 3b568adc7f7d4a71dbbebd9b9d9fb3427d637462 |
| SHA256 | ae3bfb80f7f9f7832a29500b4ef42503998b27af8bbccb501098cb14c94dffd1 |
| SHA512 | 52ffc7d41d5de0320dc24c59271e7919ee98c057868cf33e62b40d2d2a4b5492d2ac7ef47bd0ed32b534653f03e3c204bd3a456c367f2a40c5fa6b913c5dd1b2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3678d0dec932b6c1aa048ddfdb04c0a6 |
| SHA1 | 3179912b6f8d73d355c73595e04a9105bd8a3c26 |
| SHA256 | 812aed34f6a85cae9f9a23049c629d81b2607579228b912726a986175eff5927 |
| SHA512 | c5bc7dc3ab9a5a59793404002384bf94ec59bf6d9d0fcaf679f1c76662cd8295291a3c43712be8f4ada5f36cd0208bc17c1f825a8ef130c51976fa75569aadcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 69a1ff1b784fec8262b3c0bcac327166 |
| SHA1 | f0fdb50f47d908cc642246ce4d576747756e8447 |
| SHA256 | a05e728abf6462fa749144046e7aee72584373d1c2a85236f76c8922c0ea1f11 |
| SHA512 | dd56e7aceba6cd77b0c87d2ec3ab5037904767f5ea210f371816b3cb085965e156e09235b35fbf96bdbfe64c9b0ee298d76f8d7122ed0324ac55d60705d7df74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f91dd00a984b0e01da9143e3868690a6 |
| SHA1 | 032479f52621b63ecc31c8157ba1a13600f86cbb |
| SHA256 | d1d96b410f95809f5131391c085e4ce8b369fe2f3d887c44b94eb19fac1a352c |
| SHA512 | c463bb4fcf9abfd83d90adaae8e687a57e6bb41ae93389c76bfbd9f489611ebcc989902e453411e2153a1fb3a39333fe757170cb33e988442835f4927398ac06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e01a3aa8ca95b59afd582ce86e7d4dd |
| SHA1 | 0173e6b96bdb36940f4b73aa03dc7151027ec4f5 |
| SHA256 | 1efee7ef65479cab112ba228118cd361ac2e6b55871a0a6d5a5b5273cc266ec7 |
| SHA512 | f158e18ce8b49aeed59db449192fd46ce91482096291c1feea065272f875e7fa29731e3c7638f46be157c31a5bf73bc981b8757ad4cf2e98d465412400c08014 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d88e4316319151be7ee3ecc15bc75e06 |
| SHA1 | 4c9d096da4507ecaeaa6f95b2a656aa6619acfbb |
| SHA256 | 14004eec0a7c1bb63b8b575ac050e8370188a0d086d942a6a61e2c5d37c259ff |
| SHA512 | 83c1b666ef2324b89a3110868ca19350be3c0b97482f4a9f665deb3fb248a4c87d70b4bd20a85c253add0a04e728b9ef1a3018b52e9fdbc93a4c1f65c5637aee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | da3cd93dafde6a3c0c6654e793fe4051 |
| SHA1 | 97426fdd416e3cae2ae63b5b672549a92320522a |
| SHA256 | 2a23f33101f0f23a3179c5e57487f825dc14f3db0079d6c7d422fcda551b7b4d |
| SHA512 | 3a00557d0a4c5b0995f2744b588f77f9fcc526034d7a90490996e4fe514f2a714df28b3a78700c6d020c7080f82d33c542893b2a99cdbaf1058b65a019f06cda |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 686d86e4f366018c055c3cc4a3bdae97 |
| SHA1 | 98d6312e31810e09e38f6f4ea5c68163a33079df |
| SHA256 | 6e56524e40384e35aaae1414c2063412713f15e632ba0dcf3f337da731b425a5 |
| SHA512 | 62ac37ea5dd61aea75b629b18e98efdd94fd0b3d6f3eb3a5a2983a6dafd08baf53f4c5cb1dd849f24c6e3ab7342e8baa505c7833661ac0ecb2c15edfddccbc53 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e6031ea0d659528630519f861eaccb5a |
| SHA1 | bff80ad8df07a0521d20df7e1bde86461a0dbaad |
| SHA256 | 3fec3804bce28f43037786f978d9b9c7778dbc22459a7a9ad3e29350483620c8 |
| SHA512 | 0482afa1fee9ad9efdb4c116e0142e783cb856492f9d74d770deec9dde0629339bc9bd6a8ee3b497202c43c88c2c4f2becc3869fdefdbb7ecfa3f92850ee273a |
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-19 22:00
Reported
2023-09-19 22:03
Platform
win10v2004-20230915-en
Max time kernel
86s
Max time network
128s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3591427575" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad356000000000020000000000106600000001000020000000e759ae906a55b811ba579835e59a8329c4407955b1cffba82a99eb857438159d000000000e800000000200002000000052cd4e2b9b5cc86601b1cb2689d1f252b914aa8428a6e8d154cdf2f92cfd1238200000006d80f4d2caf97a357d414be8c54d523f7b2c28a34b9e39fdaf14f28a27f5d6de40000000e6070149a37d74556e566d16ee14c2b2d7688ad5464c699275f45ed72b2bb79691e9418ab2ace2a50cdd3291e33e464ac6109a7a5aec49d7fd1891f702d20a4a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401925829" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058756" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058756" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40b13bd644ebd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058756" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{002BA5C7-5738-11EE-941E-C68ECCB5A471} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3572520832" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3572520832" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e01d3a14bb1f3846b5fc27e9e0ad3560000000000200000000001066000000010000200000009b9662168d48c3e4f258d38698228a350a18ef658f239e3e273d2aaffac4bf83000000000e8000000002000020000000c3605f2a1ef0c740411bba295330b1d28783e0d543041ddb8ede4178756f99c52000000001389798a35d7315db776ce99273320edc997a4f20bd6f4a8efef407053beb2240000000e9bf11c36710b6347eec51443ab01e18a0df93f887248dffeccd409ce775a1fd7d4ee82f6de06ec2a09afe8729cc4604bef7f17523ea2f980c0b762e973cae25 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10534cd644ebd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3960 wrote to memory of 2444 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3960 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.20.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MRL3SWXH\suggestions[1].en-US
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-19 22:00
Reported
2023-09-19 22:03
Platform
android-x86-arm-20230831-en
Max time kernel
2943888s
Max time network
141s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json | N/A | N/A |
| N/A | /data/user/0/com.wouldbegan28/cache/eaaej | N/A | N/A |
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.wouldbegan28
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wouldbegan28/app_DynamicOptDex/oat/x86/HdoCq.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 142.250.179.138:443 | N/A | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | 5a9udxg6l6gd.su | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| N/A | 185.161.248.142:443 | 5a9udxg6l6gd.su | tcp |
| US | 1.1.1.1:53 | boodycookies41.info | udp |
| N/A | 185.161.248.142:443 | boodycookies41.info | tcp |
| NL | 172.217.168.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 185.161.248.142:443 | boodycookies41.info | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
| N/A | 185.161.248.142:443 | boodycookies41.info | tcp |
Files
/data/data/com.wouldbegan28/app_DynamicOptDex/HdoCq.json
/data/user/0/com.wouldbegan28/app_DynamicOptDex/HdoCq.json
/data/data/com.wouldbegan28/cache/eaaej
/data/user/0/com.wouldbegan28/cache/eaaej
/data/data/com.wouldbegan28/kl.txt
/data/data/com.wouldbegan28/cache/oat/eaaej.cur.prof
/data/data/com.wouldbegan28/.qcom.wouldbegan28