Analysis Overview
SHA256
3de0ca27d3f0b6ae0deccb6ee1f11f8693100fe7d829ae73473e911aef8f1918
Threat Level: Known bad
The file 3de0ca27d3f0b6ae0deccb6ee1f11f8693100fe7d829ae73473e911aef8f1918.bin was found to be: Known bad.
Malicious Activity Summary
Octo
Octo payload
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Acquires the wake lock.
Requests dangerous framework permissions
Loads dropped Dex/Jar
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-20 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-20 22:00
Reported
2023-09-20 22:03
Platform
win10v2004-20230915-en
Max time kernel
91s
Max time network
151s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31058958" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058958" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31058958" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "402012238" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{309288DC-5801-11EE-A4AD-D212195BFD32} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "85191418" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053f6c1c968fea744ae4054d48ac91ea9000000000200000000001066000000010000200000009ff3d90137884eab3b0877c8ba8657554b338a6629798344fba620fc2fee8e72000000000e80000000020000200000003b4eec41c88f26ef3d4e2cb7b1307b24008eae5ae08c61fd7bbcdee178c98ee2200000002233e21019cb6128093591d415b334451e901c90148445f294e50910a58c9a54400000003d77f9c4bd33809d8aca8d8dc27ef3f89d6ee539decb20c722f0342d589ffede4fcc9f1f21c9e886c513ab4fbce38a94eb68f7be6b796427fa7c72786bf63e99 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b091be060eecd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000053f6c1c968fea744ae4054d48ac91ea90000000002000000000010660000000100002000000026996d657b83d6a23b7f393e7fc6b1796b0d4934c371bb46504ebe67f82d3113000000000e800000000200002000000086b5242d8f943ba8dda5b387567576f62abc42cf71d58844ff9c6c009654d1d7200000005e299bc52cbd199e70c077fe7016e76fece3efaf1bdd86a31664bba9e87ecbd940000000e1a7f387fe91bbbc227318560cb5d951b45c9afa6ccc2f826b48803debe8b103aff0efa4d8c7a223b3968db0aa01589606309f8e0cb1866655f553618c917ec2 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "98628952" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "85036397" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0c3a6060eecd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1388 wrote to memory of 3184 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1388 wrote to memory of 3184 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1388 wrote to memory of 3184 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1388 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZFOAR009\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-20 22:00
Reported
2023-09-20 22:03
Platform
android-x86-arm-20230831-en
Max time kernel
3030297s
Max time network
130s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json | N/A | N/A |
| N/A | /data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json | N/A | N/A |
| N/A | /data/user/0/com.seaknowsplp/cache/fxuzb | N/A | N/A |
| N/A | /data/user/0/com.seaknowsplp/cache/fxuzb | N/A | N/A |
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.seaknowsplp
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.seaknowsplp/app_DynamicOptDex/oat/x86/Dild.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.251.36.42:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | junggvrebvqq.org | udp |
| US | 1.1.1.1:53 | lauytropo.net | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | bobnoopo.org | udp |
| US | 1.1.1.1:53 | junggvbvqqnetok.com | udp |
| US | 1.1.1.1:53 | lauytropo.net | udp |
| US | 1.1.1.1:53 | junggvbvqqnetok.com | udp |
| US | 1.1.1.1:53 | junggvbvqqnetok.com | udp |
| US | 1.1.1.1:53 | junggpervbvqqqqqq.com | udp |
| US | 1.1.1.1:53 | reservop.top | udp |
| US | 1.1.1.1:53 | junggvbvqqgroup.com | udp |
| NL | 172.217.168.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
Files
/data/data/com.seaknowsplp/app_DynamicOptDex/Dild.json
| MD5 | 2e5fe405a120b75cc65cd2844ed028c8 |
| SHA1 | 8009d3d4feda42bb679f76fcb2364b402a332672 |
| SHA256 | 654ddcc1dea947725ac83019b892a4ffba0b97845428d31026ca65a1385d44fe |
| SHA512 | 0f304367b2fedefac22fa7b22ba1173bc32d0b79264b758cb2522aa929fdb62d9503786fb015660b4945dd67d346748ba6157fc4511a6001b7f406df49910cc0 |
/data/data/com.seaknowsplp/app_DynamicOptDex/Dild.json
| MD5 | 0c5d76c5fccdcd48df22b2fdea895c5b |
| SHA1 | ba846963bf3454f635b570239780734279fb07ae |
| SHA256 | 87a5eaed5176f0c33f4d833fd4fc7bfb38da7aba6b4ebaaf569989ac38362fe1 |
| SHA512 | 263a85a31ffde6339f12df1acb5ae324849cba0a4b6a4b1f2ac6e93e41f273d34ed244ba2abff2d29a4f22ba9970d92bafdabdf7b14b7d9e4bb8567e6b25c501 |
/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json
| MD5 | abdfa1fc42842d12414d867f537a84be |
| SHA1 | 9892e8c24047ae6e3b1b35be1aaf4fec01620e3c |
| SHA256 | cd40e2d8a61b7a5d1fc9a3f05f8203ee7971ca8ebbd2f7b23106ec31dfd08298 |
| SHA512 | ff0ab81d177eb898a91642162b15658b83dde11b886f95c36690f6c974ef949d9fa24689bdbbfa1546cad47314c24f2da94c3058f49e61d8c456950214d37849 |
/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json
| MD5 | 64a95da5ce47d088bb564caf680bd228 |
| SHA1 | eb70c209906b1f9c66c9ac2eae37395221348695 |
| SHA256 | 2fc975b6b4c3e231e12c1b9fdfb188fbfaf7ed50758a6ea55e36be506dea0551 |
| SHA512 | f9c6a1fa8a829be4e84634176027f41931b00282033720182d25e4cfae746321655940483ac39c27ef7c11e86de046cc589c031d8175407288b3e3ce62e3ed23 |
/data/data/com.seaknowsplp/cache/fxuzb
| MD5 | a1405db751a141e61ad44b351fa1f62a |
| SHA1 | a3e44b7dd5e3e79b10d455cc951688d7716d589d |
| SHA256 | 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082 |
| SHA512 | 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1 |
/data/user/0/com.seaknowsplp/cache/fxuzb
| MD5 | a1405db751a141e61ad44b351fa1f62a |
| SHA1 | a3e44b7dd5e3e79b10d455cc951688d7716d589d |
| SHA256 | 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082 |
| SHA512 | 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1 |
/data/user/0/com.seaknowsplp/cache/fxuzb
| MD5 | a1405db751a141e61ad44b351fa1f62a |
| SHA1 | a3e44b7dd5e3e79b10d455cc951688d7716d589d |
| SHA256 | 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082 |
| SHA512 | 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1 |
/data/data/com.seaknowsplp/kl.txt
| MD5 | 6311c3fd15588bb5c126e6c28ff5fffe |
| SHA1 | ce81d136fce31779f4dd62e20bdaf99c91e2fc57 |
| SHA256 | 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8 |
| SHA512 | 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6 |
/data/data/com.seaknowsplp/kl.txt
| MD5 | 43a12c1b7ac47221c235b4164115c7ad |
| SHA1 | 414872e672858bc176421ed340bd6865f8a689c8 |
| SHA256 | 921c50a8018bc49871a73a0aae01397f11517757d47a02c94e9b44547996ff86 |
| SHA512 | 775c5a253c30ebbda09a2b81690b7cce901ca25fb09e9f34f46051c306e322ffe285dca9bfcfa521bf22e8f47186f78bc4b1e3f330913109be7a38196ffce03c |
/data/data/com.seaknowsplp/kl.txt
| MD5 | afed4d27932a62fd826897259b74641a |
| SHA1 | 1d55e5687ca7139b1ab5b9a49707c9bbb32e2f6e |
| SHA256 | 2a61a30b4715c6bd270c5ccab197302830f7a60f2e1c7f5ad3d5e828d5d0912b |
| SHA512 | e5dbabbd326815d280bd8a1b672e18f7726f7db7c6f4a7d401c8a9c720cd43d8dd36a48fae1042f9af08b703d1863c0e1dd86b4c0df38cf6b4155e8600ee5240 |
/data/data/com.seaknowsplp/kl.txt
| MD5 | 23bd1e795b1d8d1a1f98edfbb3a1e1de |
| SHA1 | c5b97364fe6b5299cf652d040cfbcc771386323a |
| SHA256 | 94438fb44f243eaa4a9edf1c70f1c0d848c0662ecaa7b15ab5d3a12f6cd1ac6a |
| SHA512 | a1c9e38c1aaa85259c6190956f3a18376fa986244d11db17bd33d52b6c06d27e53455735202703f809cb5e91b686c05b21e0a7a03855f189f2382c857984ae62 |
/data/data/com.seaknowsplp/kl.txt
| MD5 | e7dcdb937399fb4ee468f28ccd6141f1 |
| SHA1 | 629a9892c9caa139451ef92d92b771075e25ddc7 |
| SHA256 | f6d1cc67654ef77a14de89734845bde9e0beff6307d62c3ea92fa021587e62f6 |
| SHA512 | 38a79604d598afea9ec9eecc60faf1fc6b5f4a68ebde29b70ed502b9bb2e647250198c4478e6f0cecb82c0e267a95e2918a9c1eab187c89ce78e0176a6ed4574 |
/data/data/com.seaknowsplp/cache/oat/fxuzb.cur.prof
| MD5 | bf3afc895847be4ce1ca5523c116551b |
| SHA1 | bea3a1b597f0c2a2c34bad2fd99e9a61fe84d566 |
| SHA256 | ea49e09cb5e021fb34a4cf248ae576921a051d53fbb21395e010d74bd1a21631 |
| SHA512 | 8f10b234072473714dd5eec926875d321853a6cdcce2a6d95b6604c0055071c1c87ff72cc17d208399b0fa8ea22150804e55c0c9fbb8b595977159304116f3bc |
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-20 22:00
Reported
2023-09-20 22:03
Platform
android-x64-arm64-20230831-en
Max time kernel
3030298s
Max time network
143s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json | N/A | N/A |
| N/A | /data/user/0/com.seaknowsplp/cache/fxuzb | N/A | N/A |
| N/A | /data/user/0/com.seaknowsplp/cache/fxuzb | N/A | N/A |
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.seaknowsplp
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| NL | 142.250.179.142:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | lauytropo.net | udp |
| US | 1.1.1.1:53 | junggpervbvqqqqqq.com | udp |
| US | 1.1.1.1:53 | junggvbvqqgroup.com | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 1.1.1.1:53 | reservop.top | udp |
| US | 1.1.1.1:53 | bobnoopo.org | udp |
| US | 1.1.1.1:53 | junggvbvqqnetok.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | bobnoopo.org | udp |
| US | 1.1.1.1:53 | junggvrebvqq.org | udp |
| US | 1.1.1.1:53 | bobnoopo.org | udp |
| DE | 172.217.23.206:443 | N/A | tcp |
Files
/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json
| MD5 | 2e5fe405a120b75cc65cd2844ed028c8 |
| SHA1 | 8009d3d4feda42bb679f76fcb2364b402a332672 |
| SHA256 | 654ddcc1dea947725ac83019b892a4ffba0b97845428d31026ca65a1385d44fe |
| SHA512 | 0f304367b2fedefac22fa7b22ba1173bc32d0b79264b758cb2522aa929fdb62d9503786fb015660b4945dd67d346748ba6157fc4511a6001b7f406df49910cc0 |
/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json
| MD5 | 0c5d76c5fccdcd48df22b2fdea895c5b |
| SHA1 | ba846963bf3454f635b570239780734279fb07ae |
| SHA256 | 87a5eaed5176f0c33f4d833fd4fc7bfb38da7aba6b4ebaaf569989ac38362fe1 |
| SHA512 | 263a85a31ffde6339f12df1acb5ae324849cba0a4b6a4b1f2ac6e93e41f273d34ed244ba2abff2d29a4f22ba9970d92bafdabdf7b14b7d9e4bb8567e6b25c501 |
/data/user/0/com.seaknowsplp/app_DynamicOptDex/Dild.json
| MD5 | abdfa1fc42842d12414d867f537a84be |
| SHA1 | 9892e8c24047ae6e3b1b35be1aaf4fec01620e3c |
| SHA256 | cd40e2d8a61b7a5d1fc9a3f05f8203ee7971ca8ebbd2f7b23106ec31dfd08298 |
| SHA512 | ff0ab81d177eb898a91642162b15658b83dde11b886f95c36690f6c974ef949d9fa24689bdbbfa1546cad47314c24f2da94c3058f49e61d8c456950214d37849 |
/data/user/0/com.seaknowsplp/cache/fxuzb
| MD5 | a1405db751a141e61ad44b351fa1f62a |
| SHA1 | a3e44b7dd5e3e79b10d455cc951688d7716d589d |
| SHA256 | 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082 |
| SHA512 | 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1 |
/data/user/0/com.seaknowsplp/cache/fxuzb
| MD5 | a1405db751a141e61ad44b351fa1f62a |
| SHA1 | a3e44b7dd5e3e79b10d455cc951688d7716d589d |
| SHA256 | 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082 |
| SHA512 | 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1 |
/data/user/0/com.seaknowsplp/cache/fxuzb
| MD5 | a1405db751a141e61ad44b351fa1f62a |
| SHA1 | a3e44b7dd5e3e79b10d455cc951688d7716d589d |
| SHA256 | 14f700d4160083a1081d1cd97fa3a612bdc4edc045bb944c8c9d5da09abe0082 |
| SHA512 | 56dd2a2b296637f7169a3e41be191a7b6a569681a791e4dae7bcf2d19af1d653adfc7725fb165bc9797d3b4ff1b6974cf5401b8a21996aac0bd6fff7f692aaa1 |
/data/user/0/com.seaknowsplp/cache/oat/fxuzb.cur.prof
| MD5 | 0825773fb2cf675cdb3a57e42c44537a |
| SHA1 | dd4bde6e3d9baeb77c88bac89080f4138b929d5d |
| SHA256 | a379bd7f1986eccfc2a13f49627f0aa7352d5abaaa676375fa7cd72b184af17a |
| SHA512 | dd85a598354cfdcc39504dfa48409a3d5006d3fd093b79692ca37a2e970588e1aea5c570109f79a3a25ab10093845a24bb998c806bd98539256bf8bb6a989d2a |
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-20 22:00
Reported
2023-09-20 22:03
Platform
win7-20230831-en
Max time kernel
134s
Max time network
131s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f841040eecd901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000918258b1c6eaef44bc85c7515db804ef000000000200000000001066000000010000200000009eba478610aff1c2444a5cdeac76b0df0bd93077a7a474bb1814050ebbb76e22000000000e80000000020000200000003ac0aae2b315e6024259789dc9e98c38652bd09c31ccff0029f99c5b40ffcc3d20000000257407408af27b7399ae927ae0c60da48e11b9a12159f0f27112241ad5a36dbc40000000ea6034fa4766c092d86d87baff849085b3e10bce1926b00f2ff3a80f5260a94efb312b500bbbf969cf0e31c5b3614110e8b39a07c146a101f1d5120f941ed248 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2F8F8311-5801-11EE-A914-5AE3C8A3AD14} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401409128" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2292 wrote to memory of 772 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2292 wrote to memory of 772 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2292 wrote to memory of 772 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2292 wrote to memory of 772 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\license.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab5CF1.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar5DFE.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7cc0b695f5030f1aced120b6da33ad6 |
| SHA1 | 28f109ae748584133b5e5b9d43a786477e2664a9 |
| SHA256 | 83cb4dfbbfda1a8f6d747a30aeaeb3069dba56d99381499fee01a4bae3d3954d |
| SHA512 | ccfa7bf1ce2bd76b9b68378487fd3f462544e953231064d13bf6e5b830e6cad3f22a44daa4baffd25429fc2db9861a686a55986f84bf4c2f972c2c6b7026c9b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e4d0c11caf3e97bbc7d10e1fe5a616d |
| SHA1 | 2bb688646ae3cc191c22752234683e09e4384dab |
| SHA256 | 13372e78b121851e494579e8884caaa53315a1004c4842ae2a7ecdde82720a77 |
| SHA512 | ee53957cf94e30992c78e5b1b2025f8f8ba0221746afce73b4da64e3501c70687793e6473af6bfbba2e58dc0011916b4a7a6327e9112bdfd94ce1d66de35fb81 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf21be597b9c224c33e9d1f69ddc7543 |
| SHA1 | 37a48e8827e2b9ad6dce1d9bcafd36d756c21b77 |
| SHA256 | b16d152dbf9d59c0aee5a6f34d5d8366c8dbd8734a5f039b47447de9194f3da5 |
| SHA512 | 76b4933f39022be75a005cf3c28226934ac490e448a2999f3279e5917e23be02381954357a5b66ebfe202e2def4670ab0657f8a25168267ddff4622430b4c7ea |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a42ea690e9d3aaef577aabf627670474 |
| SHA1 | bcb441ef45c52855715a22a1c362f4678f8ec9b1 |
| SHA256 | 5394ac224186e5df54a9a4b92fe8319c12a5abc8e2ceb7fdf8f74876de3b6af5 |
| SHA512 | c19d3e7c39402c070432cee8695eeb35573eafbb0d0ea719d9fe47c02ad91c618f3cfa5e2789a89fdeaa13793a4093e7353151c4f03e4b3026ca14725a5c43a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 57d4183631b4bf3f3724d861544d44ad |
| SHA1 | ba3deb2858174ea2d4edb5160c619898f0eb6b82 |
| SHA256 | e861b8bfbb405ff21bc74a2e678ea1822202a32d60030985fd19a5a5acbc785a |
| SHA512 | bf65b841e85df98e5059e21b2c0cad0cd343de8b83f753ac772a17b76172fe007a592a4af10853638535f17607cf8ebf319c0aafe2b5fdb2261ef8f428f2e142 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 83ad9203af54ce101a4357a3858f7583 |
| SHA1 | 5d188216558f49af489f2fd52d28a71e58bead9a |
| SHA256 | a98e6050f90c38ae5fdd053f50e7a287b38981e042a4fdaad0c6168414efcfb3 |
| SHA512 | afd1dbe80bd3637716d2e68d0de019d8cecef10718d12d00450f94f39cba41cfd8f98acfa70b51bc8938e72c172c5ccdd3f2151ca94bcdef4846a4416d2eb74c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d33c3ed493dfe895e51d39460be5a113 |
| SHA1 | a1bacad29927af374cf18a0e44441e8f14791f99 |
| SHA256 | 378d890b57b2b6035350aa3e3fd6da1b96f6aaeedf3dde9bb4cdf76ffc6cdc1a |
| SHA512 | 185a44e78abdd28876f08682a5fd30576272d1b5889c8b388cc2e65dc33a8c5ce52db862b830dceeda1c452d74768cd82adc1672a9fad763b41058df373848a8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | fb72d33f54fdfd2db77500633bd0cd5f |
| SHA1 | 11dccdd52712d13e74d1ae43ecf8553ab8f67db4 |
| SHA256 | b86e91c7409d9aeeda2cd01cc7d05410525875e46bf7edc32a7faee3a6a35cf3 |
| SHA512 | 0403b4827db673aea04496f5562efca82c5b6704266d71a8e6bd08513a6b69ef5f487b6744df9a5dd03c2aa5f911059f4b0d23915e729bcc6ad16dd167b0141c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 916178f2f61d0df90192d03172ab2399 |
| SHA1 | 6021ec46c46b1184d6ce55c6e070e5c4a7dc575a |
| SHA256 | 03f9e0b455cfbb7bd257b7aed34115bc173f8a4972e081a0a11238090e74ae2d |
| SHA512 | 69f800861afc5e5b63f20c7cedebba0ec82e1f2a2c216e420fe45ed47d058911d12019900f17c8317e2c8daa0ac029a8152632fc69584a000a4c5bae4261bedf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 42c4687c37a7d4cfbd153202fc8cca96 |
| SHA1 | 4d09134425cd151c934cf75574fbfa8e294169f7 |
| SHA256 | 4519b76c4b8585930c04411d1837f3220c47c98516695ed68aa176b17c5dd2f0 |
| SHA512 | 1eccf0aad3537aa694e97f12017d4d4a43ced269a8d6d29e72caf48cde2e27c4b2032d807f0c94449c51ff38fa6a82968af43d379d5a9bb49ef0125e46bcec78 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a83b37f1e7ad864b97c2bc722129162b |
| SHA1 | be317b76bc7897e2ef0a7205bf8e571d3ac5d981 |
| SHA256 | a3c9862e4b81599e3cf50609556b9f37a94f29f1760fef687337955135bc7758 |
| SHA512 | 18a1ffb756c27b6fa1de7b208ce008bb6d6e08b46200dc2df40bfde47b7c0fb9acf2a396cec721dcb41414efa107a5562927b710e2472bd2798ba9d61d603b23 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f4041ca7ac724aa279c916a945d0272 |
| SHA1 | 2b5d165b9d50e7482dbb9f9748b01dbe6c4b646b |
| SHA256 | 870a1f6aab375080ad608a53aea567ec3ac4921fd8cbd95be3db070c0e0b4782 |
| SHA512 | 1030cf1a85c308def1c16e95654d7821870537f7299322e8cea94c783fcd4207966fb6a4def1f4655d75e52c82860f0fd0e18345514511a45f31ed4860575499 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb98866331e6b7cb24b9a2b26d3d541a |
| SHA1 | f060775e4f90e8d8ab5900fe329389d779ee0182 |
| SHA256 | 1f9d2443e5605ec94eb18f26744538da1aa3c395d28ff8c4ed3001fc50bef6ec |
| SHA512 | 2e66548a7390c8dc629b4a689e1a3b3ca65f64814e5f9fe6e450ecd8a9c67dafe80cfa145977e860209619e92b9aa72299a69c3b091278cbd0d1e87851950cc3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 20b2dedeb1a7f015ccdc2ef0c69a911c |
| SHA1 | 12efb9d230892ba1476bd4b892a3fedfdb4e6f06 |
| SHA256 | 75dc7688291ff05b7cdbc6e57d3a42115ef49b57378e5f837daa2fd5febd0eae |
| SHA512 | 3edf0edfb2fae37a0644370868024cca0cc4af18c04419a7d441e5a4e8ffac684d07c0c015ade59e28033af6768d66a1c4c62a7c67dd913b27fc33b514851419 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6e2dd6fbede4323d7a1f07298facf3d1 |
| SHA1 | 6e28e993517e26577747644c2c57d7ec4d122c72 |
| SHA256 | 14f1b7188a8b864cbed2d87eb7f77f727bd39697085a2e9cfba2d56580be3f38 |
| SHA512 | f0db1fd09204e29497f60c6ddbfcd1f4a8537f68340d6125ddffec5195d485478a7c3d321bcf1cc3d2c60ec25655a6a9ea29472e8407bfd8e07de6b0d01243dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 883e0bca762edef15afca22a88b6a6c6 |
| SHA1 | 6b8d50e4c5dbc79276a647c54c2066b92a9b6379 |
| SHA256 | 3e60d639b70c88661167095c21e9e0d63dac3f09863f0ea1a172f13c95356d6f |
| SHA512 | bc25fad8d3ed599860fbc11283a776a7e907fb47b2914159e58e5d282ef6d6dec96bfd06d329f5453fce60cce73eb89a473ccb8f148db0ccb44b3fb6da5b0a81 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ded7dd78105db2fabb13e992974e7b7a |
| SHA1 | 53a5b8d1ef328f13446d2bfda2c1464ebef959de |
| SHA256 | 2aff38ff6216d6fb6bff150cc590a547cb2a55965c066e37c16062af82583034 |
| SHA512 | c4076468c4e9040618199f2708db36ce9e2b4fbf33062209211e079ee3843b8e74f267035ac441a2dfd6142a25b41ebdac75fc82ce536b19281c9ee3ec8dffc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 999a670f315285a2fb3a6c6574779c31 |
| SHA1 | 36631f4775c6330bd374c320881b476487177e6f |
| SHA256 | c5fdb46b31ce025aeeda6719712046dbbb4cee50551168abde714a54b92a429e |
| SHA512 | 008d6d23e2067bed99eea1f136c88833ef4f2c4ffd17cdf8841c35f64eff951f98c7dd9a5a3c0a0330661d4ff224fc14a3e2ed42d8c4f59dcacf30035eb27fc6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90242ba68a93f854f281fe4d100a26b1 |
| SHA1 | a2bb694e94a4846bf797ba928148321eba613108 |
| SHA256 | 1c8ab5ed606cf0a3df9a0709ad43f48247b60ba3729bbe63188e964a453d67d6 |
| SHA512 | f420318a239ec27f4b5da82fd43a4686ebdf13e7c44431679667eca6f98ecabcbcfd189d0151c4217cf427b2b08b1792ca66670fd617e98c32b00936e6c8c156 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ac83c548992a88eaf60ffb6331f394b2 |
| SHA1 | 1ac5b6a75c465d456343c10a91e7469dc0156ece |
| SHA256 | 3cdd1971051d2b78b640f0c25b81e2fb500ad95811009f19b89d01e76a5cbe95 |
| SHA512 | 6d6f22a60c25a41dbfa78b1580008157d7b375dce7bc21bfb9ee8c14f749182a60900771b211e45bf78f5715bd0e04dbcbe996ff54c01318ff75a753fc22599b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 49445c9568ad6ca4ddbee3933939d924 |
| SHA1 | d1cf49791a23cb6e1f0cc667cc3eeaaf098eea5b |
| SHA256 | 3bbe31ec719b6741c754e55af47dd4c31c9dc4eef80d9fdbc2bd5d5fe1ae4bcd |
| SHA512 | 3e75309e8e813fc3326e17ab641c34151f3fd2750c3e65abcab5782a8c1c625aeb245b5f1175cb578cba1b2ac77f7b9620052685454071e91dc1a56ab389e426 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a47c81e4a73d18dd57d8a37ebcfc8e4d |
| SHA1 | 9d0e54a4a5288e6917ee7b5a6fddf3a2f8d8646d |
| SHA256 | e8de4f3f9d6c5a081b96ed509548087cd8c8d219e6f050e886b8ab1df2d84a5b |
| SHA512 | b35f86543c81df28c22d0c55173ea1d8dda4faa9355700634e7a62111e21fe467b275d650166a00cf419d826a7f92754707971750eb7f76bc368f6006662744c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40aa17a730b6647948418092ed41af5c |
| SHA1 | db590103dcfcb7741d1313e4ff85c7fbbee752b2 |
| SHA256 | f3f6d7b493b9d8d48870175bc163c9eaa6fcbae481ea8c544ba19765cbefd818 |
| SHA512 | e8586981c1c70e0d2eba4e249d78d0b57f263697690631503c1219a67d1fd9e99e6bbe50aa7bdafb76a573252a7351ed998bb4376cde1acc68e2b94c8b7d84b8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1f79c37a94c7b67885ee5aeb50b9c872 |
| SHA1 | 86c7a146ce36e15b1a71182606b3bddec8b6438e |
| SHA256 | f11b2ab38d0238b9d07beb1c382e616ae4295978e43d5fb1ed7f40791af31ce8 |
| SHA512 | e7d605792b8bb03a64a0daf5c8c8c853bfcf15313cd9e6ef1819505d8d0b21e9e40fb801ebca3359c4559d8f01189adf99347f7de1e25bd8dcf4e938ce994186 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4e9e7f1a934f7faad4762d0beb7b9197 |
| SHA1 | 6a72650f391ac96a7a4e2067f0338f6ee41e377a |
| SHA256 | ce6047878fc58e2a49f707ce926fdd7131780cc78876dd9ea5b8664449187a0c |
| SHA512 | e8e566c23eeb98498887b89eed8530e313f163eee096b60cc6047b0010e568fb098e2b024438ca99b9da36542c644aa34f63739b14add367e494d3f9ccd0e351 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c1b1f6b88b47779231b9e8400fe2d418 |
| SHA1 | 9ae2f4494aba7c1cfe29d59cb8dda3f14a3209e4 |
| SHA256 | 4c87865a681deeb8c0e00e363ee1aaebf10d5a1c8694ee1a2d357e7700ec97cc |
| SHA512 | 0ee2ca74a9f5ca7840566d4c780607a600293decdcc26ebf2e9fe0bd80369e76a220372946642861138f27d3dc1c30f9e1a7b064bdfbdf088708f6e4ab1af662 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4889f9de5cad2ede09da702127b7b23c |
| SHA1 | 625173fa7463eab2b5d36ab32547f903b681229c |
| SHA256 | 86de31d39ad5661f7a5c1e7313bb8a3c13f28fc06520e1b895f286008249b2d6 |
| SHA512 | e6a5c442d44f6c0790f6cb2a056d3afba227e1d75604926705c31c943e3f223c7155fec528fae7bd688e838d781f3e92d4e6922c26019f32da0bc1054c72ecd7 |