Malware Analysis Report

2024-10-19 12:19

Sample ID: 230920-hrn4rsee9w
Target: chrome-update23586.apk
SHA256: a6e664bd38d4c2030e107e16efc00905f85554196bc3c4ba777edad54efefd09
Tags: octo banker evasion infostealer ransomware rat stealth trojan
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file chrome-update23586.apk was found to be: Known bad.

Malicious Activity Summary

octo banker evasion infostealer ransomware rat stealth trojan

Octo

Octo payload

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-20 06:58

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 150s
Max time network: 125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 420ddba988de5005ee5a10b465384f70
SHA1 83d9ba84f4d9c5984bd7c9021b954e60a418e210
SHA256 fc878b38ef110316dfe13a37fbf909a4437b9e9205df9a865a39c688a28e3fe2
SHA512 369ac218b6d624cd3aed2cdf811a27ae26cf5c8a650dcd41639f397e160bf317a3ee1320112b302731ff96135da2be8afb3d204019f5b0aed0538873d088009a

Analysis: behavioral21

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 120s
Max time network: 123s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ua.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ua.txt

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win10v2004-20230915-en
Max time kernel: 86s
Max time network: 126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_2.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_2.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win10v2004-20230915-en
Max time kernel: 91s
Max time network: 154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 120.208.253.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 150s
Max time network: 122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_1.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_1.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_1.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_1.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 6e3f84ea610a10a13b8794afc785b385
SHA1 8242da2f313a6c5529bc6b3439bd4d512bfd4701
SHA256 5b7cfbc8505456818f9db4755f78f3ea7eae7892d81ded0ed078b5eb65e24df9
SHA512 ef30ce4ad831867a73a9873c92de54890be56f639c87ee73dc2d7a5e46a8da6005c5324987c989c2d28f416c475eeaaccc32ceaa968e5342c1ab51329ea51f59

Analysis: behavioral24

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win10v2004-20230915-en
Max time kernel: 137s
Max time network: 143s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_1.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_1.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win10v2004-20230915-en
Max time kernel: 139s
Max time network: 154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_1_en.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_1_en.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 151s
Max time network: 126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_2.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_2.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_2.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_2.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 15f2cbffd31e41c6d38bf7e0b70eee36
SHA1 8ebd901df11d706ad97e9cc772d7843f0680db66
SHA256 c6348426437f17b8cb8d7afc2c57c85a5122b7448f335b35e1bce7531d3f5a7b
SHA512 9e0310c90565a3a5f8d5aeba6ff6a5f9a11b1becd63bfbb4974d3e386d2c82c20ac2170ff336a5a0dd184e977b1e1ab1426bc90df8a8bcc7f5928ec79ac0648b

Analysis: behavioral11

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 118s
Max time network: 121s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_kz.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_kz.txt

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win10v2004-20230915-en
Max time kernel: 103s
Max time network: 119s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_kz.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_kz.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 254.105.26.67.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 152s
Max time network: 122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_3.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_3.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_3.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_3.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 ab2e1baee0c3dcb228aef5754e8c3a89
SHA1 1d0ce085cf9fdc67aa97830ca9ff6b850f716269
SHA256 5ce250d0df14e82096b0ba68111e744d4d332a687287aba66b28110403c841e0
SHA512 75690e239a00b32032941ae0efd10a964c470fd362c3273e72dab80204945e76dd357d45b8651ac3ce8ae8ae4cda7e96feca1faef8ad64a63b6cbb8c4489b42b

Analysis: behavioral3

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 152s
Max time network: 127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NKFq.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NKFq.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NKFq.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NKFq.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0b467a4c4c3fc3b333fc4c3baae0edc6
SHA1 e5fb687d875ba9529aeb018d23bf5ac24858193b
SHA256 3e36550c33d765ef5ea2e200d5f91b3f6f1fa71be061a75c886273d6e5d321d4
SHA512 b51b03e8f9208be4ca0e30f33c00b95cad49ffecf4a23af651ca6eedf1e36e94913ddcbfc790769632857e9ad986503bb60d34e22c65c2e9e5c11f865ed221a2

Analysis: behavioral13

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 120s
Max time network: 124s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_min_age_16.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_min_age_16.txt

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win10v2004-20230915-en
Max time kernel: 142s
Max time network: 154s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ru.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ru.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win7-20230831-en
Max time kernel: 151s
Max time network: 127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_1_en.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.json | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.json\ = "json_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\json_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_1_en.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_1_en.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_1_en.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8aecb5421616ba72a39977b4888209d1
SHA1 f87db84b13a3a195479182a0d91a3fec13b379a3
SHA256 8675284f848ed7fc77195a33ac74f018dfb7e333770d16c7f96e99fc8e121cb2
SHA512 c3ab50b3b61563edfee7856b9c0c6ff3b4779643c80b54b3775c9ee49840c49a2f8bc4f13c594b3a8b57c0fa1664789b90215adb610a9a71d19648af27dc1db2

Analysis: behavioral8

Detonation Overview

Submitted: 2023-09-20 06:58
Reported: 2023-09-20 11:25
Platform: win10v2004-20230915-en
Max time kernel: 142s
Max time network: 156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\clips_onboarding.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

151s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_min_age_16.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_min_age_16.txt

Network

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win7-20230831-en

Max time kernel

121s

Max time network

124s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ru.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ru.txt

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win7-20230831-en

Max time kernel

151s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_2_en.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_2_en.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\data_2_en.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\data_2_en.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 4078bb3693dbf7863c80c62cbd6c7c7f
SHA1 d830686b40de3bd08809ed16daeddec574ad330c
SHA256 208d801c7b567fdefa7ef7d49672512420c0dc039ab9067e51801170525ccdc5
SHA512 7d1913fe0dcc3ef2e26d71cef32b0be193bc807cdc27affb7d1ac178683ead338a7cdc9af0380c67c560cedb6a892c0aad21805ef676366c2e613c20487a4cdf

Analysis: behavioral9

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win7-20230831-en

Max time kernel

118s

Max time network

121s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_en.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_en.txt

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

android-x86-arm-20230831-en

Max time kernel

2992017s

Max time network

134s

Command Line

com.pressfigure65

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json N/A N/A
N/A /data/user/0/com.pressfigure65/cache/hcjfh N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.pressfigure65

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.pressfigure65/app_DynamicOptDex/oat/x86/NKFq.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp
NL 142.251.36.10:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.170:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 9r8i1u84t2gp1.online udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
N/A 185.161.248.142:443 9r8i1u84t2gp1.online tcp
US 1.1.1.1:53 arw2he7x57wp.pw udp
N/A 185.161.248.142:443 arw2he7x57wp.pw tcp
N/A 185.161.248.142:443 arw2he7x57wp.pw tcp
DE 172.217.23.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.174:443 android.apis.google.com tcp
N/A 185.161.248.142:443 arw2he7x57wp.pw tcp
N/A 185.161.248.142:443 arw2he7x57wp.pw tcp
N/A 185.161.248.142:443 arw2he7x57wp.pw tcp
N/A 185.161.248.142:443 arw2he7x57wp.pw tcp

Files

/data/data/com.pressfigure65/app_DynamicOptDex/NKFq.json

MD5 a8f77d5722a4e089752397852a305a2e
SHA1 99124b37a548883dd05eb4007f2b697cef33898a
SHA256 91fd4d4ac57df1b30bc40406d2e03d68055633d5bf2cd8a184eba6f4a222c7ee
SHA512 a29486bb4abcff207030c8ea1d3fa4fd98654b178993847e50da19501e86360197bfb15067a7ece47ad75181e48c05f4ad1596ea436ef64490f4ae4992a5865b

/data/data/com.pressfigure65/app_DynamicOptDex/NKFq.json

MD5 87f9025a2e6ce4806027e51a2d05a15a
SHA1 ff1b6e1f28e153f9b3f74e957953c8b53c355d01
SHA256 f130a5bfcfa239dfb6c9807a02599916683bb334be342c7f3e3d97a725a55a76
SHA512 98011fe3bc58cbd91c3c074104dd443c517e58522628a33b495f73f5b61f2fa58bb2b5597232341f3a44c2b56f98d71cde635c8d6352673c1e4566b956febf32

/data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json

MD5 af73f1889e4ada2c7fbb0512c31c6dbb
SHA1 927cae26592a79b9eefda0dc8e8473954b3b49cc
SHA256 67b19fae633db8d33717975a406969e59cc00f2e70bd43ae41c79349c6f74a7d
SHA512 be7a9381f6169910e0baf052bd2978ea5577e024074d68e909244e3e5c248e856d90a9cf42bb9819a7e285a8e9fcf159f4a8de9a5c099e6f0f6b87e3e2f3916d

/data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json

MD5 d081aaa8c167bf676a3521d7dc6c888e
SHA1 cb56830b448ab1c485656d22d509b36839ce9acc
SHA256 d38501e22d23feb948612ea574812d167bc04874ec194ddb20864ca12b5f961c
SHA512 aa85ee5587af1c8565dd32ef2c38a8d0612d5be0fb76cff94707e2b7fa4d44dd6c2106deafcd2df9f9b2fec633f78c98ccb745e567c5cace9b5af0901a4b7fbd

/data/data/com.pressfigure65/cache/hcjfh

MD5 59e431e1f02923d8d1de501547797bb6
SHA1 5be8d6ec7112fe0d3beb30f19967b4ca232b1a17
SHA256 63dfc78268b922a5d0fb34f3b56d7bdd24780176bf03dbd4bbff71a5f019d7c0
SHA512 72a2f60d6a163bc7281ece342559684e03b230e6f7e310c09301be4440a78e8340f490e4e73a47401d366f0f1de2879ff8f5bc9e81905a9afbd070cba61b26aa

/data/user/0/com.pressfigure65/cache/hcjfh

MD5 59e431e1f02923d8d1de501547797bb6
SHA1 5be8d6ec7112fe0d3beb30f19967b4ca232b1a17
SHA256 63dfc78268b922a5d0fb34f3b56d7bdd24780176bf03dbd4bbff71a5f019d7c0
SHA512 72a2f60d6a163bc7281ece342559684e03b230e6f7e310c09301be4440a78e8340f490e4e73a47401d366f0f1de2879ff8f5bc9e81905a9afbd070cba61b26aa

/data/data/com.pressfigure65/kl.txt

MD5 6311c3fd15588bb5c126e6c28ff5fffe
SHA1 ce81d136fce31779f4dd62e20bdaf99c91e2fc57
SHA256 8b82f6032e29a2b5c96031a3630fb6173d12ff0295bc20bb21b877d08f0812d8
SHA512 2975fe2e94b6a8adc9cfc1a865ad113772b54572883a537b02a16dd2d029c0f7d9cca3b154fd849bdfe978e18b396bcf9fa6e67e7c61f92bdc089a29a9c355c6

/data/data/com.pressfigure65/kl.txt

MD5 0e98c491011e242b195c9e5e169f4e4c
SHA1 f2454484747991d786b1ea517e977890a86947b1
SHA256 c25559353ad38fb1cf95921d4b382833f917761fc18a46e9c961ef015c9bdc3e
SHA512 fddd7b77ca7dd37dbb2368e8da2e6f16c0c4d3aefe4ef967c7b723dad31c71ac72264cebcfbb9fad3927ab3bfb6165b29547a2bf9996cde362382594859e7f7c

/data/data/com.pressfigure65/kl.txt

MD5 865fef754e4774ad095dd4d3b3fd2720
SHA1 dfcb9513b1f398af56ee6f8d4b3e756de7d4a1d8
SHA256 8074ad1bd7934ab750f4870df2d520539d58c7b243eee1e6940b597c5bf719b9
SHA512 0d51de9d1ba3eb7806ed0886c17e5ce641e011a5271af0371d465934127ed5a503a3022f08cb2d746ae4b0bdcb4254a7bc5cbc7d403fd317309c1d5538382c78

/data/data/com.pressfigure65/kl.txt

MD5 fc78b26475c708f52b439885c8d5e1ff
SHA1 dee0fbcde0e6cd5caf92dd349fd3b0f68d1aaf29
SHA256 2e909ccc2d94eb5487e80d4b092d84b4dadfc4a956c3fe873252f908f73d706b
SHA512 cb7cc46114986064b69c8cd3af3d1482c2f3f2832b138dc805960be2ba39c059e33b4018829a21383623d23a767f43437a2c1c808bc4568a0fb561b9613c7396

/data/data/com.pressfigure65/kl.txt

MD5 d0f3085ab000d7c808b4a707de417add
SHA1 24c1191c820d75c61adea1794320cef8eea1b799
SHA256 f0ed5e887ab0f464c4c03d2f17b36a8dbcfb0a0772d98ffdd9c9a32ce91b5545
SHA512 ecd75d16ddde47ff69dca3de54bf83ee2fceff731dc021aaaf7f9f305dc732bd4ea260c5a984bdb17529569d7f5056c4af8681d6b0d4e9d0bbed28d4ec43e8b8

/data/data/com.pressfigure65/cache/oat/hcjfh.cur.prof

MD5 1828bc0f2f177421c47b268d04ad8319
SHA1 5ef4f025dcc3fd3ddbc0f5acf423730e5d232c39
SHA256 198195a745c211b29813da215269affe2f076f8f83f1bdf6a83c1cc574e41e2a
SHA512 7c6b95e3a49581cf55c8ec4ff36778cedf0d2f8b2fb5c68b3e9d38a8d7cd9c82e48ddda534d4677d1ae15f245ab4e5793c7ccad1c5453117e1397fc05895a896

/data/data/com.pressfigure65/.qcom.pressfigure65

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NKFq.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NKFq.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

155s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt_br.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt_br.txt

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

156s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ua.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_ua.txt

Network

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

147s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_2_en.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_2_en.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win10v2004-20230915-en

Max time kernel

139s

Max time network

155s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_en.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_en.txt

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win7-20230831-en

Max time kernel

151s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.json C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\.json\ = "json_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000_CLASSES\json_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\check_circle_outline_56.json"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 0b4e302f2dd8523b3ea26b0021f94d69
SHA1 493f01f0da3381b50db8eee9c35623d75b92e73c
SHA256 d6c9e45106defcdab08069324118108183466530a72d1de501842b4e6774b25f
SHA512 df3a70db67cd11c31413bd3c72f0deaf1166bfed6092a303679ae3eded01e25ec8b8ece75fe5e58f70c824c5151a34923a660bc91a5d4e20ea65c6c621e48c25

Analysis: behavioral15

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win7-20230831-en

Max time kernel

121s

Max time network

124s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt.txt

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win10v2004-20230915-en

Max time kernel

133s

Max time network

156s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt.txt

Network

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win7-20230831-en

Max time kernel

122s

Max time network

127s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt_br.txt

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\countries_pt_br.txt

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

win10v2004-20230915-en

Max time kernel

142s

Max time network

150s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\data_3.json

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\data_3.json

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-20 06:58

Reported

2023-09-20 11:25

Platform

android-x64-20230831-en

Max time kernel

2992021s

Max time network

162s

Command Line

com.pressfigure65

Signatures

Octo

banker trojan infostealer rat octo

Octo payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.pressfigure65/app_DynamicOptDex/NKFq.json N/A N/A
N/A /data/user/0/com.pressfigure65/cache/hcjfh N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.pressfigure65

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.251.39.110:443 tcp
NL 142.251.39.110:443 tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 9r8i1u84t2gp.online udp
US 1.1.1.1:53 www.ip-api.com udp
US 208.95.112.1:80 www.ip-api.com tcp
US 1.1.1.1:53 cm603lzeyxdw1.site udp
N/A 185.161.248.142:443 cm603lzeyxdw1.site tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
N/A 185.161.248.142:443 cm603lzeyxdw1.site tcp
US 1.1.1.1:53 9r8i1u84t2gp.online udp
N/A 185.161.248.142:443 cm603lzeyxdw1.site tcp
N/A 185.161.248.142:443 cm603lzeyxdw1.site tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
N/A 185.161.248.142:443 cm603lzeyxdw1.site tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 cm603lzeyxdw.space udp
US 1.1.1.1:53 arw2he7x57wp1.pw udp
US 1.1.1.1:53 cm603lzeyxdw.site udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 cm603lzeyxdw.space udp
US 1.1.1.1:53 arw2he7x57wp1.pw udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 cm603lzeyxdw.site udp
N/A 185.161.248.142:443 cm603lzeyxdw.site tcp
US 1.1.1.1:53 9r8i1u84t2gp1.online udp
N/A 185.161.248.142:443 cm603lzeyxdw.site tcp
US 1.1.1.1:53 9r8i1u84t2gp1.online udp
US 1.1.1.1:53 cm603lzeyxdw.biz udp
N/A 185.161.248.142:443 cm603lzeyxdw.biz tcp
N/A 185.161.248.142:443 cm603lzeyxdw.biz tcp
NL 142.251.39.98:443 tcp
NL 142.250.179.170:443 infinitedata-pa.googleapis.com tcp
N/A 185.161.248.142:443 cm603lzeyxdw.biz tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.208.104:443 ssl.google-analytics.com tcp

Files
