Analysis Overview
SHA256
1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64
Threat Level: Known bad
The file 1b51293002041bfee9c8daba4eda7fe5b4678ef1b9ee693cced004400bf01d64.bin was found to be: Known bad.
Malicious Activity Summary
Cerberus payload
Alienbot
Cerberus
Makes use of the framework's Accessibility service.
Removes its main activity from the application launcher
Loads dropped Dex/Jar
Requests dangerous framework permissions
Acquires the wake lock.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Removes a system notification.
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Analysis: static1
Detonation Overview
Reported
2023-10-14 00:51
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
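The permission set above (SMS read/receive/send, CALL_PHONE, READ_PHONE_STATE, contacts, accounts, audio) together with the Accessibility-service and battery-optimisation behaviours in the summary is the usual overlay-banker capability profile. The following is an added example, not part of the sandbox report or of any tool it used: it parses a decoded AndroidManifest.xml, collapses the duplicate storage entries the report lists twice, maps the permissions onto capabilities, checks for a service bound with BIND_ACCESSIBILITY_SERVICE, and produces a heuristic verdict. The manifest is constructed for illustration; the package name, class names, WAKE_LOCK and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS entries and the service declaration are assumptions modelled on the behaviour summary, not data extracted from this sample.

```python
"""Manifest triage for the banker-style capability set flagged in the report.

Added example, not part of the sandbox report. SAMPLE_MANIFEST is constructed:
it declares the permissions the static analysis listed and adds an
accessibility-service binding plus battery-optimisation/wake-lock permissions
to model the behaviour summary. Package and class names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions grouped by the capability they give a banker/RAT ("any of").
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE"},
    "device_profiling": {"android.permission.READ_PHONE_STATE",
                         "android.permission.GET_ACCOUNTS"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "audio_capture": {"android.permission.RECORD_AUDIO"},
    "background_persistence": {
        "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
        "android.permission.WAKE_LOCK"},
}

# Constructed sample manifest (decoded form, as apktool/androguard would emit).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Placeholder">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def declared_permissions(root):
    """Set of <uses-permission> names; duplicate entries collapse."""
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")
            if e.get(ANDROID_NS + "name")}


def declares_accessibility_service(root):
    """True if any <service> is bound with BIND_ACCESSIBILITY_SERVICE."""
    return any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
               for s in root.iter("service"))


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    caps = sorted(c for c, need in CAPABILITIES.items() if need & perms)
    acc = declares_accessibility_service(root)
    # Heuristic: Accessibility + SMS interception + telephony or contact
    # harvesting is the overlay-banker pattern; either alone is weaker evidence.
    if acc and "sms_interception" in caps and (
            "call_control" in caps or "contact_harvest" in caps):
        verdict = "banker-like"
    elif acc or "sms_interception" in caps:
        verdict = "suspicious"
    else:
        verdict = "low"
    return {"permissions": sorted(perms), "capabilities": caps,
            "accessibility_service": acc, "verdict": verdict}


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The verdict is deliberately conservative: a manifest alone cannot show the launcher-icon removal or the dynamic DEX loading listed in the summary, since both happen at runtime, so those remain a job for the behavioural run or for decompiled code review.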
Analysis: behavioral4
Detonation Overview
Submitted
2023-10-14 00:51
Reported
2023-10-14 13:13
Platform
win7-20230831-en
Max time kernel
120s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-10-14 00:51
Reported
2023-10-14 13:15
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\HM_JsBridge.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-10-14 00:51
Reported
2023-10-14 13:15
Platform
win7-20230831-en
Max time kernel
135s
Max time network
152s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not preserved in this copy of the report) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5BAF5CA1-6A93-11EE-BA54-F6205DB39F9E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008c66dacf3255794896cbcb5ac20a7140000000000200000000001066000000010000200000000ab2912127fd5a1926f73133f2b7be0b875c63b4538207464f259d1b0d882d3e000000000e800000000200002000000075881eee1bdb0570f2c2e8dc9633b47ff73842eac5903fe0fddf31451c2971dd20000000760307e47b215557860b1fa1fe17a862a53bd0aa3428886d5860596e3af72e824000000037b70c1a15c7f7305a0b440f2f429ac84b414a9bf3f6836990fcfe7640c44c4f4efeb11b49a8c4de6dc4a05489b0be12314e375ef1dbe6fe9f2e39d9dbd2da67 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6061cf30a0fed901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "403451032" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 2052 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1200 wrote to memory of 2052 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1200 wrote to memory of 2052 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 1200 wrote to memory of 2052 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:2
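Every signature in this run is attributed to Internet Explorer's own processes after iexplore.exe was handed consentform.html, and the WriteProcessMemory rows pair the iexplore.exe frame (PID 1200) with the 32-bit IEXPLORE.EXE tab it launched with `SCODEF:1200`, which is how an IE frame process starts and initialises a tab process. The following is an added example, not part of the report: it encodes that check so the frame-to-tab write is set aside as browser-internal and anything else is kept for review. The iexplore.exe event and both command lines are taken from the rows above; the wscript.exe event is a constructed contrast case with made-up PIDs, not something this page observed.

```python
"""Separate IE's own frame-to-tab process setup from cross-process writes.

Added example, not part of the sandbox report. The iexplore.exe event and the
two command lines are copied from the behavioral6 run; the wscript.exe event
is constructed so the filter has a case it must keep.
"""
import re

# (signature description, writer image, target image) as the report prints them.
WRITE_EVENTS = [
    ("PID 1200 wrote to memory of 2052",
     r"C:\Program Files\Internet Explorer\iexplore.exe",
     r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
    # Constructed contrast case (hypothetical PIDs), not observed on this page.
    ("PID 2960 wrote to memory of 3104",
     r"C:\Windows\system32\wscript.exe",
     r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"),
]

# Command lines from the Processes section of the same run.
PROCESSES = [
    r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html',
    r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1200 CREDAT:275457 /prefetch:2',
]

EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")
IE_IMAGE = "iexplore.exe"


def image_name(path):
    """Lower-cased file name of an image path (case-insensitive on Windows)."""
    return path.rsplit("\\", 1)[-1].lower()


def image_from_cmdline(cmd):
    """Executable path from a command line, quoted or not."""
    return cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]


def ie_frame_pids(processes):
    """Frame-process PIDs that IE tab processes reference with SCODEF:<pid>.

    An IE tab process is launched by its frame process as
    'IEXPLORE.EXE SCODEF:<frame pid> CREDAT:<...>'; the frame then writes
    into the new tab's memory during setup, which trips WriteProcessMemory.
    """
    pids = set()
    for cmd in processes:
        if image_name(image_from_cmdline(cmd)) != IE_IMAGE:
            continue
        m = SCODEF_RE.search(cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def classify_write(event, writer, target, processes):
    """'ie_frame_to_tab' for IE-internal setup writes, 'review' otherwise."""
    m = EVENT_RE.search(event)
    if not m:
        return "unparsed"
    writer_pid = int(m.group(1))
    if (image_name(writer) == IE_IMAGE and image_name(target) == IE_IMAGE
            and writer_pid in ie_frame_pids(processes)):
        return "ie_frame_to_tab"
    return "review"


def triage(events, processes):
    """List of (event description, classification) for a run's write events."""
    return [(desc, classify_write(desc, w, t, processes))
            for desc, w, t in events]


if __name__ == "__main__":
    for desc, verdict in triage(WRITE_EVENTS, PROCESSES):
        print(f"{verdict:16} {desc}")
```

The same reasoning applies to the SetWindowsHookEx, FindShellTrayWindow and GetForegroundWindowSpam rows in this run: their Process column is iexplore.exe in every case, so they describe the browser rendering the HTML file, not the sample executing code of its own.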
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ae608e716680375af089515825dda297 |
| SHA1 | 2fce1d949ed380d98a8708ac296f4639f4d03360 |
| SHA256 | bfb24f8f351f9a5083d7160db31f4ca420c64ddd28875ae552b7891891c32e9f |
| SHA512 | 24b5c9dc454646c48ed0a7a5310283820c1fe939681ba7163416d19429197166e7460587930aff2517479d86aae5b9189af858c991442d7289085950c6a35d10 |
C:\Users\Admin\AppData\Local\Temp\CabA19D.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarA1A0.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 84c6180aa21aff14e76ffda3e2ea834e |
| SHA1 | 4eaa0fbcf941c61890de09d941eb63408674d734 |
| SHA256 | a6183a3d00d32e6e36f5ceb4064947806e0f72bd2faa14e6584b254969bec55c |
| SHA512 | f9ed4e0ff3f78d775691b5b4810d181a146a0167e8a11b73b7b0222d9bc0e15a0f1776db14987e1876bffeac3aed4cb6900d5f16fc458255e44bd2d162c11e0d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8f380bcbeb8c631c828bc7903d91a066 |
| SHA1 | 8a3e67aa830d11dcfb78d006f115e0abf63c3782 |
| SHA256 | 0c3a3c1dfdf787cd2152bcba1c251819cc496ede380d51d9315ce86452cadecf |
| SHA512 | 364578925227d627f1bf0a82ef630a7b99f9d02504bd048dd45c1b95c1fc34f863d4fc6c71dd9d4903e6336c03920dbf0e369aefb6ab285ace30636d43f9c20b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6be92748cac9a5b6212dc846b3ad416e |
| SHA1 | 147233608051da2cde5cf9d590f36facdfc410e7 |
| SHA256 | 57b54290d5a75a4e7adc3b9df5c392e5c94ae85b7ce7f8aaa40390c875d4125f |
| SHA512 | e4594b46766f83d0001770517a4760c9ce55d999cba00910441a7fefc19ceb6255527941b34b7b66431d51fa64d8067fe4f66e100a29d2929ac41c42d1312305 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 07b55c736dd15c647c8812211f9c5b53 |
| SHA1 | abe52e6bea11a477d55f14045d0afa7237153476 |
| SHA256 | 54a18ad8b686b82604f4187d28fd770c6fb0ab2172f7ddad88d50aba8ec351f7 |
| SHA512 | 66ee4e89907a6adf9b7e3c7592a7a6766d38c634f21e3eb422f5eea2990264753fd3f3743724e3b6922283e9a603836925dde6b159ce8a641e6e2eef44991b03 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b90da6e143014d7df76ea3358d5a6115 |
| SHA1 | cd0b14f9ccae7b371b6426cb7238eddec25a5077 |
| SHA256 | ce8281499945a9b1ffa4b6995332563689eacd169185113317647e75e2b1d363 |
| SHA512 | 32cd7b774f8c5715bece6372d6ccb05556c210ec6fe9b8c0fa67ffae67274d4e963e5f1c1603ff05f4b56579ef1232ef44026edefd1aaccf4e1abf4017969b04 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 722db67132055caafe61953cd561f026 |
| SHA1 | 30016262435fcf96cf2782cadee89435cf3c0515 |
| SHA256 | 882adb43b65d2baf3a76ccc720f27e14b4ded5c6008bc129c081601d0bcde1f4 |
| SHA512 | 626559a1482e79b4690cbf760f19e7d08c26c117265640eb3942f8239e4e123ebc8b5074f255b34bb898b5edf043f0d48024dcd249ea0b8599985d556c9aecad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d0c9b108768b676fbd804981c10d4ee5 |
| SHA1 | 6638caf6c4fb86abbbceff90cb14b11f6b1287f2 |
| SHA256 | 226f53668b59c1be80f6534d51be3be66cb213ef17d603f86dcc36ca87c813d4 |
| SHA512 | 466cd804983c3cf79165d7bb4a5d35b42d9818ea03434108e0fe5a55bb2472f215394ca9599a93d0ae1e831871127371e06c8a1dc7ede6e931dd37cd0f4b1753 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 30483b6af9387f3fec7de480a0fd6a70 |
| SHA1 | d804524f2b21c2fcf678f39104cdae0362a2c20b |
| SHA256 | afde15925ada4c3e606a6da64e5a2425fceb297baf4cbc2453c3d274013893e4 |
| SHA512 | c11f4753255fe2f0bffe223cdb4bda4d45f23c897561beeca4d411a93b5684166c1732029d9f51f633f3dc28d56a39322154612de619caf88b5c0dec094ab262 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c2d85f3a5bebb1238362fafe0006f90 |
| SHA1 | cb839b59892d6dd16f479f8f20b23e29bcd78ba1 |
| SHA256 | c7094b262c3022e9381789d7cd83771e25d0c729c30374477a70f45b34f4a3e0 |
| SHA512 | 532239cc7c1835d687af1e085713dacdeb40c1bb9af125ef2f1864ca202223c367b7ad89ce080501960292140c56d8f025481642b6fd8ee7c85645a2564b2d60 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8daaf4f145c06396072998d575aa2edf |
| SHA1 | 5867dd072d1f169b676a8c5f21fe784546ddea3c |
| SHA256 | b4547f07618c0495be8a6212dccb17404d3956a837f3ad48815e61c3db375f44 |
| SHA512 | a15df27fc34c19b6b484420e2e9fea6356f4046b06e54e34e0dd07d584f0a30811395525fb6c3c8602b9e7fc9c2f2ab024cdb0c661804223e82deac605c99c5e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 13dd6ed296eb20bbd95d1db747100d44 |
| SHA1 | 746e7318a159e6a87571fb44f3d160881270c266 |
| SHA256 | 97893bd6a3c9e028df192eb6c401138937e978a010b41333d0c6e8d04c75a451 |
| SHA512 | 05abe3bb42d572ef5f31c599f2fc7b9957129459c3f3641813028ebb3ee16c46fdd209e44982f5ca67539be4a9d6470e991af9d999c64bb4f95c3dd01c93dbc4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f217bbb87b7d03188d3049655104f28f |
| SHA1 | 6df679b2fc3821a6d558ba88fcc35dc344700f3d |
| SHA256 | ed0a9b6b6f71ffb4ab076155e9557aac6c6c4ddcbfe5cac93615403a4f033ead |
| SHA512 | 76d734a70bf27eb21c4c303c99738292a8d9d48177dc1749d935e517ef436826249b89847eaa296c3784aeb02994ec4c660c1f93a2001fe8bd251e151c15ef89 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c95590503f449e2043cb69f54507c6c0 |
| SHA1 | 0ad3ca50cee947c94255eb55b787da474b76edde |
| SHA256 | 88b11568bb07a81aa8774db8184293d94dc4f9e627e3ad19713f974d1cf20b20 |
| SHA512 | ec73ddf20a945118e16e5406c17a7878d0c4d2441b6765f9e6795a8e7816b45b5b6956a71d7e95443949bc830e2a3c5a566b86130cb81d26e5da3b25c13d9d8b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dfb637166f6c082c8210713b0cef8192 |
| SHA1 | 3c90a2a436664b811f13853dc22ca076cbf3b585 |
| SHA256 | bde457de0f4714277fcb8aa08b1ac6ee2fc06aa28017eb86d2bf1f7c85be279c |
| SHA512 | a44bd9a52397a837a31f1dd5c86088594da6c9f1f6399e34a0417f6a4480b513aaf22641375364a48aae4329fed4fb91b02755eb8771dec58e4b0de863c1c637 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | e97694635d72b53e6d27dbabd986af2d |
| SHA1 | 2e393a93d203c88de674ae4b2ddf0e391011748d |
| SHA256 | b45d421f6c7048349e49634f6b6192bc8f3d1bf32095855c803df974d79b9ea9 |
| SHA512 | 3d9ada2734cd49ddf3cfaf1759ea72d186ebff9346e11953b97548857c3038936f18c70eec735063c83d00409495d63a29cd3871ddc2f03557e88798ae19c257 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3deed1407f674123e0da884aafa8e5c7 |
| SHA1 | d19f7aa4ab07567ec85c5efc5828a7aa23d248d0 |
| SHA256 | bbe64f1afdafafd6c4140fc8ee4bb5c5e5e2735b7a04d58bf381dd0e88a9c301 |
| SHA512 | 1155705df88f4223efa2bb6663925776104992be5fce382af510d3eea794bdc984b0b0d18cac0611682bb8ed5727831ac30284c9c29b037bc410dafe4a7c2f50 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3cbe04441156d95d33f302852d35fac2 |
| SHA1 | f1472ac656850f81e22246b95c14ce8c274031dd |
| SHA256 | 9468f56227f5713e2458eb55da1990082bd29eff54f649550eb98dbbb3afa7db |
| SHA512 | ce3169179268c68f5a574deb1e53edd624eaf89def67e1d814384da660ec8c365bb2637456bb6e6867a0e8b7f5cb21b25f314b24f2027b2632fd5abb2e6a6176 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 793bbe657fa7f2affd0572cdf129e699 |
| SHA1 | 2dab20907586283f7b003a8ebec744ae902e9c0d |
| SHA256 | 5c05a6f6e83c016751b5473ada4ae756e7f5773d6322543db1c35d009cc66b94 |
| SHA512 | 10b4c4c93b5bea7dab8891d8ccb00ae08f647092567da5970e45efd6a1d194438425ea45ca26495eea090e9656c734d841a84fdd6bcbb9cc03b94a89fdd5f9b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | 5f18edd9738e5a37308c9303c33bd570 |
| SHA1 | f771b01ff3d199bdf8e694d2ac0c1c056cf58ff1 |
| SHA256 | 18fa8fc727a03980f5cb97fcc85e0c0336bb4351a8386f9d71ad766b6ea6e52a |
| SHA512 | b942ccb005612f654aa2898a76122acbdb777942270e035347e50f38e69e5931a1a748ea9a2541a73bdabde0abf85f369fb1198cd4c2e361fad7acd7484291fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a615a303c0681e69925cda4f6d956183 |
| SHA1 | 8afad9606c2fb9ed3351bcaf252406a1858b7f1a |
| SHA256 | 719d9569a27accd975e3f425171894c7135db05186e34197c6359500b99053b1 |
| SHA512 | 80f5578a587d5cd0cc72c2feade3ca258cc33eda27cde24fd45cf513613a6837f63b95361ef22a2992c7e8e4384262101c586f9768870f81e2408c6c42a715b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c6f2bbe0da2b29443816bc5029cd13a |
| SHA1 | a5522296956e777e3f3e7ebe08979a11d3dace6a |
| SHA256 | 520a837116684ddd8c7b13642e0fb53f3bfe8945ecae17a48bd7ff7e083a4a04 |
| SHA512 | f31cdb8720d37c23dd7dce39796e4a5390d0f315ea74d16a5304d3af6ed4acd2657d0330220619ad138461d56cc8a884f964b8d6967f7a4bbaf5fd557e3d200e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66bb9cb8231f8d486b4e8935b0936494 |
| SHA1 | 30ed5140d6608a947aa406a0d6da474dec316ab3 |
| SHA256 | d6b97d4030ac33e0ea60fc3548b9301d78cbd8d5a327631ead21bedaf85c8516 |
| SHA512 | 11d0cd6e4670d9c14953bcfa9887aed5a55c303bae515e69c9d3e875c74bec375fb20634eac4909c39bb96f39014bcc33a2ba85ad0cf3047ed952be17616ca49 |
Analysis: behavioral7
Detonation Overview
Submitted
2023-10-14 00:51
Reported
2023-10-14 13:12
Platform
win10v2004-20230915-en
Max time kernel
177s
Max time network
201s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404053993" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f0000000002000000000010660000000100002000000005faedb4956065c9aee2c65f49c59d9cb6072952a731d5990608948603625b9a000000000e8000000002000020000000192854d7fc0c8b419744318dda2fb65e56f874a45fd98e54c6060d454cbfcb7520000000f490e78b4215f75182649441086b7c7725e8640e8c87dd3418221cfaa00edf9b40000000c08597b02478bccec663d0b53d1bd452db2ca600316d3d33ec439f72f6743575ca79aaa3e661e36b2e7341e18b8cf9849e87ac7556501daa69468aaea8d308db | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\User Preferences | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\Version = "5" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3640144522" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0060ce09ffed901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3672020142" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063711" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f00000000020000000000106600000001000020000000ac23615edb0367cec832a9419a094fb1b46a7dad0ba7aa94bbaea549d7e9fee1000000000e80000000020000200000007bbbb016fbc91cdaa65851a0b87e3be7e5359f1b742f9df0257f431f153a531720000000fd6a5fc5f9b6976c3cf716445daaa0ebeb6abea896868e1a315338ba955572f74000000060f90e3d9460b4177105704df3e5418160187baa5e2cf3eedd5cfbae7355e30f415b07419a84c7412faa7b8815264c4e5990b8dfe2e00a3cbc955a12db6cf4e9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTSuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&market={language}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IENTSS" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0eb53dd9ffed901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURL = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IESS02&market={language}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = 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 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTLogoURL = "http://go.microsoft.com/fwlink/?LinkID=403856&language={language}&scale={scalelevel}&contrast={contrast}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{059C0BC4-6A93-11EE-83FE-56402FC161CD} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31063711" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000091f6bb296bed3f4ab6e1d050ca02d81f0000000002000000000010660000000100002000000006c6d955bd94d5def4d1da9d6dedede2b224134c73246df953ae8bcd57a5811e000000000e800000000200002000000014ebabc6f3bce1a6cbcc3850391a723057a640e48ecd4ddbd35568cee375a4211000000097a04e5faa309aa8411644e8d881b05e400000009f978446ab6f2ec07697ed153dba7b5f50ad99e04c15a228892451ab78421b80ef66ed05badeb29ff42d5a4ed547be1009d5611db9351f497cbf2e4dc5146191 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 042d5e82d5e7d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3640144522" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31063711" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTSR" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4964 wrote to memory of 4776 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4964 wrote to memory of 4776 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 4964 wrote to memory of 4776 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\consentform.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4964 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.82.57.23.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 131.253.33.200:443 | www.bing.com | tcp |
| US | 131.253.33.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7H3JZN74\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-14 00:51
Reported
2023-10-14 13:11
Platform
android-x86-arm-20230831-en
Max time kernel
776962s
Max time network
146s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json | N/A | N/A |
| N/A | /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
com.cattle.way
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.cattle.way/app_DynamicOptDex/oat/x86/efyrx.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.251.36.10:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 172.217.168.202:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 188.114.96.0:443 | jsonplaceholder.typicode.com | tcp |
| DE | 172.217.23.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
Files
/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | f3985de7f85cf76cfa98e6c1e0477c61 |
| SHA1 | fed6b8d0fd062b72b031fcb2c65dd0eeda29326c |
| SHA256 | 77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87 |
| SHA512 | 94a8b72324408f8da621db348bf2aed7c96927da838f611d48b84431334507ca592e260fa48e6adcf63eafde427201bbee079678d998bb8d5d1bc4b8c59d0ec8 |
/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | b5c02c909a7078df281f55ca9e60af8a |
| SHA1 | 03068e95674919cdbc49a289b2b33b668dff6a40 |
| SHA256 | a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a |
| SHA512 | a6d3f5cbf93fe3854be6b9aacc97dde9d4c68954a32ce2323fff648871e027a77ebdaa492c2ded2ceb0e9103ab06d5e95d6345e7ed4feabdc6e405b3f7a139e9 |
/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | cd5443f4f22b8a71f1d6aa4c9dc7b95d |
| SHA1 | 9044803662bf5b81c8181ed5cd92ec45974875db |
| SHA256 | 5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f |
| SHA512 | c122c4774f603bff013425b36575f4cd7257b48db9fa86b99477ffc25c71d1d55c7e12fbe86cefeb98bb35bb869abb060b0d02490c987e587c6415f259be926d |
/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | 2c4612b37cde86d4f83519190d66d5b6 |
| SHA1 | cb754ec9cc0b9119e31b843e8eeb0660c40c4d81 |
| SHA256 | 971148e5eb4e575e3f5ffcdf26a55e86cc94e64b508f740df8e1be7b66f9b44b |
| SHA512 | 7dbcc932b9f90a4d4a64737058a6230f7186b381a7f82ce2aa44db2d5ae130daa64b8624242ae5f83e36dd5e371f23cb4463d13c0717237090a39a814efce756 |
/data/data/com.cattle.way/app_DynamicOptDex/oat/efyrx.json.cur.prof
| MD5 | a008c2c74b313e135961c3e3cf7a69d4 |
| SHA1 | 1d5cb51d6faa3f82ce856667bc6a18bcab459bb2 |
| SHA256 | 5cb96cdbd1b19e1f8055e95b0210bc06165e423a77297d77bf7e1e435faa48db |
| SHA512 | f50dd40d762e607242e3c97045145fd75cb3ae4f4eee293c761ada55071db9ccb0ba3034cc4310c150bab2c63c7ec302da07fd5ca1c6228f4157c6728b458b5e |
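The "Loads dropped Dex/Jar" indicator and the dex2oat command line above show a file named efyrx.json under app_DynamicOptDex being compiled as DEX, and the Files list reports that same path with several different hashes during one run. The following triage helper is an added example, not part of the sandbox report or of the sample: it walks a directory, flags files whose header is a DEX/ODEX/ZIP container despite a data-looking extension, and hashes them for comparison with the SHA-256 values listed above. The directory it scans is constructed in a temp folder for the demonstration; the real payloads are not embedded, and the list of "data" extensions is an assumption.

```python
"""Find loadable code hiding behind data-looking extensions.

Added triage helper (not the report's or the sample's own code). Android
will compile and load a DEX file whatever its name is, so the check is on
the header bytes, not on the extension. Hash matching against the report
is a secondary signal: the same efyrx.json path appears with four SHA-256
values in the run above, so a single known hash is not a reliable test.
"""
import hashlib
import os
import tempfile

# Header magic of containers ART/DexClassLoader will accept.
CODE_MAGIC = {
    b"dex\n": "dex",        # plain dex, e.g. "dex\n035\0"
    b"dey\n": "odex",       # optimised dex
    b"cdex": "compact-dex", # ART compact dex
    b"PK\x03\x04": "zip",   # jar / apk carrying classes.dex
}

# Assumed: extensions under which loadable code should never appear.
DATA_EXTENSIONS = {".json", ".txt", ".xml", ".db", ".png", ".jpg", ".dat"}

# SHA-256 values the report lists for the dropped efyrx.json payloads.
KNOWN_SHA256 = {
    "77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87",
    "a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a",
    "5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f",
    "971148e5eb4e575e3f5ffcdf26a55e86cc94e64b508f740df8e1be7b66f9b44b",
}


def classify(path):
    """Return (kind, sha256hex); kind is the container type or 'data'."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        head = f.read(8)
        sha.update(head)
        for chunk in iter(lambda: f.read(1 << 16), b""):
            sha.update(chunk)
    for magic, kind in CODE_MAGIC.items():
        if head.startswith(magic):
            return kind, sha.hexdigest()
    return "data", sha.hexdigest()


def find_masquerading_code(root):
    """Return [(path, kind, sha256, known)] for code files with data extensions."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in DATA_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            kind, digest = classify(path)
            if kind != "data":
                hits.append((path, kind, digest, digest in KNOWN_SHA256))
    return hits


def build_sample_tree():
    """Constructed sample tree: one DEX-headed .json, one ZIP-headed .dat,
    one genuine JSON file. Not the real dropped files."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "app_DynamicOptDex")
    os.makedirs(d)
    with open(os.path.join(d, "efyrx.json"), "wb") as f:
        f.write(b"dex\n035\x00" + b"\x00" * 64)   # DEX magic, not JSON
    with open(os.path.join(d, "cache.dat"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 64)      # ZIP/JAR magic
    with open(os.path.join(d, "settings.json"), "wb") as f:
        f.write(b'{"theme": "dark"}')              # real data, must not flag
    return root


if __name__ == "__main__":
    for path, kind, digest, known in find_masquerading_code(build_sample_tree()):
        print(f"{kind:12} known={known} {digest[:16]}... {path}")
```

Point it at an extracted /data/data/<package>/ tree (for example from an adb backup or an emulator image) instead of the sample tree to check a real device; a hit under app_DynamicOptDex, code_cache or a files/ directory with a .json or .dat name is the pattern the report documents.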
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-14 00:51
Reported
2023-10-14 13:11
Platform
android-x64-20230831-en
Max time kernel
776968s
Max time network
152s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json | N/A | N/A |
Processes
com.cattle.way
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 216.58.214.10:80 | play.googleapis.com | tcp |
| DE | 172.217.23.202:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 188.114.96.0:443 | jsonplaceholder.typicode.com | tcp |
| DE | 23.88.40.50:80 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.39.110:443 | android.apis.google.com | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
Files
/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | f3985de7f85cf76cfa98e6c1e0477c61 |
| SHA1 | fed6b8d0fd062b72b031fcb2c65dd0eeda29326c |
| SHA256 | 77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87 |
| SHA512 | 94a8b72324408f8da621db348bf2aed7c96927da838f611d48b84431334507ca592e260fa48e6adcf63eafde427201bbee079678d998bb8d5d1bc4b8c59d0ec8 |
/data/data/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | b5c02c909a7078df281f55ca9e60af8a |
| SHA1 | 03068e95674919cdbc49a289b2b33b668dff6a40 |
| SHA256 | a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a |
| SHA512 | a6d3f5cbf93fe3854be6b9aacc97dde9d4c68954a32ce2323fff648871e027a77ebdaa492c2ded2ceb0e9103ab06d5e95d6345e7ed4feabdc6e405b3f7a139e9 |
/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | cd5443f4f22b8a71f1d6aa4c9dc7b95d |
| SHA1 | 9044803662bf5b81c8181ed5cd92ec45974875db |
| SHA256 | 5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f |
| SHA512 | c122c4774f603bff013425b36575f4cd7257b48db9fa86b99477ffc25c71d1d55c7e12fbe86cefeb98bb35bb869abb060b0d02490c987e587c6415f259be926d |
/data/data/com.cattle.way/app_DynamicOptDex/oat/efyrx.json.cur.prof
| MD5 | 96babf2305587c439faa9d0e6557f562 |
| SHA1 | 5139e512a9c09e2e65042ef7a86dd87bad52f332 |
| SHA256 | a9c98b1da9a516f4d395d7bbaa6dbcbf91beaf3e986738923991f3932037f19d |
| SHA512 | 6a20feebddd207cb7a0c234c1165beb22fc00d6fc3bff382c63c5551822a3fd7a997fad1f5d37d78f914b033c3ae6d49e060c849c2688c0f9a7e5c55d70f3c85 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-10-14 00:51
Reported
2023-10-14 13:11
Platform
android-x64-arm64-20230831-en
Max time kernel
776985s
Max time network
163s
Command Line
Signatures
Alienbot
Cerberus
Cerberus payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
com.cattle.way
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| NL | 142.251.36.10:80 | play.googleapis.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.251.36.46:443 | | tcp |
| NL | 142.250.179.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 188.114.96.0:443 | jsonplaceholder.typicode.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 23.88.40.50:80 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| DE | 172.217.23.206:443 | android.apis.google.com | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| DE | 23.88.40.50:80 | | tcp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| NL | 142.251.36.13:443 | accounts.google.com | tcp |
| DE | 23.88.40.50:80 | | tcp |
| US | 1.1.1.1:53 | cdusochxsreyr | udp |
| US | 1.1.1.1:53 | cuqslvlzrao | udp |
| US | 1.1.1.1:53 | dyxfmytka | udp |
| US | 1.1.1.1:53 | cdusochxsreyr | udp |
| US | 1.1.1.1:53 | dyxfmytka | udp |
| DE | 23.88.40.50:80 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| DE | 172.217.23.200:443 | ssl.google-analytics.com | tcp |
| DE | 23.88.40.50:80 | | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| US | 1.1.1.1:53 | edgedl.me.gvt1.com | udp |
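The three behavioral network tables mix emulator background traffic (mDNS, resolver lookups, Google platform endpoints) with the sample's own connections, and some rows have no Domain cell at all. The script below is an added example, not part of the report: it parses rows in the table's shape, tolerates the missing cell, discards traffic it assumes to be platform noise, and counts what is left per endpoint so the repeated 23.88.40.50:80 connections and the single-label DNS lookups (cdusochxsreyr, cuqslvlzrao, dyxfmytka) surface for review. The platform allow-list is an assumption made for this example; the report itself does not classify any endpoint. SAMPLE_ROWS is a subset copied from the tables above.

```python
"""Rank sandbox network rows for analyst review.

Added example (not the report's own tooling). A row is 'noise:*' when it
matches traffic the emulator image generates on its own and 'review:*'
otherwise; review rows are counted per endpoint, most frequent first.
"""
from collections import Counter

# Subset of rows copied from the report's network tables, including the
# two malformed shapes (protocol in the Domain column, or a missing cell).
SAMPLE_ROWS = """
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | jsonplaceholder.typicode.com | udp |
| US | 188.114.96.0:443 | jsonplaceholder.typicode.com | tcp |
| DE | 23.88.40.50:80 | tcp | |
| DE | 23.88.40.50:80 | tcp | |
| DE | 23.88.40.50:80 | tcp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | cdusochxsreyr | udp |
| US | 1.1.1.1:53 | dyxfmytka | udp |
"""

RESOLVERS = {"1.1.1.1:53", "8.8.8.8:53"}
MDNS = "224.0.0.251:5353"
PROTOS = {"tcp", "udp"}
# Assumed benign: names the emulator image contacts on its own.
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com",
                     ".google-analytics.com", ".gvt1.com")


def parse_rows(text):
    """Yield (country, destination, domain, proto); tolerate a missing Domain cell."""
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        country, dest = cells[0], cells[1]
        if cells[2] in PROTOS:            # protocol landed in the Domain column
            domain, proto = "", cells[2]
        else:
            domain = cells[2]
            proto = cells[3] if len(cells) > 3 else ""
        yield country, dest, domain, proto


def label(dest, domain):
    """Classify one row as noise:* (skip) or review:* (look at it)."""
    if dest == MDNS:
        return "noise:mdns"
    if dest in RESOLVERS:
        if domain and "." not in domain:
            return "review:dns-single-label"   # no TLD; typical of generated names
        if domain.endswith(PLATFORM_SUFFIXES):
            return "noise:platform-dns"
        return "review:dns"
    if domain.endswith(PLATFORM_SUFFIXES):
        return "noise:platform"
    if not domain:
        return "review:direct-ip"              # connection with no resolved name
    return "review:named"


def review_items(text):
    """Return [(count, label, key)] for review:* rows, most frequent first."""
    counts = Counter()
    for _, dest, domain, _ in parse_rows(text):
        lab = label(dest, domain)
        if lab.startswith("review:"):
            counts[(lab, domain or dest)] += 1
    return sorted(((n, lab, key) for (lab, key), n in counts.items()),
                  key=lambda t: (-t[0], t[1], t[2]))


if __name__ == "__main__":
    for n, lab, key in review_items(SAMPLE_ROWS):
        print(f"{n:3}  {lab:26} {key}")
```

Feed it the full tables from all three runs to see the complete picture; the allow-list is deliberately short, so anything it does not recognise lands in the review output rather than being silently dropped.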
Files
/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | f3985de7f85cf76cfa98e6c1e0477c61 |
| SHA1 | fed6b8d0fd062b72b031fcb2c65dd0eeda29326c |
| SHA256 | 77b822ba471e584f6a624e39aa7e30aee06996b75920a5eac9198244d7edfb87 |
| SHA512 | 94a8b72324408f8da621db348bf2aed7c96927da838f611d48b84431334507ca592e260fa48e6adcf63eafde427201bbee079678d998bb8d5d1bc4b8c59d0ec8 |
/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | b5c02c909a7078df281f55ca9e60af8a |
| SHA1 | 03068e95674919cdbc49a289b2b33b668dff6a40 |
| SHA256 | a7828afdec786b19764540a2437575fcac02107139314c4140574b45a9dd159a |
| SHA512 | a6d3f5cbf93fe3854be6b9aacc97dde9d4c68954a32ce2323fff648871e027a77ebdaa492c2ded2ceb0e9103ab06d5e95d6345e7ed4feabdc6e405b3f7a139e9 |
/data/user/0/com.cattle.way/app_DynamicOptDex/efyrx.json
| MD5 | cd5443f4f22b8a71f1d6aa4c9dc7b95d |
| SHA1 | 9044803662bf5b81c8181ed5cd92ec45974875db |
| SHA256 | 5027e406bb115f8b0312928d979392edf7e73bf194ff3712c9bfe2661750452f |
| SHA512 | c122c4774f603bff013425b36575f4cd7257b48db9fa86b99477ffc25c71d1d55c7e12fbe86cefeb98bb35bb869abb060b0d02490c987e587c6415f259be926d |
/data/user/0/com.cattle.way/app_DynamicOptDex/oat/efyrx.json.cur.prof
| MD5 | b8047385addbb9597d0b0b2cfa2beb41 |
| SHA1 | 7ea408eb3ebdb629531fdfd9cd307758fc80588d |
| SHA256 | c88e704bd411fcf3fedbcdd0633e2710682a0674ff37714f139706ffac6fb6fe |
| SHA512 | cccc3a29b90412d1d6e11f9dfc39aa28ecd6305d553109e70b3ab26db24f76d48fe477ec5b66c99d8c039bfeb87b6c535fa67c3c646339006f2c7af6b71c4a42 |