Malware Analysis Report

2024-10-19 11:55

Sample ID 231101-1wp6qsdf41
Target 5c3698ae03004b6832f15eb99df5ef302867a49d3226e281f8039fe72ed0f8db.bin
SHA256 5c3698ae03004b6832f15eb99df5ef302867a49d3226e281f8039fe72ed0f8db
Tags
alienbot cerberus banker evasion infostealer rat stealth trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

5c3698ae03004b6832f15eb99df5ef302867a49d3226e281f8039fe72ed0f8db

Threat Level: Known bad

The file 5c3698ae03004b6832f15eb99df5ef302867a49d3226e281f8039fe72ed0f8db.bin was found to be: Known bad.

Malicious Activity Summary

alienbot cerberus banker evasion infostealer rat stealth trojan

Alienbot

Cerberus

Cerberus payload

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Acquires the wake lock.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-11-01 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:05

Platform

android-x64-arm64-20231023-en

Max time kernel

2364223s

Max time network

169s

Command Line

com.hammer.abuse

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.hammer.abuse

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
NL 142.250.179.142:443 tcp
NL 142.250.179.142:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
DE 172.217.23.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 bundangayri.com udp
US 1.1.1.1:53 bundangayri.com udp
US 1.1.1.1:53 bundangayri.com udp

Files

/data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 8a84cb4cd62df7053f117c23f79e9340
SHA1 ff6a23580b006de7bacc86fbe4eb003b18d985f1
SHA256 84ac1990c0d000252436dc44163e3211db9585e2f521268e33bb130890aaf8f9
SHA512 822fdbeb236c3f7c680a0fdf926cda6ec7875c07073cd994689329d987175ceda27878456acbd9f3ec95039d4e5c008ae2b36a6acf363424e85c42386fbcbed0

/data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 62d6cafa163c8dae7594cbfb9785ffb7
SHA1 c42ff394c29fe148ec9aae8658b61512375fd7fd
SHA256 d68215d4ae0589442ac38b5acbfa3a0d73d7155ebc6168da81e3048d4bd3440b
SHA512 bf979ef863aff48474f0416b9639e0b663c90e58f0f08b054b139cdd7b3070c5521604517ab48b2af45069dea2c0ad9dccdf6e00d9edc0865b80f79f2b3e435d

/data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 3fad4fc6c7fe2d43154b8af5137b109d
SHA1 a4627dd6dab4bf7a8af274bf0958455646a8d559
SHA256 90b18be5b64da444b7729613d465fa61df61f5000a8052941b3fd9decfa54e4d
SHA512 58a9164cf54ca65bf52a79e396299c1b5257596ae919bb98493e5137aa018de6483c8937cb7e4a789e2abb554190395e45a8886b8ea1bff7a3cd90e67f75c18c

/data/user/0/com.hammer.abuse/app_DynamicOptDex/oat/sddPBX.json.cur.prof

MD5 9f7ee0af892562289835c6f9d20d0cef
SHA1 68dc7248de1657af8498ab64983edca7771b1316
SHA256 a07d3c48a9377e239bc1e72ce14eec1e54906d4a90c65b77bbdcb3f26d0287e5
SHA512 e0636c9cff0b7e0e75f9a123202c10f67f0d86722422410b2a329d4335a7d0908f546139616d1fb9f8dcc537cfedcd21037d4e02724ff9dc3e78e0d64a698906

Analysis: behavioral5

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231020-en

Max time kernel

136s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\165.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\165.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 113.208.253.8.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:03

Platform

win10v2004-20231023-en

Max time kernel

143s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\340.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\340.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\387.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\387.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231020-en

Max time kernel

138s

Max time network

149s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\394.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\394.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.98.74.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:03

Platform

win7-20231020-en

Max time kernel

117s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\165.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\165.js

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231020-en

Max time kernel

141s

Max time network

167s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\338.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\338.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231020-en

Max time kernel

146s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\386.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\386.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:05

Platform

win7-20231020-en

Max time kernel

118s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\394.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\394.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:05

Platform

win10v2004-20231020-en

Max time kernel

129s

Max time network

135s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\388.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\388.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:05

Platform

android-x64-20231023.1-en

Max time kernel

2364091s

Max time network

155s

Command Line

com.hammer.abuse

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json N/A N/A

Processes

com.hammer.abuse

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
DE 172.217.23.202:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 216.58.214.8:443 ssl.google-analytics.com tcp
DE 172.217.23.202:443 tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 bundangayri.com udp
NL 142.250.102.188:5228 tcp
GB 216.58.208.110:443 tcp
NL 142.250.179.142:443 tcp
NL 142.251.36.14:443 tcp
NL 172.217.168.226:443 tcp
DE 172.217.23.196:443 tcp
NL 172.217.168.195:443 tcp
NL 172.217.168.195:443 tcp
US 1.1.1.1:53 bundangayri.com udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
NL 142.250.179.142:443 android.apis.google.com tcp
NL 142.250.179.142:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 bundangayri.com udp
US 1.1.1.1:53 g.tenor.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.202:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 8a84cb4cd62df7053f117c23f79e9340
SHA1 ff6a23580b006de7bacc86fbe4eb003b18d985f1
SHA256 84ac1990c0d000252436dc44163e3211db9585e2f521268e33bb130890aaf8f9
SHA512 822fdbeb236c3f7c680a0fdf926cda6ec7875c07073cd994689329d987175ceda27878456acbd9f3ec95039d4e5c008ae2b36a6acf363424e85c42386fbcbed0

/data/data/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 62d6cafa163c8dae7594cbfb9785ffb7
SHA1 c42ff394c29fe148ec9aae8658b61512375fd7fd
SHA256 d68215d4ae0589442ac38b5acbfa3a0d73d7155ebc6168da81e3048d4bd3440b
SHA512 bf979ef863aff48474f0416b9639e0b663c90e58f0f08b054b139cdd7b3070c5521604517ab48b2af45069dea2c0ad9dccdf6e00d9edc0865b80f79f2b3e435d

/data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 3fad4fc6c7fe2d43154b8af5137b109d
SHA1 a4627dd6dab4bf7a8af274bf0958455646a8d559
SHA256 90b18be5b64da444b7729613d465fa61df61f5000a8052941b3fd9decfa54e4d
SHA512 58a9164cf54ca65bf52a79e396299c1b5257596ae919bb98493e5137aa018de6483c8937cb7e4a789e2abb554190395e45a8886b8ea1bff7a3cd90e67f75c18c

Analysis: behavioral6

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win7-20231020-en

Max time kernel

119s

Max time network

133s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\338.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\338.js

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231020-en

Max time kernel

133s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\380.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\380.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win7-20231025-en

Max time kernel

117s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\381.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\381.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:05

Platform

win7-20231023-en

Max time kernel

121s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\395.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\395.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

android-x86-arm-20231023-en

Max time kernel

2364184s

Max time network

138s

Command Line

com.hammer.abuse

Signatures

Alienbot

banker trojan infostealer alienbot

Cerberus

banker trojan infostealer evasion rat cerberus

Cerberus payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json N/A N/A
N/A /data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.hammer.abuse

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.hammer.abuse/app_DynamicOptDex/oat/x86/sddPBX.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
DE 172.217.23.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 jsonplaceholder.typicode.com udp
US 172.64.199.35:443 jsonplaceholder.typicode.com tcp
NL 142.251.36.14:443 tcp
NL 142.251.36.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
US 1.1.1.1:53 bundangayri.com udp
NL 142.250.179.170:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 8a84cb4cd62df7053f117c23f79e9340
SHA1 ff6a23580b006de7bacc86fbe4eb003b18d985f1
SHA256 84ac1990c0d000252436dc44163e3211db9585e2f521268e33bb130890aaf8f9
SHA512 822fdbeb236c3f7c680a0fdf926cda6ec7875c07073cd994689329d987175ceda27878456acbd9f3ec95039d4e5c008ae2b36a6acf363424e85c42386fbcbed0

/data/data/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 62d6cafa163c8dae7594cbfb9785ffb7
SHA1 c42ff394c29fe148ec9aae8658b61512375fd7fd
SHA256 d68215d4ae0589442ac38b5acbfa3a0d73d7155ebc6168da81e3048d4bd3440b
SHA512 bf979ef863aff48474f0416b9639e0b663c90e58f0f08b054b139cdd7b3070c5521604517ab48b2af45069dea2c0ad9dccdf6e00d9edc0865b80f79f2b3e435d

/data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 3fad4fc6c7fe2d43154b8af5137b109d
SHA1 a4627dd6dab4bf7a8af274bf0958455646a8d559
SHA256 90b18be5b64da444b7729613d465fa61df61f5000a8052941b3fd9decfa54e4d
SHA512 58a9164cf54ca65bf52a79e396299c1b5257596ae919bb98493e5137aa018de6483c8937cb7e4a789e2abb554190395e45a8886b8ea1bff7a3cd90e67f75c18c

/data/user/0/com.hammer.abuse/app_DynamicOptDex/sddPBX.json

MD5 a9a27905b06d8576c443f23aba195e6b
SHA1 770c9456a534045219f22fa6f3a4003545b816fd
SHA256 233a73d03446cb87b6a3f72f56465f193fbc0efa1d7abe3bf4bcf371a62d80bf
SHA512 db6e8fcc04ca1b2657bc1f2afc720f2e047db6357d23de522aa6cff6d6d589c68c41978193cf6169d65ab5acabb1d25a9b7c9323a11d4c0ecc836378a232a7d3

/data/data/com.hammer.abuse/app_DynamicOptDex/oat/sddPBX.json.cur.prof

MD5 b777abdfa52cebbc7d4eed6b86f01546
SHA1 d49387703f4e897c28bd7cf30695750adff97b88
SHA256 6be7faecd99ecb75aa9b57b4799b763c7bd48cb0dd3b9f5ab3d4469e40474100
SHA512 10d012897ab1ee0717336a4255c1ae472e95fb0682829e558d6f45ee3ed3a338922b61072d788c78457096490da140725b44217a4920b1e6d28dfc6b3720e0ff

Analysis: behavioral18

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win7-20231020-en

Max time kernel

122s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\384.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\384.js

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win7-20231023-en

Max time kernel

119s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\388.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\388.js

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:07

Platform

win7-20231023-en

Max time kernel

119s

Max time network

159s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\389.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\389.js

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:07

Platform

win7-20231023-en

Max time kernel

240s

Max time network

281s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\392.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\392.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231023-en

Max time kernel

119s

Max time network

131s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\341.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\341.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.4.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:07

Platform

win7-20231023-en

Max time kernel

241s

Max time network

282s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\342.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\342.js

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win7-20231023-en

Max time kernel

120s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\380.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\380.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win7-20231020-en

Max time kernel

120s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\387.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\387.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win7-20231023-en

Max time kernel

122s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\341.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\341.js

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231023-en

Max time kernel

137s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\389.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\389.js

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            2.136.104.51.in-addr.arpa     udp
US       8.8.8.8:53            136.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53            205.47.74.20.in-addr.arpa     udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53            50.4.107.13.in-addr.arpa      udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53            1.202.248.87.in-addr.arpa     udp
US       8.8.8.8:53            43.229.111.52.in-addr.arpa    udp
US       8.8.8.8:53            25.73.42.20.in-addr.arpa      udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231023-en

Max time kernel

137s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\392.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\392.js

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53            20.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53            13.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53            88.16.208.104.in-addr.arpa    udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:06

Platform

win7-20231023-en

Max time kernel

239s

Max time network

278s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\340.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\340.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:05

Platform

win10v2004-20231023-en

Max time kernel

143s

Max time network

162s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\342.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\342.js

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            17.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53            241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53            2.136.104.51.in-addr.arpa     udp
US       8.8.8.8:53            39.142.81.104.in-addr.arpa    udp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53            50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53            206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53            50.4.107.13.in-addr.arpa      udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53            43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53            11.227.111.52.in-addr.arpa    udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53            208.143.182.52.in-addr.arpa   udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:04

Platform

win10v2004-20231023-en

Max time kernel

138s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\381.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\381.js

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            2.136.104.51.in-addr.arpa     udp
US       8.8.8.8:53            43.58.199.20.in-addr.arpa     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53            1.202.248.87.in-addr.arpa     udp
US       8.8.8.8:53            205.47.74.20.in-addr.arpa     udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53            2.173.189.20.in-addr.arpa     udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:05

Platform

win10v2004-20231025-en

Max time kernel

115s

Max time network

147s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\384.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\384.js

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53            68.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53            8.3.197.209.in-addr.arpa      udp
US       8.8.8.8:53            9.228.82.20.in-addr.arpa      udp
US       8.8.8.8:53            88.156.103.20.in-addr.arpa    udp
US       8.8.8.8:53            39.142.81.104.in-addr.arpa    udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53            146.78.124.51.in-addr.arpa    udp
US       8.8.8.8:53            86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53            18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53            1.202.248.87.in-addr.arpa     udp
US       8.8.8.8:53            23.236.111.52.in-addr.arpa    udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-11-01 22:00

Reported

2023-11-01 22:05

Platform

win7-20231025-en

Max time kernel

121s

Max time network

136s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\386.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\386.js

Network

N/A

Files

N/A