Overview

overview

10

Static

static

10

vbug-maste...DE.apk

windows11-21h2-x64

3

vbug-maste...DS.apk

windows11-21h2-x64

3

elite.apk

windows11-21h2-x64

3

fbcr.apk

windows11-21h2-x64

3

mobelejen.apk

windows11-21h2-x64

3

vi4a.apk

windows11-21h2-x64

3

vbug-master/vbug.py

windows11-21h2-x64

3

Analysis

  • max time kernel
    33s
  • max time network
    21s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    22-08-2024 18:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vbug-master/vbug-AIDE.apk

  • Size

    2.2MB

  • MD5

    90c72d2c718ef0e16579befb4aa2b193

  • SHA1

    befc0a75d30d2d3d20e9fb3643ac64ae587234da

  • SHA256

    08d9dda676460b38cb84c66887d30e0da4e5b37803fb5bca136a0d5534fdc6c1

  • SHA512

    20bd4bbaade22969c74f98a408fce4cc89d51b3ee59d4487a5f771d687f956a12e59a9ae15747bac29642d6995b1eed04a70b1c2989bf449a9de045be4d32062

  • SSDEEP

    49152:57a8WgPMpjqIWWZoQwwLggP5glEvSyUQfUF53MdiAjRDN:wdgPYqk6zwLgug69U1TcdX

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 20 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk
    1⤵
    • Modifies registry class
    PID:4124
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4508
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk
        3⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2528
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54af5a02-210b-4def-89de-6f667b345198} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" gpu
          4⤵
            PID:3980
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2344 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {59dcf9e6-69ce-4e14-8b0a-5f3cbea463a4} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" socket
            4⤵
              PID:1460
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3392 -childID 1 -isForBrowser -prefsHandle 3264 -prefMapHandle 3220 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29e21c8e-c9ac-4eb4-b065-6fc6d0c763b8} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
              4⤵
                PID:2880
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 2 -isForBrowser -prefsHandle 3104 -prefMapHandle 3140 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1d0087e-dd0b-42de-ab3c-fab9f035c3bc} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
                4⤵
                  PID:4260
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5184 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5196 -prefMapHandle 5192 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5d41a5ca-1797-4b0c-a5b3-3fffd9532d3d} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" utility
                  4⤵
                  • Checks processor information in registry
                  PID:1600
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 5428 -prefMapHandle 5076 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {275930ec-a962-402b-bb7e-a7fe5b1d97ae} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
                  4⤵
                    PID:1760
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5736 -childID 4 -isForBrowser -prefsHandle 5656 -prefMapHandle 5660 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a515120f-b737-44c2-8662-bbdac91a4954} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
                    4⤵
                      PID:4876
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 5 -isForBrowser -prefsHandle 5476 -prefMapHandle 5532 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 936 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bdd5915-5f13-43a5-a8f9-05ae88a6c389} 2528 "\\.\pipe\gecko-crash-server-pipe.2528" tab
                      4⤵
                        PID:3540
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk"
                  1⤵
                    PID:3120
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\vbug-master\vbug-AIDE.apk
                      2⤵
                      • Checks processor information in registry
                      PID:4476
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\vbug-AIDE.apk"
                    1⤵
                      PID:4116
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\vbug-AIDE.apk
                        2⤵
                        • Checks processor information in registry
                        PID:404

                    Network

                    MITRE ATT&CK Matrix ATT&CK v13

                    Initial Access

                    Execution

                    Persistence

                    Privilege Escalation

                    Defense Evasion

                    Credential Access

                    Discovery

                    System Information Discovery

                    2
                    T1082

                    Query Registry

                    2
                    T1012

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Resource Development

                    Reconnaissance

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json
                      Filesize

                      33KB

                      MD5

                      452b516b2c3d025d7ad763d000dc7c65

                      SHA1

                      e4ab0bd8fe12ccbaefc5d1158f7623d0a7619ce8

                      SHA256

                      8789c63d77f54ce21833e48648fec3f3dd4b9dad392e27864036f4cc86920275

                      SHA512

                      9bd111a616b9815fa73d79796e97d6d3ab870e461411c4ae5686a5dae370022016d0d87797aea11252a5de8682d81a6911629bb22b3fd1c31c549d50981a3441

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      81e1b2f170673a0198ee3e736a73b1e0

                      SHA1

                      421cf56babb67155d9fab7f12ba82da00c07ba43

                      SHA256

                      b56f4493db7b09fac4cede43f08cb84e8efa9f8b770a4c2b8bc2ef8f3e0494a4

                      SHA512

                      491dec024bddb6e7fc0827de142b5f29b65331a04218d133150c2707d5d4a2677ebedf9915209576a92ff1f78d18337a7c66fe1e488626056af56ce77122795c

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      5KB

                      MD5

                      c8cb9a95bf10f0925ff1a23b71a02156

                      SHA1

                      af3c483150368209cdeeb8472aa5afc5e51331bc

                      SHA256

                      1137f9ace6186930a35b81468fd9f740a7ad4459098d86fe5c2e5c2cb2664ec6

                      SHA512

                      073aed8206e028d08e32f4c176abea542abb402315448ba5e58ab5654f94c94d6f0111e8f268837f61f1aed46938b3d6e5f0d28fb6f5020191c2e050726365ee

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp
                      Filesize

                      6KB

                      MD5

                      9f70a43cc9a41b27ffaac0c6cc70ca39

                      SHA1

                      006ea17f9c810a95b1cebb4d9c0a29394ca101fa

                      SHA256

                      d0b556bb4f309eee18f634aa807ebdc62d2c7b7081920aca19f51d20d326aa77

                      SHA512

                      03807de91e51447a5e3e0898605ad906e7957206d84099421944e8b8a3e67519ee357fb480da643b342dd74adcf6224def17705e998cf7e1120efa1df608afaa

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\65c7422c-12f3-465c-a0cd-b926d5008ccf
                      Filesize

                      24KB

                      MD5

                      2091e712ba0bab4935d11a189147f219

                      SHA1

                      6dcd36b58d2a01389b527f957526365a3370c3c5

                      SHA256

                      0821306ab6cb6956e92e1e725b82a8089f23bbaf234b06dc1e3589d1c932ae07

                      SHA512

                      31b7d63755193035400bb4d13bcf0c7d0b9e2234919d6ecc71ef4302bbe746e85e549d8a793a66bc8370f9a018235c4f49740bfaca2eb7c501a76a9c87b33585

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\c3853da1-0292-4ba6-9d2d-d20fdd51595a
                      Filesize

                      982B

                      MD5

                      82cc43cff9acc99cb99135a040c2dec0

                      SHA1

                      dc8506b4b77290a9db1d44d8eb3ec08a1f905ca7

                      SHA256

                      a3522acab138ddcabc9c6a9120bdfbe14891e5ec8e84e406b20d752772d82d84

                      SHA512

                      cc58582b291f5e1f7731eeeea5a6e323ddc02c34ca91e678da34cb4fd206a38fcba2933b0ea3fd8a435c32768c460cefee429b122babe5a455fc9fb87c06da3d

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\ce21d755-6c90-4ac6-bc24-1339151381e4
                      Filesize

                      671B

                      MD5

                      184a68e3139e39e58cf81bec427a07cb

                      SHA1

                      22d535e89e6dd840805a95f784ca48df71b59bf2

                      SHA256

                      370642b3701953304ff41482a492a95b86062c0162c3106406ac2df9cf053acc

                      SHA512

                      b5ce10470b255dc9203d724db8448173a0e2ff1707013876460908d9e638ed2db79dcbf05bbc4bfdde4cb176365bee73ad7e96707f78a370b12195105631dff8

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js
                      Filesize

                      11KB

                      MD5

                      418db74e42e18ca0f3b29711db956a7f

                      SHA1

                      cce99a41f7327bcba1a147c276c04226bb3a45bd

                      SHA256

                      24c9c82cec4f4ab63e5073660e4409f3813d91ed5cf1c9e7a1f1ab92a3ebf40d

                      SHA512

                      5c3171aba2b4e16032cd9f815ad40e672e0e311a0a4e23b1566d9eeb246d833cf5e6567ef6837f34c055f2463a5c6fe76930168fcc83cce54f4c28aec8ca335d

                      Download Submit
                    • C:\Users\Admin\Downloads\GwGZwOYI.apk.part
                      Filesize

                      2.2MB

                      MD5

                      90c72d2c718ef0e16579befb4aa2b193

                      SHA1

                      befc0a75d30d2d3d20e9fb3643ac64ae587234da

                      SHA256

                      08d9dda676460b38cb84c66887d30e0da4e5b37803fb5bca136a0d5534fdc6c1

                      SHA512

                      20bd4bbaade22969c74f98a408fce4cc89d51b3ee59d4487a5f771d687f956a12e59a9ae15747bac29642d6995b1eed04a70b1c2989bf449a9de045be4d32062

                      Download Submit