Malware Analysis Report

2024-10-19 11:36

Sample ID 240825-wh4prawgjb
Target https://webbntuan.danain.icu/
Tags
discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://webbntuan.danain.icu/ was found to be: Known bad.

Malicious Activity Summary

discovery

Reads runtime system information

System Location Discovery: System Language Discovery

Enumerates kernel/hardware configuration

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks CPU information

Checks memory information

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 17:56

Signatures

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-25 17:56

Reported

2024-08-25 17:56

Platform

debian9-mipsel-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-25 17:56

Reported

2024-08-25 17:58

Platform

android-x86-arm-20240624-en

Max time kernel

64s

Max time network

66s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 webbntuan.danain.icu udp
US 104.21.10.125:443 webbntuan.danain.icu tcp
US 104.21.10.125:443 webbntuan.danain.icu tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.187.195:443 update.googleapis.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.201.106:443 tcp

Files

files/dom-0.html

MD5 e856ed94a79c5047ffe12d8c71dc93be
SHA1 06de53b608755612429d84cca00b44b444e8698c
SHA256 af2e67941f955cf59b7dcd0495800e57acd799eea2b34608c31b73136efadb89
SHA512 2da941ed8b9d1fcfd390f168143bf6d8390f37bad4f8e54af0c81ca8a4ec9e4c667d531e79eeeedf4be403507fa44d8c0dddb5d3f1722ae99802e72d6968e574

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-25 17:56

Reported

2024-08-25 17:57

Platform

android-x64-arm64-20240624-en

Max time kernel

61s

Max time network

68s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 webbntuan.danain.icu udp
US 1.1.1.1:53 accounts.google.com udp
BE 64.233.184.84:443 accounts.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 webbntuan.danain.icu udp
GB 173.194.76.84:443 accounts.google.com tcp
US 172.67.190.38:443 webbntuan.danain.icu tcp
US 1.1.1.1:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.179.227:443 update.googleapis.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

files/dom-0.html

MD5 605272fbd7111234243e3b2651098dd8
SHA1 d758962359f719d8714e0be6e6162e78783aa3bd
SHA256 3c22beca2bccb993657e0f15047e3bd2d2bb0d716ee92afd73a2ee72b7b180ac
SHA512 df275607f5ef94f5ab95df5ab89e6ae6f92cd8e01e561314a17427b9d76ac3b20c4ac2636c18a70e7c8f068f36ab8c8184381969b49bcdb8d149b4b33e1943ae

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-25 17:56

Reported

2024-08-25 17:56

Platform

debian9-armhf-20240729-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-25 17:56

Reported

2024-08-25 17:56

Platform

debian9-mipsbe-20240729-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 17:56

Reported

2024-08-25 17:58

Platform

win10-20240404-en

Max time kernel

77s

Max time network

78s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://webbntuan.danain.icu/

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "923944597" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "931756573" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127320" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000065ffbf8448a55e479d2c799891dcc65a00000000020000000000106600000001000020000000dd5d5890c7361da3232fe50596024dad6b190768f88cc45a1b7a55f68d019447000000000e8000000002000020000000ca13b43b24779d02acf48a7333121c398182927727eebbae0051d9a89b2fafa420000000a389e3658b67df286883e3fc92ddaf0431822cc45be6a50319756d8d3722973c40000000b76e0af64c7b92d64aac2bc6febffd23e18943d857652a23216c47b36d80f887a75bdc00852ec3c71bd7efa215fd5b29b6fe5ca52d419744ff5eea6d62e6813f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20c5973718f7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz! C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31127320" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "931756573" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6292E11D-630B-11EF-A2FF-FE3012D2C5F2} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000065ffbf8448a55e479d2c799891dcc65a00000000020000000000106600000001000020000000052154a05fa395a7a81a50e76182871bc85b91f0e6718359a89a06207a8606d6000000000e800000000200002000000018f6f65e26cceec0b8b4977684694a6ae607a87637d390bffa7b36513139160e2000000008cefc6d4316800f6fcbac388b2ca13c643caf4fe5423db3132e03adbf8f545c40000000db0f484434df1f105b744c9de3e3e4e7056fcf638b561e2c0cbe876275378d9fb8f618875e9ccc35a39e41465b09449e196fca8c7e2f71972bd88401d17d01ac C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "923944597" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "431422162" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127320" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431373576" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "431390170" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31127320" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e3923718f7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://webbntuan.danain.icu/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:168 CREDAT:82945 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 webbntuan.danain.icu udp
US 104.21.10.125:443 webbntuan.danain.icu tcp
US 104.21.10.125:443 webbntuan.danain.icu tcp
US 8.8.8.8:53 125.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 c.pki.goog udp
FR 216.58.214.163:80 c.pki.goog tcp
US 104.21.10.125:443 webbntuan.danain.icu tcp
US 104.21.10.125:443 webbntuan.danain.icu tcp
US 8.8.8.8:53 44.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 163.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 167.57.26.184.in-addr.arpa udp
US 8.8.8.8:53 244.73.46.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 fd2b34efbcd42306d28644e06549ec4a
SHA1 f1dc152da81e50e8b67e3d743abd442b06b4fd6f
SHA256 68051b9f8cbc063e33cd147e5ab5cb615fac3567b218e4a843ec8722b50b8b75
SHA512 26767d3e561f4a651b1ebcf20c1fa805ddd1119f54d7aa0fe8ad34fb35e6167c42f193dc068a413d9dba69fc1bb0cdfa25fcea11a5ff89aaf380644e0921b601

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 7fb5fa1534dcf77f2125b2403b30a0ee
SHA1 365d96812a69ac0a4611ea4b70a3f306576cc3ea
SHA256 33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f
SHA512 a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 d465d02862766fc0df512b158f2d0c48
SHA1 4ccb4179cea16808359454647e1580c582cb9518
SHA256 aac7ea5b9640d2c1882be8740f37eafc0168f5055515c4109311df56047456cb
SHA512 fe9324fd3ec0495b866a898446bf9b33d21566b7436cddc7b28e26e09085369cd8788158db59bffb9f6e9ad8cae70af8563704e847c4615d270b30a5e6d000fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 29dcd3f1d22c2a95ac5c4f6a17d9b805
SHA1 062b3b90dd83756bb34c94e6923ed8ce15e8446b
SHA256 54bb6ebd39350849f85f2b30319525203a066bc670284fece00245be76a0b617
SHA512 0a72fc0daff92ff87d6aedcc33f61a5c7cbcac5765fbdd733a85810fe3bdd78dd728dbf04b3f694f97891cb0d5bd356398afbabc1ae69e0e52f115f907798340

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 43d5fafeb011a21c3db1436bd927de76
SHA1 a048836cdd54fce2b5eb495445deee8f6ede1af4
SHA256 f8b04b85388e394a943ec77310e078e098199c38b949c100713ce520d5ed0477
SHA512 a052d702c75dbc99f0377f45d8eaa80e6f434ad8b68a548403996982cf56f7bc79a7ffdadee6913572a1c583242beab59a25c97982d0bf14b30b23f60acabc0d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verED9C.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\PWJ9MKLM.cookie

MD5 d64ee003e9848419e59e767261926d64
SHA1 fcf4a30f07ffec3a4f48a1e532c313e2fe8edbd2
SHA256 0bc850c61c87b138a504121aaa78b1f3c81a2a325f6c12599fb18b6e68836feb
SHA512 23a53020f7af31285df5195a93d831e35075d3e372bf19035f94f2283e19f7250419c58f31249ea204caaa706380e3943d76de2f3817bb919889b62e9d2b305a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TQAR3J3W\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-25 17:56

Reported

2024-08-25 17:57

Platform

android-x64-20240624-en

Max time kernel

64s

Max time network

67s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 accounts.google.com udp
GB 173.194.76.84:443 accounts.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
GB 74.125.71.84:443 accounts.google.com tcp
US 1.1.1.1:53 webbntuan.danain.icu udp
US 104.21.10.125:443 webbntuan.danain.icu tcp
US 104.21.10.125:443 webbntuan.danain.icu tcp
US 1.1.1.1:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.200.35:443 update.googleapis.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.234:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

files/dom-0.html

MD5 e6bf8cb7c6a8a603f091545942c6966e
SHA1 ac3e1c48ddd4fe6b6611c673cf2546ecd00ac81c
SHA256 adf4a1718b2db01819925eda27031dcef901fd0fdc9dc4474021c31acf5ec043
SHA512 f6623f848df4421fd601e5f8da9e9706e676e084d44fd62a00f3c0ec9dd5182bfb23df27bbfa99d85ab0edf5eb7ff16a1fe8a11157c01544257d429fb3a9c5e1

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-25 17:56

Reported

2024-08-25 17:57

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

47s

Command Line

[xdg-open https://webbntuan.danain.icu/]

Signatures

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/bus/pci/devices/0000:00:01.1/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/irq /usr/lib/firefox/firefox N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/task/1662/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd /usr/bin/dbus-send N/A
File opened for reading /proc/self/fd /usr/bin/dbus-send N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/self/task/1636/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/task/1649/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A

Processes

/usr/bin/xdg-open

[xdg-open https://webbntuan.danain.icu/]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/dbus-launch

[dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr]

/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/xprop

[xprop -root]

/bin/grep

[grep -q ^Enlightenment]

/bin/uname

[uname]

/bin/grep

[grep -q ^file://]

/bin/egrep

[egrep -q ^[[:alpha:]+\.\-]+:]

/usr/local/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/local/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/bin/sed

[sed -n s/\(^[[:alnum:]+\.-]*\):.*$/\1/p]

/usr/bin/xdg-mime

[xdg-mime query default x-scheme-handler/https]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/dbus-launch

[dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr]

/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/xprop

[xprop -root]

/bin/grep

[grep -q ^Enlightenment]

/bin/uname

[uname]

/bin/sed

[sed s/:/ /g]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]

/bin/sed

[sed s/:/ /g]

/bin/sed

[sed -e s|-|/|]

/bin/sed

[sed -e s|-|/|]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/which

[which firefox]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/firefox

[/usr/bin/firefox https://webbntuan.danain.icu/]

/usr/bin/which

[which /usr/bin/firefox]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox https://webbntuan.danain.icu/]

/bin/grep

[grep -q %s]

/usr/bin/x-www-browser

[x-www-browser https://webbntuan.danain.icu/]

/usr/bin/which

[which /usr/bin/x-www-browser]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox https://webbntuan.danain.icu/]

/bin/grep

[grep -q %s]

/usr/bin/firefox

[firefox https://webbntuan.danain.icu/]

/usr/bin/which

[which /usr/bin/firefox]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox https://webbntuan.danain.icu/]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.62:443 tcp
GB 185.125.188.62:443 tcp
US 151.101.1.91:443 tcp
US 151.101.1.91:443 tcp
GB 195.181.164.14:443 tcp

Files

N/A