Malware Analysis Report

2024-10-19 12:55

Sample ID 220615-mj4xgagdc8
Target 36e0cfd29afaa0b0d6c7e5da433379112514cbe1b03b2c82d32f2fc14d57086b
SHA256 36e0cfd29afaa0b0d6c7e5da433379112514cbe1b03b2c82d32f2fc14d57086b
Tags
banker ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

36e0cfd29afaa0b0d6c7e5da433379112514cbe1b03b2c82d32f2fc14d57086b

Threat Level: Likely malicious

The file 36e0cfd29afaa0b0d6c7e5da433379112514cbe1b03b2c82d32f2fc14d57086b was found to be: Likely malicious.

Malicious Activity Summary

banker ransomware

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Requests dangerous framework permissions

Acquires the wake lock.

Loads dropped Dex/Jar

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-15 10:30

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-15 10:30

Reported

2022-06-15 10:33

Platform

android-x86-arm-20220310-en

Max time kernel

1726814s

Max time network

151s

Command Line

com.lineanysl

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.lineanysl/cache/syxinxxjzdmhf N/A N/A
N/A /data/user/0/com.lineanysl/cache/syxinxxjzdmhf N/A N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.lineanysl

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 216.58.208.106:443 semanticlocation-pa.googleapis.com tcp
NL 142.251.39.106:80 play.googleapis.com tcp
NL 216.58.208.106:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 alt8-mtalk.google.com udp
US 142.250.115.188:5228 alt8-mtalk.google.com tcp
NL 172.217.168.238:443 tcp
NL 216.58.208.106:443 semanticlocation-pa.googleapis.com tcp
US 173.194.202.188:5228 tcp
US 173.194.202.188:5228 tcp
US 1.1.1.1:53 4-u.wtf udp
US 1.1.1.1:53 fitnessstyle.xyz udp
US 1.1.1.1:53 sportsstyle.club udp
US 1.1.1.1:53 alt4-mtalk.google.com udp
US 142.250.157.188:443 alt4-mtalk.google.com tcp
NL 142.250.179.174:443 udp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 142.250.115.188:5228 alt8-mtalk.google.com tcp
US 1.1.1.1:853 tcp
NL 216.58.214.14:443 tcp

Files

/data/user/0/com.lineanysl/cache/syxinxxjzdmhf

MD5 9af1044411e312db0bca097cba17b972
SHA1 f2de6a855f04a0f5e0999c5b413347adaa1197e2
SHA256 b67a102526766779119a6428b4e4ea6b94f7bb31eaec21cb82f96fb49524f604
SHA512 75615e48dcdaa67a06e294b991e90f94503553cf2f0708e3d2db227afdd1d408e7f902ec71302882abc198d4511965d2dcb1e42822aa69f990e009e8543f5f6d

/data/user/0/com.lineanysl/cache/syxinxxjzdmhf.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.lineanysl/cache/syxinxxjzdmhf

MD5 9af1044411e312db0bca097cba17b972
SHA1 f2de6a855f04a0f5e0999c5b413347adaa1197e2
SHA256 b67a102526766779119a6428b4e4ea6b94f7bb31eaec21cb82f96fb49524f604
SHA512 75615e48dcdaa67a06e294b991e90f94503553cf2f0708e3d2db227afdd1d408e7f902ec71302882abc198d4511965d2dcb1e42822aa69f990e009e8543f5f6d

/data/user/0/com.lineanysl/cache/syxinxxjzdmhf

MD5 9af1044411e312db0bca097cba17b972
SHA1 f2de6a855f04a0f5e0999c5b413347adaa1197e2
SHA256 b67a102526766779119a6428b4e4ea6b94f7bb31eaec21cb82f96fb49524f604
SHA512 75615e48dcdaa67a06e294b991e90f94503553cf2f0708e3d2db227afdd1d408e7f902ec71302882abc198d4511965d2dcb1e42822aa69f990e009e8543f5f6d

/data/user/0/com.lineanysl/cache/oat/syxinxxjzdmhf.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-15 10:30

Reported

2022-06-15 10:34

Platform

android-x64-20220310-en

Max time kernel

1726824s

Max time network

155s

Command Line

com.lineanysl

Signatures

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.lineanysl/cache/syxinxxjzdmhf N/A N/A
N/A /data/user/0/com.lineanysl/cache/syxinxxjzdmhf N/A N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.lineanysl

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

/data/user/0/com.lineanysl/cache/syxinxxjzdmhf

MD5 9af1044411e312db0bca097cba17b972
SHA1 f2de6a855f04a0f5e0999c5b413347adaa1197e2
SHA256 b67a102526766779119a6428b4e4ea6b94f7bb31eaec21cb82f96fb49524f604
SHA512 75615e48dcdaa67a06e294b991e90f94503553cf2f0708e3d2db227afdd1d408e7f902ec71302882abc198d4511965d2dcb1e42822aa69f990e009e8543f5f6d

/data/user/0/com.lineanysl/cache/syxinxxjzdmhf

MD5 9af1044411e312db0bca097cba17b972
SHA1 f2de6a855f04a0f5e0999c5b413347adaa1197e2
SHA256 b67a102526766779119a6428b4e4ea6b94f7bb31eaec21cb82f96fb49524f604
SHA512 75615e48dcdaa67a06e294b991e90f94503553cf2f0708e3d2db227afdd1d408e7f902ec71302882abc198d4511965d2dcb1e42822aa69f990e009e8543f5f6d

/data/user/0/com.lineanysl/cache/syxinxxjzdmhf

MD5 9af1044411e312db0bca097cba17b972
SHA1 f2de6a855f04a0f5e0999c5b413347adaa1197e2
SHA256 b67a102526766779119a6428b4e4ea6b94f7bb31eaec21cb82f96fb49524f604
SHA512 75615e48dcdaa67a06e294b991e90f94503553cf2f0708e3d2db227afdd1d408e7f902ec71302882abc198d4511965d2dcb1e42822aa69f990e009e8543f5f6d

/data/user/0/com.lineanysl/cache/oat/syxinxxjzdmhf.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e