Malware Analysis Report

2024-10-19 12:55

Sample ID 220615-mj79wsgdd2
Target 5bb714a7ae9542e717211bc4f865c9015e14e2909a426706656ec118131f9b95
SHA256 5bb714a7ae9542e717211bc4f865c9015e14e2909a426706656ec118131f9b95
Tags
banker ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

5bb714a7ae9542e717211bc4f865c9015e14e2909a426706656ec118131f9b95

Threat Level: Likely malicious

The file 5bb714a7ae9542e717211bc4f865c9015e14e2909a426706656ec118131f9b95 was found to be: Likely malicious.

Malicious Activity Summary

banker ransomware

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-15 10:30

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-15 10:30

Reported

2022-06-15 10:34

Platform

android-x86-arm-20220310-en

Max time kernel

1726827s

Max time network

148s

Command Line

com.seeturn9

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.seeturn9

Network

Country Destination Domain Proto
NL 142.251.36.42:80 play.googleapis.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 173.194.202.188:5228 tcp
US 173.194.202.188:5228 tcp
US 1.1.1.1:53 alt8-mtalk.google.com udp
US 142.250.115.188:5228 alt8-mtalk.google.com tcp
US 1.1.1.1:53 alt8-mtalk.google.com udp
US 142.250.115.188:5228 alt8-mtalk.google.com tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-15 10:30

Reported

2022-06-15 10:34

Platform

android-x64-20220310-en

Max time kernel

1726831s

Max time network

158s

Command Line

com.seeturn9

Signatures

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.seeturn9

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-06-15 10:30

Reported

2022-06-15 10:31

Platform

android-x64-arm64-20220310-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A