Malware Analysis Report

2024-12-01 22:18

Sample ID 230727-sd4x6sgb91
Target TG8024_xjh.apk
SHA256 e71d005aaf3a71519a192bed82fda07a6f3f0e7d06c209f877ce7cfd07cbc31c
Tags
gigabud infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e71d005aaf3a71519a192bed82fda07a6f3f0e7d06c209f877ce7cfd07cbc31c

Threat Level: Known bad

The file TG8024_xjh.apk was found to be: Known bad.

Malicious Activity Summary

gigabud infostealer rat trojan

Gigabud

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-07-27 15:01

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-27 15:01

Reported

2023-07-27 15:02

Platform

android-x86-arm-20230621-en

Max time kernel

2547980s

Max time network

10s

Command Line

org.telegram.messenger

Signatures

Gigabud

rat trojan infostealer gigabud

Processes

org.telegram.messenger

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.39.110:443 android.apis.google.com tcp
NL 142.251.39.110:443 android.apis.google.com tcp
NL 142.251.39.110:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp

Files

/data/user/0/org.telegram.messenger/files/.ss/l77952c79.so

MD5 70bf8ff5e3f15b4e57a8a453f69b4347
SHA1 ff808df0f697ad51ba8ce88aabb7bec653967b3f
SHA256 b76d3e228da1f4e829f1cff3ff67a5c1172e05a50e5e003f2b3a6f19683e7b7c
SHA512 be15508ed524de82c6d0574d76500623bbdcf81385578503441fa7c013c7311b65432ad573fd7618ec069a2f0e9ce248f738df4a2744575202796e80fdb6d418