Malware Analysis Report

2024-12-01 22:18

Sample ID 230728-etscescb2t
Target TG8024_xjh.apk
SHA256 e71d005aaf3a71519a192bed82fda07a6f3f0e7d06c209f877ce7cfd07cbc31c
Tags
gigabud infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e71d005aaf3a71519a192bed82fda07a6f3f0e7d06c209f877ce7cfd07cbc31c

Threat Level: Known bad

The file TG8024_xjh.apk was found to be: Known bad.

Malicious Activity Summary

gigabud infostealer rat trojan

Gigabud

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-07-28 04:14

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-28 04:14

Reported

2023-07-28 04:17

Platform

android-x64-20230621-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 g.tenor.com udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-28 04:14

Reported

2023-07-28 04:17

Platform

android-x64-arm64-20230621-en

Max time kernel

2595691s

Max time network

15s

Command Line

org.telegram.messenger

Signatures

Gigabud

rat trojan infostealer gigabud

Processes

org.telegram.messenger

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
DE 172.217.23.206:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 216.58.214.10:443 infinitedata-pa.googleapis.com tcp

Files

/data/user/0/org.telegram.messenger/files/.ss/l77952c79.so

MD5 da0cdfe8b1a87972d9c7af3788bb58f2
SHA1 ecea10133f4eccf64015fc7885476a5d17986405
SHA256 a97336f08246300f65f8a0c82c24a9bd28985539444e4a1d73d314c8b2956f3f
SHA512 2b144f4c46a2781206c659910837e68c1ef33a356e0d7149e790a0ebee1d6445fd1aa9d3cdb41972860e08aab4fbd7df5a243a45c2845a3d9b7a96cc9f082275

Analysis: behavioral3

Detonation Overview

Submitted

2023-07-28 04:14

Reported

2023-07-28 04:17

Platform

android-x86-arm-20230621-en

Max time kernel

2595692s

Max time network

10s

Command Line

org.telegram.messenger

Signatures

Gigabud

rat trojan infostealer gigabud

Processes

org.telegram.messenger

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp

Files

/data/user/0/org.telegram.messenger/files/.ss/l77952c79.so

MD5 70bf8ff5e3f15b4e57a8a453f69b4347
SHA1 ff808df0f697ad51ba8ce88aabb7bec653967b3f
SHA256 b76d3e228da1f4e829f1cff3ff67a5c1172e05a50e5e003f2b3a6f19683e7b7c
SHA512 be15508ed524de82c6d0574d76500623bbdcf81385578503441fa7c013c7311b65432ad573fd7618ec069a2f0e9ce248f738df4a2744575202796e80fdb6d418