Analysis Overview
SHA256
e71d005aaf3a71519a192bed82fda07a6f3f0e7d06c209f877ce7cfd07cbc31c
Threat Level: Known bad
The file TG8024_xjh.apk was found to be: Known bad.
Malicious Activity Summary
Gigabud
Requests dangerous framework permissions
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-07-28 04:14
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-28 04:14
Reported
2023-07-28 04:17
Platform
android-x64-20230621-en
Max time network
9s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | g.tenor.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-28 04:14
Reported
2023-07-28 04:17
Platform
android-x64-arm64-20230621-en
Max time kernel
2595691s
Max time network
15s
Command Line
Signatures
Gigabud
Processes
org.telegram.messenger
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| DE | 172.217.23.206:443 | android.apis.google.com | tcp |
| DE | 172.217.23.206:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp |
Files
/data/user/0/org.telegram.messenger/files/.ss/l77952c79.so
| MD5 | da0cdfe8b1a87972d9c7af3788bb58f2 |
| SHA1 | ecea10133f4eccf64015fc7885476a5d17986405 |
| SHA256 | a97336f08246300f65f8a0c82c24a9bd28985539444e4a1d73d314c8b2956f3f |
| SHA512 | 2b144f4c46a2781206c659910837e68c1ef33a356e0d7149e790a0ebee1d6445fd1aa9d3cdb41972860e08aab4fbd7df5a243a45c2845a3d9b7a96cc9f082275 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-07-28 04:14
Reported
2023-07-28 04:17
Platform
android-x86-arm-20230621-en
Max time kernel
2595692s
Max time network
10s
Command Line
Signatures
Gigabud
Processes
org.telegram.messenger
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
Files
/data/user/0/org.telegram.messenger/files/.ss/l77952c79.so
| MD5 | 70bf8ff5e3f15b4e57a8a453f69b4347 |
| SHA1 | ff808df0f697ad51ba8ce88aabb7bec653967b3f |
| SHA256 | b76d3e228da1f4e829f1cff3ff67a5c1172e05a50e5e003f2b3a6f19683e7b7c |
| SHA512 | be15508ed524de82c6d0574d76500623bbdcf81385578503441fa7c013c7311b65432ad573fd7618ec069a2f0e9ce248f738df4a2744575202796e80fdb6d418 |