Analysis Overview
SHA256
353831c9633cbe9efb3d61181ac58cd032949ec56dbc0963b8b786d57f5ea5a4
Threat Level: Known bad
The file radare-fail-2.apk was found to be: Known bad.
Malicious Activity Summary
Gigabud family
Gigabud payload
Gigabud
Requests dangerous framework permissions
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Note: only the Gigabud signatures and the dangerous-permission request are raised by the sample itself (static analysis static1 and the Android detonation behavioral1). The remaining entries come from the Windows detonations (behavioral2, behavioral3), where cmd.exe hands the unknown .apk extension to OpenWith.exe or to rundll32.exe shell32.dll,OpenAs_RunDLL and, on Windows 7, to AcroRd32.exe; they describe the file-association dialog and the reader it launched, not code in the APK. The Linux detonations (behavioral4 to behavioral10) ran the per-architecture .so payloads and raised no signatures.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-01 09:42
Signatures
Gigabud family
Gigabud payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
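The permission table above is what a first-pass triage script should turn into a verdict: which requests are at Android's "dangerous" protection level, and which combinations (SMS read+receive for OTP theft, camera+microphone, phone state+location) matter for a banking-trojan workup. The following is an added example, not part of the Triage report or of the sample. It parses the text that `aapt dump permissions <apk>` prints; the input below is constructed from the static1 table (with one normal-level permission, INTERNET, added so the classifier has something to leave out) and is not captured tool output. The combination heuristics are my own assumptions, not Triage's rules.

```python
"""Classify the permissions an APK requests and flag the combinations a
banking-trojan workup cares about.

Added example, not part of the Triage report or of the sample. Input is
the text form that `aapt dump permissions <apk>` prints. The sample below
is constructed from the static1 table in the report (plus INTERNET) and is
not captured tool output.
"""
import re

# Constructed input in aapt's output format; package name from behavioral1.
SAMPLE_AAPT_OUTPUT = """\
package: com.mmt.myao
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.INTERNET'
"""

# Subset of the permissions Android documents at protection level "dangerous".
DANGEROUS = frozenset(
    "android.permission." + p
    for p in (
        "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "CAMERA",
        "RECORD_AUDIO", "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "RECEIVE_MMS",
        "READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG",
        "READ_CONTACTS", "WRITE_CONTACTS", "GET_ACCOUNTS",
        "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
        "READ_CALENDAR", "WRITE_CALENDAR", "BODY_SENSORS",
    )
)

# Assumed heuristics (mine, not Triage's): permission groups that together
# enable the behaviours a banking trojan needs.
COMBOS = {
    "sms_interception": {"RECEIVE_SMS", "READ_SMS"},            # OTP theft
    "sms_sending": {"SEND_SMS"},                                 # propagation / premium SMS
    "audio_video_capture": {"CAMERA", "RECORD_AUDIO"},           # victim surveillance
    "device_and_location_profiling": {"READ_PHONE_STATE", "ACCESS_FINE_LOCATION"},
}

PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?: name='([^']+)'", re.M)


def parse_permissions(aapt_text):
    """Return the requested permission names, in manifest order, deduplicated."""
    return list(dict.fromkeys(PERM_RE.findall(aapt_text)))


def classify(perms):
    """Split permissions into dangerous/other and name the combos present."""
    dangerous = [p for p in perms if p in DANGEROUS]
    other = [p for p in perms if p not in DANGEROUS]
    short = {p.rsplit(".", 1)[-1] for p in perms if p.startswith("android.permission.")}
    flags = [name for name, needed in COMBOS.items() if needed <= short]
    return {"dangerous": dangerous, "other": other, "flags": flags}


if __name__ == "__main__":
    report = classify(parse_permissions(SAMPLE_AAPT_OUTPUT))
    print("dangerous (%d):" % len(report["dangerous"]))
    for p in report["dangerous"]:
        print("  ", p)
    print("other:", ", ".join(report["other"]))
    print("flags:", ", ".join(report["flags"]) or "none")
```

Run it against real output with `aapt dump permissions sample.apk | python3 classify.py` after swapping the constant for `sys.stdin.read()`; the flag names are the signal worth carrying into a ticket, the raw permission list is not.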
Analysis: behavioral7
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:43
Platform
debian9-mipsbe-20230831-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l77b500f4_a64.so
[/tmp/l77b500f4_a64.so]
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:45
Platform
ubuntu1804-amd64-20230831-en
Max time kernel
3s
Max time network
143s
Command Line
Signatures
Processes
/tmp/l77b500f4_x64.so
[/tmp/l77b500f4_x64.so]
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:45
Platform
ubuntu1804-amd64-20230831-en
Max time kernel
3s
Max time network
144s
Command Line
Signatures
Processes
/tmp/l77b500f4_x86.so
[/tmp/l77b500f4_x86.so]
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:45
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:43
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
4s
Command Line
Signatures
Processes
/tmp/l77b500f4_a64.so
[/tmp/l77b500f4_a64.so]
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:43
Platform
debian9-armhf-20230831-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l77b500f4_a64.so
[/tmp/l77b500f4_a64.so]
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:45
Platform
debian9-armhf-20230831-en
Max time kernel
3s
Max time network
126s
Command Line
Signatures
Processes
/tmp/l77b500f4_a32.so
[/tmp/l77b500f4_a32.so]
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:43
Platform
debian9-mipsel-20230831-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l77b500f4_a64.so
[/tmp/l77b500f4_a64.so]
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:45
Platform
android-x86-arm-20230831-en
Max time kernel
1344271s
Max time network
130s
Command Line
Signatures
Gigabud
Processes
com.mmt.myao
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.250.179.206:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.39.110:443 | android.apis.google.com | tcp |
Files
/data/data/com.mmt.myao/files/.ss/l77b500f4.so
| Algorithm | Digest |
|---|---|
| MD5 | 4fb6dae0ff1d065bc12586afad5203c2 |
| SHA1 | f367dd347b6683e9cadc6f9177d6376f8a2a5bde |
| SHA256 | a731b1ddf5a9b3b6852ae787340383ca0f304b6628baab0d97395b5c0a9b3558 |
| SHA512 | 1e377f785398a73eb1bd9543e3225f51c4e3bffbeb9785e8c9db615dd890db4fb6fdbdfaef1d74ccaef74ca2fd9767d5ffea3d7f8eaa5962f2191c3d6c898d8e |
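The Android run dropped a native library under the app's private files directory, and the Linux detonations above ran that payload once per architecture (l77b500f4_a64, _x64, _x86, _a32). When working such a sample by hand, the first question is which ELF objects the APK packs, for which CPU, and whether any of them already matches a known digest. The following is an added example, not part of the Triage report or of the sample: it walks an APK zip, identifies ELF entries by magic rather than by path or extension, reads the architecture from the ELF header, and compares SHA-256 digests against a known-bad set seeded with the hash from the Files table above. The APK it scans is constructed in memory from stub ELF headers; a payload that only appears at runtime (written under /data/data/<pkg>/files, as here) is outside what a static zip walk can see, so this is a first pass, not a substitute for the detonation.

```python
"""Enumerate every ELF object packed inside an APK, report the architecture
each one targets, and match SHA-256 digests against a known-bad list.

Added example, not part of the Triage report or of the sample. The APK is
constructed in memory: a zip holding stub ELF headers, one per ABI, standing
in for the per-architecture payloads the sandbox ran on its Linux images.
Real APKs carry full libraries; a payload written at runtime under
/data/data/<pkg>/files may not exist in the zip at all.
"""
import hashlib
import io
import struct
import zipfile

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification, mapped to short arch names.
E_MACHINE = {0x03: "x86", 0x28: "arm", 0x3E: "x86_64", 0xB7: "arm64", 0x08: "mips"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def elf_arch(data):
    """Return (arch_name, bits) for an ELF blob, or None if it is not ELF.

    Only e_ident and e_machine are read, so a truncated header is enough to
    classify; nothing is loaded or executed.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"          # ELFDATA2LSB vs ELFDATA2MSB
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    name = E_MACHINE.get(e_machine, "unknown(0x%x)" % e_machine)
    return name, {1: 32, 2: 64}.get(ei_class, 0)


def scan_apk(apk_bytes, known_bad):
    """Describe every ELF entry in the zip, wherever it sits.

    The path is not trusted: a payload can live under assets/ or res/raw/
    with any extension, so detection keys on the magic bytes, not on lib/*.so.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            arch = elf_arch(data)
            if arch is None:
                continue
            digest = sha256_hex(data)
            findings.append({
                "path": info.filename,
                "arch": arch[0],
                "bits": arch[1],
                "sha256": digest,
                "known_bad": digest in known_bad,
            })
    return findings


def stub_elf(ei_class, ei_data, e_machine):
    """Constructed 20-byte ELF header: magic, class, data encoding, version,
    then e_type=ET_EXEC and e_machine. Enough for elf_arch(), not loadable."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    endian = "<" if ei_data == 1 else ">"
    return ident + struct.pack(endian + "HH", 2, e_machine)


def build_sample_apk():
    """Constructed APK-shaped zip with one stub per ABI plus a hidden one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder>")
        zf.writestr("lib/arm64-v8a/libpayload.so", stub_elf(2, 1, 0xB7))
        zf.writestr("lib/armeabi-v7a/libpayload.so", stub_elf(1, 1, 0x28))
        zf.writestr("lib/x86_64/libpayload.so", stub_elf(2, 1, 0x3E))
        # An x86 ELF parked under assets/ with a non-.so name.
        zf.writestr("assets/fonts/roboto.dat", stub_elf(1, 1, 0x03))
        zf.writestr("assets/readme.txt", b"not an ELF")
    return buf.getvalue()


# SHA-256 of the library Triage saw dropped at
# /data/data/com.mmt.myao/files/.ss/l77b500f4.so (from the report's Files table).
KNOWN_BAD = {"a731b1ddf5a9b3b6852ae787340383ca0f304b6628baab0d97395b5c0a9b3558"}


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk(), KNOWN_BAD):
        print("%-32s %-7s %2d-bit %s%s" % (
            f["path"], f["arch"], f["bits"], f["sha256"],
            "  <-- KNOWN BAD" if f["known_bad"] else ""))
```

On a real sample replace `build_sample_apk()` with `open("sample.apk", "rb").read()`; the stubs exist only so the block runs offline. Any entry that is ELF but not under lib/<abi>/ deserves a look regardless of its hash.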
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-01 09:42
Reported
2023-09-01 09:45
Platform
win7-20230831-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.apk\ = "apk_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.apk | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2848 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2848 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2848 wrote to memory of 2724 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2724 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2724 wrote to memory of 3028 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| Algorithm | Digest |
|---|---|
| MD5 | a268d3622ff2c6dd16772696523b5f68 |
| SHA1 | 5d70e6b2565c468e5ed1ac9ea7f1bc5bde8f7105 |
| SHA256 | 6769d8cc80f28ecd1c275d253a44200f7f654953df19241d68f93bbef09e7d4c |
| SHA512 | 5e0615816d7015cf72b59bd9f42d18bdf4a32fba05c6ac73ecaeba46a283597dc81e621ca390359a0906f148238287c5d63422c1da905c823ad1085e8ca801a5 |