Malware Analysis Report

2024-12-01 03:20

Sample ID 230901-lppt3adh7t
Target radare-fail-2.apk
SHA256 353831c9633cbe9efb3d61181ac58cd032949ec56dbc0963b8b786d57f5ea5a4
Tags
gigabud infostealer rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

353831c9633cbe9efb3d61181ac58cd032949ec56dbc0963b8b786d57f5ea5a4

Threat Level: Known bad

The file radare-fail-2.apk was found to be: Known bad.

Malicious Activity Summary

gigabud infostealer rat trojan

Gigabud family

Gigabud payload

Gigabud

Requests dangerous framework permissions

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-01 09:42

Signatures

Gigabud family

gigabud

Gigabud payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:43

Platform

debian9-mipsbe-20230831-en

Max time kernel

3s

Command Line

[/tmp/l77b500f4_a64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a64.so

[/tmp/l77b500f4_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:45

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

3s

Max time network

143s

Command Line

[/tmp/l77b500f4_x64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_x64.so

[/tmp/l77b500f4_x64.so]

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:45

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

3s

Max time network

144s

Command Line

[/tmp/l77b500f4_x86.so]

Signatures

N/A

Processes

/tmp/l77b500f4_x86.so

[/tmp/l77b500f4_x86.so]

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:45

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

151s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:43

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

4s

Command Line

[/tmp/l77b500f4_a64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a64.so

[/tmp/l77b500f4_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:43

Platform

debian9-armhf-20230831-en

Max time kernel

3s

Command Line

[/tmp/l77b500f4_a64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a64.so

[/tmp/l77b500f4_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:45

Platform

debian9-armhf-20230831-en

Max time kernel

3s

Max time network

126s

Command Line

[/tmp/l77b500f4_a32.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a32.so

[/tmp/l77b500f4_a32.so]

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:43

Platform

debian9-mipsel-20230831-en

Max time kernel

3s

Command Line

[/tmp/l77b500f4_a64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a64.so

[/tmp/l77b500f4_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:45

Platform

android-x86-arm-20230831-en

Max time kernel

1344271s

Max time network

130s

Command Line

com.mmt.myao

Signatures

Gigabud

rat trojan infostealer gigabud

Processes

com.mmt.myao

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
NL | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp
NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp
NL | 142.250.179.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.39.110:443 | android.apis.google.com | tcp

Files

/data/data/com.mmt.myao/files/.ss/l77b500f4.so

MD5 4fb6dae0ff1d065bc12586afad5203c2
SHA1 f367dd347b6683e9cadc6f9177d6376f8a2a5bde
SHA256 a731b1ddf5a9b3b6852ae787340383ca0f304b6628baab0d97395b5c0a9b3558
SHA512 1e377f785398a73eb1bd9543e3225f51c4e3bffbeb9785e8c9db615dd890db4fb6fdbdfaef1d74ccaef74ca2fd9767d5ffea3d7f8eaa5962f2191c3d6c898d8e

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-01 09:42

Reported

2023-09-01 09:45

Platform

win7-20230831-en

Max time kernel

150s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.apk\ = "apk_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\.apk | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000_CLASSES\apk_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a268d3622ff2c6dd16772696523b5f68
SHA1 5d70e6b2565c468e5ed1ac9ea7f1bc5bde8f7105
SHA256 6769d8cc80f28ecd1c275d253a44200f7f654953df19241d68f93bbef09e7d4c
SHA512 5e0615816d7015cf72b59bd9f42d18bdf4a32fba05c6ac73ecaeba46a283597dc81e621ca390359a0906f148238287c5d63422c1da905c823ad1085e8ca801a5