Analysis Overview
SHA256
353831c9633cbe9efb3d61181ac58cd032949ec56dbc0963b8b786d57f5ea5a4
Threat Level: Known bad
The file radarefail2_JC.apk was found to be: Known bad.
Malicious Activity Summary
Gigabud payload
Gigabud
Gigabud family
Requests dangerous framework permissions
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-01 16:55
Signatures
Gigabud family
Gigabud payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:55
Platform
debian9-mipsel-en-20211208
Max time kernel
7s
Command Line
Signatures
Processes
/tmp/l77b500f4_a64.so
[/tmp/l77b500f4_a64.so]
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:58
Platform
ubuntu1804-amd64-20230831-en
Max time kernel
3s
Max time network
135s
Command Line
Signatures
Processes
/tmp/l77b500f4_x86.so
[/tmp/l77b500f4_x86.so]
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:58
Platform
android-x86-arm-20230831-en
Max time kernel
1370227s
Max time network
156s
Command Line
Signatures
Gigabud
Processes
com.mmt.myao
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 172.217.168.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.39.110:443 | android.apis.google.com | tcp |
Files
/data/data/com.mmt.myao/files/.ss/l77b500f4.so
| Hash | Value |
|---|---|
| MD5 | 4fb6dae0ff1d065bc12586afad5203c2 |
| SHA1 | f367dd347b6683e9cadc6f9177d6376f8a2a5bde |
| SHA256 | a731b1ddf5a9b3b6852ae787340383ca0f304b6628baab0d97395b5c0a9b3558 |
| SHA512 | 1e377f785398a73eb1bd9543e3225f51c4e3bffbeb9785e8c9db615dd890db4fb6fdbdfaef1d74ccaef74ca2fd9767d5ffea3d7f8eaa5962f2191c3d6c898d8e |
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:58
Platform
win10v2004-20230831-en
Max time kernel
140s
Max time network
153s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:55
Platform
ubuntu1804-amd64-20230831-en
Max time kernel
4s
Command Line
Signatures
Processes
/tmp/l77b500f4_a64.so
[/tmp/l77b500f4_a64.so]
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:55
Platform
debian9-armhf-20230831-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l77b500f4_a64.so
[/tmp/l77b500f4_a64.so]
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:56
Platform
debian9-mipsbe-20230831-en
Max time kernel
28s
Command Line
Signatures
Processes
/tmp/l77b500f4_a64.so
[/tmp/l77b500f4_a64.so]
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:58
Platform
win7-20230831-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.apk | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.apk\ = "apk_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2248 wrote to memory of 2316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2248 wrote to memory of 2316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2248 wrote to memory of 2316 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2316 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2316 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2316 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2316 wrote to memory of 2760 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| Hash | Value |
|---|---|
| MD5 | a3d8c3276e0f5bd08c7a5f522a6c0180 |
| SHA1 | 1c2601dea8647d0ee0b4b4e4b8cb06f9cafc2c30 |
| SHA256 | c045c1de5529e5351b3b9bdb5f5e672a01a640e959b38c9aa6315e2d68fbb383 |
| SHA512 | 6f7576a1f3e65b5d6a5cda9f35bdb689feb0778998a9255b51996bbff1ab7a013d9c811c08bceb6c92489258ff83498afe833200d2c5a3307efbb978646abe92 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:58
Platform
debian9-armhf-en-20211208
Max time kernel
5s
Max time network
156s
Command Line
Signatures
Processes
/tmp/l77b500f4_a32.so
[/tmp/l77b500f4_a32.so]
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-09-01 16:55
Reported
2023-09-01 16:58
Platform
ubuntu1804-amd64-20230831-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l77b500f4_x64.so
[/tmp/l77b500f4_x64.so]