Malware Analysis Report

2024-12-01 03:22

Sample ID 230901-vfb2aagb3z
Target radarefail2_JC.apk
SHA256 353831c9633cbe9efb3d61181ac58cd032949ec56dbc0963b8b786d57f5ea5a4
Tags gigabud infostealer rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral8, behavioral10, behavioral1, behavioral3, behavioral5, behavioral6, behavioral7, behavioral2, behavioral4, behavioral9 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

353831c9633cbe9efb3d61181ac58cd032949ec56dbc0963b8b786d57f5ea5a4

Threat Level: Known bad

The file radarefail2_JC.apk was found to be: Known bad.

Malicious Activity Summary

gigabud infostealer rat trojan

Gigabud payload

Gigabud

Gigabud family

Requests dangerous framework permissions

The verdict rests on the Android detonation (behavioral1, package com.mmt.myao) and on the static scan, which identify the Gigabud family and the dangerous permission set. The signatures below are Windows-platform signatures raised only in the two Windows detonations (behavioral2 and behavioral3), where the sandbox handed the .apk to cmd.exe, OpenWith.exe, rundll32 OpenAs_RunDLL and Adobe Reader because Windows has no handler for the extension; they describe that file-association handling, not execution of the sample:

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Enterprise Matrix V15

No ATT&CK technique mappings are listed for this sample in the report.

Analysis: static1

Detonation Overview

Reported

2023-09-01 16:55

Signatures

Gigabud family

gigabud

Gigabud payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
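The permission table above is what an analyst would reproduce from `aapt dump badging` on the APK. The script below is an added example (not code from the sandbox or from the sample) that parses those uses-permission lines, buckets them into the capabilities a banking-RAT triage cares about, and spells out what the combination allows. The badging text is constructed to mirror the permission set and package name in this report; the version fields and the benign control sample are placeholders.

```python
"""Permission triage from `aapt dump badging` output (added example)."""
import re

# Capability buckets; the permission names are the ones listed in the report.
CAPABILITIES = {
    "sms_read": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "av_capture": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "device_identity": {"android.permission.READ_PHONE_STATE"},
}

# aapt prints one line per requested permission: uses-permission: name='...'
USES_PERMISSION_RE = re.compile(r"^uses-permission: name='([^']+)'", re.MULTILINE)
PACKAGE_RE = re.compile(r"^package: name='([^']+)'", re.MULTILINE)

# Constructed badging output for the sample in this report: package name and
# permissions come from the report, versionCode/versionName/sdkVersion are placeholders.
SAMPLE_BADGING = """\
package: name='com.mmt.myao' versionCode='1' versionName='1.0'
sdkVersion:'21'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
"""

# Constructed control sample: a benign app that only needs network access.
BENIGN_BADGING = """\
package: name='com.example.control' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
"""


def parse_badging(text):
    """Return (package name or None, set of requested permission names)."""
    m = PACKAGE_RE.search(text)
    return (m.group(1) if m else None), set(USES_PERMISSION_RE.findall(text))


def triage(permissions):
    """Map permissions to capability buckets and derive findings.

    Returns the buckets hit (with the matching permissions), human-readable
    findings, and a score equal to the number of buckets hit.
    """
    hits = {cap: sorted(permissions & names)
            for cap, names in CAPABILITIES.items() if permissions & names}
    findings = []
    if "sms_read" in hits:
        findings.append("reads and receives SMS: can intercept OTP/2FA codes")
    if "sms_read" in hits and "sms_send" in hits:
        findings.append("full SMS control: can forward messages or send on the victim's behalf")
    if "av_capture" in hits:
        findings.append("camera and/or microphone capture")
    if "location" in hits:
        findings.append("precise location tracking")
    if "device_identity" in hits:
        findings.append("reads phone state (network info, call status, phone accounts)")
    if "storage" in hits:
        findings.append("reads and writes shared external storage")
    return {"capabilities": hits, "findings": findings, "score": len(hits)}


if __name__ == "__main__":
    for text in (SAMPLE_BADGING, BENIGN_BADGING):
        pkg, perms = parse_badging(text)
        result = triage(perms)
        print(pkg, "score", result["score"])
        for finding in result["findings"]:
            print("  -", finding)
```

The score is deliberately a count of capability buckets rather than a weighted sum: the point of the triage is that SMS read plus SMS send plus audio/video plus location in one app is the profile of a remote-access banking trojan, and that combination is what should route the APK to deeper analysis.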

Analysis: behavioral8

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:55

Platform

debian9-mipsel-en-20211208

Max time kernel

7s

Command Line

[/tmp/l77b500f4_a64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a64.so

[/tmp/l77b500f4_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:58

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

3s

Max time network

135s

Command Line

[/tmp/l77b500f4_x86.so]

Signatures

N/A

Processes

/tmp/l77b500f4_x86.so

[/tmp/l77b500f4_x86.so]

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:58

Platform

android-x86-arm-20230831-en

Max time kernel

1370227s

Max time network

156s

Command Line

com.mmt.myao

Signatures

Gigabud

rat trojan infostealer gigabud

Processes

com.mmt.myao

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
NL | 142.251.36.10:443 | infinitedata-pa.googleapis.com | tcp
NL | 172.217.168.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.39.110:443 | android.apis.google.com | tcp

Only Google API endpoints, their DNS lookups via 1.1.1.1 and local mDNS (224.0.0.251:5353) were seen in the 156 s network window; no C2 server was contacted during this run.

Files

/data/data/com.mmt.myao/files/.ss/l77b500f4.so

MD5 4fb6dae0ff1d065bc12586afad5203c2
SHA1 f367dd347b6683e9cadc6f9177d6376f8a2a5bde
SHA256 a731b1ddf5a9b3b6852ae787340383ca0f304b6628baab0d97395b5c0a9b3558
SHA512 1e377f785398a73eb1bd9543e3225f51c4e3bffbeb9785e8c9db615dd890db4fb6fdbdfaef1d74ccaef74ca2fd9767d5ffea3d7f8eaa5962f2191c3d6c898d8e

This native library is written to a hidden directory (.ss) inside the app's private data. The l77b500f4_a32.so, _a64.so, _x86.so and _x64.so samples detonated on the Linux platforms (behavioral4 to behavioral10) carry this name with an ABI suffix; a shared object has no stand-alone entry point, so the empty signature, network and file lists in those runs only show that executing it directly does nothing, not that the library is benign when loaded by the app.
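The two file hashes and the on-disk layout above are the indicators an analyst would sweep a device image or extracted data partition for. The script below is an added example (not the sandbox's or the sample's code): it hashes every file under a root directory and matches SHA256 values against the report's two file hashes, and separately flags files under the private data of package com.mmt.myao and any native library sitting in a hidden directory (the report shows .ss; any dot-directory is flagged here, which goes slightly beyond the single path on the page). The directory tree built by build_sample_tree() is constructed for the demo and does not contain the real files, so only the path indicators fire on it.

```python
"""Offline IOC sweep for the indicators in this report (added example)."""
import hashlib
import os
import tempfile

# SHA256 indicators taken from the report.
REPORT_SHA256 = {
    "353831c9633cbe9efb3d61181ac58cd032949ec56dbc0963b8b786d57f5ea5a4": "radarefail2_JC.apk",
    "a731b1ddf5a9b3b6852ae787340383ca0f304b6628baab0d97395b5c0a9b3558": "dropped native library l77b500f4.so",
}
PACKAGE = "com.mmt.myao"


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA256 so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, sha256_iocs=REPORT_SHA256):
    """Walk root and return [(relative path, sha256, [reasons])] for every hit."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        parts = os.path.relpath(dirpath, root).split(os.sep)
        in_package = PACKAGE in parts
        # "." is the root itself, not a hidden directory
        in_hidden_dir = any(p.startswith(".") and p != "." for p in parts)
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = sha256_of(full)
            reasons = []
            if digest in sha256_iocs:
                reasons.append("sha256 matches " + sha256_iocs[digest])
            if in_package:
                reasons.append("inside private data of " + PACKAGE)
            if in_hidden_dir and name.endswith(".so"):
                reasons.append("native library in a hidden directory")
            if reasons:
                hits.append((os.path.relpath(full, root), digest, reasons))
    return hits


def build_sample_tree():
    """Constructed image for the demo; returns (root, {relative path: full path})."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-demo-")
    layout = {  # placeholder contents, not the real files
        "data/data/com.mmt.myao/files/.ss/l77b500f4.so": b"\x7fELF placeholder, not the real library",
        "data/data/com.mmt.myao/shared_prefs/prefs.xml": b"<map/>",
        "data/data/com.example.other/files/cache.bin": b"unrelated app data",
    }
    created = {}
    for rel, content in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        created[rel] = full
    return root, created


if __name__ == "__main__":
    demo_root, _ = build_sample_tree()
    for rel, digest, reasons in sweep(demo_root):
        print(f"{rel}\n    {digest}\n    " + "; ".join(reasons))
```

Path-based indicators are kept separate from hash matches on purpose: the dropped library is rebuilt per ABI and may be repacked between campaigns, so the hash will miss a fresh build while the package name and the hidden-directory drop location still catch it.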

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:58

Platform

win10v2004-20230831-en

Max time kernel

140s

Max time network

153s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2474409663-2236862430-1045297337-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp

All entries are reverse-DNS (PTR) lookups sent to 8.8.8.8; no outbound connection attributable to the sample was recorded.

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:55

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

4s

Command Line

[/tmp/l77b500f4_a64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a64.so

[/tmp/l77b500f4_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:55

Platform

debian9-armhf-20230831-en

Max time kernel

3s

Command Line

[/tmp/l77b500f4_a64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a64.so

[/tmp/l77b500f4_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:56

Platform

debian9-mipsbe-20230831-en

Max time kernel

28s

Command Line

[/tmp/l77b500f4_a64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a64.so

[/tmp/l77b500f4_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:58

Platform

win7-20230831-en

Max time kernel

150s

Max time network

126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.apk | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\.apk\ = "apk_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000_CLASSES\apk_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A

These keys are the per-user .apk file association that the "Open with" dialog (rundll32 OpenAs_RunDLL) wrote when the sandbox picked Adobe Reader as the handler; the sample itself did not execute.

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\MOC-Add-On.apk"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 a3d8c3276e0f5bd08c7a5f522a6c0180
SHA1 1c2601dea8647d0ee0b4b4e4b8cb06f9cafc2c30
SHA256 c045c1de5529e5351b3b9bdb5f5e672a01a640e959b38c9aa6315e2d68fbb383
SHA512 6f7576a1f3e65b5d6a5cda9f35bdb689feb0778998a9255b51996bbff1ab7a013d9c811c08bceb6c92489258ff83498afe833200d2c5a3307efbb978646abe92

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:58

Platform

debian9-armhf-en-20211208

Max time kernel

5s

Max time network

156s

Command Line

[/tmp/l77b500f4_a32.so]

Signatures

N/A

Processes

/tmp/l77b500f4_a32.so

[/tmp/l77b500f4_a32.so]

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-09-01 16:55

Reported

2023-09-01 16:58

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

3s

Command Line

[/tmp/l77b500f4_x64.so]

Signatures

N/A

Processes

/tmp/l77b500f4_x64.so

[/tmp/l77b500f4_x64.so]

Network

N/A

Files

N/A