Malware Analysis Report

2024-12-01 22:17

Sample ID 230902-je1gpsbd8v
Target TCQLDD.apk
SHA256 2792a30e0b600d0f9320c24c98f5c8f43bc19df1843e6bc15410836cd98cc00c
Tags
gigabud infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2792a30e0b600d0f9320c24c98f5c8f43bc19df1843e6bc15410836cd98cc00c

Threat Level: Known bad

The file TCQLDD.apk was found to be: Known bad.

Malicious Activity Summary

gigabud infostealer rat trojan

Gigabud

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-02 07:35

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-09-02 07:35

Reported

2023-09-02 07:38

Platform

ubuntu1804-amd64-en-20211208

Max time kernel

3s

Max time network

103s

Command Line

[/tmp/l597c37ee_x64.so]

Signatures

N/A

Processes

/tmp/l597c37ee_x64.so

[/tmp/l597c37ee_x64.so]

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-09-02 07:35

Reported

2023-09-02 07:38

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

3s

Max time network

111s

Command Line

[/tmp/l597c37ee_x86.so]

Signatures

N/A

Processes

/tmp/l597c37ee_x86.so

[/tmp/l597c37ee_x86.so]

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-02 07:35

Reported

2023-09-02 07:38

Platform

debian9-armhf-20230831-en

Max time kernel

2s

Max time network

127s

Command Line

[/tmp/l597c37ee_a32.so]

Signatures

N/A

Processes

/tmp/l597c37ee_a32.so

[/tmp/l597c37ee_a32.so]

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-09-02 07:35

Reported

2023-09-02 07:35

Platform

debian9-armhf-en-20211208

Max time kernel

3s

Command Line

[/tmp/l597c37ee_a64.so]

Signatures

N/A

Processes

/tmp/l597c37ee_a64.so

[/tmp/l597c37ee_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-09-02 07:35

Reported

2023-09-02 07:35

Platform

debian9-mipsbe-20230831-en

Max time kernel

2s

Command Line

[/tmp/l597c37ee_a64.so]

Signatures

N/A

Processes

/tmp/l597c37ee_a64.so

[/tmp/l597c37ee_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-09-02 07:35

Reported

2023-09-02 07:35

Platform

debian9-mipsel-20230831-en

Max time kernel

2s

Command Line

[/tmp/l597c37ee_a64.so]

Signatures

N/A

Processes

/tmp/l597c37ee_a64.so

[/tmp/l597c37ee_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-02 07:35

Reported

2023-09-02 07:38

Platform

android-x86-arm-20230831-en

Max time kernel

1423042s

Max time network

82s

Command Line

cmbhql.nlrjyowx.wmx

Signatures

Gigabud

rat trojan infostealer gigabud

Processes

cmbhql.nlrjyowx.wmx

Network

Country Destination Domain Proto
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.138:443 infinitedata-pa.googleapis.com tcp
NL 142.251.39.106:443 infinitedata-pa.googleapis.com tcp
NL 142.250.179.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp

Files

/data/data/cmbhql.nlrjyowx.wmx/files/.ss/l597c37ee.so

MD5 f897fbecac65e56f0bdb42fb1810a7ba
SHA1 44066af9921dc64d983321aed5e2307ede1ed6ea
SHA256 e7b05b84d749695309924cee2afa19eb2ff4689d49e0537b69719e297b15c930
SHA512 b0a56524ca38e098b3800c933eb1182f00de4edef23cfd80f991e31057d8056c3eb52d608b03f8576867c7a534bf6c2909e51fb053f536f8af517ff19fbdff7e

Analysis: behavioral3

Detonation Overview

Submitted

2023-09-02 07:35

Reported

2023-09-02 07:35

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

3s

Command Line

[/tmp/l597c37ee_a64.so]

Signatures

N/A

Processes

/tmp/l597c37ee_a64.so

[/tmp/l597c37ee_a64.so]

Network

N/A

Files

N/A