Malware Analysis Report

2024-12-01 22:16

Sample ID: 230909-j1n1ssaa81
Target: C6213E451E4A23B7725143EDD1C725AA748FD9EB32E33304B4F87D63C19E0504.apk
SHA256: c6213e451e4a23b7725143edd1c725aa748fd9eb32e33304b4f87d63c19e0504
Tags: gigabud ransomware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral9
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral10
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10
SHA256: c6213e451e4a23b7725143edd1c725aa748fd9eb32e33304b4f87d63c19e0504
Threat Level: Known bad

The file C6213E451E4A23B7725143EDD1C725AA748FD9EB32E33304B4F87D63C19E0504.apk was found to be: Known bad.

Malicious Activity Summary

gigabud ransomware
Gigabud payload
Gigabud family
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data).
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-09-09 08:08

Signatures

Gigabud family (tag: gigabud)

Gigabud payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:08
Platform: debian9-armhf-20230831-en
Max time kernel: 3s

Command Line

[/tmp/l58882ccd_a64.so]

Signatures

N/A

Processes

/tmp/l58882ccd_a64.so
    [/tmp/l58882ccd_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:08
Platform: debian9-mipsbe-20230831-en
Max time kernel: 2s

Command Line

[/tmp/l58882ccd_a64.so]

Signatures

N/A

Processes

/tmp/l58882ccd_a64.so
    [/tmp/l58882ccd_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:08
Platform: debian9-mipsel-20230831-en
Max time kernel: 3s

Command Line

[/tmp/l58882ccd_a64.so]

Signatures

N/A

Processes

/tmp/l58882ccd_a64.so
    [/tmp/l58882ccd_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:11
Platform: ubuntu1804-amd64-20230831-en
Max time kernel: 3s
Max time network: 103s

Command Line

[/tmp/l58882ccd_x64.so]

Signatures

N/A

Processes

/tmp/l58882ccd_x64.so
    [/tmp/l58882ccd_x64.so]

Network

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:11
Platform: ubuntu1804-amd64-20230831-en
Max time kernel: 3s
Max time network: 135s

Command Line

[/tmp/l58882ccd_x86.so]

Signatures

N/A

Processes

/tmp/l58882ccd_x86.so
    [/tmp/l58882ccd_x86.so]

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:11
Platform: win7-20230831-en
Max time kernel: 150s
Max time network: 126s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.dat\ = "dat_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.dat | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
    MD5: 33ffdc8d7f45ea032fe0deedfdbd9a93
    SHA1: b3d1b9df12ddbb9103aedf37fb591f35022b7ec6
    SHA256: 3901c6ad4f6a9d3becde7021a05f3b2f73d08b803ef18b89d2fc38606d3da4a9
    SHA512: 384e045719f5c07deb9fc333509dfe789ceb6bef58eda4bdfbc688925a0d945fe63d59541e3d89c32f752af5d49f5892e772b893e3934c7f5ea1e0c22a3659fa

Analysis: behavioral3

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:11
Platform: win10v2004-20230831-en
Max time kernel: 138s
Max time network: 144s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.121.18.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:11
Platform: android-x86-arm-20230831-en
Max time kernel: 2029800s
Max time network: 157s

Command Line

nrmahn.kwqzdrb.nahh

Signatures

Uses Crypto APIs (Might try to encrypt user data). (tag: ransomware)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

nrmahn.kwqzdrb.nahh

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
NL | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp
NL | 142.251.39.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.251.39.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | app.pzs5k.xyz | udp
SG | 8.219.85.91:8888 | | tcp
NL | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp
SG | 8.219.85.91:8888 | | tcp
SG | 8.219.85.91:8888 | | tcp
SG | 8.219.85.91:8888 | | tcp
SG | 8.219.85.91:8888 | | tcp
SG | 8.219.85.91:8888 | | tcp
SG | 8.219.85.91:8888 | | tcp
SG | 8.219.85.91:8888 | | tcp
SG | 8.219.85.91:8888 | | tcp

Files

/data/data/nrmahn.kwqzdrb.nahh/no_backup/.flurryNoBackup/installationNum
    MD5: 0a756a8dd330bf230319402e3b5b7d1f
    SHA1: 14ae1369076cc5368d57a5f3d2575b6f4e78b212
    SHA256: 66ad5efede560328cde41754a662531e4de2d6e1e98e5976f5b0d7d9b6c73985
    SHA512: f63463a6a48499b95be71fe515e656421cbe4a914768a84eaa662c7d1b6a9878b3628ee309d9115a860a5515c78cfed7c6c35833435ce2b62ff05f07dbb6b179

Analysis: behavioral4

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:11
Platform: debian9-armhf-20230831-en
Max time kernel: 2s
Max time network: 128s

Command Line

[/tmp/l58882ccd_a32.so]

Signatures

N/A

Processes

/tmp/l58882ccd_a32.so
    [/tmp/l58882ccd_a32.so]

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2023-09-09 08:08
Reported: 2023-09-09 08:08
Platform: ubuntu1804-amd64-en-20211208
Max time kernel: 3s

Command Line

[/tmp/l58882ccd_a64.so]

Signatures

N/A

Processes

/tmp/l58882ccd_a64.so
    [/tmp/l58882ccd_a64.so]

Network

N/A

Files

N/A