Analysis Overview
SHA256
c6213e451e4a23b7725143edd1c725aa748fd9eb32e33304b4f87d63c19e0504
Threat Level: Known bad
The file C6213E451E4A23B7725143EDD1C725AA748FD9EB32E33304B4F87D63C19E0504.apk was found to be: Known bad.
Malicious Activity Summary
Gigabud payload
Gigabud family
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data).
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-09 08:08
Signatures
Gigabud family
Gigabud payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:08
Platform
debian9-armhf-20230831-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l58882ccd_a64.so
[/tmp/l58882ccd_a64.so]
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:08
Platform
debian9-mipsbe-20230831-en
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/l58882ccd_a64.so
[/tmp/l58882ccd_a64.so]
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:08
Platform
debian9-mipsel-20230831-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l58882ccd_a64.so
[/tmp/l58882ccd_a64.so]
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:11
Platform
ubuntu1804-amd64-20230831-en
Max time kernel
3s
Max time network
103s
Command Line
Signatures
Processes
/tmp/l58882ccd_x64.so
[/tmp/l58882ccd_x64.so]
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:11
Platform
ubuntu1804-amd64-20230831-en
Max time kernel
3s
Max time network
135s
Command Line
Signatures
Processes
/tmp/l58882ccd_x86.so
[/tmp/l58882ccd_x86.so]
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:11
Platform
win7-20230831-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.dat\ = "dat_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\.dat | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000_CLASSES\dat_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2956 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2956 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2956 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2580 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2580 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2580 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2580 wrote to memory of 2692 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 33ffdc8d7f45ea032fe0deedfdbd9a93 |
| SHA1 | b3d1b9df12ddbb9103aedf37fb591f35022b7ec6 |
| SHA256 | 3901c6ad4f6a9d3becde7021a05f3b2f73d08b803ef18b89d2fc38606d3da4a9 |
| SHA512 | 384e045719f5c07deb9fc333509dfe789ceb6bef58eda4bdfbc688925a0d945fe63d59541e3d89c32f752af5d49f5892e772b893e3934c7f5ea1e0c22a3659fa |
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:11
Platform
win10v2004-20230831-en
Max time kernel
138s
Max time network
144s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2848203831-2014322062-3611574811-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.121.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:11
Platform
android-x86-arm-20230831-en
Max time kernel
2029800s
Max time network
157s
Command Line
Signatures
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
nrmahn.kwqzdrb.nahh
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp |
| NL | 142.251.39.110:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.39.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | app.pzs5k.xyz | udp |
| SG | 8.219.85.91:8888 | N/A | tcp |
| NL | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp |
| SG | 8.219.85.91:8888 | N/A | tcp |
| SG | 8.219.85.91:8888 | N/A | tcp |
| SG | 8.219.85.91:8888 | N/A | tcp |
| SG | 8.219.85.91:8888 | N/A | tcp |
| SG | 8.219.85.91:8888 | N/A | tcp |
| SG | 8.219.85.91:8888 | N/A | tcp |
| SG | 8.219.85.91:8888 | N/A | tcp |
| SG | 8.219.85.91:8888 | N/A | tcp |
Files
/data/data/nrmahn.kwqzdrb.nahh/no_backup/.flurryNoBackup/installationNum
| MD5 | 0a756a8dd330bf230319402e3b5b7d1f |
| SHA1 | 14ae1369076cc5368d57a5f3d2575b6f4e78b212 |
| SHA256 | 66ad5efede560328cde41754a662531e4de2d6e1e98e5976f5b0d7d9b6c73985 |
| SHA512 | f63463a6a48499b95be71fe515e656421cbe4a914768a84eaa662c7d1b6a9878b3628ee309d9115a860a5515c78cfed7c6c35833435ce2b62ff05f07dbb6b179 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:11
Platform
debian9-armhf-20230831-en
Max time kernel
2s
Max time network
128s
Command Line
Signatures
Processes
/tmp/l58882ccd_a32.so
[/tmp/l58882ccd_a32.so]
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-09-09 08:08
Reported
2023-09-09 08:08
Platform
ubuntu1804-amd64-en-20211208
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/l58882ccd_a64.so
[/tmp/l58882ccd_a64.so]