Malware Analysis Report

2024-12-01 03:13

Sample ID: 231025-evpypaeh5z
Target: TCQLDD.apk
SHA256: 897996eb6ef6f3817656e5a15bc6e2489b89e141612c91fcbcb360571605f8e8
Tags: golddigger
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral3, behavioral5, behavioral2, behavioral4, behavioral6, behavioral7, behavioral8, behavioral9, behavioral10 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 897996eb6ef6f3817656e5a15bc6e2489b89e141612c91fcbcb360571605f8e8
Threat Level: Known bad
The file TCQLDD.apk was found to be: Known bad.

Malicious Activity Summary

Tag: golddigger

From the static analysis (static1), which carries the verdict:
    GoldDigger payload
    Golddigger family

From the Windows detonations (behavioral2 on Windows 7, behavioral3 on Windows 10), where the sandbox launched the sample as an unrecognised .dat file and the signatures fire on cmd.exe, OpenWith.exe, rundll32.exe (shell32.dll,OpenAs_RunDLL) and Adobe Reader rather than on code from the sample:
    Enumerates physical storage devices
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of WriteProcessMemory (listed here, but not attributed to any process in the per-analysis sections below)

The Android detonation (behavioral1) and the eight Linux detonations of the extracted .so files (behavioral4 to behavioral10) triggered no signatures; behavioral1 contacted only Google API hostnames and a few unnamed TCP/443 endpoints within the 130 s window.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-25 04:15

Signatures

GoldDigger payload
    Description: N/A   Indicator: N/A   Process: N/A   Target: N/A   (static match; no process attribution)

Golddigger family

Tag: golddigger

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:19
Platform: android-x86-arm-20231023-en
Max time network: 130s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination           Domain                          Proto
N/A      224.0.0.251:5353      N/A                             udp
US       1.1.1.1:53            infinitedata-pa.googleapis.com  udp
NL       142.250.179.202:443   infinitedata-pa.googleapis.com  tcp
NL       142.251.36.14:443     N/A                             tcp
US       1.1.1.1:53            android.apis.google.com         udp
DE       172.217.23.206:443    android.apis.google.com         tcp
GB       216.58.208.106:443    N/A                             tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:19
Platform: win10v2004-20231020-en
Max time kernel: 140s
Max time network: 156s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description   Indicator                                                                              Process                            Target
Key created   \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings   C:\Windows\system32\cmd.exe        N/A
Key created   \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000_Classes\Local Settings   C:\Windows\system32\OpenWith.exe   N/A

Suspicious use of SetWindowsHookEx

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\system32\OpenWith.exe   N/A

Both signatures fire on Windows components: the Local Settings keys are written by cmd.exe and by the Open With dialog (OpenWith.exe -Embedding, see Processes) that Windows 10 shows for the unrecognised .dat file, and the hook is installed by OpenWith.exe itself. No handler was selected, so unlike the Windows 7 run (behavioral2) no file association was created and nothing from the sample executed.

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country  Destination   Domain                          Proto
US       8.8.8.8:53    68.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53    9.228.82.20.in-addr.arpa        udp
US       8.8.8.8:53    95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53    29.81.57.23.in-addr.arpa        udp
US       8.8.8.8:53    26.35.223.20.in-addr.arpa       udp
US       8.8.8.8:53    103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53    18.31.95.13.in-addr.arpa        udp
US       8.8.8.8:53    254.109.26.67.in-addr.arpa      udp
US       8.8.8.8:53    14.227.111.52.in-addr.arpa      udp
US       8.8.8.8:53    85.65.42.20.in-addr.arpa        udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:16
Platform: ubuntu1804-amd64-20231023-en
Max time kernel: 3s
Max time network: 6s

Command Line

[/tmp/l41740f07_a64.so]

Signatures

N/A

Processes

/tmp/l41740f07_a64.so

[/tmp/l41740f07_a64.so]

Network

Country  Destination          Domain   Proto
N/A      224.0.0.251:5353     N/A      udp
US       151.101.66.49:443    N/A      tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:18
Platform: win7-20231023-en
Max time kernel: 150s
Max time network: 127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

Signatures

Enumerates physical storage devices

Modifies registry class

Description       Indicator                                                                                                                                                      Process                            Target
Set value (str)   \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\.dat\ = "dat_auto_file"                                                                  C:\Windows\system32\rundll32.exe   N/A
Key created       \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\dat_auto_file\shell                                                                       C:\Windows\system32\rundll32.exe   N/A
Key created       \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\dat_auto_file                                                                             C:\Windows\system32\rundll32.exe   N/A
Set value (str)   \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\dat_auto_file\                                                                            C:\Windows\system32\rundll32.exe   N/A
Key created       \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\.dat                                                                                      C:\Windows\system32\rundll32.exe   N/A
Key created       \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\dat_auto_file\shell\Read                                                                  C:\Windows\system32\rundll32.exe   N/A
Key created       \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\dat_auto_file\shell\Read\command                                                          C:\Windows\system32\rundll32.exe   N/A
Set value (str)   \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\dat_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""   C:\Windows\system32\rundll32.exe   N/A
Key created       \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_Classes\Local Settings                                                                            C:\Windows\system32\rundll32.exe   N/A

These nine keys are the per-user file association Windows writes when a handler is chosen in the Open With dialog: rundll32.exe is running shell32.dll,OpenAs_RunDLL on the .dat file (see Processes), maps the .dat extension to a new dat_auto_file ProgID, and sets its shell\Read\command to AcroRd32.exe. They are a side effect of detonating an APK on Windows, not persistence established by the sample.

Suspicious behavior: GetForegroundWindowSpam

Description   Indicator   Process                                                    Target
N/A           N/A         C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe   N/A

The signature is raised by Adobe Reader while it opens the .dat file through the association above, again a Windows-side artifact rather than sample behaviour.

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\kqkticwjgzy.dat"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 342216ddcbb272fbfde2338064bc1236
SHA1 58c30ad4d7f083f11e5024c8c8cd9a2f0912e7af
SHA256 1cec93893dae5ac0e79811bd762f5d2354b27599878b0b156024280b45e69f5e
SHA512 9408b8a749cb339fcc3f8f8ecf687abb2a816b27b3fbc7de067fbe7658f834318d0371df91a1c8c2b04d52c6d4e4c5fc9daf66e59d9eb31a66d28c6ff1c8e1d8

Analysis: behavioral4

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:18
Platform: debian9-armhf-20231023.1-en
Max time kernel: 5s

Command Line

[/tmp/l41740f07_a32.so]

Signatures

N/A

Processes

/tmp/l41740f07_a32.so

[/tmp/l41740f07_a32.so]

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:16
Platform: debian9-armhf-20231023.1-en
Max time kernel: 7s

Command Line

[/tmp/l41740f07_a64.so]

Signatures

N/A

Processes

/tmp/l41740f07_a64.so

[/tmp/l41740f07_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:16
Platform: debian9-mipsbe-20231020-en
Max time kernel: 5s

Command Line

[/tmp/l41740f07_a64.so]

Signatures

N/A

Processes

/tmp/l41740f07_a64.so

[/tmp/l41740f07_a64.so]

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:16
Platform: debian9-mipsel-20231023-en
Max time kernel: 4s

Command Line

[/tmp/l41740f07_a64.so]

Signatures

N/A

Processes

/tmp/l41740f07_a64.so

[/tmp/l41740f07_a64.so]

Network

N/A

Files

N/A
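Behavioral4 to behavioral8 run the extracted /tmp/l41740f07_a32.so and /tmp/l41740f07_a64.so directly on Linux emulators, and behavioral6, behavioral7 and behavioral8 all run the _a64 file on armhf, mipsbe and mipsel hosts. If the _a64/_a32/_x64/_x86 suffixes denote the arm64-v8a, armeabi-v7a, x86_64 and x86 ABI directories of the APK (an assumption; the report does not say), an aarch64 object cannot execute natively on any of those three platforms, which is consistent with the 4 to 7 s kernel times, no signatures and no network traffic. The following script is an added example, not the sandbox's code: it inventories the lib/<abi>/*.so entries of an APK, hashes them, decodes each ELF header and flags libraries whose ELF target does not match the ABI directory they sit in, so the right emulator can be chosen before detonation. TCQLDD.apk is not available here, so a stand-in zip with the same layout is built inline (build_sample_apk and elf_stub are constructed helpers, not real libraries).

```python
"""Inventory an APK's native libraries and check each ELF header against its
ABI directory so the sample is detonated on an emulator of the right
architecture. Added example for this report; the APK is replaced by a
constructed zip with the same lib/<abi>/ layout."""
import hashlib
import io
import struct
import zipfile

# e_machine values from the ELF specification.
MACHINES = {3: "i386", 8: "mips", 40: "arm32", 62: "x86_64", 183: "aarch64"}

# Android ABI directory -> (e_machine, EI_CLASS, EI_DATA) a library there must have.
ABI_EXPECT = {
    "armeabi-v7a": (40, 1, 1),   # 32-bit little-endian ARM
    "arm64-v8a": (183, 2, 1),    # 64-bit little-endian AArch64
    "x86": (3, 1, 1),
    "x86_64": (62, 2, 1),
}


def parse_elf_header(data: bytes) -> dict:
    """Decode the first 20 bytes of an ELF file: e_ident, e_type and e_machine."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"      # EI_DATA decides the byte order of the rest
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "shared_object": e_type == 3,           # ET_DYN, what a .so should be
        "e_machine": e_machine,
        "machine": MACHINES.get(e_machine, f"unknown({e_machine})"),
    }


def native_libs(apk_bytes: bytes) -> list[dict]:
    """List lib/<abi>/*.so entries with SHA-256 and an ABI-vs-ELF consistency flag."""
    out = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            parts = info.filename.split("/")
            if len(parts) != 3 or parts[0] != "lib" or not parts[2].endswith(".so"):
                continue
            abi, name = parts[1], parts[2]
            blob = z.read(info)
            hdr = parse_elf_header(blob)
            actual = (hdr["e_machine"], 1 if hdr["bits"] == 32 else 2,
                      1 if hdr["endian"] == "little" else 2)
            out.append({"abi": abi, "name": name,
                        "sha256": hashlib.sha256(blob).hexdigest(),
                        "abi_matches": ABI_EXPECT.get(abi) == actual, **hdr})
    return out


def elf_stub(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed 20-byte ELF header (ET_DYN) for the stand-in APK; not a real library."""
    endian = "<" if ei_data == 1 else ">"
    e_ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0, 0]) + b"\0" * 7
    return e_ident + struct.pack(endian + "HH", 3, e_machine)


def build_sample_apk() -> bytes:
    """Constructed stand-in for TCQLDD.apk: one library per ABI plus one deliberately
    mislabeled entry (an aarch64 object placed under armeabi-v7a)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")   # real one is binary XML
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("lib/arm64-v8a/libnative.so", elf_stub(2, 1, 183))
        z.writestr("lib/armeabi-v7a/libnative.so", elf_stub(1, 1, 40))
        z.writestr("lib/x86_64/libnative.so", elf_stub(2, 1, 62))
        z.writestr("lib/x86/libnative.so", elf_stub(1, 1, 3))
        z.writestr("lib/armeabi-v7a/libmislabeled.so", elf_stub(2, 1, 183))
    return buf.getvalue()


if __name__ == "__main__":
    for lib in native_libs(build_sample_apk()):
        flag = "ok" if lib["abi_matches"] else "MISMATCH"
        print(f"{lib['abi']:12} {lib['name']:18} {lib['machine']:8} "
              f"{lib['bits']}-bit {lib['endian']:6} {flag:8} {lib['sha256'][:16]}")
```

For the real sample, replace build_sample_apk() with the bytes of TCQLDD.apk; the SHA-256 column then identifies which lib/ entry each /tmp/l41740f07_*.so file was, if the sandbox exposes those files. A library whose machine field is aarch64 needs a 64-bit ARM platform, which none of the debian9 armhf/mips images in this report provide.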

Analysis: behavioral9

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:19
Platform: ubuntu1804-amd64-20231023-en
Max time kernel: 4s
Max time network: 133s

Command Line

[/tmp/l41740f07_x64.so]

Signatures

N/A

Processes

/tmp/l41740f07_x64.so

[/tmp/l41740f07_x64.so]

Network

Country  Destination           Domain   Proto
N/A      224.0.0.251:5353      N/A      udp
US       151.101.2.49:443      N/A      tcp
US       151.101.65.91:443     N/A      tcp
DE       195.181.170.19:443    N/A      tcp
GB       185.125.188.61:443    N/A      tcp
GB       185.125.188.62:443    N/A      tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2023-10-25 04:15
Reported: 2023-10-25 04:19
Platform: ubuntu1804-amd64-20231023-en
Max time kernel: 4s
Max time network: 132s

Command Line

[/tmp/l41740f07_x86.so]

Signatures

N/A

Processes

/tmp/l41740f07_x86.so

[/tmp/l41740f07_x86.so]

Network

Country  Destination           Domain                       Proto
N/A      224.0.0.251:5353      N/A                          udp
US       151.101.2.49:443      N/A                          tcp
US       1.1.1.1:53            cdn.fwupd.org                udp
US       1.1.1.1:53            cdn.fwupd.org                udp
US       151.101.2.49:443      cdn.fwupd.org                tcp
US       151.101.65.91:443     N/A                          tcp
DE       156.146.33.141:443    N/A                          tcp
GB       185.125.188.62:443    N/A                          tcp
GB       185.125.188.61:443    N/A                          tcp
US       151.101.65.91:443     N/A                          tcp
US       1.1.1.1:53            1527653184.rsc.cdn77.org     udp
US       1.1.1.1:53            1527653184.rsc.cdn77.org     udp
NL       195.181.172.27:443    1527653184.rsc.cdn77.org     tcp

Files

N/A
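The Network tables across the ten detonations mix three kinds of rows: mDNS multicast (224.0.0.251:5353), queries to the sandbox's resolvers (1.1.1.1, 8.8.8.8), including the reverse-DNS lookups that make up the whole of behavioral3, and actual outbound connections, some with a resolved name and some without. The script below is an added example, not part of the report: it parses rows in the report's "Country Destination [Domain] Proto" layout, classifies each row, and lists the unique connections worth recording as candidate indicators, preferring a row that carries a name over one for the same endpoint that does not. The sample rows are copied from the behavioral1, behavioral3 and behavioral10 tables (a subset for behavioral10); the classification rules are this example's own.

```python
"""Triage the sandbox 'Network' tables: separate mDNS, resolver queries and
reverse-DNS lookups from outbound connections. Added example for this
report; the rows below are copied from its tables."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

BEHAVIORAL1 = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.202:443 infinitedata-pa.googleapis.com tcp
NL 142.251.36.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
GB 216.58.208.106:443 tcp
"""

BEHAVIORAL3 = """\
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
"""

BEHAVIORAL10 = """\
N/A 224.0.0.251:5353 udp
US 151.101.2.49:443 tcp
US 1.1.1.1:53 cdn.fwupd.org udp
US 1.1.1.1:53 cdn.fwupd.org udp
US 151.101.2.49:443 cdn.fwupd.org tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
NL 195.181.172.27:443 1527653184.rsc.cdn77.org tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str   # "" when the sandbox logged no name for the destination
    proto: str


def parse_table(text: str) -> list[Flow]:
    """Parse 'Country Destination [Domain] Proto' rows; Domain is optional."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] == "Country":   # skip header/blank lines
            continue
        ip, port = parts[1].rsplit(":", 1)
        domain = parts[2] if len(parts) == 4 else ""
        country = "" if parts[0] == "N/A" else parts[0]
        flows.append(Flow(country, ip, int(port), domain, parts[-1]))
    return flows


def classify(f: Flow) -> str:
    """Bucket a row: mdns, reverse-dns, dns-query or connection."""
    if f.port == 5353 and ipaddress.ip_address(f.ip).is_multicast:
        return "mdns"                       # link-local discovery, never an indicator
    if f.port == 53:
        return "reverse-dns" if f.domain.endswith(".in-addr.arpa") else "dns-query"
    return "connection"


def summarize(text: str) -> Counter:
    return Counter(classify(f) for f in parse_table(text))


def candidate_iocs(text: str) -> list[str]:
    """Unique outbound endpoints, annotated with a resolved name when any row had one."""
    seen: dict[str, str] = {}
    for f in parse_table(text):
        if classify(f) != "connection":
            continue
        key = f"{f.ip}:{f.port}"
        seen[key] = f.domain or seen.get(key, "")   # a named row beats an unnamed one
    return [k + (f" ({d})" if d else "") for k, d in sorted(seen.items())]


if __name__ == "__main__":
    for label, table in (("behavioral1", BEHAVIORAL1), ("behavioral3", BEHAVIORAL3),
                         ("behavioral10", BEHAVIORAL10)):
        print(label, dict(summarize(table)))
        for ioc in candidate_iocs(table):
            print("   ", ioc)
```

Run against the full tables, the Android detonation yields only Google API hostnames and unnamed TCP/443 endpoints, the Windows 10 run yields nothing but reverse-DNS lookups from the host, and the Ubuntu runs yield cdn.fwupd.org (the Ubuntu firmware update daemon's CDN) and cdn77 names, so no endpoint in this report can be attributed to the sample itself; the unnamed 443 endpoints would still need a passive-DNS or TLS SNI lookup before being dismissed.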