Malware Analysis Report

2024-09-09 16:17

Sample ID 231220-n5jn4afehm
Target af34c9058b5332b24f06d0484ee08f73d01c738446055be34b26fd7c29d5288e
SHA256 af34c9058b5332b24f06d0484ee08f73d01c738446055be34b26fd7c29d5288e
Tags
airavat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

af34c9058b5332b24f06d0484ee08f73d01c738446055be34b26fd7c29d5288e

Threat Level: Known bad

The file af34c9058b5332b24f06d0484ee08f73d01c738446055be34b26fd7c29d5288e was found to be: Known bad.

Malicious Activity Summary

airavat

Airavat family

Requests enabling of the accessibility settings.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-20 11:58

Signatures

Airavat family

airavat

Declares broadcast receivers with permission to handle system events

Indicator | Description | Process | Target
android.permission.BIND_DEVICE_ADMIN | Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | N/A | N/A

Declares services with permission to bind to the system

Indicator | Description | Process | Target
android.permission.BIND_ACCESSIBILITY_SERVICE | Required by accessibility services to bind with the system. Allows apps to access accessibility features. | N/A | N/A
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | N/A | N/A

Requests dangerous framework permissions

Indicator | Description | Process | Target
android.permission.READ_EXTERNAL_STORAGE | Allows an application to read from external storage. (listed twice in the source report) | N/A | N/A
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage. (listed twice in the source report) | N/A | N/A
android.permission.RECORD_AUDIO | Allows an application to record audio. | N/A | N/A
android.permission.READ_SMS | Allows an application to read SMS messages. | N/A | N/A
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages. | N/A | N/A
android.permission.SEND_SMS | Allows an application to send SMS messages. | N/A | N/A
android.permission.CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | N/A | N/A
android.permission.WRITE_CALL_LOG | Allows an application to write and read the user's call log data. | N/A | N/A
android.permission.READ_CALL_LOG | Allows an application to read the user's call log. | N/A | N/A
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data. | N/A | N/A
android.permission.WRITE_CONTACTS | Allows an application to write the user's contacts data. | N/A | N/A
android.permission.CAMERA | Required to be able to access the camera device. | N/A | N/A
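The static1 signatures above are all read straight out of the APK's manifest: components declared with a system-only bind permission, and runtime ("dangerous") permissions requested up front. The script below is an added example, not the sandbox's own code, that reproduces those three checks. The manifest it parses is a constructed stand-in shaped like the declarations in the tables (the package name lizord.demon is taken from the behavioral sections; the component class names are invented); point it at the AndroidManifest.xml decoded by apktool or androguard to get the same findings for a real sample.

```python
"""Static triage of an Android manifest for the three indicator classes the
report flags: device-admin receivers, system-bound services (accessibility,
notification listener) and dangerous runtime permissions.

Added example, not part of the sandbox report. SAMPLE_MANIFEST is constructed;
only the package name comes from the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Bind permissions only the system holds. A component guarded by one of these
# is the app asking to be plugged into a privileged system hook.
SYSTEM_BIND_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
}
COMPONENT_CLASS = {"receiver": "system_bound_receivers", "service": "system_bound_services"}

# Runtime ("dangerous") permissions as listed for this sample in the report.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE", "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_CALL_LOG", "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS", "android.permission.CAMERA",
}

# Constructed sample manifest (component names are hypothetical).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="lizord.demon">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return findings grouped like the report's signature headings.

    system_bound_receivers / system_bound_services: list of (component, permission)
    dangerous_permissions: list of requested dangerous permissions, manifest order
    """
    root = ET.fromstring(xml_text)
    findings = {"system_bound_receivers": [], "system_bound_services": [], "dangerous_permissions": []}
    for comp in root.iter():
        perm = comp.get(PERMISSION)
        if perm in SYSTEM_BIND_PERMISSIONS and comp.tag in COMPONENT_CLASS:
            findings[COMPONENT_CLASS[comp.tag]].append((comp.get(NAME), perm))
    for up in root.iter("uses-permission"):
        name = up.get(NAME)
        if name in DANGEROUS_PERMISSIONS:
            findings["dangerous_permissions"].append(name)
    return findings


if __name__ == "__main__":
    for category, items in triage_manifest(SAMPLE_MANIFEST).items():
        print(category)
        for item in items:
            print("   ", item)
```

The check is deliberately about declarations, not behavior: an app can declare BIND_ACCESSIBILITY_SERVICE and never get the user to enable it, which is why the behavioral runs below look separately for the accessibility-settings intent.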

Analysis: behavioral1

Detonation Overview

Reported

N/A (zero timestamp; this run produced no results)

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-20 11:58

Reported

2023-12-23 10:10

Platform

android-x64-20231215-en

Max time kernel

2519029s

Max time network

160s

Command Line

lizord.demon

Signatures

N/A

Processes

lizord.demon

Network

Country | Destination | Domain (- = none recorded) | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | projectname-3d2a2-default-rtdb.firebaseio.com | udp
US | 34.120.206.254:443 | projectname-3d2a2-default-rtdb.firebaseio.com | tcp
US | 34.120.206.254:443 | projectname-3d2a2-default-rtdb.firebaseio.com | tcp
FR | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 172.217.169.36:443 | - | tcp
GB | 172.217.169.36:443 | - | tcp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
FR | 216.58.201.98:443 | - | tcp
GB | 142.250.179.238:443 | - | tcp
GB | 216.58.212.234:443 | - | tcp

Files

/storage/emulated/0/Android/data/lizord.demon/files/uid.txt

MD5 7fd65e939e63e71ccbea5d4c3135a176
SHA1 726706baf6655ca0295f7c85d3602e0a3e6e0d5e
SHA256 6b439e58753258eaa234fd4e2c014837d34e4f24a1705cf25848da42382b6406
SHA512 a2da58ccfe34b9c11934d81f59580df7781ce170c29549d8d0ac06d8640d3a78a274f5fe5adaecfa843e24718956d2cf84c792f7e0dcaeddb1241de23d6f0995

/storage/emulated/0/Android/data/lizord.demon/files/panel.txt

MD5 1a737e99d08dcc67b098f4fe8a2e2bc7
SHA1 858d525d63890650c94a15314fa68e7739e367e5
SHA256 189aa03aa2658ad81cf34e8324979a9b4935985239cfaa050ec63e90fddec744
SHA512 c0cd1d904ad0ff2eca3dcc27e7956647489a6c898f0f8670806ed2f018bf9d73bca45bc75f0cecc7af9f680bb79a5d4acab73ceb596d046216f7c97f99fbc9a0

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-20 11:58

Reported

2023-12-23 10:10

Platform

android-x64-arm64-20231215-en

Max time kernel

2519036s

Max time network

165s

Command Line

lizord.demon

Signatures

Requests enabling of the accessibility settings.

Indicator | Description | Process | Target
android.settings.ACCESSIBILITY_SETTINGS | Intent action | N/A | N/A
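The signature above fires when the app starts the system Accessibility Settings screen, which is how an app that declares an accessibility service gets the user to switch it on. The script below is an added example, not the sandbox's detection logic, showing the same check over a device log: it parses ActivityManager START lines and attributes each privileged-settings launch to the calling package. It goes beyond the report's single action to the sibling prompts for the other two system hooks this manifest declares (device admin, notification listener). The logcat lines are constructed in `logcat -v threadtime` form, and the uid-to-package map is an assumption standing in for `adb shell pm list packages -U` output.

```python
"""Attribute launches of privileged-settings screens to the calling app.

Added example, not part of the sandbox report. SAMPLE_LOGCAT and
UID_TO_PACKAGE are constructed; only the package name lizord.demon and the
ACCESSIBILITY_SETTINGS action come from the report.
"""
import re

# Settings screens a malicious app sends the user to in order to be handed a
# system hook. The first is the action in the report; the other two are the
# matching prompts for BIND_NOTIFICATION_LISTENER_SERVICE and BIND_DEVICE_ADMIN.
PRIVILEGE_PROMPTS = {
    "android.settings.ACCESSIBILITY_SETTINGS": "enable an accessibility service",
    "android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS": "grant notification access",
    "android.app.action.ADD_DEVICE_ADMIN": "activate a device administrator",
}
FIRST_APPLICATION_UID = 10000   # below this are system/platform uids

START_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}).*?ActivityManager: START u\d+ "
    r"\{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)"
)
ACTION = re.compile(r"(?:^|\s)act=(\S+)")

# Constructed logcat excerpt: launcher starts the app, the app opens
# Accessibility Settings, then a browser; finally the Settings app (uid 1000)
# opens the same screen on its own.
SAMPLE_LOGCAT = """\
12-23 10:05:01.112  1001  1230 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=lizord.demon/.MainActivity} from uid 10050
12-23 10:05:03.447  1001  1230 I ActivityManager: START u0 {act=android.settings.ACCESSIBILITY_SETTINGS flg=0x10000000 cmp=com.android.settings/.Settings$AccessibilitySettingsActivity} from uid 10123
12-23 10:05:09.020  1001  1230 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=https://example.test/ cmp=com.android.chrome/.Main} from uid 10123
12-23 10:05:15.300  1001  1230 I ActivityManager: START u0 {act=android.settings.ACCESSIBILITY_SETTINGS cmp=com.android.settings/.Settings$AccessibilitySettingsActivity} from uid 1000
"""

# Assumed mapping, as `pm list packages -U` would give it on the test device.
UID_TO_PACKAGE = {10050: "com.android.launcher3", 10123: "lizord.demon", 1000: "android"}


def find_privilege_prompts(logcat: str, uid_to_package: dict) -> list:
    """Return one dict per privileged-settings launch made by a third-party app uid."""
    hits = []
    for line in logcat.splitlines():
        m = START_LINE.search(line)
        if not m:
            continue
        act = ACTION.search(m["intent"])
        if not act or act.group(1) not in PRIVILEGE_PROMPTS:
            continue
        uid = int(m["uid"])
        if uid < FIRST_APPLICATION_UID:
            continue   # the platform opening its own settings screens is not the signal
        hits.append({
            "timestamp": m["ts"],
            "uid": uid,
            "package": uid_to_package.get(uid, f"uid:{uid}"),
            "action": act.group(1),
            "reason": PRIVILEGE_PROMPTS[act.group(1)],
        })
    return hits


if __name__ == "__main__":
    for hit in find_privilege_prompts(SAMPLE_LOGCAT, UID_TO_PACKAGE):
        print(f"{hit['timestamp']} {hit['package']} -> {hit['action']} ({hit['reason']})")
```

Attribution by uid rather than by the `cmp=` target is the point: the destination is always com.android.settings, so only the `from uid` field tells you which app pushed the user there.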

Processes

lizord.demon

Network

Country | Destination | Domain (- = none recorded) | Proto
GB | 142.250.200.46:443 | - | tcp
GB | 142.250.200.46:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.169.10:443 | - | udp
GB | 142.250.178.14:443 | - | udp
US | 1.1.1.1:53 | projectname-3d2a2-default-rtdb.firebaseio.com | udp
US | 34.120.206.254:443 | projectname-3d2a2-default-rtdb.firebaseio.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | redirector.gvt1.com | udp
GB | 142.250.179.238:443 | redirector.gvt1.com | tcp
US | 1.1.1.1:53 | r2---sn-4g5lznl7.gvt1.com | udp
DE | 74.125.163.167:443 | r2---sn-4g5lznl7.gvt1.com | tcp
US | 34.120.206.254:443 | projectname-3d2a2-default-rtdb.firebaseio.com | tcp
US | 1.1.1.1:53 | r5---sn-4g5lzned.gvt1.com | udp
DE | 74.125.162.10:443 | r5---sn-4g5lzned.gvt1.com | tcp
US | 1.1.1.1:53 | r3---sn-4g5e6nzs.gvt1.com | udp
DE | 74.125.13.232:443 | r3---sn-4g5e6nzs.gvt1.com | tcp
US | 1.1.1.1:53 | r1---sn-4g5lznlz.gvt1.com | udp
DE | 74.125.104.70:443 | r1---sn-4g5lznlz.gvt1.com | tcp
US | 1.1.1.1:53 | r2---sn-4g5e6ns7.gvt1.com | udp
DE | 173.194.182.71:443 | r2---sn-4g5e6ns7.gvt1.com | tcp
US | 1.1.1.1:53 | r2---sn-4g5edndy.gvt1.com | udp
DE | 173.194.1.7:443 | r2---sn-4g5edndy.gvt1.com | tcp
US | 1.1.1.1:53 | r1---sn-4g5edndr.gvt1.com | udp
DE | 172.217.133.230:443 | r1---sn-4g5edndr.gvt1.com | tcp
US | 1.1.1.1:53 | r1---sn-4g5edn6k.gvt1.com | udp
DE | 74.125.111.134:443 | r1---sn-4g5edn6k.gvt1.com | tcp
US | 1.1.1.1:53 | r3---sn-4g5edn6k.gvt1.com | udp
DE | 74.125.111.136:443 | r3---sn-4g5edn6k.gvt1.com | tcp
US | 1.1.1.1:53 | r3---sn-4g5ednds.gvt1.com | udp
DE | 74.125.162.200:443 | r3---sn-4g5ednds.gvt1.com | tcp
GB | 142.250.180.4:443 | - | tcp
GB | 142.250.180.4:443 | - | tcp
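Both behavioral network tables (behavioral2 and behavioral3) mix the sample's own traffic with what any Google-services Android image generates on its own: analytics, GMS API checks and gvt1.com component downloads. The script below is an added example, not the sandbox's logic, that parses rows in the report's own "Country Destination Domain Proto" format and separates the two. The rows embedded in it are copied from the two tables; the list of platform-noise domain suffixes and the treatment of 1.1.1.1:53 as the resolver are this example's assumptions, not something the sandbox asserts.

```python
"""Pull actionable network IOCs out of the sandbox connection tables.

Added example, not part of the report. CONNECTIONS is copied from the
behavioral2/behavioral3 network sections; PLATFORM_NOISE_SUFFIXES is an
assumption about what a stock Google Android image contacts by itself.
"""
import json
import re
from collections import defaultdict

# Domains a Google-services Android image talks to regardless of the app under
# test. Assumed noise for IOC purposes.
PLATFORM_NOISE_SUFFIXES = ("google-analytics.com", "apis.google.com", "gvt1.com")
MDNS_ENDPOINT = "224.0.0.251:5353"
DNS_RESOLVER = "1.1.1.1:53"

# Rows in the report's format; domain omitted (or "-") where none was recorded.
CONNECTIONS = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 projectname-3d2a2-default-rtdb.firebaseio.com udp
US 34.120.206.254:443 projectname-3d2a2-default-rtdb.firebaseio.com tcp
US 34.120.206.254:443 projectname-3d2a2-default-rtdb.firebaseio.com tcp
FR 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 redirector.gvt1.com udp
GB 142.250.179.238:443 redirector.gvt1.com tcp
US 1.1.1.1:53 r2---sn-4g5lznl7.gvt1.com udp
DE 74.125.163.167:443 r2---sn-4g5lznl7.gvt1.com tcp
"""

ROW = re.compile(r"^(\S+)\s+(\S+?):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text: str) -> list:
    """Parse connection-table rows (space- or pipe-separated) into dicts."""
    rows = []
    for raw in text.strip().splitlines():
        line = " ".join(raw.replace("|", " ").split())
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {raw!r}")
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain in (None, "-") else domain, "proto": proto})
    return rows


def is_platform_noise(domain: str) -> bool:
    """Suffix match on a label boundary, so 'notgvt1.com' does not pass."""
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_NOISE_SUFFIXES)


def classify(rows: list) -> dict:
    """Split connections into app IOCs, platform noise, unattributed IPs and dangling lookups."""
    lookups, noise, unattributed = set(), set(), set()
    iocs = defaultdict(set)   # app-specific domain -> endpoints actually contacted
    for r in rows:
        endpoint = f"{r['ip']}:{r['port']}"
        if endpoint == MDNS_ENDPOINT:
            continue                      # local service discovery, never an IOC
        if endpoint == DNS_RESOLVER:
            lookups.add(r["domain"])      # name resolved; the real connection follows
            continue
        if r["domain"] is None:
            unattributed.add(endpoint)    # no name recorded: needs pDNS/ASN enrichment
        elif is_platform_noise(r["domain"]):
            noise.add(r["domain"])
        else:
            iocs[r["domain"]].add(endpoint)
    return {
        "iocs": {d: sorted(e) for d, e in iocs.items()},
        "noise": sorted(noise),
        "unattributed": sorted(unattributed),
        "lookups_without_connection": sorted(lookups - set(iocs) - noise),
    }


if __name__ == "__main__":
    print(json.dumps(classify(parse_rows(CONNECTIONS)), indent=2))
```

On these rows the only app-specific endpoint left is the Firebase Realtime Database host projectname-3d2a2-default-rtdb.firebaseio.com at 34.120.206.254:443; that hostname, not the shared Google addresses, is what belongs in a blocklist or hunting query. The unattributed IPs still need passive-DNS or ASN enrichment before anything is done with them.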

Files

/storage/emulated/0/Android/data/lizord.demon/files/uid.txt (deleted)

MD5 5b88acacc01ba799d7001bc506bceb2e
SHA1 cae9ccaa1f8ae5703637c2fb124a4573602b2643
SHA256 e209c01b1b3aa0c345b9a61495f6b363c66d673f37c8fe98262dd49b056e0aee
SHA512 9deb92b920fcc5666666b729ca5b30a0f769fca8a4bcc241a825df6ba10e00678fbbe373d8551f81fbdd3cee4344fd8c96521a7a17869d86830ea5e934e75bb3

/storage/emulated/0/Android/data/lizord.demon/files/panel.txt (deleted)

MD5 1a737e99d08dcc67b098f4fe8a2e2bc7
SHA1 858d525d63890650c94a15314fa68e7739e367e5
SHA256 189aa03aa2658ad81cf34e8324979a9b4935985239cfaa050ec63e90fddec744
SHA512 c0cd1d904ad0ff2eca3dcc27e7956647489a6c898f0f8670806ed2f018bf9d73bca45bc75f0cecc7af9f680bb79a5d4acab73ceb596d046216f7c97f99fbc9a0