Malware Analysis Report

2024-09-09 16:17

Sample ID: 240215-29neqsbb2w
Target: 1c110a129bdaab64320d8f0f40fc1c5397735e91c86cbef9024027d98636db6b
SHA256: 1c110a129bdaab64320d8f0f40fc1c5397735e91c86cbef9024027d98636db6b
Tags: airavat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

1c110a129bdaab64320d8f0f40fc1c5397735e91c86cbef9024027d98636db6b

Threat Level: Known bad

The file 1c110a129bdaab64320d8f0f40fc1c5397735e91c86cbef9024027d98636db6b was found to be: Known bad.

Malicious Activity Summary

airavat

Airavat family

Requests enabling of the accessibility settings

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-15 23:17

Signatures

Airavat family

airavat

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-15 23:17
Reported: 2024-02-15 23:19
Platform: android-x86-arm-20231215-en
Max time kernel: 138s
Max time network: 148s

Command Line

sigma.male

Signatures

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Processes

sigma.male

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | insta-vip-default-rtdb.firebaseio.com | udp
US | 34.120.160.131:443 | insta-vip-default-rtdb.firebaseio.com | tcp
US | 1.1.1.1:53 | instagram.com | udp
GB | 157.240.214.174:443 | instagram.com | tcp
US | 1.1.1.1:53 | www.instagram.com | udp
GB | 163.70.147.174:443 | www.instagram.com | tcp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
US | 1.1.1.1:53 | static.cdninstagram.com | udp
GB | 172.217.169.74:443 | safebrowsing.googleapis.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
GB | 157.240.214.63:443 | static.cdninstagram.com | tcp
US | 1.1.1.1:53 | www.facebook.com | udp
GB | 163.70.147.35:443 | www.facebook.com | tcp
GB | 216.58.201.110:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.instagram.com | udp
GB | 163.70.151.174:443 | www.instagram.com | tcp

Files

/data/data/sigma.male/app_sslcache/insta-vip-default-rtdb.firebaseio.com.443

MD5 bd4666adaf7d7173d5cb647d01925457
SHA1 be6fda05f006c334c41bf5fedad36d336ef06cbd
SHA256 7a7a14724c212fc02622b22d6440bd60f9a86418c1e508c8badf610fe18641b4
SHA512 b91bf0b60e652e1e1edaf756825527af080312114c16de94ab104a4aac7ba5e8f7ea63add9b52524ca3bf83864a6d11cc4f433250fa3d3859bce9c9a99402fba

/storage/emulated/0/Android/data/sigma.male/files/uid.txt

MD5 b383b13c74c4b1bb7d79df5f3d62c150
SHA1 56e943275287d886f9ccc8f85d4020e07994dfe1
SHA256 6c1c0949b592723b58a64f48797e828246eb8a8af83e7e5c73b73f789225c4fe
SHA512 11f0222007104e62c02f499f4c6f66abb038f6c73f5dd911877fda90743c3806262032d306c58408875be13064d585d6937ff81f7f746da837dd383d02f46dd4

/storage/emulated/0/Android/data/sigma.male/files/panel.txt

MD5 6e0075dcc0b7ac222bea767743b61a33
SHA1 44b3eaebc17568ca6e120747fef61521137068d9
SHA256 d0d1b610858419980e61586967769ed1bf001756aacbd5e00518b3b0eb83a402
SHA512 9950d09e464f74889ae85d70e72e57197b8a2713518bb7901b2c7b6e1ae51dc7e53547b2865f0226bfcc3bd5ea530453298512f8ecbc7b790da3339b5e05cf42

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-15 23:17
Reported: 2024-02-15 23:20
Platform: android-x64-20231215-en
Max time kernel: 138s
Max time network: 156s

Command Line

sigma.male

Signatures

N/A

Processes

sigma.male

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | insta-vip-default-rtdb.firebaseio.com | udp
US | 35.190.39.113:443 | insta-vip-default-rtdb.firebaseio.com | tcp
US | 1.1.1.1:53 | instagram.com | udp
GB | 163.70.147.174:443 | instagram.com | tcp
US | 1.1.1.1:53 | www.instagram.com | udp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
GB | 216.58.204.74:443 | safebrowsing.googleapis.com | tcp
US | 1.1.1.1:53 | static.cdninstagram.com | udp
GB | 157.240.221.63:443 | static.cdninstagram.com | tcp
GB | 157.240.221.63:443 | static.cdninstagram.com | tcp
GB | 157.240.221.63:443 | static.cdninstagram.com | tcp
GB | 157.240.221.63:443 | static.cdninstagram.com | tcp
US | 1.1.1.1:53 | www.facebook.com | udp
GB | 157.240.214.35:443 | www.facebook.com | tcp
GB | 172.217.16.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 172.217.169.46:443 | N/A | tcp
GB | 142.250.200.2:443 | N/A | tcp
US | 1.1.1.1:53 | www.instagram.com | udp
GB | 157.240.221.174:443 | www.instagram.com | tcp

Files

/storage/emulated/0/Android/data/sigma.male/files/uid.txt

MD5 7c789707637c616140948ab60a4decdd
SHA1 07b73bd73a9c65df3a4380c5c370aa90cde64715
SHA256 8980971296d01474b9ec100a318843bdc17b93a23591ddb16001495ae72ca558
SHA512 400f65e49caba53d6fc1ebf8b2015ae1a4516378fd09e766c2daefe45d9cdc6a82ad4e25860c8ec1c275266827d97205941dfe54821160c22509353bcdb5d08a

/storage/emulated/0/Android/data/sigma.male/files/panel.txt

MD5 6e0075dcc0b7ac222bea767743b61a33
SHA1 44b3eaebc17568ca6e120747fef61521137068d9
SHA256 d0d1b610858419980e61586967769ed1bf001756aacbd5e00518b3b0eb83a402
SHA512 9950d09e464f74889ae85d70e72e57197b8a2713518bb7901b2c7b6e1ae51dc7e53547b2865f0226bfcc3bd5ea530453298512f8ecbc7b790da3339b5e05cf42

Analysis: behavioral3

Detonation Overview

Submitted: 2024-02-15 23:17
Reported: 2024-02-15 23:19
Platform: android-x64-arm64-20231215-en
Max time kernel: 136s
Max time network: 152s

Command Line

sigma.male

Signatures

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Processes

sigma.male

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.200.10:443 | N/A | udp
GB | 142.250.200.46:443 | N/A | udp
GB | 142.250.179.238:443 | N/A | tcp
GB | 142.250.179.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | insta-vip-default-rtdb.firebaseio.com | udp
US | 35.190.39.113:443 | insta-vip-default-rtdb.firebaseio.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | instagram.com | udp
GB | 157.240.214.174:443 | instagram.com | tcp
US | 1.1.1.1:53 | www.instagram.com | udp
GB | 163.70.147.174:443 | www.instagram.com | tcp
US | 1.1.1.1:53 | static.cdninstagram.com | udp
GB | 163.70.151.63:443 | static.cdninstagram.com | tcp
GB | 163.70.151.63:443 | static.cdninstagram.com | tcp
GB | 163.70.151.63:443 | static.cdninstagram.com | tcp
GB | 163.70.151.63:443 | static.cdninstagram.com | tcp
GB | 163.70.151.63:443 | static.cdninstagram.com | tcp
GB | 163.70.151.63:443 | static.cdninstagram.com | tcp
US | 1.1.1.1:53 | redirector.gvt1.com | udp
GB | 172.217.169.46:443 | redirector.gvt1.com | tcp
US | 1.1.1.1:53 | r1---sn-4g5ednsk.gvt1.com | udp
DE | 173.194.188.230:443 | r1---sn-4g5ednsk.gvt1.com | tcp
US | 1.1.1.1:53 | r3---sn-4g5edndz.gvt1.com | udp
DE | 74.125.162.232:443 | r3---sn-4g5edndz.gvt1.com | tcp
US | 1.1.1.1:53 | r3---sn-4g5ednde.gvt1.com | udp
DE | 74.125.162.136:443 | r3---sn-4g5ednde.gvt1.com | tcp
US | 1.1.1.1:53 | r5---sn-4g5ednld.gvt1.com | udp
DE | 173.194.182.106:443 | r5---sn-4g5ednld.gvt1.com | tcp
GB | 163.70.151.63:443 | static.cdninstagram.com | tcp
US | 1.1.1.1:53 | r1---sn-4g5edn6k.gvt1.com | udp
DE | 74.125.111.134:443 | r1---sn-4g5edn6k.gvt1.com | tcp
US | 1.1.1.1:53 | r2---sn-4g5edndy.gvt1.com | udp
DE | 173.194.1.7:443 | r2---sn-4g5edndy.gvt1.com | tcp
US | 1.1.1.1:53 | www.facebook.com | udp
GB | 163.70.151.35:443 | www.facebook.com | tcp
US | 1.1.1.1:53 | r1---sn-4g5edndr.gvt1.com | udp
DE | 172.217.133.230:443 | r1---sn-4g5edndr.gvt1.com | tcp
US | 1.1.1.1:53 | r3---sn-4g5edn6k.gvt1.com | udp
DE | 74.125.111.136:443 | r3---sn-4g5edn6k.gvt1.com | tcp
US | 1.1.1.1:53 | r3---sn-4g5ednds.gvt1.com | udp
DE | 74.125.162.200:443 | r3---sn-4g5ednds.gvt1.com | tcp
GB | 142.250.200.4:443 | N/A | tcp
GB | 142.250.200.4:443 | N/A | tcp
GB | 142.250.200.4:443 | N/A | tcp

Files

/storage/emulated/0/Android/data/sigma.male/files/uid.txt (deleted)

MD5 92da37fc44c4256c31752978872f42a2
SHA1 68ea23b1ce19c5057f6a1e57175a3977dd7623b9
SHA256 aae2c865226a44fa6b6ec52a1ce12c040778d0f9014c3c1169bc93fb010adbe7
SHA512 6fb3d014c9bf4ffeb749b51fc95ebd5e6b9f71344ce1c6cb057f80bd674082ceca75a5389b676d38b344f50ec1fa862e0c8fb33b760f35ae5b74dc44173a8700

/storage/emulated/0/Android/data/sigma.male/files/panel.txt (deleted)

MD5 6e0075dcc0b7ac222bea767743b61a33
SHA1 44b3eaebc17568ca6e120747fef61521137068d9
SHA256 d0d1b610858419980e61586967769ed1bf001756aacbd5e00518b3b0eb83a402
SHA512 9950d09e464f74889ae85d70e72e57197b8a2713518bb7901b2c7b6e1ae51dc7e53547b2865f0226bfcc3bd5ea530453298512f8ecbc7b790da3339b5e05cf42