Analysis Overview
SHA256
c6213e451e4a23b7725143edd1c725aa748fd9eb32e33304b4f87d63c19e0504
Threat Level: Known bad
The file appปลอมกรมที่ดิน_DOL.apk was found to be: Known bad.
Malicious Activity Summary
Gigabud family
Gigabud payload
Declares services with permission to bind to the system
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-21 15:07
Signatures
Gigabud family
Gigabud payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-21 15:07
Reported
2024-02-21 15:09
Platform
android-x86-arm-20240221-en
Max time kernel
3s
Max time network
77s
Command Line
Signatures
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
nrmahn.kwqzdrb.nahh
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.178.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | app.pzs5k.xyz | udp |
| SG | 8.219.85.91:8888 | tcp | |
| SG | 8.219.85.91:8888 | tcp |
Files
/data/data/nrmahn.kwqzdrb.nahh/no_backup/.flurryNoBackup/installationNum
| MD5 | 1bf61ebab131a3726d13deace5d20b88 |
| SHA1 | 9dd98ddf5676c9c85140822111ae36e5d8d0a866 |
| SHA256 | 4ff3bacf466794026e1fd29ac4bec3a867dd28602db2fa2330821aaf85d67b3d |
| SHA512 | 9f81982d0e58d04c33df54a13587acfba76a22beb5fb66e6ed36de589fcea83b9e25a3653d692e8e9a6b1f2914aaa98da7e10f0ab2490d428ec9236cd0b227d7 |