Malware Analysis Report

2025-01-19 05:35

Sample ID 240304-1wvq8aeg2w
Target 30fc97f72e71097e43c58fc550c5ee9cae18963eb80c915916b693d61fa6ebcd.bin
SHA256 30fc97f72e71097e43c58fc550c5ee9cae18963eb80c915916b693d61fa6ebcd
Tags: collection, discovery, evasion, stealth, trojan
Score: 8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: 30fc97f72e71097e43c58fc550c5ee9cae18963eb80c915916b693d61fa6ebcd

Threat Level: Likely malicious

The file 30fc97f72e71097e43c58fc550c5ee9cae18963eb80c915916b693d61fa6ebcd.bin was found to be: Likely malicious.

Malicious Activity Summary

Tags: collection, discovery, evasion, stealth, trojan

Removes its main activity from the application launcher

Reads the content of outgoing SMS messages.

Reads the content of SMS inbox messages.

Acquires the wake lock

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-04 22:00

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-04 22:00
Reported: 2024-03-04 22:04
Platform: android-x86-arm-20240221-en
Max time kernel: 47s
Max time network: 158s

Command Line

com.pickersoft.myweb

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads the content of SMS inbox messages.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Reads the content of outgoing SMS messages.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://sms/sent | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Processes

com.pickersoft.myweb

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | telegra.ph | udp
NL | 149.154.164.13:443 | telegra.ph | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
US | 1.1.1.1:53 | www.molot.mobi | udp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.234:443 | semanticlocation-pa.googleapis.com | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/misc/profiles/cur/0/com.pickersoft.myweb/primary.prof

MD5 028419bf8b452894e2f485e68d27256a
SHA1 c20d720b52d713b2ddbb9ac5257c305515f0db39
SHA256 8b14e57b96e22109bb4c716b45a3fac2863324688077f1dd6ce675ed9ab196ca
SHA512 1b231e043af636704637187a7925ba639cd67ea2475d833ec0247d26ef3b49d59494ab5f547eb1e19715c084539e273410e39661e44fbc5e30ba797ed280f155

/data/data/com.pickersoft.myweb/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3235dc807f6c41f67c953113211e81b5
SHA1 f99a7be21838ef095f21de54e3b7c863a77d0f0e
SHA256 ff1c059e46b99e40171d1b1d737910fb22a59fd9b718c5334a258ae6142e0f0d
SHA512 30e8b508ba9c3510e352c1d7704d7e74af002ea51760ceb257e74a2661b534dfafe1168033567ba9bad50d23106563c9886bb1bd21bd5b67d989eebd34f656ec

/data/data/com.pickersoft.myweb/files/profileInstalled

MD5 2704d6755be00daf78d21cde5cc72b9b
SHA1 381bf314f46dee79d1d1437a5fee2983e2206105
SHA256 b8a636186af4226c24e230208b7519598df4fb3b961f9686f1b37546db5eee1f
SHA512 8122b4bf13eb8cb44a572bb5c18387a92923805df29b8fb21e09a9686930280d1240b7d07606cc8e50493a89036bdc19f1aef463937aa75c8eca7f8545839230

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-04 22:00
Reported: 2024-03-04 22:03
Platform: android-x64-20240221-en
Max time kernel: 47s
Max time network: 165s

Command Line

com.pickersoft.myweb

Signatures

Reads the content of SMS inbox messages.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Reads the content of outgoing SMS messages.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://sms/sent | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Processes

com.pickersoft.myweb

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | telegra.ph | udp
NL | 149.154.164.13:443 | telegra.ph | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
US | 1.1.1.1:53 | www.molot.mobi | udp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.212.228:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.16.238:443 | | tcp

Files

/data/misc/profiles/cur/0/com.pickersoft.myweb/primary.prof

MD5 028419bf8b452894e2f485e68d27256a
SHA1 c20d720b52d713b2ddbb9ac5257c305515f0db39
SHA256 8b14e57b96e22109bb4c716b45a3fac2863324688077f1dd6ce675ed9ab196ca
SHA512 1b231e043af636704637187a7925ba639cd67ea2475d833ec0247d26ef3b49d59494ab5f547eb1e19715c084539e273410e39661e44fbc5e30ba797ed280f155

/data/data/com.pickersoft.myweb/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 8f0a28c21ac10c5c58ab16dab3c87ebd
SHA1 02651f079589cd445c225e736ea6e1952c2b05e7
SHA256 a5303a504fa4f3578f7a3736ccd0111adccbfb8a8ca54d279a9c0c9fbc030b25
SHA512 b1c64c3cddc2028068f146dc94968185f10bd65c8c1442c883cf84a4ff267b13b5b78699281d1c65d07bbd1bdf1ccdb26928cd49a6e2a4e3676a05c26421bf10

/data/data/com.pickersoft.myweb/files/profileInstalled

MD5 12e9895686ce5be3499ffd544b54a08d
SHA1 fa70157023dbf01646ba774600c1fac6af148803
SHA256 76ce5265399a900c9a11f4ff6bdf993026f665f5c0b3209d5836c0078426f246
SHA512 b5bdd84ee0e95f4f8557c6f3c143af4d085895c3093d2279c0def671ae4820b52e87d0ccd6b5d09d18e93cd457141124fb52f232c7a1118edae82311a4925f87

/data/misc/profiles/cur/0/com.pickersoft.myweb/primary.prof

MD5 1a15f536df581f355984cc92eeb5df90
SHA1 2ab75b95a4f1bb5019ab5d234fc787361f9f9b90
SHA256 bd3b73ed906b9a13bbb012e7de1aa28f4733a53bb25427d84e35819aeb80d272
SHA512 38468c869f6e9bfee2a67ea1eb3587bff651ce2790ab9ae0e36dc8c080ec7841f28651e439f40d281bee1a5227c90d2fb710f743056a264db8f601f02639921c

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-04 22:00
Reported: 2024-03-04 22:03
Platform: android-x64-arm64-20240221-en
Max time kernel: 47s
Max time network: 170s

Command Line

com.pickersoft.myweb

Signatures

Reads the content of SMS inbox messages.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://sms/inbox | N/A | N/A

Reads the content of outgoing SMS messages.

Tags: collection

Description | Indicator | Process | Target
URI accessed for read | content://sms/sent | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Tags: discovery

Processes

com.pickersoft.myweb

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.238:443 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | telegra.ph | udp
NL | 149.154.164.13:443 | telegra.ph | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
US | 1.1.1.1:53 | www.ip-api.com | udp
US | 208.95.112.1:80 | www.ip-api.com | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
IT | 172.232.219.166:8080 | 172.232.219.166 | tcp
US | 1.1.1.1:53 | www.molot.mobi | udp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
DE | 46.4.4.235:443 | www.molot.mobi | tcp
GB | 172.217.169.4:443 | | tcp
GB | 172.217.169.4:443 | | tcp

Files

/data/data/com.pickersoft.myweb/files/Исходящие сообщения (ID 707092444) [1].txt

MD5 3b0c61d2ee11956d0ca0a1faf473ebd9
SHA1 04ce4f5a5e0817458e2159bfc6f8caf9f57a6792
SHA256 362ba76a556507c08b06b7178fc49aabff39cbb4336484b0aa762624c5097448
SHA512 8f997f2a6d4730b9851ae1363dc9532e69fe00214f36fbc5feb37f966da59191b6cc96a67d5c60ecbd7d5b66dab096e34f7eceb72e9e110f6a3d62eccfdc4b8c