Malware Analysis Report

2025-01-19 05:34

Sample ID: 240307-ea4w4sea67
Target: 2eb4546ef8f173039501329088e7cf81
SHA256: 6260f500a0847ecebe34f4fcbe89cf5f9708669dabe7bb1dfa6ca0d2f3cbd107
Tags: collection evasion stealth trojan
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 6260f500a0847ecebe34f4fcbe89cf5f9708669dabe7bb1dfa6ca0d2f3cbd107

Threat Level: Likely malicious

The file 2eb4546ef8f173039501329088e7cf81 was found to be: Likely malicious.

Malicious Activity Summary

collection evasion stealth trojan

Removes its main activity from the application launcher

Reads the content of photos stored on the user's device.

Reads the content of the call log.

Requests dangerous framework permissions

Acquires the wake lock

Looks up external IP address via web service

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-03-07 03:45

Signatures

Requests dangerous framework permissions

Indicator / Description (Process and Target are N/A for static analysis)

android.permission.READ_SMS
    Allows an application to read SMS messages.
android.permission.SEND_SMS
    Allows an application to send SMS messages.
android.permission.READ_CALL_LOG
    Allows an application to read the user's call log.
android.permission.WRITE_CALL_LOG
    Allows an application to write and read the user's call log data.
android.permission.READ_EXTERNAL_STORAGE
    Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE
    Allows an application to write to external storage.
android.permission.CAMERA
    Required to be able to access the camera device.
android.permission.READ_PHONE_STATE
    Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.PROCESS_OUTGOING_CALLS
    Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
android.permission.RECORD_AUDIO
    Allows an application to record audio.
android.permission.READ_CONTACTS
    Allows an application to read the user's contacts data.
android.permission.ACCESS_FINE_LOCATION
    Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION
    Allows an app to access approximate location.
android.permission.PACKAGE_USAGE_STATS
    Allows an application to collect component usage statistics.
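The permission list above is the static evidence behind the "collection" tag: the app asks for SMS, call log, contacts, camera, microphone, location and storage at once. A reviewer wants that combination flagged automatically rather than read off a table. The script below is an added example and not part of the sandbox's tooling: it parses a decoded AndroidManifest.xml (as apktool or aapt2 produce), flags the entries Android grants at the runtime "dangerous" level, groups them into capabilities, and calls out PACKAGE_USAGE_STATS separately, since that one is not a runtime permission at all but is granted through the Settings "Usage access" screen. The manifest embedded in the script is constructed to mirror the static1 table (the INTERNET entry is my assumption, the real manifest was not available), and the spyware-profile threshold is my own, not the sandbox's scoring.

```python
"""Static triage of the permissions an APK manifest requests.

Added example (not part of the sandbox report): reads a decoded
AndroidManifest.xml, lists the <uses-permission> entries, flags the ones
granted at Android's runtime ("dangerous") protection level, and groups
them into capabilities so the reviewer sees the combination rather than
a bare count. The manifest below is constructed to mirror the static1
table; the package's real manifest was not available.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Runtime permissions grouped by capability (not exhaustive: calendar,
# body sensors and others are omitted because this sample does not use them).
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
                 "android.permission.PROCESS_OUTGOING_CALLS"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "telephony": {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE"},
    "camera_mic": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}
DANGEROUS = set().union(*CAPABILITIES.values())
# Not a runtime permission: the user grants it in Settings > Usage access.
SPECIAL_ACCESS = {"android.permission.PACKAGE_USAGE_STATS"}
# Capabilities that together form the classic spyware profile
# (my threshold, not the sandbox's scoring).
SPYWARE_PROFILE = {"sms", "call_log", "contacts", "location", "camera_mic"}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def triage_manifest(manifest_xml):
    perms = set(requested_permissions(manifest_xml))
    caps = {name: sorted(perms & members) for name, members in CAPABILITIES.items()}
    caps = {name: hits for name, hits in caps.items() if hits}
    return {
        "dangerous": sorted(perms & DANGEROUS),
        "special_access": sorted(perms & SPECIAL_ACCESS),
        "unclassified": sorted(perms - DANGEROUS - SPECIAL_ACCESS),
        "capabilities": caps,
        "spyware_profile": SPYWARE_PROFILE <= set(caps),
    }


# Constructed manifest mirroring the static1 table. INTERNET is assumed
# (the app talks to the network) but is not listed by the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.sas.seafkoagent.seafkoagent">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

The point of grouping is that a single dangerous permission (storage, say) is unremarkable, while SMS plus call log plus contacts plus location plus camera/microphone in one app is the profile the behavioural runs below go on to confirm for photos and the call log.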

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 03:45

Reported

2024-03-07 03:48

Platform

android-x86-arm-20240221-en

Max time kernel

14s

Max time network

137s

Command Line

com.sas.seafkoagent.seafkoagent

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Reads the content of photos stored on the user's device.

collection
Description Indicator Process Target
URI accessed for read content://media/external/images/media N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Processes

com.sas.seafkoagent.seafkoagent

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 webknight619.000webhostapp.com udp
US 145.14.145.24:443 webknight619.000webhostapp.com tcp
GB 142.250.200.14:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 1252c0f27c60bf6228a335d0c7cc36f5
SHA1 1840dec5c068a3d172fe020c1478cc059121c0a6
SHA256 bffc013180eb23b234fd6b6a2df80c615e7b5ee322610fe80e7d3ab37c7e918e
SHA512 44959f2af0479157088d11c39a7cd73ce8fd8ec6c0125329cd7160c44e80191574bbf3e85bc69fae2e3fbe400f6962cdeb2a22ce45b006e7cefab832a9d830cd

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-wal

MD5 ab4e0b339a0c56aa7ab8cb522b999e1d
SHA1 e2efa3adc266e3418db16efafd0528fd7f644821
SHA256 336f3e2bbdc09b5e465233dded31e3957fd3c5e2e6a675c02f3fca391aba95d1
SHA512 54174bd027165a19d2e122722d9edaefa3046ef4a849ee916d0395810bc4d8f7fe5a7bc081b2e5a748f238e667c044530e3c01a239176d5d60c5fceabf103f7b

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-07 03:45

Reported

2024-03-07 03:48

Platform

android-x64-20240221-en

Max time kernel

10s

Max time network

147s

Command Line

com.sas.seafkoagent.seafkoagent

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Reads the content of photos stored on the user's device.

collection
Description Indicator Process Target
URI accessed for read content://media/external/images/media N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Processes

com.sas.seafkoagent.seafkoagent

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 1.1.1.1:53 webknight619.000webhostapp.com udp
US 145.14.144.70:443 webknight619.000webhostapp.com tcp
GB 142.250.178.14:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.201.100:443 N/A tcp
GB 216.58.201.100:443 N/A tcp

Files

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 20cfac20673ff4c5171f47ed8aaa7780
SHA1 73d3c306b910ea342200318aedf4d06f4fc2cc69
SHA256 116397d7761d858a748c5723493f4468ac72f0e48b45cb87f894951cfbf63364
SHA512 a2bf174a0153479b5bf3ddc7ddb5f4d6c04096c15f61869a53294e8f73febb575b64e7d67852d487ed27188ba9d77385e66c8d7bbf8a3db75b224930e7bfe86e

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db

MD5 34ff4194951600ab46262c0a8d12b002
SHA1 f7e1d16ab6acbbc643058e1ee04424b0751a0b29
SHA256 b0aaef6ec379602db455d9a608177a049fda4649e759560d0d9ed2fac4f55cc1
SHA512 6580b797fb6a743bb878e5fc6083e7eedce07b4e54826779aa3859e311003fd57c47513d24c4901c78da47c721ff09d1efedb40602b32a2f83b4a90dc2a3c11a

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 2f8249a4d78a2bc7df01ce568698f0b2
SHA1 018a29e78a54de1767cb19734952cfc35bad142e
SHA256 5bbd347f0664258622790bc7a6d60d341ee5d21a06a06e5108296b107fc72f38
SHA512 b9401c1a9e3754a94abfb89ade53d9908492257ec77dc56985f6800dd11996d40ad7ebf05b636382c00468635eb83cf44dd7382137543607a69050019e6c170d

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 0ba941c35ca0620a86a215b8880cb60b
SHA1 1d92938745c231d8efeab36eb8c571e11446bb7a
SHA256 321dd70e749685f4a93257f68e635cb7f2babed15b454388c1c477f9bb14072e
SHA512 bd90582e0f2bf8eeda5ad2f5cdc55604ef8322044c0abb42d03a9b3a776860720433ac90cee3d2bfbec456c1d443fff96a84e8a7e8b8add0a323c3836d052d76

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 c09739685b600c52ee69708e239be3b0
SHA1 2e0427fdf7cd86aca41e51513564a2b14767b6c1
SHA256 ae89531731c5c38159b90a10301f5ae346983a2973c0d5f5c2ffc13274c8ad8c
SHA512 2736b6c7754013a0bdec6ffe09f9c2361585a9187c0e71652a9c5a68e83cafc9919f1323abfb5499d679ba3c61d301aa608e7136781a7b7b16b51fcc29cdac0a

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 6c314fd67ad503f1f93c13a471abc76a
SHA1 4f10d20c84bce9eb8619f98cff5a13969ba37be2
SHA256 d0e4df9fc311dd7023ee3cdf9c5784e729abbe29ca6e195149f6c7439ec11136
SHA512 9362d2323b92c9c5e7633ae74aa4ad924a8f9cb584b72ed45699e9082429097dd518e81aaabad6bcb737ba5833ab21a5d7b62590622e589f3a11ce2c5d7840a0

/data/data/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 220cdc1f74c51033162afdd338c82de5
SHA1 ab17a43d4dc633a0ba2149f5adb54d979f7b834c
SHA256 a566cb93aea57e8218ca790c91aca893871d14880daaf34a6860377821d1d3be
SHA512 ad50e725bac8918b078e1797a4270fc24a6f4b48dc6b16bc31715c0db11e867f925fc298d4c3dc920d7b8f020bf6d61168f37a07cb8454a69823dbd03c1be16f

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-07 03:45

Reported

2024-03-07 03:48

Platform

android-x64-arm64-20240221-en

Max time kernel

10s

Max time network

144s

Command Line

com.sas.seafkoagent.seafkoagent

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Reads the content of photos stored on the user's device.

collection
Description Indicator Process Target
URI accessed for read content://media/external/images/media N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
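The three behavioural runs report the same signatures, and each one is derived from a concrete runtime observation: a content-provider URI read, a Binder call into a framework service, a DNS lookup, or a package-manager component change that takes the main activity out of the launcher. The rule set below is an added example of how such signatures fall out of an event stream; it is not the sandbox's own engine. The events are constructed to match what the runs recorded, the launcher component name is hypothetical (the report does not name the activity), the SMS rule goes one step beyond the report (READ_SMS was requested but no SMS read was observed in these short runs), and the MITRE ATT&CK Mobile technique IDs are my mapping, not the report's.

```python
"""Turning behavioural events into the report's signature names.

Added example, not the sandbox's signature engine: a small rule set
that maps observable runtime events to the signatures and tags used in
this report. Events are constructed; the launcher activity name is a
hypothetical stand-in; ATT&CK Mobile IDs are the editor's mapping.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str          # "uri_read" | "framework_call" | "dns" | "component_state"
    value: str         # URI, service method, hostname, or component name
    detail: str = ""   # for component_state: the new enabled state


@dataclass(frozen=True)
class Hit:
    signature: str
    tags: tuple
    indicator: str
    attack: str        # ATT&CK Mobile technique id, "" when none fits cleanly


# Hypothetical launcher component; in practice taken from the static manifest.
LAUNCHER_ACTIVITIES = {"com.sas.seafkoagent.seafkoagent/.MainActivity"}
IP_LOOKUP_SERVICES = {"ipinfo.io", "ip-api.com", "api.ipify.org"}

# (event kind, predicate, signature text, tags, ATT&CK Mobile id)
RULES = [
    ("uri_read", lambda e: e.value.startswith("content://media/external/images/"),
     "Reads the content of photos stored on the user's device.", ("collection",), "T1533"),
    ("uri_read", lambda e: e.value.startswith("content://call_log/"),
     "Reads the content of the call log.", ("collection",), "T1636.002"),
    ("uri_read", lambda e: e.value.startswith("content://sms/"),
     "Reads the content of SMS messages.", ("collection",), "T1636.004"),
    ("framework_call", lambda e: e.value == "android.os.IPowerManager.acquireWakeLock",
     "Acquires the wake lock", (), ""),
    ("dns", lambda e: e.value in IP_LOOKUP_SERVICES,
     "Looks up external IP address via web service", (), ""),
    ("component_state", lambda e: e.detail == "COMPONENT_ENABLED_STATE_DISABLED"
                                  and e.value in LAUNCHER_ACTIVITIES,
     "Removes its main activity from the application launcher",
     ("stealth", "trojan", "evasion"), "T1628.001"),
]


def evaluate(events):
    """Return one Hit per (signature, indicator) pair, in first-seen order."""
    hits, seen = [], set()
    for ev in events:
        for kind, matches, signature, tags, attack in RULES:
            if ev.kind != kind or not matches(ev):
                continue
            key = (signature, ev.value)
            if key not in seen:           # collapse repeated reads of one URI
                seen.add(key)
                hits.append(Hit(signature, tags, ev.value, attack))
    return hits


def summary_tags(hits):
    """The de-duplicated tag set the report prints in its header."""
    return sorted({t for h in hits for t in h.tags})


# Constructed event stream matching what the behavioural runs recorded.
SAMPLE_EVENTS = [
    Event("component_state", "com.sas.seafkoagent.seafkoagent/.MainActivity",
          "COMPONENT_ENABLED_STATE_DISABLED"),
    Event("framework_call", "android.os.IPowerManager.acquireWakeLock"),
    Event("uri_read", "content://media/external/images/media"),
    Event("uri_read", "content://call_log/calls"),
    Event("dns", "semanticlocation-pa.googleapis.com"),   # no rule fires
    Event("dns", "ipinfo.io"),
    Event("dns", "ipinfo.io"),                            # second lookup, same hit
    Event("uri_read", "content://call_log/calls"),        # repeat read, same hit
]

if __name__ == "__main__":
    for h in evaluate(SAMPLE_EVENTS):
        print(h.attack or "-", h.signature, h.indicator, h.tags)
    print(summary_tags(evaluate(SAMPLE_EVENTS)))
```

Two things worth noticing when reading the report against such rules: the launcher-removal signature carries no indicator in any run (the row is all N/A), so the sandbox is reporting the state change rather than the call that caused it, and the wake lock and IP lookup signatures carry no tags because on their own they are ordinary app behaviour; they matter here only in combination with the collection rows.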

Processes

com.sas.seafkoagent.seafkoagent

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 N/A udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 webknight619.000webhostapp.com udp
US 145.14.145.167:443 webknight619.000webhostapp.com tcp
GB 172.217.169.4:443 N/A tcp
GB 172.217.169.4:443 N/A tcp
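Across the three runs the network tables mix emulator plumbing (mDNS, the 1.1.1.1 resolver), Google platform traffic, a public IP-lookup service, and one endpoint that belongs to none of those groups: webknight619.000webhostapp.com, which is contacted over 443 in every run but from a different address each time (145.14.145.24, 145.14.144.70, 145.14.145.167), as expected for a free shared-hosting platform. The script below is an added example, not part of the report: it parses rows in the report's own layout, keeps the hostname rather than the rotating IP as the durable indicator, leaves destinations that carry no name in an "unattributed" bucket instead of guessing from the netblock (an address in Google's space without a name could be Play services or a Google Cloud front such as the one ipinfo.io uses, and only the pcap's DNS answers or TLS SNI can settle that), and separates the IP-lookup service, which is a discovery step, from the unrecognized host. The rows are copied from the three tables above with exact duplicates removed; the benign-suffix list is my choice.

```python
"""Consolidating the three behavioural runs' network tables into IOCs.

Added example (not part of the report): parses rows in the report's
'Country Destination Domain Proto' layout, separates sandbox plumbing
and Google platform traffic from endpoints a defender would act on, and
keeps unnamed destinations aside rather than guessing at them. The
allow-listed suffixes and service lists are the editor's choice.
"""
from collections import defaultdict

RESOLVER_IP = "1.1.1.1"      # the sandbox's upstream DNS resolver
MDNS_IP = "224.0.0.251"      # link-local multicast DNS, emulator noise
# Google-operated names seen in these runs; treated as platform background.
BENIGN_SUFFIXES = (".googleapis.com", ".google.com", ".google-analytics.com")
# Free shared hosting: the hostname is the durable indicator, the IP rotates.
SHARED_HOSTING = (".000webhostapp.com",)
# Public "what is my IP" services: a discovery step, not an attacker host.
IP_LOOKUP_SERVICES = {"ipinfo.io"}


def parse_rows(table):
    """Parse 'Country Destination [Domain] Proto' rows; Domain may be absent or N/A."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto, domain = *parts, ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": "" if domain == "N/A" else domain, "proto": proto})
    return rows


def triage_network(rows):
    queried = set()                # names the app resolved
    connected = defaultdict(set)   # domain -> IPs actually contacted
    unattributed = set()           # IPs contacted without a name on the row
    for r in rows:
        if r["ip"] == MDNS_IP:
            continue
        if r["ip"] == RESOLVER_IP and r["port"] == 53:
            if r["domain"]:
                queried.add(r["domain"])
            continue
        if r["domain"]:
            connected[r["domain"]].add(r["ip"])
        else:
            unattributed.add(r["ip"])
    names = queried | set(connected)
    benign = {d for d in names if d.endswith(BENIGN_SUFFIXES)}
    iocs = {}
    for d in names - benign:
        iocs[d] = {
            "ips": sorted(connected.get(d, ())),
            "role": "ip-lookup" if d in IP_LOOKUP_SERVICES else "unrecognized",
            "shared_hosting": d.endswith(SHARED_HOSTING),
        }
    return {"iocs": iocs, "benign": sorted(benign), "unattributed": sorted(unattributed)}


# Rows copied from the report's three network tables, exact duplicates removed.
NETWORK_TABLES = """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.42:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 webknight619.000webhostapp.com udp
US 145.14.145.24:443 webknight619.000webhostapp.com tcp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 145.14.144.70:443 webknight619.000webhostapp.com tcp
GB 142.250.178.14:443 tcp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.212.238:443 udp
GB 142.250.187.206:443 tcp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 145.14.145.167:443 webknight619.000webhostapp.com tcp
GB 172.217.169.4:443 tcp
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_network(parse_rows(NETWORK_TABLES)), indent=2))
```

For a blocklist, the output argues for the FQDN webknight619.000webhostapp.com rather than any of its three addresses, which are shared-hosting front ends that other tenants use too; ipinfo.io is worth logging as a behaviour of this sample but not blocking, since legitimate apps query it as well.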

Files

/data/user/0/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 bffcb744ad662644877bdf8ed45598da
SHA1 0a208becebcb75fe763985a2005990367f6b71b4
SHA256 30df10928c2302e8834f6c0b4afed7dbe9293cd77295ac84fb5a3c07a3541527
SHA512 d998a11622c23a24f45f90a859b143b43db565037b3af2ef38dc238854dfc019fe3161d1fe016148ed304a40192a76cce794ac052bc0a9316cd7866e9701354d

/data/user/0/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db

MD5 59a6f5a47e5f7cc3fbeb3554b9a1716b
SHA1 5300611869d10ebb568c50298416ae2d8b27907d
SHA256 d4e61a70b49bd35acd3057ce9a093e8ce19852457547d0b535d5831009124d35
SHA512 82a5bb8a1fc36e574349c9ecad6f13ba1d10d53ac97da0d503bcb384c786f80cd22d2a889f25d7eccb7bd21330dbcb14dea2a6813ab7ad39b0e991d604dc28f3

/data/user/0/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 91b7973a10582b8e314b7e3627c6451f
SHA1 e33cdb7282e2f3ba8993f457b1112180f17e32e1
SHA256 f276d79531dd363022bde30abf399df5637e1800cdc5aab244e4526f7575d27f
SHA512 44ff34692dff961c5928769a76c0b19accd3f248f1e80457db8787baf2df6996e449a408df0b979b6705c989d6f1689344c566621e6eb76007eb41f2e878e9f9

/data/user/0/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 a5e1662114d2658735bba9fd6219d1fe
SHA1 52423664d4aafdee5c72dccee1db83d28c3a7ddc
SHA256 6601f233da7245227fe617804f453eb43e33d87c870f6633984b1590c365ee96
SHA512 4fd495064ac78012116b8b3e947dd3423338891caf81e766e56d8b8edafdfcf2a3d8818a1465742b46a1abd7e5196ed10739c7051b9fe945ba9d18a631557cfe

/data/user/0/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 a19ad5b411a59d034a39eec1f3d29566
SHA1 ddee1df7506fa316346b7a28f30b093f2ff07fc0
SHA256 f0de2802c8fe3b1133707daaedf7654f5829f8f7a428e4f6f3bb45f09f6b242e
SHA512 b57c2e243fec1ec9bd8cfcf4d3cba3d67a3813385e0143da1e4880827bf6506637c0996ec5cc45b458b82b46162d122b60f4aa0b92c9e54b2fab22529d31be52

/data/user/0/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 c558d7fe657bdfad1b6a3fa2d69cd762
SHA1 96364e3503a1025fa1430963ffc0773c4b50a2a0
SHA256 6fcf682167d274100bd592419e3a141a9caac255d610b2de5d9207768e223106
SHA512 11a2c40181b7d6c920b580e58399381bd348b8ca395a5b0c2acf0d5deba8ce49a5c1ebceb8e9fcabe91d086b1a58979736cd72471ebec2873c5945e9f7fd51ea

/data/user/0/com.sas.seafkoagent.seafkoagent/databases/evernote_jobs.db-journal

MD5 23d2c2b4d6082dcb200b1dea07391076
SHA1 4355d833c3c4a85e84fb0f76db2061ed509fb597
SHA256 63370584fbd79785318be50f81a94ae6c649970fa5dcbc9ce415608124af77ba
SHA512 5af950bfb030a044034bbe90d53845c9425be07dde7ab48a6264ec418c125920f2a5aaddc3957f11ef9e08c83f6e6509473fad3b7153f605108d7d491c1f30df
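Every run's file list is the same SQLite database under four names: evernote_jobs.db and its -journal, -wal and -shm siblings, each hashed separately. By name this is the job store of the Evernote android-job scheduling library, which is how an app keeps periodic work running after the launcher icon is gone. The practitioner caveat is that these four files are one logical database: when SQLite runs in write-ahead-log mode (Android's SQLiteDatabase supports this through enableWriteAheadLogging), committed rows live in the -wal file until a checkpoint folds them into the main file, so collecting or hashing evernote_jobs.db on its own can miss the scheduler's current state, and a differing -wal hash between runs is not evidence that the main file differs. The script below is an added example, not taken from the report or the android-job project: it builds a throwaway database in WAL mode, copies it once without and once with its -wal file, and shows what each copy yields. The table layout is invented for the demo and is not the library's real schema.

```python
"""Why evernote_jobs.db must be collected with its -wal sibling.

Added example (not from the report or the android-job library): creates
a SQLite database in WAL mode, keeps its rows in the -wal file by
disabling automatic checkpoints, then compares a copy of the main file
alone with a copy that includes the -wal. The 'jobs' table here is an
invented stand-in, not the library's real schema.
"""
import os
import shutil
import sqlite3
import tempfile


def build_wal_db(path):
    """Create a WAL-mode database whose committed rows sit only in the -wal file."""
    conn = sqlite3.connect(path, isolation_level=None)   # autocommit
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA wal_autocheckpoint=0")          # never fold WAL into the main file
    conn.execute("CREATE TABLE jobs (_id INTEGER PRIMARY KEY, tag TEXT, intervalMs INTEGER)")
    conn.executemany("INSERT INTO jobs (tag, intervalMs) VALUES (?, ?)",
                     [("upload_photos", 900000), ("upload_calllog", 900000)])
    return conn   # caller closes it; closing checkpoints and removes the -wal


def inspect(path):
    """Open a copied database and report the tables and rows it exposes."""
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        rows = conn.execute("SELECT count(*) FROM jobs").fetchone()[0] if "jobs" in tables else 0
    finally:
        conn.close()
    return {"tables": tables, "rows": rows}


def compare_copies():
    """Copy the live database two ways and inspect both copies."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "evernote_jobs.db")
    live = build_wal_db(src)
    try:
        only_db = os.path.join(work, "only_db", "evernote_jobs.db")
        with_wal = os.path.join(work, "with_wal", "evernote_jobs.db")
        for p in (only_db, with_wal):
            os.makedirs(os.path.dirname(p))
        shutil.copy(src, only_db)                      # main file alone
        shutil.copy(src, with_wal)                     # main file ...
        shutil.copy(src + "-wal", with_wal + "-wal")   # ... plus its WAL (-shm is rebuilt on open)
        return {"db_only": inspect(only_db), "db_plus_wal": inspect(with_wal)}
    finally:
        live.close()
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(compare_copies())
```

The main-file-only copy opens cleanly and reports no tables at all, which is exactly how an analyst ends up concluding that a scheduler database is empty; the copy that carries the -wal shows the table and both rows. When pulling app data from a device or a sandbox, take the whole databases directory, or checkpoint first with PRAGMA wal_checkpoint(TRUNCATE) from a read-write connection, before hashing or parsing.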