Malware Analysis Report

2024-09-22 12:21

Sample ID 240424-z5lz1ahg5w
Target https://github.com/Endermanch/MalwareDatabase
Tags
discovery evasion collection
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

Threat Level: Shows suspicious behavior

The file https://github.com/Endermanch/MalwareDatabase was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion collection

Checks CPU information

Checks memory information

Reads the content of photos stored on the user's device.

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-04-24 21:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-24 21:18

Reported

2024-04-24 21:48

Platform

android-x86-arm-20240221-en

Max time kernel

1798s

Max time network

1792s

Command Line

com.android.chrome

Signatures

Checks CPU information

evasion discovery
Description           Indicator       Process  Target
File opened for read  /proc/cpuinfo   N/A      N/A

Checks memory information

evasion discovery
Description           Indicator       Process  Target
File opened for read  /proc/meminfo   N/A      N/A

Legitimate hosting services abused for malware hosting/C2

Description  Indicator                    Process  Target
N/A          camo.githubusercontent.com   N/A      N/A
N/A          camo.githubusercontent.com   N/A      N/A

Looks up external IP address via web service

Description  Indicator       Process  Target
N/A          freegeoip.app   N/A      N/A
N/A          freegeoip.app   N/A      N/A

Processes

com.android.chrome

Network

Files

files/dom-0.html

/storage/emulated/0/Download/.com.google.Chrome.IpBs69

/storage/emulated/0/Download/5251a356421340a45c8dc6d431ef8a8cbca4078a0305a87f4fbd552e9fc0793e.zip.crdownload

/storage/emulated/0/Download/.com.google.Chrome.WSbcIm

/storage/emulated/0/Download/Unconfirmed 826511.crdownload

/storage/emulated/0/Download/.com.google.Chrome.UKuCoN

/storage/emulated/0/Download/Unconfirmed 692535.crdownload

/storage/emulated/0/Download/.com.google.Chrome.npiEzb

/storage/emulated/0/Download/Unconfirmed 20066.crdownload

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-24 21:18

Reported

2024-04-24 21:48

Platform

android-x64-20240221-en

Max time kernel

1749s

Max time network

1807s

Command Line

com.android.chrome

Signatures

Checks CPU information

evasion discovery
Description           Indicator       Process  Target
File opened for read  /proc/cpuinfo   N/A      N/A

Checks memory information

evasion discovery
Description           Indicator       Process  Target
File opened for read  /proc/meminfo   N/A      N/A

Reads the content of photos stored on the user's device.

collection
Description            Indicator                               Process  Target
URI accessed for read  content://media/external/images/media   N/A      N/A

Legitimate hosting services abused for malware hosting/C2

Description  Indicator                    Process  Target
N/A          camo.githubusercontent.com   N/A      N/A
N/A          camo.githubusercontent.com   N/A      N/A
N/A          camo.githubusercontent.com   N/A      N/A

Processes

com.android.chrome

Network

Files

files/dom-0.html

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-24 21:18

Reported

2024-04-24 21:48

Platform

android-x64-arm64-20240221-en

Max time kernel

1685s

Max time network

1666s

Command Line

com.android.chrome

Signatures

Checks CPU information

evasion discovery
Description           Indicator       Process  Target
File opened for read  /proc/cpuinfo   N/A      N/A

Checks memory information

evasion discovery
Description           Indicator       Process  Target
File opened for read  /proc/meminfo   N/A      N/A

Legitimate hosting services abused for malware hosting/C2

Description  Indicator                    Process  Target
N/A          camo.githubusercontent.com   N/A      N/A
N/A          camo.githubusercontent.com   N/A      N/A

Processes

com.android.chrome

Network

Files

files/dom-0.html
