Malware Analysis Report

2024-12-01 03:18

Sample ID: 240515-p1ltbsab3s
Target: 864140f2ff91c793cdd1caeb2145853b.apk
SHA256: dea2da2052f3c3789a624445370229d4b8538e2a53b6b4ef438bda767f0456a5
Tags: gigabud golddigger discovery impact persistence
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: dea2da2052f3c3789a624445370229d4b8538e2a53b6b4ef438bda767f0456a5
Threat Level: Known bad

The file 864140f2ff91c793cdd1caeb2145853b.apk was found to be: Known bad.

Malicious Activity Summary

Tags: gigabud golddigger discovery impact persistence

GoldDigger payload

Golddigger family

Gigabud family

Gigabud payload

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Checks if the internet connection is available

Uses Crypto APIs (Might try to encrypt user data)

Analysis: static1

Detonation Overview

Reported: 2024-05-15 12:47

Signatures

Gigabud family
  Tag: gigabud

Gigabud payload
  Description / Indicator / Process / Target: N/A

GoldDigger payload
  Description / Indicator / Process / Target: N/A

Golddigger family
  Tag: golddigger

Declares services with permission to bind to the system
  Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
  Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
  Process / Target: N/A

Requests dangerous framework permissions (Process / Target: N/A for all rows)
  Indicator                                  Description
  android.permission.WRITE_EXTERNAL_STORAGE  Allows an application to write to external storage.
  android.permission.READ_EXTERNAL_STORAGE   Allows an application to read from external storage.
  android.permission.SYSTEM_ALERT_WINDOW     Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
  android.permission.WRITE_SETTINGS          Allows an application to read or write the system settings.
  android.permission.READ_SMS                Allows an application to read SMS messages.
  android.permission.SEND_SMS                Allows an application to send SMS messages.
  android.permission.CALL_PHONE              Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-15 12:47
Reported: 2024-05-15 12:51
Platform: android-x86-arm-20240514-en
Max time kernel: 5s
Max time network: 188s

Command Line

com.agniagnia.gnoeneoa

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)
  Tag: persistence
  Description: Framework service call
  Indicator: android.app.IActivityManager.registerReceiver
  Process / Target: N/A

Checks if the internet connection is available
  Tag: discovery
  Description: Framework service call
  Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
  Process / Target: N/A

Uses Crypto APIs (Might try to encrypt user data)
  Tag: impact
  Description: Framework API call
  Indicator: javax.crypto.Cipher.doFinal
  Process / Target: N/A

Processes

com.agniagnia.gnoeneoa

Network

Country  Destination          Domain                   Proto
GB       172.217.169.74:443   -                        tcp
N/A      224.0.0.251:5353     -                        udp
GB       216.58.212.227:443   -                        tcp
US       1.1.1.1:53           www.baidu.com            udp
GB       142.250.180.14:443   -                        tcp
US       1.1.1.1:53           android.apis.google.com  udp
GB       142.250.178.14:443   android.apis.google.com  tcp
US       1.1.1.1:53           rpc.vnly2.top            udp
SG       54.179.221.26:443    rpc.vnly2.top            tcp
US       1.1.1.1:53           www.baidu.com            udp
US       1.1.1.1:53           www.baidu.com            udp

Files

/data/data/com.agniagnia.gnoeneoa/no_backup/androidx.work.workdb-journal


/data/data/com.agniagnia.gnoeneoa/no_backup/androidx.work.workdb


/data/data/com.agniagnia.gnoeneoa/no_backup/androidx.work.workdb-shm


/data/data/com.agniagnia.gnoeneoa/no_backup/androidx.work.workdb-wal


/data/data/com.agniagnia.gnoeneoa/no_backup/.flurryNoBackup/installationNum


/data/data/com.agniagnia.gnoeneoa/no_backup/androidx.work.workdb-wal


/data/data/com.agniagnia.gnoeneoa/no_backup/androidx.work.workdb-wal
