Malware Analysis Report

2024-09-09 19:11

Sample ID: 240517-s3p6baee25
Target: fake angry.apk
SHA256: d63857461a281f32233b548b411227d2318ae85ac3695d600391d0aa0ac63b6d
Tags: impact, privilege_escalation
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: d63857461a281f32233b548b411227d2318ae85ac3695d600391d0aa0ac63b6d

Threat Level: Shows suspicious behavior

The file fake angry.apk was found to show suspicious behavior.

Malicious Activity Summary

Tags: impact, privilege_escalation

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-17 15:39

Signatures

Declares broadcast receivers with permission to handle system events

Indicator: android.permission.BIND_DEVICE_ADMIN
Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
Process: N/A
Target: N/A

Requests dangerous framework permissions

Indicator: android.permission.READ_PHONE_STATE
Description: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Process: N/A
Target: N/A

Indicator: android.permission.WRITE_EXTERNAL_STORAGE
Description: Allows an application to write to external storage.
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-17 15:39
Reported: 2024-05-17 15:42
Platform: android-x64-20240514-en
Max time kernel: 76s
Max time network: 165s

Command Line

com.katecca.screenofflock

Signatures

N/A

Processes

com.katecca.screenofflock

Network


Files

/data/data/com.katecca.screenofflock/files/one_time_settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-17 15:39
Reported: 2024-05-17 15:42
Platform: android-33-x64-arm64-20240514-en
Max time kernel: 161s
Max time network: 165s

Command Line

com.katecca.screenofflock

Signatures

Tries to add a device administrator.

Tags: privilege_escalation, impact
Indicator: android.app.action.ADD_DEVICE_ADMIN
Description: Intent action
Process: N/A
Target: N/A

Processes

com.katecca.screenofflock

com.katecca.screenofflock:qs

com.katecca.screenofflock:ls

Network


Files

/data/user/0/com.katecca.screenofflock/files/one_time_settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

/data/user/0/com.katecca.screenofflock/files/cm.lg

MD5 2b9fcfd9c4ea76523e1f77b8e00a212f
SHA1 24b9d96b2b4a4090b57cd2f87dcc822e153d09bf
SHA256 4745a9680fa7367a992f7ccd58c6e8775a41568f27a0be797554592a622eda57
SHA512 860172181a94df6dc7451db7b042a9d45421fa8d08714918eb3d546206315ca48b007385dca9e44baf698ff7cc549368f4b764b9dbf8ee9f683b16bbd0711bf2

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-17 15:39
Reported: 2024-05-17 15:42
Platform: android-x86-arm-20240514-en
Max time kernel: 145s
Max time network: 149s

Command Line

com.katecca.screenofflock

Signatures

Tries to add a device administrator.

Tags: privilege_escalation, impact
Indicator: android.app.action.ADD_DEVICE_ADMIN
Description: Intent action
Process: N/A
Target: N/A

Processes

com.katecca.screenofflock

Network


Files

/data/data/com.katecca.screenofflock/files/one_time_settings

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d