Malware Analysis Report

2024-09-09 19:11

Sample ID  240517-wygvxscd92
Target     22d0e9abc0cd8c6d0c9f7e3017cbb8c6
SHA256     4c2114824eaf97c3c0ded5dea516db8dc7435a00c04aa2ac6706877908a42585
Tags       discovery evasion impact privilege_escalation stealth trojan
Score      8/10


Analysis Overview

Threat Level: Likely malicious

The file 22d0e9abc0cd8c6d0c9f7e3017cbb8c6 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact privilege_escalation stealth trojan

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Reads information about phone network operator.

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported  2024-05-17 18:19

Signatures

Declares broadcast receivers with permission to handle system events

Indicator                             Process  Target  Description
android.permission.BIND_DEVICE_ADMIN  N/A      N/A     Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Requests dangerous framework permissions

Indicator                                  Process  Target  Description
android.permission.SEND_SMS                N/A      N/A     Allows an application to send SMS messages.
android.permission.READ_SMS                N/A      N/A     Allows an application to read SMS messages.
android.permission.RECEIVE_SMS             N/A      N/A     Allows an application to receive SMS messages.
android.permission.READ_PHONE_STATE        N/A      N/A     Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_EXTERNAL_STORAGE  N/A      N/A     Allows an application to write to external storage.
android.permission.READ_CONTACTS           N/A      N/A     Allows an application to read the user's contacts data.
android.permission.CALL_PHONE              N/A      N/A     Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.GET_ACCOUNTS            N/A      N/A     Allows access to the list of accounts in the Accounts Service.
android.permission.PROCESS_OUTGOING_CALLS  N/A      N/A     Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
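The nine permissions above are individually common; what makes this profile worth flagging is the cluster (receive and read SMS plus send SMS, call placement and outgoing-call interception, contact and account enumeration) combined with a BIND_DEVICE_ADMIN receiver, which is what lets the app resist uninstallation once the user accepts the ADD_DEVICE_ADMIN prompt seen in the behavioral runs. The following Python script is an added example and not code from the sandbox or the sample: it parses a constructed manifest fragment carrying the report's permission names and a device-admin receiver (the component names, the capability groupings and the verdict thresholds are my own) and summarizes what the combination enables. Run it against a manifest decoded with apktool or androguard to triage a real APK.

```python
"""Manifest triage for the permission / receiver profile found by static1.

Added example, not code from the sandbox or the sample. The permission names
and the BIND_DEVICE_ADMIN receiver mirror the report's indicators; component
names, capability groupings and verdict thresholds are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for package app.six. Permissions and the device-admin
# receiver mirror the report; everything else is invented for the example.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="app.six">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# A single permission is unremarkable; the clusters are what matter.
CAPABILITIES = {
    "sms_intercept": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    "identity_harvest": {"android.permission.READ_PHONE_STATE",
                         "android.permission.READ_CONTACTS",
                         "android.permission.GET_ACCOUNTS"},
}


def parse_manifest(xml_text):
    """Extract permissions, device-admin receivers and launcher activities."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    admin_receivers = [
        r.get(ANDROID + "name") for r in root.iter("receiver")
        if r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
    ]
    launcher_activities = [
        a.get(ANDROID + "name") for a in root.iter("activity")
        if any(c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
               for c in a.iter("category"))
    ]
    return {"package": root.get("package"), "permissions": perms,
            "admin_receivers": admin_receivers,
            "launcher_activities": launcher_activities}


def triage(info):
    """Map permissions to capability clusters and derive a verdict."""
    caps = {name: sorted(info["permissions"] & group)
            for name, group in CAPABILITIES.items()
            if info["permissions"] & group}
    findings = []
    if {"sms_intercept", "sms_send"} <= set(caps):
        findings.append("reads incoming SMS and can send SMS (OTP theft, premium SMS)")
    if "call_control" in caps:
        findings.append("can place or redirect calls without the dialer UI")
    if "identity_harvest" in caps:
        findings.append("can collect phone identity, contacts and the account list")
    for rcv in info["admin_receivers"]:
        findings.append("device-admin receiver %s: hard to uninstall once admin is granted" % rcv)
    for act in info["launcher_activities"]:
        findings.append("launcher activity %s: can be disabled at runtime to hide the icon" % act)
    if "sms_intercept" in caps and ("sms_send" in caps or info["admin_receivers"]):
        verdict = "high"
    elif len(caps) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"capabilities": caps, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage(parse_manifest(SAMPLE_MANIFEST))
    print("verdict:", result["verdict"])
    for f in result["findings"]:
        print(" -", f)
```

A check to pair with the launcher-hiding signature: the icon typically disappears because the app disables its own MAIN/LAUNCHER activity at runtime through PackageManager.setComponentEnabledSetting, not because the activity is missing from the manifest, so the package still appears in `adb shell pm list packages` and the disabled component state is visible in `adb shell dumpsys package app.six`. Whether the ADD_DEVICE_ADMIN request was actually accepted can be confirmed with `adb shell dumpsys device_policy`.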

Analysis: behavioral1

Detonation Overview

Submitted         2024-05-17 18:19
Reported          2024-05-17 18:29
Platform          android-x86-arm-20240514-en
Max time kernel   12s
Max time network  185s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description    Indicator                            Process  Target
Intent action  android.app.action.ADD_DEVICE_ADMIN  N/A      N/A

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
GB       216.58.204.67:443    -                                   tcp
US       1.1.1.1:53           gomon48.ru                          udp
US       104.155.138.21:80    gomon48.ru                          tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       142.250.180.14:443   -                                   tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       216.58.212.238:443   android.apis.google.com             tcp
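Across the three behavioral runs the only destination the Android image itself does not account for is gomon48.ru, resolved through 1.1.1.1 and then contacted over plain HTTP on 104.155.138.21:80; the Google endpoints and the 224.0.0.251:5353 mDNS traffic are platform noise. The Python script below is an added example, not part of the report: it carries those indicators and the sample's SHA256, separates platform noise from real hits, and runs over a few constructed DNS/connection log lines in a constructed line format. Two caveats: the domain is the stronger indicator, since the IP may be shared hosting and can change, and the port-80 session is the one to extract in full from a PCAP because it is unencrypted.

```python
"""Hunt for the network indicators from the behavioral runs.

Added example, not code from the report or the sandbox. The indicator values
come from the report's Network tables; the sandbox-noise list, the log format
and the log lines are constructed for the example.
"""
import re

# gomon48.ru resolved through 1.1.1.1 and then contacted over plain HTTP on
# 104.155.138.21:80 in all three runs: the one destination the Android image
# itself does not explain.
C2_DOMAINS = {"gomon48.ru"}
C2_ENDPOINTS = {("104.155.138.21", 80)}
SAMPLE_SHA256 = "4c2114824eaf97c3c0ded5dea516db8dc7435a00c04aa2ac6706877908a42585"

# Also present in the runs, but produced by the Android image / Google
# services rather than by the sample. Never ship these as indicators.
SANDBOX_NOISE = {
    "android.apis.google.com",
    "semanticlocation-pa.googleapis.com",
    "ssl.google-analytics.com",
}
MDNS = ("224.0.0.251", 5353)

# Constructed log lines: "<ts> <dns|conn> <src> <dst>:<port> [<name>]".
SAMPLE_LOG = """\
2024-05-17T18:20:01Z dns 10.0.0.5 1.1.1.1:53 android.apis.google.com
2024-05-17T18:20:02Z dns 10.0.0.5 1.1.1.1:53 gomon48.ru
2024-05-17T18:20:02Z conn 10.0.0.5 104.155.138.21:80
2024-05-17T18:20:03Z conn 10.0.0.5 224.0.0.251:5353
2024-05-17T18:20:04Z dns 10.0.0.5 1.1.1.1:53 ssl.google-analytics.com
2024-05-17T18:20:05Z conn 10.0.0.5 216.58.204.67:443
2024-05-17T18:20:09Z dns 10.0.0.7 1.1.1.1:53 api.gomon48.ru
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>dns|conn) (?P<src>\S+) "
    r"(?P<dst>[^:\s]+):(?P<port>\d+)(?: (?P<name>\S+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def is_c2_domain(name):
    """Exact match or any subdomain of a known C2 domain (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in C2_DOMAINS)


def classify(rec):
    """Return (verdict, reason) for a parsed record."""
    name = rec.get("name")
    if name:
        if is_c2_domain(name):
            return "match", "DNS lookup of C2 domain " + name
        if name.lower() in SANDBOX_NOISE:
            return "noise", "Google service " + name
    if (rec["dst"], rec["port"]) in C2_ENDPOINTS:
        return "match", "connection to C2 endpoint %s:%d" % (rec["dst"], rec["port"])
    if (rec["dst"], rec["port"]) == MDNS:
        return "noise", "mDNS multicast"
    return "unknown", ""


def hunt(log_text):
    """Scan a log; return (ts, src, reason) matches plus noise/unknown counts."""
    matches, noise, unknown = [], 0, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, reason = classify(rec)
        if verdict == "match":
            matches.append((rec["ts"], rec["src"], reason))
        elif verdict == "noise":
            noise += 1
        else:
            unknown += 1
    return {"matches": matches, "noise": noise, "unknown": unknown}


def sha256_matches(candidate):
    """Case-insensitive comparison of a file hash against the sample's SHA256."""
    return candidate.strip().lower() == SAMPLE_SHA256


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for ts, src, reason in result["matches"]:
        print(ts, src, reason)
    print("noise lines:", result["noise"], "unclassified:", result["unknown"])
```

The subdomain match matters because a resolver log will often show hostnames under the C2 domain rather than the bare apex; the unclassified bucket (here the 216.58.204.67:443 session, which the report lists without a domain) is what you review by hand rather than discard.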

Files

/data/data/app.six/databases/a-journal

MD5 62541eeeb647ff0a5529c054014d6609
SHA1 97275878f86d54386b614be2e412917416eed139
SHA256 84891028f66325d79162c1a2af4b56b1cae200afab4902f6862e609f2822db56
SHA512 f36bb28c9bcdb0dd4ab2a37f25efcd46cd5d987c9512e741f16e501be53abe6a3d27f35525fa7f25de98aa1e612e79595ea5a6071860f0b7943318f9406f53da

/data/data/app.six/databases/a

MD5 56c3b883b89768a572d72d5e24f6037b
SHA1 eb6296d234fbe5bb3958bdcca8d1d21cbf6798b9
SHA256 fe7f7123a850794ea84998f7e6142199110607005384120c337577517c664501
SHA512 0c3f233673b2156194623d3326291337d9c108badc29edee2ac1d4faa4bf6f6d7a73ab8659f676092c144fd510195f663e6dd1ab1edcd04a7b35332da6bdfa9f

/data/data/app.six/databases/a-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/app.six/databases/a-wal

MD5 1c9720d5f263390323db47e8793918ce
SHA1 8f40d0c930af3576cc154d39a2553f6e58275f22
SHA256 115b50edfa8d0ddc540240a7881cafcff90fa2cdea3b71f32325a3ddca5b5440
SHA512 5d82fb2871ce4aee446211267eaa7165cec57ff17471cc75e99a9810dfd4265fa8dfd56283de3c5433a2e910ea97bfa962a75ebf30ab75274000f8bec4b55189

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 c4021184dadfcdc556e063f90a1db636
SHA1 ecb0c614d8915ac04df8da9a3808291c8f0c89c0
SHA256 2db7ed55800ded554c928d29ab40f85d417501774ae681db4172b4d66bc6ea16
SHA512 9153ac05f9fb00bdf9bcc32569e3b0be775a19093e51009c2a46b9f23f821a3b440a97655168e898cd21c90fb164ea8296bd6ecd3c924a8849fa91862eb411b9

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 d706104234bfc1b5e07ea031e8d94e1c
SHA1 3bae570c61dceb013047fd2357a82ba40ca3392f
SHA256 3cdee45dee917d36fbd1dd1e48055fb7a44f9c855f1c16851ae155a7c358cacc
SHA512 7109e0e8238672c726392adc890a2cec28d98b1f950ec00409f91675a2591321de3da56d7a27ac72264704bc98d34fe024d01b2d721f42b76966989e7800723d

/data/data/app.six/databases/sdffsfdsfdsfsd-wal

MD5 738f05c738579ed7461d6510e5301801
SHA1 d7d862bfc30bebb3dba769bb3920bae44a21bfd4
SHA256 4a3da40bf5f3de01e8738a7077f8da4c6dbbf94a3535bea7c8052ef83c3bce1e
SHA512 5c7f12d79311437c386d7baeea703e5ee31a36d0f3d21c993fdcfab3617fc555a932bf64360bac65a17f5f32519300c6f1ba62736483b225186c0ac10a723fc9

/data/data/app.six/databases/sdffsfdsfdsfsd-wal

MD5 0b96ac12c6cc7d73857539ec5b6e0e77
SHA1 19ac052aba9fb8d12e86dc4abbe59bcae86ea272
SHA256 4a83de736c764b246c9b0a36b7bce977eb755536b8717effce98e3087b2b3912
SHA512 7bad60b7137b8ec5328d20b2716dc9919698340dddfda02fbe7ab3a75012f73ff9749f0a66a084dea4fe8db042132d2bf5dd66f01943a66b137a01598df5a022

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 e70a38a64851bde18196852b5fdc1d62
SHA1 1a20dcea868a4eefb68b2aa5124dc6b2a5d93982
SHA256 84326898a60864c4d42cb9ed0e11b3f848776b9d154743b2f34dca2a57261e96
SHA512 a98ac12f6ab1c22409433daa7797dcaaa8dbbee3f9c1e1c54474588a2ee721e452d4041efe0c1c9049e3591cb0b38dc368a9caab5bce5101298d0bb89ce1125e
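The sample writes two SQLite databases, a and sdffsfdsfdsfsd, and the snapshot lists their -journal, -wal and -shm siblings with different hashes per run. When pulling these from a device, take all of them: in WAL mode, committed rows stay in the -wal file until a checkpoint, so a copy of the main file alone silently misses recent writes. The Python demo below is an added example, not code from the report: it builds a throwaway WAL-mode database (table and rows are constructed; the report does not say what the sample stores), commits rows without a checkpoint, and compares what an analyst recovers with and without the -wal file.

```python
"""Acquiring the SQLite databases listed above: why the -wal sibling matters.

Added example, not part of the report. Builds a throwaway WAL-mode database,
commits rows without a checkpoint, and shows that a copy of the main file
alone loses them while a copy that includes the -wal file keeps them.
Table name and rows are constructed.
"""
import os
import shutil
import sqlite3
import tempfile


def read_rows(path):
    """Open a copied database and return its message bodies in insert order."""
    con = sqlite3.connect(path)
    try:
        return [r[0] for r in con.execute("SELECT body FROM msgs ORDER BY id")]
    finally:
        con.close()


def demo(workdir=None):
    """Return what an analyst sees with and without the -wal file."""
    workdir = workdir or tempfile.mkdtemp(prefix="walcopy-")
    src = os.path.join(workdir, "a")  # same file name as in the report
    con = sqlite3.connect(src)
    con.execute("PRAGMA journal_mode=WAL").fetchall()
    con.execute("CREATE TABLE msgs (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO msgs(body) VALUES (?)",
                    [("checkpointed-1",), ("checkpointed-2",)])
    con.commit()
    # Fold everything so far into the main file and empty the WAL.
    con.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()
    # These rows are committed but live only in a-wal until the next checkpoint.
    con.executemany("INSERT INTO msgs(body) VALUES (?)",
                    [("wal-only-1",), ("wal-only-2",)])
    con.commit()

    # Snapshot while the writer is still open, like pulling files from a
    # running device. Closing the last connection would checkpoint and delete
    # the WAL, which would hide the problem this demo is about.
    main_only = os.path.join(workdir, "copy_main_only")
    shutil.copyfile(src, main_only)
    full = os.path.join(workdir, "copy_full")
    shutil.copyfile(src, full)
    shutil.copyfile(src + "-wal", full + "-wal")  # -shm is rebuilt on open
    con.close()

    return {"main_only": read_rows(main_only), "with_wal": read_rows(full)}


if __name__ == "__main__":
    out = demo()
    print("main file only:", out["main_only"])
    print("main + -wal   :", out["with_wal"])
```

The same rule applies to the -journal files (rollback-journal mode keeps the pre-change page images there), so copy every sibling the sandbox listed and hash each one separately, as the report does.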

Analysis: behavioral2

Detonation Overview

Submitted         2024-05-17 18:19
Reported          2024-05-17 18:28
Platform          android-x64-20240514-en
Max time kernel   13s
Max time network  149s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       142.250.187.232:443  ssl.google-analytics.com            tcp
US       1.1.1.1:53           gomon48.ru                          udp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.200.46:443   android.apis.google.com             tcp
US       104.155.138.21:80    gomon48.ru                          tcp
GB       172.217.169.14:443   -                                   tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       216.58.212.234:443   semanticlocation-pa.googleapis.com  tcp
GB       142.250.200.46:443   android.apis.google.com             tcp
GB       172.217.16.226:443   -                                   tcp
GB       216.58.204.68:443    -                                   tcp
GB       216.58.204.68:443    -                                   tcp

Files

/data/data/app.six/databases/a-journal

MD5 09c76ae2e8a8a9dec32dd9fa67501eb7
SHA1 18cadec663520f4332676d5d57b0f3b526768c84
SHA256 9a8647266fab4df819334e1ec6caf9d4e267930c3706825602db6d1147b22802
SHA512 8cad3dd97327def77376fe3f9401a0248822fe9d252d19fed707be43e3f751255a8504b7c9fe32c05e6160745dcd849ea28a3fe159ff3d78649385f4e4c663dc

/data/data/app.six/databases/a

MD5 c69ef7005c3f91851e4e6fbc49e01083
SHA1 ad90dfc9ee0a554d6698dcd1d5c057c2f585effe
SHA256 fcb8a9d175b007f341481140c4a4ca394656864a3938d8c0e15ccf18888aa776
SHA512 7bf02687ffec137b03b6f646c0db6f9ad5feff73ec5fccfb903a37e0e59c3b9cd1211d8038506fc1abdef6e65eccd1ce6634d3d699f2d0fc636b31648a17716a

/data/data/app.six/databases/a-journal

MD5 9fc260daa547f1ff0575b72bc7d0be01
SHA1 ccf50ff6cbb6dde1cd2426580023f5f82fad9e9e
SHA256 e32d4c494fc25a4997b212af1357dd4e997b37142139b99cb0576282fb52d652
SHA512 4941ce670bf76dd41144e1945512811921f1ec46213e306f06d10cae9914488f82ee673e3a2a3697588bf64b54801740b79713f7297e6cff3621faf782f9963f

/data/data/app.six/databases/a-journal

MD5 ace4aec081e12c7bb51532500288df17
SHA1 329882a364de204aa18f7e284a694581755a2ba6
SHA256 6d28e1146d6983a9cd9e586349cdfc715847abafcdbc611c5ffe190a8697a9cb
SHA512 434c18b0e5c5c71585217482b43e2252bc04cbf2a47b4980751db1848fc3331da7e0660f762628f4a403836854e9165b0e7e027726ead1e35a690745d83c4e35

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 dd342c8ac192aed4be37c01f5b46399f
SHA1 2c7c8273af4962a1f322b2dc51b68844dbad9b0f
SHA256 547af80a4ffaf3576a99e65b9e7ca274c54dbe54fc9e9e6d0ca6eca114af42c6
SHA512 c9da76b639a281654a60eaa971f65c58d1cd002626d254fa52a44693b6a1849d0109a44f79fdf7e81949d4d88feed242e46cfffaf9d6b74aa731f96fff3d9661

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 5081e5c17542054e9e116e18aeb65c0e
SHA1 3fa4dc6a8c1b848a74adb11356f73d272ab38b6d
SHA256 441f93daa1b32eff632c92ec947addc28716258ed3017039abc72ec7524e72a7
SHA512 a69cdb7eae07febc90c5f2cc9b7874614a42b0d50a17a6706f8520ebb541295c64e0fbf363a3d864ad384a1ac31212283aae0024ad4da2859c6ca4301e50f1a6

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 8406213559e5a50307ff4ef8cf6b83cd
SHA1 db806049d095550aba4d0cb462d61089f8f377ab
SHA256 c87647e1eab02258fc38be7bbdca2278289597b75a80562dec2cf219619350df
SHA512 33dd394da1e5aead1ed658bfcd4c785b208986dacf11245a231bd99c27a8738e814f98424ee24affe6ae1f275856c99766d7b049939d2810bdba316d536ab115

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 0d0e8a4cd59d08ce1d358e490e0ed4de
SHA1 7b0604ebad56f42dae8d281579e693f9e00e751a
SHA256 aeadc0c2fcef2de8bff1a0ea55daa1f2e008b60ffef2e8bc745afc22cb1c4ad0
SHA512 f80df97a8115ad878455ff8ca45dd4eea94587eb3f242caed885118b8c56118900ac2a20ca7b670bed5d5d73de197bf58dbf686edfb212e9eff54f2d916a8496

/data/data/app.six/databases/sdffsfdsfdsfsd-journal

MD5 56799901d430cd6c8c87d41eb99bdd09
SHA1 72ebe6c797f1f7174133d2cfbdca0e426b2a963b
SHA256 8d371adaa2d1fe61a6ef6cc07ae5212bf4a45f2a37ca4b405eb3fc143553746f
SHA512 675f3806d45610627cbe424d1dfd7229a3621d0a220eeb1a324bec7b8d85551d24656e4ea912908a43632a0b781ac4c01d9302e64e2fed54c3a522ff417c2fb6

/data/data/app.six/databases/sdffsfdsfdsfsd

MD5 0ce36a19c3fb3b67a9d9b61665a36c9c
SHA1 f00d5f618591a5ae6ac4d57c5b223389c5c89063
SHA256 cf82d9fd2e07b11c7d1a758c9f92a87d944449aae7937a42f58aa0c5f7a9234e
SHA512 de540d548577c3a6b04fe71ee455704b6c798a78967def067cab34729fff12508132b82748150dc46629a66670d5e454241317cf3e5dd4b33fea20ab09afa122

Analysis: behavioral3

Detonation Overview

Submitted         2024-05-17 18:19
Reported          2024-05-17 18:28
Platform          android-x64-arm64-20240514-en
Max time kernel   13s
Max time network  159s

Command Line

app.six

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description    Indicator                            Process  Target
Intent action  android.app.action.ADD_DEVICE_ADMIN  N/A      N/A

Reads information about phone network operator.

discovery

Processes

app.six

Network

Country  Destination          Domain                    Proto
GB       142.250.180.14:443   -                         tcp
GB       142.250.180.14:443   -                         tcp
N/A      224.0.0.251:5353     -                         udp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.187.200:443  ssl.google-analytics.com  tcp
US       1.1.1.1:53           gomon48.ru                udp
US       104.155.138.21:80    gomon48.ru                tcp
GB       216.58.201.100:443   -                         tcp
GB       216.58.201.100:443   -                         tcp
GB       142.250.200.2:443    -                         tcp
GB       142.250.187.206:443  -                         tcp

Files

/data/user/0/app.six/databases/a-journal

MD5 8152ab28e15419112037103fa88f0033
SHA1 82894a518a229d6b05577930506ddbffaf7f716b
SHA256 2ab2e12419fba83cc72cc0c2ee852e5b08ae79b55b5fdc63229f47215069e043
SHA512 5672a496d31350e3ff2a9a819d5922f51e15a3603acf560b5aca43e248cba54e41e9f390b8c1a2bca0c5c5866c9f8c09e33d1c518e7c8c0dae2b91118ecae8f7

/data/user/0/app.six/databases/a

MD5 09a1c65be08d5478432c8a2c4c699a06
SHA1 19f8db07639eab80eb0b3d757112bd47076bfb96
SHA256 e4f66f1058ded1727a16c604ec745de9f81950e9b1d79d937ae3f12be2023b2f
SHA512 1703e390f1b373cf02f9ba92cf6e22b7ed4cc4e553e13278e36eb30aae43b28211d1b3c76ae690e8a972dbbf6d7e634c98d8bfc7333258a19950c30d82aec429

/data/user/0/app.six/databases/a-journal

MD5 06110c17d5d6d2dbbc9c290b88a38cc5
SHA1 4bf805510ebdbdf1e8d494a352696e9131dc9a2b
SHA256 793609f8c4fac3c61c63ceb8e89c088c1eeb53c04459139973ef83e88c947019
SHA512 616c5c3237ed86628ce5d6135ced28fc90740d9520bfaed56ca295a7ab44bd2ac768a4cc4595ac0339813248a0b844cde1b98246c7bfff467ede6ea789c1918a

/data/user/0/app.six/databases/a-journal

MD5 be20f660471ad83140b6894f6071fddd
SHA1 f9fa83a6905e05211935eff19ac044bcff87c81a
SHA256 7db233f3e24dd8c62e70a4ffe885812c597dec34d8333bb8e488e40cc4f5caa8
SHA512 254a792c4f31caa3df6b1a68deb66e9b2f5d3b99618293c4b283c0f91612b34ed3e3cb721b063ea1450293010069081d5cae752d3d1eaecdeaad27aa93896cf6

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 b3ce2fd76b91813b9b9c1e7e681e3b3d
SHA1 c98bf6a35a66c7c46dd4820dd42e23d5364a2ce3
SHA256 3f3e787ef81124f78e42023e813048d5492d5e6f50b3411a6ac3a09c7ec9365e
SHA512 b37152ba73e02f4748545a392732f00345198a7e2c798aed0db76f7343d1287973493963ca31f58c9f0e95095a2a2f2c4e0d108bb550cab0ca6ed06fdb84ca31

/data/user/0/app.six/databases/sdffsfdsfdsfsd

MD5 6bba9e0d6f735ce378f7b65aaebc13bb
SHA1 3440922e61aad3c269e7804bde6af920ab43f6b7
SHA256 f6c50d0a6fac5e4d78d92d9e7836400532ecbd33c4cf7125b86fdf8d33a6d523
SHA512 3ca02a0e4a7178a252655c1bc252f2bdee2caeb4aad3b175fa5eb1977c2c370bba8e77b6c7510f0b5ec9e12bb4b11ea24c61f166a429faa2dccfa05e650d1d8a

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 d88d9ee9a269eef1f120bfd85da22f6e
SHA1 1c3d1e04ae58ed38eb5774417ea51110d7832aff
SHA256 9bae2ac545c227983e2b74e105ff8fccf1ca03c67e6e4995d915bdc712c6932f
SHA512 6b41d3fbbe56b6237de46c749eca8b27ca7274465b73c4beff068064c8d1c9ade3a189a9e79d42fd62582de79fb0e03bd38cf57237377acc97942c26dd46258f

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 cdc489a8bc87727da7121c8276aedc5b
SHA1 0196c90ca512e74623953e3ead357dbbc30d1cd7
SHA256 9a4c899c5904975e26ac9e2db6a41fd9a9dfd0f67c683a7bbe9ecfde70f0eedd
SHA512 19b6cbce066ea3ca470035739a164db8a0e33f791847cfe3e3c03d33a3e21f9624723b55fd5ae78d3a6c75ad519a458f1dc0c63cfb43985298df5636578d1589

/data/user/0/app.six/databases/sdffsfdsfdsfsd-journal

MD5 386571c3ab09e9be018a62a74377809d
SHA1 aea70c610db6602d7ce86c8a072bba09b1b2ea34
SHA256 218d50fdbfcacd7e1e8de3e511018443eaa7079ee19df65167e6384cd56ec784
SHA512 c04d067f4a5d11700d04fc9e68d7d416f56ab3915a95cd91e2131a6896fd2d92849de2052e6efe183c5c8c44aba1b2513c359bf3419366dc86ecfcaa158d6396

/data/user/0/app.six/databases/sdffsfdsfdsfsd

MD5 f95358aa2d99cd922e59c368b2488d2b
SHA1 721b410a35c2d8ef93dbc5d3096c7ea61b2375c1
SHA256 777c97e44ddfa92d6633dc5a24faadb9364118e85bae5063e16fe3ea51ac8a6e
SHA512 11214aa4a61587d851958e907315f922b50e303b67803a90e50da9f72874b8019be68ccdc23cde0035ba19b2a1492556304676c3971b7c8a38187b731b982aa4