Malware Analysis Report

2024-09-09 19:08

Sample ID 240521-1x7geabg85
Target d4eb473c06270ed1114712050c2415b984d4a86db2084a7a9014c5fe45f6ebf4.bin
SHA256 d4eb473c06270ed1114712050c2415b984d4a86db2084a7a9014c5fe45f6ebf4
Tags
discovery, evasion, execution, impact, persistence, privilege_escalation
score
7/10

Analysis Overview

score
7/10

SHA256

d4eb473c06270ed1114712050c2415b984d4a86db2084a7a9014c5fe45f6ebf4

Threat Level: Shows suspicious behavior

The file d4eb473c06270ed1114712050c2415b984d4a86db2084a7a9014c5fe45f6ebf4.bin was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery, evasion, execution, impact, persistence, privilege_escalation

Queries the phone number (MSISDN for GSM devices)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tries to add a device administrator.

Loads dropped Dex/Jar

Acquires the wake lock

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks if the internet connection is available

Schedules tasks to execute at a specified time

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 22:02

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 22:02

Reported

2024-05-21 22:16

Platform

android-x86-arm-20240514-en

Max time kernel

3s

Max time network

131s

Command Line

com.ilogen.com

Signatures

N/A

Processes

com.ilogen.com

Network

Country | Destination | Domain | Proto
GB | 142.250.200.42:443 | | tcp
GB | 142.250.178.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 22:02

Reported

2024-05-21 22:16

Platform

android-x86-arm-20240514-en

Max time kernel

179s

Max time network

151s

Command Line

com.tencent.shopcj

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.tencent.shopcj

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/oat/x86/0.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/oat/x86/2.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/oat/x86/3.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.10:443 | | tcp
GB | 142.250.200.3:443 | | tcp
US | 1.1.1.1:53 | ggg.ilogenkk.com | udp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
KR | 103.151.229.56:80 | | tcp
GB | 172.217.169.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 172.217.169.10:443 | | tcp

Files

/data/data/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex

MD5 3f80e2e1b9371d686849f4e04693730c
SHA1 ba15f9a6ba6cbe8e15d039b4b9b1ccf04240585e
SHA256 da0ba40561e9750954360023e75b0e394b5ab67c00c786a30ada743b657c6768
SHA512 20a689077fe8821ec01588bd269633e3a583a75cae187f87bf48b5f4949f93d4fc336db4f0bbe0e4c0e2a0deaf7d8895de823f4fa4aebcd5d5d30638da980e0d

/data/data/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex

MD5 78eafaa2e6763c83f7fa03ae56ec8afa
SHA1 7d44421d8b2b1787e80b9403e8445b601d95244f
SHA256 343b0670b06dff8c99e78ed212b846a3fdd9b9ec34cbbeb6b202922329c081a2
SHA512 484a546b4236a81c8003f65fd5fe65f17d9bc5400908768a65a343885f972258c87ab06785c7691d317a6cbd752c4fafeca51a0d1dfe429466055538c2c82ff0

/data/data/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex

MD5 ff537356680a9a80727d6bae73f83032
SHA1 99d8636958fec30fe845b74c493afdb0309f8237
SHA256 b726d6c742d4bcea95adef4a1fd5203852143355887d297a08166e9222d9389a
SHA512 056c9113100917ba11d9c3d3dccee50c5cb07d321bd45600299c100f8f54cee710d33310b699c3d4316b2a453144135d09638826bd5007e9b9aaabcf7f5269ce

/data/data/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex

MD5 5211de817ba954437cee57e966471918
SHA1 bb12abda128863d581be3a2ea472b12f9aa730b0
SHA256 c1b624c1c3bba6274d5472d89c4a7b8b6d8b55a9469bd5bd34ba3fbb5bccb3c0
SHA512 720510377dd412be1de36bd4212b2a5c651629f9b9370e1b3b20ee26361185f869567656155077c48a8ea3da521706170c6c1e7eef883f5609cce65303bec0ad

/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex

MD5 3e457492747b7daaa7c48e09f0774da3
SHA1 ab95da776078a9d2cd1373c5273499141c1b0c2e
SHA256 ce4ce1a3aa583141fb560332d82835f9f9335bde9c4082bb86dbb714f6273a06
SHA512 1f90ff633c16fe08b0fdf4868784e079fe74232b83c14fb91b45ac5794a695c32ffc5a1fcef78003a23dae92b256dad4f129317dd115da51694f18139176a2a0

/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex

MD5 6d4745fb56fc94a106d472bc9cb9165f
SHA1 481d5e2d211bc73ed0448b1595f5b8a3bdd2f5af
SHA256 5580afdd6a6863e35a73b8cbe3646947d6176a04c09a0f76cd9852fdca7bebce
SHA512 7907bc24286fa05a11fe70e07bf159be42441bc3e371b7cb7f4b06a922136eec361e87d124f4676a3815e85af43201c91686aa102276ac1d09c365ca42eab777

/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex

MD5 84250da1d996a6eed76e1c40576ab779
SHA1 4999fdab03116e77cb0da455455190e6d7679c11
SHA256 bbaf826157261a1a0cc89c149989f01657ad1edca931ee3202c8ddb9e3a51a11
SHA512 d8d687317cc96b8b0e15394b2e0f36b1397beb4bca0a382683f063149b0232771b4d6dba55c9f96a75e2683e810f717a471e9f438ee104fc9bdb75f318c64b83

/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex

MD5 852ba1a96f3877532639cd24fd020a76
SHA1 a3c94ca1b8ba2896beda587c5d9c30f5471d87db
SHA256 87611240b75ca8b6784ac2cdc8acbc6ebcec3c28d1a18e9b7b2d95e9262f0aa4
SHA512 003b322ebfcb494c05747cb56fc2bbe41a303865138d1d8c5f8710700d75f1190eb0b852fa0d0d4244996047be4714292f554d4d6128c36083b5a0600acb102d

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-21 22:02

Reported

2024-05-21 22:16

Platform

android-x64-20240514-en

Max time network

147s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.227:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.178.10:443 | | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.187.194:443 | | tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-21 22:02

Reported

2024-05-21 22:16

Platform

android-x64-arm64-20240514-en

Max time kernel

179s

Max time network

131s

Command Line

com.tencent.shopcj

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.tencent.shopcj

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ggg.ilogenkk.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
KR | 103.151.229.56:80 | | tcp
GB | 142.250.200.4:443 | | tcp
GB | 142.250.200.4:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp

Files

/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/0.obfedex

MD5 3f80e2e1b9371d686849f4e04693730c
SHA1 ba15f9a6ba6cbe8e15d039b4b9b1ccf04240585e
SHA256 da0ba40561e9750954360023e75b0e394b5ab67c00c786a30ada743b657c6768
SHA512 20a689077fe8821ec01588bd269633e3a583a75cae187f87bf48b5f4949f93d4fc336db4f0bbe0e4c0e2a0deaf7d8895de823f4fa4aebcd5d5d30638da980e0d

/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/1.obfedex

MD5 78eafaa2e6763c83f7fa03ae56ec8afa
SHA1 7d44421d8b2b1787e80b9403e8445b601d95244f
SHA256 343b0670b06dff8c99e78ed212b846a3fdd9b9ec34cbbeb6b202922329c081a2
SHA512 484a546b4236a81c8003f65fd5fe65f17d9bc5400908768a65a343885f972258c87ab06785c7691d317a6cbd752c4fafeca51a0d1dfe429466055538c2c82ff0

/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/2.obfedex

MD5 ff537356680a9a80727d6bae73f83032
SHA1 99d8636958fec30fe845b74c493afdb0309f8237
SHA256 b726d6c742d4bcea95adef4a1fd5203852143355887d297a08166e9222d9389a
SHA512 056c9113100917ba11d9c3d3dccee50c5cb07d321bd45600299c100f8f54cee710d33310b699c3d4316b2a453144135d09638826bd5007e9b9aaabcf7f5269ce

/data/user/0/com.tencent.shopcj/app_com.tencent.shopcj.main.MyApplication/obfs/3.obfedex

MD5 5211de817ba954437cee57e966471918
SHA1 bb12abda128863d581be3a2ea472b12f9aa730b0
SHA256 c1b624c1c3bba6274d5472d89c4a7b8b6d8b55a9469bd5bd34ba3fbb5bccb3c0
SHA512 720510377dd412be1de36bd4212b2a5c651629f9b9370e1b3b20ee26361185f869567656155077c48a8ea3da521706170c6c1e7eef883f5609cce65303bec0ad