Malware Analysis Report

2024-09-09 19:11

Sample ID 240521-ge5qbaed24
Target TY_TrainH3.apk
SHA256 0d938d32be29c4eb8d55ff4ab1e718f988db1bc01d2c184c06a8fdf6c3c9a1f5
Tags
evasion impact persistence privilege_escalation
score
7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

0d938d32be29c4eb8d55ff4ab1e718f988db1bc01d2c184c06a8fdf6c3c9a1f5

Threat Level: Shows suspicious behavior

The file TY_TrainH3.apk was found to show suspicious behavior. Statically it declares a device-admin receiver (BIND_DEVICE_ADMIN) and an accessibility service (BIND_ACCESSIBILITY_SERVICE) and requests dangerous permissions covering location, camera, phone state, package installation, system settings and overlay windows. At runtime (behavioral1) it registers a broadcast receiver, launches the ADD_DEVICE_ADMIN prompt and asks to be exempted from battery optimizations. The only destination on a non-standard port is 14.152.59.100:3412 (CN), contacted twice in behavioral1; all other traffic is DNS, mDNS or 443/tcp to Google-resolved or unresolved hosts. The android-x64 run (behavioral2) ran only 4s of kernel time and fired no behavioral signatures, so behavioral1 is the run to rely on.

Malicious Activity Summary

evasion impact persistence privilege_escalation

Registers a broadcast receiver at runtime (usually for listening for system events)

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-21 05:44

Signatures

Declares broadcast receivers with permission to handle system events

Indicator                              Description
android.permission.BIND_DEVICE_ADMIN   Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
(Process / Target: N/A)

Declares services with permission to bind to the system

Indicator                                        Description
android.permission.BIND_ACCESSIBILITY_SERVICE    Required by accessibility services to bind with the system. Allows apps to access accessibility features.
(Process / Target: N/A)

Requests dangerous framework permissions

Indicator                                      Description
android.permission.WRITE_EXTERNAL_STORAGE      Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE       Allows an application to read from external storage.
android.permission.ACCESS_FINE_LOCATION        Allows an app to access precise location.
android.permission.READ_PHONE_STATE            Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.ACCESS_COARSE_LOCATION      Allows an app to access approximate location.
android.permission.REQUEST_INSTALL_PACKAGES    Allows an application to request installing packages.
android.permission.CAMERA                      Required to be able to access the camera device.
android.permission.WRITE_SETTINGS              Allows an application to read or write the system settings.
android.permission.SYSTEM_ALERT_WINDOW         Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
(Process / Target: N/A for all rows. READ_PHONE_STATE, WRITE_EXTERNAL_STORAGE and READ_EXTERNAL_STORAGE each appear twice in the sample's permission list and are shown once here.)
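The static1 signatures above are all derivable from the manifest alone. The following script, added here as an illustration and not part of the sandbox's own tooling, reproduces those three signature categories from a decoded AndroidManifest.xml: it de-duplicates the declared permissions, intersects them with the dangerous set listed in the table, and picks out receivers and services gated by BIND_DEVICE_ADMIN and BIND_ACCESSIBILITY_SERVICE. The manifest excerpt embedded in it is constructed for the example (the component names .AdminReceiver and .A11yService are invented) and is not the sample's real manifest.

```python
"""Static manifest triage that reproduces the static1 signature categories of this report.

A packaged APK carries AndroidManifest.xml in binary AXML form; decode it to text first, e.g.
    apkanalyzer manifest print TY_TrainH3.apk > manifest.xml
and pass the text to triage_manifest(). SAMPLE_MANIFEST below is constructed for this example
and is not the sample's real manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The permissions listed under "Requests dangerous framework permissions" in the static1 table.
DANGEROUS_PERMISSIONS = frozenset({
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.CAMERA",
    "android.permission.WRITE_SETTINGS",
    "android.permission.SYSTEM_ALERT_WINDOW",
})
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
BIND_ACCESSIBILITY_SERVICE = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest excerpt. Component names (.AdminReceiver, .A11yService) are invented;
# READ_PHONE_STATE is declared twice on purpose, mirroring the duplicate rows in the report.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.dticcms">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="TY_TrainH3">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def uses_permissions(root):
    """<uses-permission> names in declaration order, duplicates dropped."""
    names = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name and name not in names:
            names.append(name)
    return names


def components_requiring(root, tag, permission):
    """Names of <tag> components whose android:permission is exactly `permission`."""
    return [c.get(ANDROID_NS + "name") for c in root.iter(tag)
            if c.get(ANDROID_NS + "permission") == permission]


def triage_manifest(xml_text):
    """Map each static1 signature title to the manifest items that triggered it."""
    root = ET.fromstring(xml_text)
    findings = {}
    dangerous = [p for p in uses_permissions(root) if p in DANGEROUS_PERMISSIONS]
    if dangerous:
        findings["Requests dangerous framework permissions"] = dangerous
    admin = components_requiring(root, "receiver", BIND_DEVICE_ADMIN)
    if admin:
        findings["Declares broadcast receivers with permission to handle system events"] = admin
    a11y = components_requiring(root, "service", BIND_ACCESSIBILITY_SERVICE)
    if a11y:
        findings["Declares services with permission to bind to the system"] = a11y
    return findings


if __name__ == "__main__":
    for title, items in triage_manifest(SAMPLE_MANIFEST).items():
        print(title)
        for item in items:
            print("    " + item)
```

The permission gate is the useful signal here: a receiver protected by BIND_DEVICE_ADMIN or a service protected by BIND_ACCESSIBILITY_SERVICE can only be bound by the system, which is exactly what an app needs before it can prompt for device-admin rights or read screen content. Grepping for the permission strings alone misses this; checking the android:permission attribute on the component does not.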

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 05:44

Reported

2024-05-21 06:27

Platform

android-x64-20240514-en

Max time kernel

4s

Max time network

131s

Command Line

com.dticcms

Signatures

N/A

Processes

com.dticcms

Network

Country  Destination            Domain                     Proto
N/A      224.0.0.251:5353       -                          udp
US       1.1.1.1:53             android.apis.google.com    udp
GB       142.250.187.206:443    android.apis.google.com    tcp
US       1.1.1.1:53             ssl.google-analytics.com   udp
GB       216.58.204.72:443      ssl.google-analytics.com   tcp
GB       142.250.187.206:443    android.apis.google.com    tcp
GB       172.217.16.238:443     -                          tcp
GB       142.250.179.226:443    -                          tcp
GB       142.250.178.4:443      -                          tcp
US       1.1.1.1:53             www.google.com             udp
GB       142.250.179.228:443    www.google.com             tcp

Files

/data/data/com.dticcms/databases/TY_trainDB-journal

MD5 84d10badb0843ee8253273e65214f86f
SHA1 f40c6ce0bec1ef4f4bb2914af9cf6f2ed7224219
SHA256 75dc3d4551ba9c9e3233a472fa314b1e866963e6a83dd3545851cb6edad7d5f6
SHA512 b055c23356605d742e9deb070e7f829e6dbb5e48a94e2bc6b9a72ed7f4e698bdbe3964c161be3eb3e1378c7e0c64a658902b9cc5f64229cbdfe029cb1a1a8bd4

/data/data/com.dticcms/databases/TY_trainDB

MD5 b929e02a007694f08004170c2fdfc262
SHA1 89ca20d73d9d808ecfd92867eeaf3abcad24e568
SHA256 d082a670f56cd79f410612b11b339345971850c913ca8c0065aef0138e62c173
SHA512 474fc68969fe162ff857a245f6fddb87ef1b0d2a6a8e431247bf687eebd991401f1795b2eed07f943c0b7b4368f3670b5b7ecadcaeff3c10f433685f00118306

/data/data/com.dticcms/databases/TY_trainDB-journal

MD5 6625d249f82f9811aabce0bda874c621
SHA1 9632a92bd5f988a1157b2dae7342144804b25ce0
SHA256 1521abe6631a7cd977dd34235a12c89a1b89afa098a0c9b723acaecc79bd28cf
SHA512 b353917723c13f9612b0a3779888b3ece701e71b6c2213e24a350721a0682eee99eca0aea547df83126a5a09e98cb86a27f4ad0a0ab4daf033e0740a4f1070fb

/data/data/com.dticcms/databases/TY_trainDB-journal

MD5 21a5bac6a30dc6029fe989ae35afcf7f
SHA1 dc6e07120329f254e8752bef17b1fc96625a6ed8
SHA256 54a57aa9193205fa8655c0516d222d9ac5475aba8d8eb87c99b133a6a610422a
SHA512 2cd4a699424bccdfec4aff4665a9fcd17f7c0a849d70a047e80b246d2086ed27d81e07f7b899a1b6080c9c1a62031fe3c8974838582bfcc1b79d92fb66a7397f

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 05:44

Reported

2024-05-21 06:29

Platform

android-x86-arm-20240514-en

Max time kernel

168s

Max time network

172s

Command Line

com.dticcms

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence

Indicator                                        Description
android.app.IActivityManager.registerReceiver    Framework service call
(Process / Target: N/A)

Tries to add a device administrator.

Tags: privilege_escalation, impact

Indicator                              Description
android.app.action.ADD_DEVICE_ADMIN    Intent action
(Process / Target: N/A)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tag: evasion

Indicator                                                 Description
android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS     Intent action
(Process / Target: N/A)
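The three behavioral1 signatures above rest on one framework call and two intent actions. On a test device the same evidence shows up in `adb logcat` (ActivityManager START lines carry the intent action and the caller's uid) and, for registerReceiver, in a binder trace. The script below is an added example, not the sandbox's signature engine: it scans logcat-style lines, attributes each line to the sample by package name or uid, and maps the report's indicators to its signature titles and tags. The log lines are constructed for the example, and the uid 10158 is an assumed app uid; the final ADD_DEVICE_ADMIN line is a decoy from a different uid to show that attribution matters.

```python
"""Scan logcat-style lines for the runtime indicators reported under behavioral1.

SAMPLE_LOG below is constructed for this example and is not output captured from the sandbox
run; uid 10158 is an assumed uid for com.dticcms on the constructed device.
"""
import re

# Indicator -> (signature title, tag), copied from the behavioral1 signature tables.
INDICATORS = {
    "android.app.IActivityManager.registerReceiver":
        ("Registers a broadcast receiver at runtime", "persistence"),
    "android.app.action.ADD_DEVICE_ADMIN":
        ("Tries to add a device administrator", "privilege_escalation"),
    "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        ("Requests disabling of battery optimizations", "evasion"),
}

SAMPLE_PACKAGE = "com.dticcms"
SAMPLE_UID = 10158  # assumption: uid assigned to com.dticcms on the constructed device

# Constructed lines in `adb logcat -v threadtime` layout. The last START line is a decoy from
# a different uid (10042) and must not be attributed to the sample.
SAMPLE_LOG = """\
05-21 06:01:12.301  1234  1234 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.dticcms/.MainActivity} from uid 2000
05-21 06:01:13.008  1234  1250 D binder: com.dticcms -> android.app.IActivityManager.registerReceiver(android.intent.action.BOOT_COMPLETED)
05-21 06:01:14.440  1234  1234 I ActivityManager: START u0 {act=android.app.action.ADD_DEVICE_ADMIN cmp=com.android.settings/.DeviceAdminAdd} from uid 10158
05-21 06:01:15.120  1234  1234 I ActivityManager: START u0 {act=android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS dat=package:com.dticcms cmp=com.android.settings/.Settings$HighPowerApplicationsActivity} from uid 10158
05-21 06:01:16.000  1234  1234 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=https://www.google.com/ cmp=com.android.chrome/.Main} from uid 10158
05-21 06:01:17.555  1234  1234 I ActivityManager: START u0 {act=android.app.action.ADD_DEVICE_ADMIN cmp=com.android.settings/.DeviceAdminAdd} from uid 10042
"""

# threadtime layout: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+[VDIWEF]\s+(?P<tag>[^:]+): (?P<msg>.*)$"
)


def attributed_to(msg, package, uid):
    """True if the line names the package or was issued from the package's uid."""
    return package in msg or f"from uid {uid}" in msg


def scan_log(text, package=SAMPLE_PACKAGE, uid=SAMPLE_UID):
    """Return one hit dict per (line, indicator) pair attributable to `package`."""
    hits = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if not m or not attributed_to(m.group("msg"), package, uid):
            continue
        for indicator, (title, tag) in INDICATORS.items():
            if indicator in m.group("msg"):
                hits.append({"ts": m.group("ts"), "tag": tag,
                             "signature": title, "indicator": indicator})
    return hits


def tags_for(hits):
    """The report-style tag list for a set of hits, sorted for stable output."""
    return sorted({h["tag"] for h in hits})


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]}  {h["tag"]:<20} {h["signature"]}  [{h["indicator"]}]')
    print("tags:", ", ".join(tags_for(scan_log(SAMPLE_LOG))))
```

Run against the constructed log this reports the same three signatures and the same tag set as behavioral1 (evasion, persistence, privilege_escalation) and ignores the decoy device-admin prompt from uid 10042. On real hardware the uid is read from `dumpsys package com.dticcms` rather than assumed, and the registerReceiver evidence comes from a binder trace or an instrumentation hook, since plain logcat does not log that call.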

Processes

com.dticcms

Network

Country  Destination            Domain                     Proto
GB       216.58.213.3:443       -                          tcp
GB       142.250.200.42:443     -                          tcp
GB       142.250.200.14:443     -                          tcp
GB       142.250.200.42:443     -                          tcp
N/A      224.0.0.251:5353       -                          udp
GB       142.250.200.10:443     -                          tcp
CN       14.152.59.100:3412     -                          tcp
GB       172.217.169.14:443     -                          tcp
US       1.1.1.1:53             android.apis.google.com    udp
CN       14.152.59.100:3412     -                          tcp

Files

/data/data/com.dticcms/databases/TY_trainDB-journal

MD5 86354250acbd82867f75f6b17717997c
SHA1 5d2ac9c65735e729b8c669d45062fb0f2e733f7f
SHA256 1030d26ef8ee7fe71fc0fcf9bcac4c0b2ae99ba3184c7958356c6a4416649e41
SHA512 091946dc57edfcdb180c431506ea939296afb723ee84423661a1159af7113018eeefc9831600ff8ba264e3710490d46262c8a5e5f7d5ca1d302f08c408c35cbd

/data/data/com.dticcms/databases/TY_trainDB

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.dticcms/databases/TY_trainDB-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.dticcms/databases/TY_trainDB-wal

MD5 87462e9550aa0916d138270b64462f13
SHA1 191628d0eda9951e691352eba3eb3be383837cf3
SHA256 5682ecdb8dc26e09161c6a405217213700bfeb1bd5b5a73efb9c58acbad297f9
SHA512 af8c2052477a34aadabcdb7a919df4c658a50d8275ace019ce9d6ca4a3b7ab3fb92a51945743e153089c0981591e751efe0d1ddb86689d1b77a4a6ed26f92d50