Malware Analysis Report

2025-01-19 06:55

Sample ID 240522-ehay1abe3w
Target CANARA BANK AADHAR KYC.apk
SHA256 afec45c1051376d3e8fc57ed5bbe33cb619ab71c88ee20920bb1384ee5c6ea54
Tags
collection credential_access discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

afec45c1051376d3e8fc57ed5bbe33cb619ab71c88ee20920bb1384ee5c6ea54

Threat Level: Shows suspicious behavior

The file CANARA BANK AADHAR KYC.apk was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Checks CPU information

Checks memory information

Makes use of the framework's foreground persistence service

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 03:55

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 03:55

Reported

2024-05-22 03:59

Platform

android-x64-20240514-en

Max time kernel

178s

Max time network

186s

Command Line

com.my.newproject50n13

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.my.newproject50n13

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 update-ua-13-default-rtdb.firebaseio.com udp
US 35.190.39.113:443 update-ua-13-default-rtdb.firebaseio.com tcp
US 1.1.1.1:53 code.jquery.com udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 151.101.65.229:443 cdn.jsdelivr.net tcp
US 151.101.65.229:443 cdn.jsdelivr.net tcp
US 151.101.2.137:443 code.jquery.com tcp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 35.190.39.113:443 update-ua-13-default-rtdb.firebaseio.com tcp
GB 142.250.187.238:443 tcp
GB 142.250.200.2:443 tcp
GB 172.217.169.10:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 s-usc1f-nss-2541.firebaseio.com udp
US 35.201.97.85:443 s-usc1f-nss-2541.firebaseio.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 03:55

Reported

2024-05-22 03:59

Platform

android-x64-arm64-20240514-en

Max time kernel

103s

Max time network

159s

Command Line

com.my.newproject50n13

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Processes

com.my.newproject50n13

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 update-ua-13-default-rtdb.firebaseio.com udp
US 34.120.206.254:443 update-ua-13-default-rtdb.firebaseio.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.169.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 151.101.65.229:443 cdn.jsdelivr.net tcp
US 1.1.1.1:53 code.jquery.com udp
US 151.101.2.137:443 code.jquery.com tcp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 34.120.206.254:443 update-ua-13-default-rtdb.firebaseio.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 03:55

Reported

2024-05-22 03:59

Platform

android-33-x64-arm64-20240514-en

Max time kernel

120s

Max time network

160s

Command Line

com.my.newproject50n13

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Processes

com.my.newproject50n13

Network

Country Destination Domain Proto
GB 172.217.16.234:443 tcp
GB 142.250.179.228:443 udp
N/A 224.0.0.251:5353 udp
GB 142.250.179.228:443 udp
US 1.1.1.1:53 update-ua-13-default-rtdb.firebaseio.com udp
US 35.190.39.113:443 update-ua-13-default-rtdb.firebaseio.com tcp
GB 172.217.16.238:443 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 1.1.1.1:53 code.jquery.com udp
US 151.101.193.229:443 cdn.jsdelivr.net udp
US 151.101.194.137:443 code.jquery.com tcp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 35.190.39.113:443 update-ua-13-default-rtdb.firebaseio.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
GB 142.250.200.3:443 tcp
US 162.159.61.3:443 udp
GB 142.250.200.3:443 udp
GB 142.250.179.228:443 udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.187.196:443 udp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 172.217.16.234:443 remoteprovisioning.googleapis.com tcp
GB 172.217.16.234:443 remoteprovisioning.googleapis.com tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-22 03:55

Reported

2024-05-22 03:59

Platform

android-x86-arm-20240514-en

Max time kernel

26s

Max time network

154s

Command Line

com.my.newproject50n13

Signatures

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.my.newproject50n13

Network

Country Destination Domain Proto
GB 142.250.187.195:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 update-ua-13-default-rtdb.firebaseio.com udp
US 34.120.160.131:443 update-ua-13-default-rtdb.firebaseio.com tcp
US 1.1.1.1:53 code.jquery.com udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 151.101.130.137:443 code.jquery.com tcp
GB 142.250.178.3:443 tcp
US 104.18.187.31:443 cdn.jsdelivr.net tcp
US 104.18.187.31:443 cdn.jsdelivr.net tcp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 34.120.160.131:443 update-ua-13-default-rtdb.firebaseio.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

/data/data/com.my.newproject50n13/app_sslcache/update-ua-13-default-rtdb.firebaseio.com.443

MD5 1d652111756127c9a085b070874310ef
SHA1 ab8d0741eb5eaac3ba76c9d1af6d46a22ef47214
SHA256 1d50c152b2f6aabc005d7cb88f6c3bc3bd42df5417d5714ddb0800f413389117
SHA512 0f492f565699540ca0a704d731dfe96985e208ac2bb29d3f32368ad82b872ef0d2a2d6229f517d02439db6074b08d366eaf038ed1fdf70dd37acf94fbb3792d5