Malware Analysis Report

2025-01-19 06:58

Sample ID 240522-nxme1seb44
Target DianaApp.apk
SHA256 b4da10cd63892cc82bf11a2638ce20e315576ffcd13838aa1a1c70c294097f19
Tags
banker discovery evasion persistence collection credential_access impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b4da10cd63892cc82bf11a2638ce20e315576ffcd13838aa1a1c70c294097f19

Threat Level: Likely malicious

The file DianaApp.apk was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion persistence collection credential_access impact

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks CPU information

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Registers a clipboard change listener (can be used to obtain sensitive information copied to the device clipboard)

Checks memory information

Checks if the internet connection is available

Reads information about the phone's network operator

Acquires the wake lock

Requests dangerous framework permissions

Checks for the presence of a debugger

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 11:47

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 11:46

Reported

2024-05-22 11:59

Platform

android-x86-arm-20240514-en

Max time kernel

129s

Max time network

160s

Command Line

com.medicarian.diana.app

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about the phone's network operator

discovery

Checks for the presence of a debugger

evasion

Processes

com.medicarian.diana.app

Network

Country | Destination | Domain | Proto
GB | 172.217.169.42:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp
US | 1.1.1.1:53 | apis.google.com | udp
GB | 142.250.180.14:443 | apis.google.com | tcp
US | 1.1.1.1:53 | app.adtrace.io | udp
IR | 79.127.42.69:443 | app.adtrace.io | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.71.84:443 | accounts.google.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ryfhrxdqip | udp
US | 1.1.1.1:53 | xitlhjupf | udp
US | 1.1.1.1:53 | ckdgjajiqqy | udp
IR | 79.127.42.69:443 | app.adtrace.io | tcp

Files

/data/data/com.medicarian.diana.app/databases/com.google.android.datatransport.events-journal

MD5 70a9597979b4dd0d3b1e5da90615266b
SHA1 5c67e11a653b03803b597b145fb85a554393215c
SHA256 7d3ee8e7d72e65c5b8a140ec5973a22e90af375e9c277decd8e932b3b979db52
SHA512 20c23a0919575ed2adb8631f25fedfa5cd13ed4160e54c52f38af7a9841ada7cc3c5a5c7fb3cae5277992bb6008127a37c48adb09257eac9e942d48734557022

/data/data/com.medicarian.diana.app/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.medicarian.diana.app/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.medicarian.diana.app/databases/com.google.android.datatransport.events-wal

MD5 b776585d86f23050ed0a8ff9718e1b99
SHA1 13c412c9aa685169575addd1a431b090f781018d
SHA256 646fe70f8011e3e80909cfc25752574890e6056f410b63ea78aa0b2933a71b16
SHA512 67a7f1c0194f2ae6b854572fc8a0bf9170cfe47384815df4d08793b88b6c7fdbf6775fd4e68067513169096c46dea4f8bf9a13175770f3b49f0053e3f03c7368

/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 6ec1826d5ed4dd33c0e6ecc7b1c3ecac
SHA1 12c2291654371efe4f136eae1f87332b9ac448ed
SHA256 5aef8b1c7727547e3085f3a65e527ff686d4b1813069d0e737548ed492564365
SHA512 37b8e95ee0c6fbeaecae06b348752fa919008ec93794f9dd8abd6558f57aaeeffa2c88bb39321123d642f11575ca0eb682a1be78029bb62b7023a72d1744be4e

/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 acb4c3efb8ed494d3f0b15bb0937228c
SHA1 d05bf47f85b1d451684e38154e65e666807521d9
SHA256 808a9136b388dc4c9f47603a86e6f336c2e994a6ab5aa99434891328975dd208
SHA512 28e396c2312433ae1c989ce75c5ce54f0a46eeacb422441715db6cca89b03eb35eae617cb156c7fc0ac474e05288d211863121485b6a28a69cebd49f22da5d50

/data/data/com.medicarian.diana.app/files/PersistedInstallation2631589151858972675tmp

MD5 29b2869f024e33fb175e6ae920215ce9
SHA1 5d9ca9393f926403e5980ac32d2ca19fc6c97a6b
SHA256 c093202f3fe99989a2db1999f8d000e9e76db60496a108958a5bb0f84930a681
SHA512 5d398e183dd94aa9f6323b4ec65e2bdec048a176f52be3014dcbdd781dc126ed56ca031fa1d8ea8614e30c59554e23acfdee9d1a6d5e5a67ef0fd26e676062c0

/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.medicarian.diana.app/files/PersistedInstallation7599788296592532034tmp

MD5 dcc00cd3474c33970cd149858e66b2a5
SHA1 2a952aec2a6a33c65d0e946256941854dca08eea
SHA256 86391bc424bd9a20a39571c8a1c71c78724da41ba967f22a675a5402fa425e10
SHA512 e7ae17f655dcd19754da1a1ba31d2c425ee45584698fc5358a85b278f30b9f2afc11c2829803fdae68d5c93777e382c11358a26065d10bd893e2838291b5fed6

/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 9c1559d0ced3ac131f85e56dc083e54c
SHA1 0289128b35680a70ee686391f6e2187c85222cad
SHA256 412726fb4e962559aff8d6fae0049ffb86616b35483c999c1d69f4864fad6dd8
SHA512 45d7d83473edbc93add3862c4baa124764884efe8a3e9c85fc686deff99a80d859528c764b3850322cb8967b9aa11e1b16b9569d9df27de5481751c7579a47a8

/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 a2c374f4fa9a760d0f4d0bf2f818e54f
SHA1 f91cca2e13ef6f07b04322f28f3c7efc06af8007
SHA256 94db5ce893b96b5a90d30fddd0e6d4d89b561d4d1fe32bc654174806ccdd853d
SHA512 7edfa6d7accdc9522f8cde1937fc132cd1461cfdffff5ee1f47ad5c46322ab1838bc46a4e100c2f6146bc25040bc3e12a24c60fa0a87cf1d84c4ab501cef7650

/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 8464ea23cbbd3b48d90e6a57c9c6807d
SHA1 443562d6a6681e0da570f14930feec0478ae8131
SHA256 1ba4bb62063bb8fc2d8f2ad6ad01e506e3a93f1c642d6cda48e7136a4a881b29
SHA512 a5af5f1acd66efa72c347d1648ef69b7e02563d66c9895d00f4ef96066edb45453de93a983c925787f459df737beab31f6632578af06ded6dd130d763c2c4374

/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 4e8d1213fdc96307edac3c7de9c93abf
SHA1 c8c2ccdf4c2965a7a63b7ce93c1644bbdd0af30f
SHA256 ffb62e4c5c45ffc5d882dc83e8e4bd7b356b913f8858289590f303e3d20011d3
SHA512 35503854445eb67b029349c291863daa818f259a3d7eeecbd172fdc3746848c64a6575bbf6fe4520be68c86ad28f732963553f1959fd542d97d7027f9f6ed699

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 11:46

Reported

2024-05-22 11:59

Platform

android-x64-20240514-en

Max time kernel

130s

Max time network

153s

Command Line

com.medicarian.diana.app

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Registers a clipboard change listener (can be used to obtain sensitive information copied to the device clipboard)

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about the phone's network operator

discovery

Checks for the presence of a debugger

evasion

Processes

com.medicarian.diana.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 108.177.15.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.206.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | apis.google.com | udp
GB | 216.58.204.78:443 | apis.google.com | tcp
US | 1.1.1.1:53 | app.adtrace.io | udp
IR | 79.127.42.69:443 | app.adtrace.io | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
BE | 74.125.71.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | kndfehpqudhmfbp | udp
US | 1.1.1.1:53 | oxfbpzpn | udp
US | 1.1.1.1:53 | cczlepdvnx | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp
IR | 79.127.42.69:443 | app.adtrace.io | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
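The two Network tables (behavioral1 and behavioral2) mix three kinds of traffic a reviewer should separate before reading anything into them: mDNS to 224.0.0.251, Google endpoints contacted by the Firebase components (the com.google.android.datatransport and PersistedInstallation files in the Files sections are Firebase's), and the random single-label lookups (ryfhrxdqip, xitlhjupf, ckdgjajiqqy, kndfehpqudhmfbp, oxfbpzpn, cczlepdvnx). Those last six are 7 to 15 lowercase letters with no TLD, which is the shape of the three DNS probes Chromium and Android WebView issue at startup to detect NXDOMAIN hijacking; they are not DGA or C2 lookups. What remains in both runs is one third-party endpoint, app.adtrace.io at 79.127.42.69 (geolocated IR), consistent with the AdTraceIo* state files under /files/. The Python helper below is an added example, not part of the sandbox output: it parses rows in the layout printed above (space- or pipe-separated), sorts them into those buckets, and lists connections whose domain is off an analyst-chosen allowlist. ALLOWLIST and the sample rows are assumptions for the example; the sample is a constructed subset of the behavioral1 table.

```python
"""Network-table triage for this report (added example, not sandbox output).

Parses the printed 'Country Destination Domain Proto' rows, separates DNS
lookups, multicast noise, attributed connections and bare-IP connections,
flags random single-label DNS names matching Chromium/WebView intranet-redirect
probes, and lists connections whose domain is not on an assumed allowlist.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the behavioral1 Network table rows as printed
# (a blank Domain column is a connection the sandbox did not attribute to a lookup).
SAMPLE_ROWS = """\
Country Destination Domain Proto
GB 172.217.169.42:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.google.com udp
GB 216.58.204.68:443 www.google.com tcp
US 1.1.1.1:53 app.adtrace.io udp
IR 79.127.42.69:443 app.adtrace.io tcp
US 1.1.1.1:53 ryfhrxdqip udp
US 1.1.1.1:53 xitlhjupf udp
US 1.1.1.1:53 ckdgjajiqqy udp
IR 79.127.42.69:443 app.adtrace.io tcp
"""

# Assumed allowlist of platform domains the analyst chooses to ignore.
ALLOWLIST = ("google.com", "googleapis.com", "gstatic.com")

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
# Chromium's IntranetRedirectDetector queries random hostnames of 7-15
# lowercase ASCII letters with no dots.
PROBE_RE = re.compile(r"[a-z]{7,15}")


def parse_rows(text):
    """Turn printed table rows into dicts; rejects anything it cannot parse."""
    rows = []
    for raw in text.splitlines():
        line = re.sub(r"\s*\|\s*", " ", raw).strip()  # accept pipe-separated copies
        if not line or line.startswith("Country"):   # skip blanks and the header
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised network row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_chromium_probe(name):
    """True for a DNS name shaped like a Chromium/WebView redirect probe."""
    return bool(name) and PROBE_RE.fullmatch(name) is not None


def allowed(domain, allowlist=ALLOWLIST):
    """Exact or subdomain match against the allowlist."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def triage(rows, allowlist=ALLOWLIST):
    """Bucket rows and list attributed endpoints that are off the allowlist."""
    out = {"dns_probes": [], "dns_lookups": [], "multicast": [], "unattributed": []}
    endpoints = defaultdict(lambda: {"ips": set(), "countries": set(), "hits": 0})
    for r in rows:
        if ipaddress.ip_address(r["ip"]).is_multicast:
            out["multicast"].append(f"{r['ip']}:{r['port']}")
        elif r["port"] == 53 and r["proto"] == "udp":
            bucket = "dns_probes" if is_chromium_probe(r["domain"]) else "dns_lookups"
            out[bucket].append(r["domain"])
        elif r["domain"] is None:
            out["unattributed"].append(f"{r['ip']}:{r['port']}")
        else:
            e = endpoints[r["domain"]]
            e["ips"].add(r["ip"])
            e["countries"].add(r["country"])
            e["hits"] += 1
    out["endpoints"] = dict(endpoints)
    out["third_party"] = sorted(d for d in endpoints if not allowed(d, allowlist))
    return out


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

The unattributed bare-IP rows (for example 172.217.169.42:443) are connections the sandbox saw without a matching lookup; they belong to the same address ranges as the attributed Google endpoints in this report, but the script leaves them in their own bucket rather than guessing, so a reviewer can resolve them separately.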

Files

/data/data/com.medicarian.diana.app/databases/com.google.android.datatransport.events-journal

MD5 a5cfb341cbd05b0c1bfbc462a96fe05b
SHA1 60b024ca280b8cd856255fac2f20b8616facc40f
SHA256 148130e69627a76e12da3c476d51cc9b12368b574ce73f6b91a26799dd5c62b8
SHA512 170d3ad7c43ea86eb002402a25b6bcaf88220aa3404dcbb3d3e4f5ea3c100ad3f5e47979e1e65565ffc436cb5a540e18e087a21b8153ba95700b5314376b34ce

/data/data/com.medicarian.diana.app/databases/com.google.android.datatransport.events

MD5 ad7bbdcce258ba21d0a07659a3849e3f
SHA1 887e17f38cf736cc82125092f6cadd5753184286
SHA256 a6417906596802ee2a80cd22ef848d832848a6f36f4e45d320e9b98633a5c456
SHA512 4519d5aec86a163c9c2c97d1cf9862cc9b421749c0d78c0f4ceee31c9fe07ac557e736d5b3f72942e2d5d44b578fc8a6789f2e7a3ec98ec2199fdc50dd3ac45d

/data/data/com.medicarian.diana.app/databases/com.google.android.datatransport.events-journal

MD5 6f655990b4b4e34d7bcee69a4cd85c4e
SHA1 ddca223c3e077b6af80c4935b5a570b54a92aa00
SHA256 3e61c85185f395e0c060807b8cc3221a631e1db4e032286e11cdb70466dfaf8d
SHA512 49aa0f0c9671b18a6b6a13e2bb68ac7bdb0c46b0400312a3824a100688a31e42a93ef18fb8b550ace27c53597e10f8aa53828f4d7071958361db43511f0f97ca

/data/data/com.medicarian.diana.app/databases/com.google.android.datatransport.events-journal

MD5 807be451e3612feaca8b47e484295053
SHA1 b9e21a6cefe38a5cf061ce8b53e8c9cf1f3d1e8c
SHA256 7ce7001f8dccccf2759d238082080acf5e2cc31adc7e7ace824da8cc8467d2da
SHA512 c262ee002e1493dc1f7f25529347a4bd69ef9eb709ccc1519646b345ebab606e82fb8730970c4bb84564cc121c4e6e1326027e1aec2b815cbb6b2b2c4562310a

/data/data/com.medicarian.diana.app/files/PersistedInstallation1459829458309474477tmp

MD5 fefeac6f854dd226588d54b83adf135e
SHA1 f8a94ea1f8c8307dd68835c1f3c4f3843365c589
SHA256 be58b7ed979b0dc04779d4f4d35c6bcb4b03eeb5cf6b913e8703d80e108bb6b0
SHA512 ee388f9f8645919f65a04f6c2f1085e4bc9c15d47aeb30daee8cab0a9d8aa7fd9e9659fb8f52322127f149e5464f4e08cfb40ba82e7aca907c91eae8d0407276

/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 2f317ef829fa9abe07f744c74f81dce9
SHA1 c2ec16870cd429a848f0abde3c8f58e828321a17
SHA256 f7f9eed1aed6238ab50cbe01f334b32be519d079deb71e7b59bcc3917edcc2e7
SHA512 4cab98b7293a5b9a61f5f1aad5572fdd33b7a3d9ed943b6b6083108cc45b814c5d6e67d09b2b7165e337410c6e81950b1add352bc24a59a486cf9796dbc9c52e

/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 5efd35be772b9e3b137748d452a13f9b
SHA1 186f1a00b3835a46f5d0586e27c907805c25349e
SHA256 fdd9e09249bf0033beafe99016274928772369953064915623e0c41d58b5e020
SHA512 8e5371ec4e55ffdcb492c76b0944939163af539f3ef3c958495de817828e0330a370082fbc78f6a1a8aa49feb0610399dbfa71cc099cfe05bef7a951b2ec362f

/data/data/com.medicarian.diana.app/files/PersistedInstallation8339806607944829296tmp

MD5 cdc967a5d88c5ee29465474d9c97e56d
SHA1 c997066012c6c44e575804ceee6defe40a0e9d80
SHA256 5deeaffcdbd7ab4c9a68d16987a5a64ffdc820b5073727f5041f8a5900299baa
SHA512 426485fa4142b539ad41ac1762ac7994143156083206a37756d95b5f21aab08e13a304a4693fdd00970b09e7ed1ea88c8818c5fbe89419ab1e5382f381339a72

/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 ca35e498d7d248d32562da02f7268be7
SHA1 38885ce4e0cb6d8f48636b2ab2deb623d1700efc
SHA256 f4048838f39aae5237f52fb9a8d82bf6b4777a729cc37feeb8ea53091c537822
SHA512 c6660ac43f6c948cb73721bd76d735c0b5c0b67e7f9f65e90eb58723c86ee0e1967750bb6d14016ed8e370b373d07919e90341a9ed1e3c8b0da21c4669a566d3

/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 712e8e1fa3f217b808ad25d594fe70df
SHA1 6fdc3ef7e6ac695aaa57b85de4b5102c4ebadb90
SHA256 745d7d25a021d6b44cedc8545a6477521a497124322f10c5289629175f3f031d
SHA512 74944841102dd43d261335d058bd77a5260cbe18899cba39c59e31cc035ce4550f83c727336c8da0d33bd0944f47fa846d553cd6a081c64761a843d23b622492

/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 8f75abad5897fb4026c7a7062718f448
SHA1 34acf33a21acf5f4eab7eb4688381900e3713999
SHA256 a71fde53cf84c93f973cd431ff3ebd380978b57c70c2b20b6b09bf0c20081346
SHA512 f9a1adfbca50fe05944b258642c344e3ac162957b56e76f7801ec94f8ae9773637435df077b1745258b19a33768f17420463c2c80f60897e33e156c2e8a593cb

/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 54d65bbe85243ff08ec1fca121c04af2
SHA1 a4c159ab99becd9e05e663919d4bf0cc90672d42
SHA256 f0fed3836e33609cebfdf5e7380bb532cfea61a94f21539fc52867563f8a64f2
SHA512 53705978c9b57d4ecff3633e626cd3db0799c37dd43a9ef98c9c178294c3d3f21a81824e1861aecfce241af799dfdb37eb40eb22eda74274371b96ee22d636ac
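The Files sections above list the same path several times with different digests (the SDK state files AdTraceIoPackageQueue and AdTraceIoActivityState are rewritten repeatedly during a run), and one AdTraceIoPackageQueue capture (SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d) appears in both behavioral1 and behavioral2. Before treating any of these hashes as run-specific artifacts it is worth checking which ones are stable across detonations and whether every digest has the length its algorithm requires. The Python script below is an added example, not part of the sandbox output: it parses the printed path/MD5/SHA1/SHA256/SHA512 blocks, validates digest lengths, counts distinct contents per path, and reports (path, SHA256) pairs present in both runs. RUN1 and RUN2 are constructed subsets copied from the two Files sections above.

```python
"""Cross-run comparison of the Files sections in this report (added example,
not sandbox output).

Parses 'path' blocks followed by MD5/SHA1/SHA256/SHA512 lines, validates digest
lengths, counts distinct contents captured per path, and lists artifacts whose
SHA256 is identical in both detonations.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+(\S+)$")

# Constructed sample: two AdTraceIoPackageQueue captures from behavioral1.
RUN1 = """\
/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 6ec1826d5ed4dd33c0e6ecc7b1c3ecac
SHA1 12c2291654371efe4f136eae1f87332b9ac448ed
SHA256 5aef8b1c7727547e3085f3a65e527ff686d4b1813069d0e737548ed492564365
SHA512 37b8e95ee0c6fbeaecae06b348752fa919008ec93794f9dd8abd6558f57aaeeffa2c88bb39321123d642f11575ca0eb682a1be78029bb62b7023a72d1744be4e

/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
"""

# Constructed sample: one ActivityState and one PackageQueue capture from behavioral2.
RUN2 = """\
/data/data/com.medicarian.diana.app/files/AdTraceIoActivityState

MD5 2f317ef829fa9abe07f744c74f81dce9
SHA1 c2ec16870cd429a848f0abde3c8f58e828321a17
SHA256 f7f9eed1aed6238ab50cbe01f334b32be519d079deb71e7b59bcc3917edcc2e7
SHA512 4cab98b7293a5b9a61f5f1aad5572fdd33b7a3d9ed943b6b6083108cc45b814c5d6e67d09b2b7165e337410c6e81950b1add352bc24a59a486cf9796dbc9c52e

/data/data/com.medicarian.diana.app/files/AdTraceIoPackageQueue

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
"""


def digest_ok(algo, digest):
    """True if the digest is hex and has the length the algorithm requires."""
    return (algo in HASH_LEN and len(digest) == HASH_LEN[algo]
            and all(c in "0123456789abcdef" for c in digest.lower()))


def parse_files(text):
    """Return [(path, {algo: digest}), ...] in printed order.
    A block starts at a line beginning with '/' and collects the hash lines after it."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = (line, {})
            entries.append(current)
            continue
        m = HASH_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unexpected line in Files section: {line!r}")
        algo, digest = m.group(1), m.group(2).lower()
        if not digest_ok(algo, digest):
            raise ValueError(f"bad {algo} digest for {current[0]}: {digest}")
        current[1][algo] = digest
    return entries


def writes_per_path(entries):
    """Number of distinct contents (by SHA256) captured for each path."""
    seen = defaultdict(set)
    for path, hashes in entries:
        seen[path].add(hashes["SHA256"])
    return {path: len(digests) for path, digests in seen.items()}


def identical_across_runs(run_a, run_b):
    """(path, sha256) pairs captured with identical content in both runs."""
    a = {(path, h["SHA256"]) for path, h in run_a}
    b = {(path, h["SHA256"]) for path, h in run_b}
    return sorted(a & b)


if __name__ == "__main__":
    run1, run2 = parse_files(RUN1), parse_files(RUN2)
    print("distinct contents per path, run 1:", writes_per_path(run1))
    print("identical in both runs:", identical_across_runs(run1, run2))
```

A digest that survives unchanged across two independent detonations on different platforms (x86-arm and x64) is content the app or its SDK writes deterministically, which is the kind of hash worth keeping as a sample-specific indicator; the per-run captures of the same path that differ are ordinary state churn.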