Malware Analysis Report

2025-01-19 06:56

Sample ID 240522-zpjjyagc2x
Target Victim_1.0.apk
SHA256 abfbe0a094d8601da53cc5a1f6605bea08274790a43324f891a980a0d78981f0
Tags
collection credential_access persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

abfbe0a094d8601da53cc5a1f6605bea08274790a43324f891a980a0d78981f0

Threat Level: Likely malicious

The file Victim_1.0.apk was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access persistence

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries account information for other applications stored on the device

Reads the contacts stored on the device.

Reads the content of the SMS messages.

Reads the content of the call log.

Registers a broadcast receiver at runtime (usually for listening for system events)

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 20:53

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 20:53

Reported

2024-05-22 20:54

Platform

android-x86-arm-20240514-en

Max time kernel

3s

Max time network

39s

Command Line

com.my.victim

Signatures

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccounts | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Reads the content of the call log.

collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.my.victim

Network

Country | Destination | Domain | Proto
GB | 216.58.213.3:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | hayam-239f3-default-rtdb.firebaseio.com | udp
US | 35.201.97.85:443 | hayam-239f3-default-rtdb.firebaseio.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/data/com.my.victim/app_sslcache/hayam-239f3-default-rtdb.firebaseio.com.443

MD5 1befae9a1f0d05b01c76c2704be4e752
SHA1 49c421c3c87e9e93e4094a4270973890707aa8e5
SHA256 f04ab03943d298d446971d164a351d33b8493ad6b8bd1c085d0e5a2f074c3ab2
SHA512 9e97efc2f3ad4d6a789f3ff15f04f7c151372d85eb9b1ebbadd51a25e84db336d39d514e75a687469a3e5a725d55738f11e7a763ebea09e3dba976c81cf3fb7e

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 20:53

Reported

2024-05-22 20:56

Platform

android-x64-20240514-en

Max time kernel

4s

Max time network

153s

Command Line

com.my.victim

Signatures

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccounts | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Reads the content of the call log.

collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.my.victim

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | hayam-239f3-default-rtdb.firebaseio.com | udp
US | 35.201.97.85:443 | hayam-239f3-default-rtdb.firebaseio.com | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-22 20:53

Reported

2024-05-22 20:56

Platform

android-x64-arm64-20240514-en

Max time kernel

3s

Max time network

168s

Command Line

com.my.victim

Signatures

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Queries account information for other applications stored on the device

collection
Description | Indicator | Process | Target
Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Reads the content of the SMS messages.

collection
Description | Indicator | Process | Target
URI accessed for read | content://sms/ | N/A | N/A

Reads the content of the call log.

collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Processes

com.my.victim

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | hayam-239f3-default-rtdb.firebaseio.com | udp
US | 35.190.39.113:443 | hayam-239f3-default-rtdb.firebaseio.com | tcp
US | 1.1.1.1:53 | redirector.gvt1.com | udp
GB | 216.58.212.206:443 | redirector.gvt1.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | r3---sn-aigl6nsd.gvt1.com | udp
GB | 74.125.105.40:443 | r3---sn-aigl6nsd.gvt1.com | tcp
US | 1.1.1.1:53 | r5---sn-aigl6nzl.gvt1.com | udp
GB | 74.125.168.170:443 | r5---sn-aigl6nzl.gvt1.com | tcp
US | 1.1.1.1:53 | r5---sn-aigl6nz7.gvt1.com | udp
GB | 74.125.168.106:443 | r5---sn-aigl6nz7.gvt1.com | tcp
US | 1.1.1.1:53 | r4---sn-aigl6nz7.gvt1.com | udp
GB | 74.125.168.105:443 | r4---sn-aigl6nz7.gvt1.com | tcp
US | 1.1.1.1:53 | r2---sn-aigl6ned.gvt1.com | udp
GB | 173.194.183.71:443 | r2---sn-aigl6ned.gvt1.com | tcp
US | 1.1.1.1:53 | r4---sn-aigl6nzk.gvt1.com | udp
GB | 74.125.175.105:443 | r4---sn-aigl6nzk.gvt1.com | tcp
US | 1.1.1.1:53 | r1---sn-aigl6nze.gvt1.com | udp
GB | 74.125.168.134:443 | r1---sn-aigl6nze.gvt1.com | tcp
US | 1.1.1.1:53 | r1---sn-aigl6ns6.gvt1.com | udp
GB | 74.125.105.6:443 | r1---sn-aigl6ns6.gvt1.com | tcp
US | 1.1.1.1:53 | r1---sn-aigl6nzs.gvt1.com | udp
GB | 74.125.175.70:443 | r1---sn-aigl6nzs.gvt1.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 172.217.169.46:443 | | tcp
GB | 216.58.213.2:443 | | tcp
GB | 142.250.180.3:443 | | tcp

Files

N/A