Malware Analysis Report

2025-01-19 07:01

Sample ID 240523-n8ejjsfh8z
Target controle_clientes.apk
SHA256 343a24ea5231099de5ecc817ea1249c6d17fecf7c5cb7458b8e2533c1d9cc760
Tags
discovery evasion impact persistence collection credential_access
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

343a24ea5231099de5ecc817ea1249c6d17fecf7c5cb7458b8e2533c1d9cc760

Threat Level: Likely malicious

The file controle_clientes.apk was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence collection credential_access

Checks if the Android device is rooted.

Checks CPU information

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the mobile country code (MCC)

Checks Android system properties for emulator presence.

Checks memory information

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 12:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 12:03

Reported

2024-05-23 12:23

Platform

android-x86-arm-20240514-en

Max time kernel

33s

Max time network

160s

Command Line

br.com.contasemdia.contasemdia

Signatures

Checks if the Android device is rooted.

evasion
Description  Indicator                  Process  Target
N/A          /system/app/Superuser.apk  N/A      N/A

Checks Android system properties for emulator presence.

evasion
Description                   Indicator         Process  Target
Accessed system property key  ro.product.model  N/A      N/A

Checks CPU information

evasion discovery
Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

evasion discovery
Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Loads dropped Dex/Jar

evasion
Description  Indicator                                                              Process  Target
N/A          /data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar  N/A      N/A
N/A          /data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar  N/A      N/A

Queries information about running processes on the device

discovery
Description             Indicator                                              Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses   N/A      N/A

Queries the mobile country code (MCC)

discovery
Description             Indicator                                                                   Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone    N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                     Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description         Indicator                      Process  Target
Framework API call  javax.crypto.Cipher.doFinal    N/A      N/A

Processes

br.com.contasemdia.contasemdia

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar --output-vdex-fd=71 --oat-fd=72 --oat-location=/data/user/0/br.com.contasemdia.contasemdia/cache/oat/x86/1582435991586.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination             Domain                       Proto
GB       142.250.200.42:443                                   tcp
N/A      224.0.0.251:5353                                     udp
US       1.1.1.1:53              www.google.com               udp
GB       142.250.179.228:443     www.google.com               tcp
US       1.1.1.1:53              googleads.g.doubleclick.net  udp
GB       142.250.187.226:443     googleads.g.doubleclick.net  tcp
GB       142.250.187.226:443     googleads.g.doubleclick.net  tcp
GB       142.250.187.226:443     googleads.g.doubleclick.net  tcp
GB       142.250.187.206:443                                  tcp
US       1.1.1.1:53              android.apis.google.com      udp
GB       142.250.187.238:443     android.apis.google.com      tcp
GB       172.217.169.66:443                                   tcp

Files

/data/data/br.com.contasemdia.contasemdia/databases/contasDB-journal

MD5 73a5aa200fda110725b33038e655336e
SHA1 9272ca81031081e7ac782fa2dc15442f791efa59
SHA256 8013bf23898c0d608cc0024d1f597d4f2937d5ed200a1adc274bedb4527cacf6
SHA512 ea4066307fa138a0d9a7edd65e3ba1f31589c41a092c6391eddc9064644fdf62182122e77bf4a2da6d4c64db7b51551b7e321f3240cd246510efd36c96693f41

/data/data/br.com.contasemdia.contasemdia/databases/contasDB

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/br.com.contasemdia.contasemdia/databases/contasDB-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/br.com.contasemdia.contasemdia/databases/contasDB-wal

MD5 9175d7fcc6086febf35337fde6eff86f
SHA1 308415205d32e7561e1fd8f3468a8426fee73c2b
SHA256 32f5997a1dbe6ed4adcdddb0f39bba6bae8eee8f92351acbbb54b5a1fd0f554d
SHA512 659e35cf9fb810421f717da568e4408db467ada761a515f75cf219933d54989f537684bea63b14d0c51402d3d587f4cdea9a11254b79ca9ab56fcdef254dbb9f

/data/data/br.com.contasemdia.contasemdia/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56

/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar

MD5 2048eb6124a452540ee51dae4145aadf
SHA1 d05005b2cd7fe4cd652b0d7fd1bdac2c19d51451
SHA256 105c54b6fe3f25350e92187467761598e4c21d62b1091b77d091f65f3bd98864
SHA512 bb6cb3853dd2a5d0701e20607d4e153ae201268dd2e5e2d06cc2df208b3b4dc50132a4ab428251b1644d2399fcc717662438d082ff14203387bab8794109d44d

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 12:03

Reported

2024-05-23 12:12

Platform

android-x64-20240514-en

Max time network

149s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country  Destination             Domain                     Proto
N/A      224.0.0.251:5353                                   udp
US       1.1.1.1:53              ssl.google-analytics.com   udp
GB       142.250.187.200:443     ssl.google-analytics.com   tcp
US       1.1.1.1:53              android.apis.google.com    udp
GB       142.250.187.238:443     android.apis.google.com    tcp
GB       142.250.200.10:443                                 tcp
GB       142.250.200.46:443                                 tcp
GB       216.58.201.100:443                                 tcp
GB       216.58.201.100:443                                 tcp
GB       172.217.169.14:443                                 tcp
GB       172.217.16.226:443                                 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-23 12:03

Reported

2024-05-23 12:12

Platform

android-x64-arm64-20240514-en

Max time kernel

122s

Max time network

132s

Command Line

br.com.contasemdia.contasemdia

Signatures

Checks if the Android device is rooted.

evasion
Description  Indicator                  Process  Target
N/A          /system/app/Superuser.apk  N/A      N/A

Checks CPU information

evasion discovery
Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

evasion discovery
Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Loads dropped Dex/Jar

evasion
Description  Indicator                                                              Process  Target
N/A          /data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar  N/A      N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description             Indicator                                                      Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener      N/A      N/A

Queries information about running processes on the device

discovery
Description             Indicator                                              Process  Target
Framework service call  android.app.IActivityManager.getRunningAppProcesses   N/A      N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description         Indicator                      Process  Target
Framework API call  javax.crypto.Cipher.doFinal    N/A      N/A

Processes

br.com.contasemdia.contasemdia

Network

Country  Destination             Domain                       Proto
N/A      224.0.0.251:5353                                     udp
GB       172.217.16.238:443                                   tcp
US       1.1.1.1:53              android.apis.google.com      udp
GB       216.58.201.110:443      android.apis.google.com      tcp
GB       216.58.201.110:443      android.apis.google.com      tcp
US       1.1.1.1:53              ssl.google-analytics.com     udp
GB       216.58.212.232:443      ssl.google-analytics.com     tcp
US       1.1.1.1:53              googleads.g.doubleclick.net  udp
GB       142.250.200.2:443       googleads.g.doubleclick.net  tcp
GB       142.250.200.2:443       googleads.g.doubleclick.net  tcp
GB       142.250.200.2:443       googleads.g.doubleclick.net  tcp
GB       216.58.201.100:443                                   tcp
GB       216.58.201.100:443                                   tcp

Files

/data/user/0/br.com.contasemdia.contasemdia/databases/contasDB-journal

MD5 22a03433c862bcbec8d7cc292efca908
SHA1 2725792e98131701647b8cb6a1afdde5ea80556e
SHA256 d4edf0cb297836cfe68d121a935e07d3c9c851b4283f7c9769f3b837c542c333
SHA512 79b1ee805f88fd95d773b844f644bf6cc9857e81097cb94ac805110c3fadc3411377b3ebef6f46b5d9a9c8aef228c5cee19a11d97129a8e7e4b7d4128997b8e3

/data/user/0/br.com.contasemdia.contasemdia/databases/contasDB

MD5 3f6df60944ac834b8319f5a85ff24a5a
SHA1 e954ea402e09542f6934dd7b026528d615152322
SHA256 172e38bed929b357ee9f19d24c90eefa422d94140e8934a616b39d5c96ad2143
SHA512 87169d9f7da254c386fea1fd72a8b7097812c314526c686d19dadfa8eabc2e96310040c2eb1cd367fdf864263e2bb9cd4cfb8961cc49c27ca7f6d5ab42e5628b

/data/user/0/br.com.contasemdia.contasemdia/databases/contasDB-journal

MD5 581f4fbb8b463cc53e8a5321cf87c077
SHA1 dc02ca4816b5cf558811c3897b7a31a345cc7757
SHA256 8e0e512e8ea3c13e931a6e6f068eb8e768f677d02591b06352d3314e53db4b89
SHA512 0ec83ec28e1d82a02ce32e61e5d91feeac602476846c548406beaef0cfb602cbcb88c4dba70470cdabb03c9124d8b22e682d1ed3d98ea98e227afc9d8cc2641d

/data/user/0/br.com.contasemdia.contasemdia/databases/contasDB-journal

MD5 37adb5a6d81cb9590f48db84e0fb3ec6
SHA1 c255b5912a175ebdcee7ad64c6fa0d9e88bccee8
SHA256 624e834e01c2d554f481df85c8b2a4aed86d84cb70673767fe8eef471af3d79e
SHA512 2a7a7b9d21e078707d21e2386f849b842fbff0c225147df60bff284b96c25be6f2937678efd08b8455d057f0f50d60b979ad33fec845bb708cc24dea47928b07

/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar

MD5 e8e0527a01aefdb89afd2c508f131da1
SHA1 f1103e6b260c657ceb3d95f1b023af3fda8b133a
SHA256 f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce
SHA512 fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34

/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar

MD5 fde2ee00cbd121cfab5290b078aa3ceb
SHA1 e2b77d5320e155e413d040a8c20020962065b2f8
SHA256 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685
SHA512 a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56