Malware Analysis Report

2025-01-19 07:01

Sample ID: 240523-nr7h1aef21
Target: (opt by vgph) NovaFlare Engine.apk
SHA256: c4b8b705b5c404c51036dbe73b3853167725b3491a67bfadef5b4590692e2d07
Tags: collection credential_access discovery evasion impact
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: c4b8b705b5c404c51036dbe73b3853167725b3491a67bfadef5b4590692e2d07

Threat Level: Shows suspicious behavior

The file (opt by vgph) NovaFlare Engine.apk was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection credential_access discovery evasion impact

Checks CPU information

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-23 11:39

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-23 11:38

Reported: 2024-05-23 11:43

Platform: android-x86-arm-20240514-en

Max time kernel: 7s

Max time network: 168s

Command Line

com.NovaFlareEngine

Signatures

Checks CPU information

Tags: evasion discovery

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

Tags: evasion

Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.NovaFlareEngine

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 1.1.1.1:53 | static.xx.fbcdn.net | udp
US | 1.1.1.1:53 | m.youtube.com | udp
US | 1.1.1.1:53 | images-na.ssl-images-amazon.com | udp
US | 1.1.1.1:53 | en.m.wikipedia.org | udp
US | 1.1.1.1:53 | a.espncdn.com | udp
US | 1.1.1.1:53 | s.yimg.com | udp
US | 1.1.1.1:53 | ir.ebaystatic.com | udp
GB | 157.240.221.16:443 | static.xx.fbcdn.net | tcp
US | 1.1.1.1:53 | www.instagram.com | udp
GB | 142.250.200.46:443 | m.youtube.com | tcp
GB | 23.59.171.9:443 | images-na.ssl-images-amazon.com | tcp
NL | 185.15.59.224:443 | en.m.wikipedia.org | tcp
GB | 87.248.114.11:443 | s.yimg.com | tcp
GB | 88.221.134.131:80 | a.espncdn.com | tcp
PL | 93.184.223.214:443 | ir.ebaystatic.com | tcp
GB | 157.240.221.174:443 | www.instagram.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | www.google.co.uk | udp
US | 1.1.1.1:53 | urnvzpoyzpqvuk | udp
US | 1.1.1.1:53 | sqasywnsp | udp
US | 1.1.1.1:53 | iulfmdpwmy | udp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 142.250.200.35:443 | update.googleapis.com | tcp
GB | 142.250.180.14:443 | (none) | tcp
GB | 142.250.180.14:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp

Files

N/A