Malware Analysis Report

2025-01-19 07:02

Sample ID 240523-prtgtahh4x
Target civio_shippark1.3.1内测.apk
SHA256 fd04c0f2ee81e834e6da4be44b6592e55b6b06de43c7f8dd391c6a2ef8339141
Tags
banker discovery evasion impact persistence collection credential_access
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

fd04c0f2ee81e834e6da4be44b6592e55b6b06de43c7f8dd391c6a2ef8339141

Threat Level: Likely malicious

The file civio_shippark1.3.1内测.apk was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence collection credential_access

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Queries information about running processes on the device

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Checks if the internet connection is available

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Reads information about phone network operator

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-23 12:34

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 12:34

Reported

2024-05-23 13:12

Platform

android-x86-arm-20240514-en

Max time kernel

125s

Max time network

182s

Command Line

civio.shipparking

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

civio.shipparking

Network


Files

/data/data/civio.shipparking/files/.imei.txt


/data/data/civio.shipparking/shared_prefs_ext/test_app


/data/data/civio.shipparking/files/cnc3ejE6/eje3cnc


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 12:34

Reported

2024-05-23 13:01

Platform

android-x64-20240514-en

Max time kernel

126s

Max time network

186s

Command Line

civio.shipparking

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/civio.shipparking/[email protected] N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

civio.shipparking

Network


Files

/data/data/civio.shipparking/.00000000000/39285EFA.dex

/data/data/civio.shipparking/files/.imei.txt


/data/data/civio.shipparking/shared_prefs_ext/test_app


/data/data/civio.shipparking/files/cnc3ejE6/eje3cnc
