Malware Analysis Report

2024-09-09 17:54

Sample ID 240529-2s6jzsdg74
Target 91c5a5f4739f5a5762f3c3196c1d4c5257551f0e6c1df0fba5177cf1e02e5938.bin
SHA256 91c5a5f4739f5a5762f3c3196c1d4c5257551f0e6c1df0fba5177cf1e02e5938
Tags: banker collection discovery impact persistence privilege_escalation

Score: 8/10

Analysis Overview

Threat Level: Likely malicious

The file 91c5a5f4739f5a5762f3c3196c1d4c5257551f0e6c1df0fba5177cf1e02e5938.bin was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery impact persistence privilege_escalation

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Reads the contacts stored on the device.

Registers a broadcast receiver at runtime (usually for listening for system events)

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks if the internet connection is available

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-05-29 22:51

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 22:51

Reported

2024-05-29 22:54

Platform

android-x86-arm-20240514-en

Max time kernel

9s

Max time network

185s

Command Line

com.ZUouNv38.CUst82od

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.ZUouNv38.CUst82od

Network


Files

/data/data/com.ZUouNv38.CUst82od/app_config/config

MD5 abbc162979f999e2e4c79db3ab353c89
SHA1 897463e42273ba5727da02e67f1f783bce2a57ec
SHA256 26247b4c2418cdaaed1e13d355dcee727388c809bd4d26de33a439083c70ee68
SHA512 7fe1b291be332370dce33a360f23edfa0c248f6ebb7d675a01747446339ff86aef59dbc60ad14290cee27e8e013abc3d0b624f9c93ef67d241150d22a4bc1d50

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 22:51

Reported

2024-05-29 22:54

Platform

android-x64-20240514-en

Max time kernel

64s

Max time network

187s

Command Line

com.ZUouNv38.CUst82od

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.ZUouNv38.CUst82od

Network


Files

/data/data/com.ZUouNv38.CUst82od/app_config/config

MD5 af87a64966ba849a11ae9c74ffd3668a
SHA1 e043f52ae343f510cd9ca8186a1f0a4d8ac7adb1
SHA256 ef32f9b1aea00d45bf601f5ea9dc2be350524b29626086bb93e086212b23bd36
SHA512 2928b55f5643d50cd31072f530cee6e43853f856f297946f30d3637c4a2b3134adbf8a59a3279528b2d7a91c0d892df09fa9ad4fc8ffdb73133967edb2851534

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-29 22:51

Reported

2024-05-29 22:54

Platform

android-x64-arm64-20240514-en

Max time kernel

13s

Max time network

188s

Command Line

com.ZUouNv38.CUst82od

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.ZUouNv38.CUst82od

Network


Files

/data/user/0/com.ZUouNv38.CUst82od/app_config/config

MD5 3be3c71de9943efb25c2e687cec1c62e
SHA1 7d2795ae29bb4ededae2b6838ffaca8e8c463451
SHA256 1f2029069c27932556eb1e8c0fba0803f48bf0101e0cbf252d28c3760fc85be3
SHA512 b71c42be307c27607683fb1cc498867b0a857e25c578113c22efa713cf737bd2e63b4243c145c9b63e51a849bb1f90da37d6e8aff279948424ac023d4072e715