Malware Analysis Report

2024-09-09 17:54

Sample ID 240601-az7bbabd8y
Target bf7aeedd068639437b11c98ac589862ed4a6313ac6f90f803b1b36d711d634f6.bin
SHA256 bf7aeedd068639437b11c98ac589862ed4a6313ac6f90f803b1b36d711d634f6
Tags banker collection discovery impact persistence privilege_escalation
Score 8/10

Analysis Overview

Score 8/10

SHA256 bf7aeedd068639437b11c98ac589862ed4a6313ac6f90f803b1b36d711d634f6

Threat Level: Likely malicious

The file bf7aeedd068639437b11c98ac589862ed4a6313ac6f90f803b1b36d711d634f6.bin was found to be: Likely malicious.

Malicious Activity Summary

Tags banker collection discovery impact persistence privilege_escalation

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Reads the contacts stored on the device.

Registers a broadcast receiver at runtime (usually for listening for system events)

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks if the internet connection is available

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-01 00:40

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-01 00:40
Reported 2024-06-01 00:43
Platform android-x86-arm-20240514-en
Max time kernel 10s
Max time network 185s

Command Line

com.Zrgmkpdq.Rlofgsau

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection

Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact

Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.Zrgmkpdq.Rlofgsau

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.169.14:443 | - | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | tcp
US | 23.247.12.221:80 | - | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 23.247.12.221:80 | - | tcp

Files

/data/data/com.Zrgmkpdq.Rlofgsau/app_config/config

MD5 3556f26122efc707a4a13de2294adf5f
SHA1 fb372d395b741b26c1eb28868f5a5ab6332cfc75
SHA256 9a0df22c6c42011cccf004a64e5e55683f0fca4112fee75b95217fe87e6daad2
SHA512 a87ecff604f656a4c8d702d92845429eb14582bc957a042b692e27b699d74b7c59b436427a9449aed18b879ee258edcec9512fad1a627b29ca408e4b56c31fa0

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-01 00:40
Reported 2024-06-01 00:43
Platform android-x64-20240514-en
Max time kernel 10s
Max time network 188s

Command Line

com.Zrgmkpdq.Rlofgsau

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection

Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.Zrgmkpdq.Rlofgsau

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 23.247.12.221:80 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 23.247.12.221:80 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 23.247.12.221:80 | - | tcp
GB | 142.250.200.46:443 | - | tcp
US | 23.247.12.221:80 | - | tcp
GB | 216.58.213.14:443 | - | tcp
GB | 142.250.200.2:443 | - | tcp
US | 23.247.12.221:80 | - | tcp
GB | 172.217.16.228:443 | - | tcp
US | 23.247.12.221:80 | - | tcp

Files

/data/data/com.Zrgmkpdq.Rlofgsau/app_config/config

MD5 b6b10e371be9b3060975f14ea1cf65e3
SHA1 b80ce0a9d8c6101b29207beaa171af2da78f45d9
SHA256 af5c9548cad8f96aa82be465e528e491f92cab572b33387af2841608d4c63739
SHA512 e0293a61218e776204c1b388c62e6ad4096e427a030284deec571cc7468f6681155b7a10d2798891d861d983356cde55f8d5cb964abe994cb877520bd10bb2a2

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-01 00:40
Reported 2024-06-01 00:43
Platform android-x64-arm64-20240514-en
Max time kernel 14s
Max time network 187s

Command Line

com.Zrgmkpdq.Rlofgsau

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Reads the contacts stored on the device.

collection

Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact

Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Checks if the internet connection is available

discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.Zrgmkpdq.Rlofgsau

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.16.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 23.247.12.221:80 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 23.247.12.221:80 | - | tcp
GB | 216.58.201.100:443 | - | tcp
US | 23.247.12.221:80 | - | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 23.247.12.221:80 | - | tcp

Files

/data/user/0/com.Zrgmkpdq.Rlofgsau/app_config/config

MD5 b6b10e371be9b3060975f14ea1cf65e3
SHA1 b80ce0a9d8c6101b29207beaa171af2da78f45d9
SHA256 af5c9548cad8f96aa82be465e528e491f92cab572b33387af2841608d4c63739
SHA512 e0293a61218e776204c1b388c62e6ad4096e427a030284deec571cc7468f6681155b7a10d2798891d861d983356cde55f8d5cb964abe994cb877520bd10bb2a2