Malware Analysis Report

2025-01-19 08:10

Sample ID: 240606-cyc27aeh2s
Target: c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b
SHA256: c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b
Tags: discovery evasion impact persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b

Threat Level: Likely malicious

The file c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery evasion impact persistence

Checks if the Android device is rooted.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-06 02:28

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-06 02:28

Reported: 2024-06-06 02:31

Platform: android-x86-arm-20240603-en

Max time kernel: 174s

Max time network: 145s

Command Line

Aktualizacja.apps

Signatures

Checks if the Android device is rooted.

Tag: evasion

Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Tag: impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

Aktualizacja.apps

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.nxspy.eu | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 142.250.187.206:443 | | tcp
GB | 216.58.213.2:443 | | tcp

Files

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 fed75efe9a6c09d293b34ee0463a3b02
SHA1 9f4102ba620eb944e2e3d4fab9399cd865a82edd
SHA256 d846bf51e3f38585f4b3f396a5a06c7ccd569bb3c1101f630d8d5b4b9449eacc
SHA512 4f80f99e6807d337553fb08d255a0629962a3732e8bf1171f4485cbaabbd1ebd586e8d1b7c32f2e93800371cb18c1de0872ff15eab56ee40fa0ee6f0083c930e

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 8d0bce096580cf6b3618a551eeaa445a
SHA1 3f9bdf7bdbb5084b59845c11e99358dbfb39448d
SHA256 47b54f8217b0031be958ae19d19af6c86e1bfb77388b696c59d0ca2221b2cbb2
SHA512 5b8374a44cd71fdef9a58616ec0ca6957ec7b3a388e41abc51a94d54c6ed3950decab7ce49373944938f76731da61e075c78e2147d0066158e5ec9aed4d2aff6

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 bc62d331c60214a040381f49922da677
SHA1 6329eacf4870f7a7e24e728b5dd0f983fd45ae8a
SHA256 dc19ba665b5112a92703a06fc028e11406c0a9104b1df3f604cfe8b4c09b6e82
SHA512 5ef29c38ecd92b6754feed0b37f1e77336c1370021d93f2b0bf955affbdbaa88722bd887191d076b20cb9bb4c426ef012804851bf53b464c26a06b5b32b3d75c

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 a9ab57241115e2a8849f4ade8aeb3ed6
SHA1 83d21768124541b70930af7932b4bd055df3e5d2
SHA256 8b244601e2a35ca624dbe21035fe6cc7d24b3bd81e310cbf4a8f82e20f5f2f9d
SHA512 667651813257b3ee6f66cb2beae903e4c95b7032e57c572af114bad99d25e2206d0889c58fc4004af4642527e951c9db7624312034ceeb7ff133fa1a2992bcc2

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 dade1b296b16923233cb28872be33b0a
SHA1 a2aaf73ec1dc6ad2d7d59c919e328564170d82f5
SHA256 db593abf4a04d761570a1e452bc1e1c1f3e3826c77394f38a8b361c8b5d9139a
SHA512 28317807448108b00327b83594a9f89e5dba794982f22d03fa980618fc387799b541fc4558242881790e3c2162d7bb76f715e22b914ea58c0c3c8fe4521be17e