Malware Analysis Report

2024-07-28 14:53

Sample ID: 240608-1kvbbagg5y
Target: VirusShare_e09e167e47a753b7eb20583ac507b231
SHA256: e24ad9004cb46df8047944c468c8e67581e88e35bd3ec7f9e9748543f3cb8d29
Tags: discovery evasion impact privilege_escalation stealth trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: e24ad9004cb46df8047944c468c8e67581e88e35bd3ec7f9e9748543f3cb8d29
Threat Level: Likely malicious

The file VirusShare_e09e167e47a753b7eb20583ac507b231 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact privilege_escalation stealth trojan

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries information about active data network

Tries to add a device administrator.

Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-08 21:42

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-08 21:42
Reported: 2024-06-08 21:52
Platform: android-x86-arm-20240603-en
Max time kernel: 135s
Max time network: 175s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Tries to add a device administrator.

Tags: privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.install.l

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp

Files

/storage/emulated/0/lbt.txt

MD5 bd9ff8196a73215acd97ca73ab4c0390
SHA1 22cf41bba8e69b21a42413d8525d6e865cf54387
SHA256 1e8f95e55c5e46e6182c5691826975c2548110d192904e723490e28b5448c5ea
SHA512 387b984e74c7dca83062ad4971a08b3c3cf692899ab9dc85000c30181ecbbb939aa015c18106fcb7868a4ac2df9e5c34453150e539b70588ec00f6ea5adf9d98

/storage/emulated/0/lbt.txt

MD5 bb979d74ae9d556e134c076be430dd55
SHA1 7a819c9c8daf3fc5748699abfbdf47e2926a5688
SHA256 6256cfac0153c481c71431149ded37a153415201fa35f936ff8e62af9461f91e
SHA512 b8a1d1e07c5c5028f7494b43e1f6f5dca56415c7230d98be4fa47bd0ad1d4f62cfc5f979852da1a277d204b58c2e10bdb49bfa56038d6db930f53a723fb0fb85

/storage/emulated/0/lbt.txt

MD5 8f979e2dac097a2e0794f40c9aff8d43
SHA1 0ec20b17953d03368f650d01dbbd3af7e153280c
SHA256 e5ea1aff22185377626398cf9bd0a95f86c541bc42665897542f3e4b9e87eadb
SHA512 2bfa73705f504414506d3b54520a740c036f4fb9e3562ae513908127b1782870e31f7cfdaffd2ef1cbcc54cd81b86bf605751fff55328a914f6a44555af69a09

/storage/emulated/0/lbt.txt

MD5 03dce64eda80fc53dd0fe0ba20f05fca
SHA1 3edc789ca6f0695ff7965dedab2ab5de1a1f8bcb
SHA256 5c99a0222d2c547c241f3ae61185f0d4b6379455bbcf94b0f3fad2dfe2e2d199
SHA512 511d143528df7350e11cabcd41289f4989f74f7d41ed898e394d4a7f2c552bec16daf8118f9e59072bd3faf8e7fc56d9fcbb24529c55ea3e4224fcd2ad7944d7

/storage/emulated/0/lbt.txt

MD5 5efe7f9e5e0738b99739093360861cdb
SHA1 af0e221f4a634cada6283d44908876caa5e2eb76
SHA256 5cab0912aa050eb491462eadd8b65a17c3f49c72b3d028550ff5b5c71b23986c
SHA512 a6aaf7e54283a83b31dd9803cc978b0f33d30c4770874558ee8a831d27f8c3df5f8c8e3352fd64520378a2b7b19d87cee563b688fcff1970eb58d9d7493f8216

/storage/emulated/0/lbt.txt

MD5 52394e496f96606c6227e6fe4642ec72
SHA1 0658730eb84147e439dcfd06302199450fc8c668
SHA256 feed239fab3ff43218b864f86a1638798533bca9e40566e51bd325f4b632cfde
SHA512 0ff8fee8bb0dfc23ed22a3357bb8e0dd94bd9c464c09e70268bf55b18643f1515e13eeef2c64d5956baa0bec46d398ef75bd238f89cdf643269e3ba1d8bb0f67

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-08 21:42
Reported: 2024-06-08 21:52
Platform: android-x64-20240603-en
Max time kernel: 142s
Max time network: 184s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Processes

com.install.l

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
PL | 212.59.240.32:7 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.106:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
PL | 212.59.240.32:80 | | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.187.226:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 216.58.212.206:443 | | tcp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp

Files

/storage/emulated/0/lbt.txt

MD5 54edf00e6fe540f44bb0d1baab655a75
SHA1 6ffc204e5d10ea6117a770b18f1a8d39c3f73704
SHA256 f01237b90effd6fa392477fd4bb04715ee6f94d33e3f8a57374457a588f71a96
SHA512 17a6fa36632739cdacb7a544767a485dd5eb85b7e0666200b3c92176083ca6d12a3edf6a841c0a766089fcea5c13cd34e54c820d4d0f471906d6b7ecf2c049b2

/storage/emulated/0/lbt.txt

MD5 bb979d74ae9d556e134c076be430dd55
SHA1 7a819c9c8daf3fc5748699abfbdf47e2926a5688
SHA256 6256cfac0153c481c71431149ded37a153415201fa35f936ff8e62af9461f91e
SHA512 b8a1d1e07c5c5028f7494b43e1f6f5dca56415c7230d98be4fa47bd0ad1d4f62cfc5f979852da1a277d204b58c2e10bdb49bfa56038d6db930f53a723fb0fb85

/storage/emulated/0/lbt.txt

MD5 8f979e2dac097a2e0794f40c9aff8d43
SHA1 0ec20b17953d03368f650d01dbbd3af7e153280c
SHA256 e5ea1aff22185377626398cf9bd0a95f86c541bc42665897542f3e4b9e87eadb
SHA512 2bfa73705f504414506d3b54520a740c036f4fb9e3562ae513908127b1782870e31f7cfdaffd2ef1cbcc54cd81b86bf605751fff55328a914f6a44555af69a09

/storage/emulated/0/lbt.txt

MD5 03dce64eda80fc53dd0fe0ba20f05fca
SHA1 3edc789ca6f0695ff7965dedab2ab5de1a1f8bcb
SHA256 5c99a0222d2c547c241f3ae61185f0d4b6379455bbcf94b0f3fad2dfe2e2d199
SHA512 511d143528df7350e11cabcd41289f4989f74f7d41ed898e394d4a7f2c552bec16daf8118f9e59072bd3faf8e7fc56d9fcbb24529c55ea3e4224fcd2ad7944d7

/storage/emulated/0/lbt.txt

MD5 5efe7f9e5e0738b99739093360861cdb
SHA1 af0e221f4a634cada6283d44908876caa5e2eb76
SHA256 5cab0912aa050eb491462eadd8b65a17c3f49c72b3d028550ff5b5c71b23986c
SHA512 a6aaf7e54283a83b31dd9803cc978b0f33d30c4770874558ee8a831d27f8c3df5f8c8e3352fd64520378a2b7b19d87cee563b688fcff1970eb58d9d7493f8216

/storage/emulated/0/lbt.txt

MD5 72cf55dc26976fcde9c5c9258f9ea33c
SHA1 8170a3d023ad7155dace4dc2afbd07bdeef47d1f
SHA256 eb23232c1d94fffd0b377a18b5240e600680c16a3e97fd2f44acecad6a5cf2ce
SHA512 15cbcedc25fa6fbf0869090318c3660d69159ca0e3e60e1f7d9f18c21411217dee6fc31450397c5365b38e05e355b53a54e11892a544f299afc18d67979e00c2

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-08 21:42
Reported: 2024-06-08 21:52
Platform: android-x64-arm64-20240603-en
Max time kernel: 138s
Max time network: 180s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Tries to add a device administrator.

Tags: privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.install.l

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp

Files

/storage/emulated/0/lbt.txt

MD5 44b5180cc303d8218ac3c550b15bf078
SHA1 ee2d3f644d4faefde215bc82c72350c5c86b9d69
SHA256 73b0dee79b743b7be3acaaf08cd3fb498505befb1fdf70cb64d5016eae496c9e
SHA512 eb1d74b5a16b694768142576d3f2549d6450c4f48225f3e309dcd1e230f5b3eb5012bf0d338b8cdbc5fa2f7fa014a66438f21b54082a69f1e34a9393a9cf6f65

/storage/emulated/0/lbt.txt

MD5 a8ae2cb2fedef77e1047c16d7a00dcce
SHA1 20e3eb35bcc3bc662fcc736cbf842cbf84b4acdd
SHA256 9bafa5c142f03c97c564f0314832318a3985de42b5d0a30f2af01b4e90ed1ce5
SHA512 0abf44a2e4dd8634522569b81ec91748a296e3630e38a4b11a2038707f9cbc64184182b108979138394673b153108d2765c3e6cbbebf3338e761147802152e67

/storage/emulated/0/lbt.txt

MD5 7275c9cd7b5d1cd6b14770f999215769
SHA1 f10817362df96b27777330f7534ea57ccb98167d
SHA256 bffcdec3552ea31749ebd8c4f6492cddd739a55cd2c26d3a105f7dbcdd9a793c
SHA512 dcb9f8f5a3b46e11bcc2c7d3b8d84751a0542e71abe122db65a42ce5de7f67ff20e12c9ebefa315ff4ac1ea219e465003c403ba4cfc2ed636e37e82349c97107

/storage/emulated/0/lbt.txt

MD5 76b35749d65d14e46385dc67266e23b5
SHA1 9f743fbd5f7e951547223fb1971f451f186f7f76
SHA256 c373dc780f3541f72f771e7c68345201d894ccdc4c0a89e010a00fe46ac254cd
SHA512 d4c34d79176c05b3f2879ce11a4597ae2fbf81c8498f635bb29e5e72e4c8ab9771f3409fc1193895bcafe9e9324c668dfac4d957234d95208f25fc1318f1033c

/storage/emulated/0/lbt.txt

MD5 e79a8eb1e41a8b936357225f0f49944b
SHA1 6b062cafed8b7cfdae259fca0dfcc2a98a7bf3ae
SHA256 4d333684a44408fb6b6f8c218a383d1610684d996803f2983cc11994d7cb8c85
SHA512 9a4a5eb89c42e66f0ca3566732fbe4481e4fded8cba8ef1aa39448c421b81863ffec475bd268edb05fb598745d5b24ce06f09c28309957ad45034fc1a4cd4b13

/storage/emulated/0/lbt.txt

MD5 e5805ed650f7e793048a5bb84e76fbc6
SHA1 292b6246c60b5af9de80dacfad243d6611a994b7
SHA256 88205fc1396eac15f521c71e5c7871a21627ab6495f52830e84c192ea7548bad
SHA512 40a3960077602cfad133de025c6463708d30b84beca93d44025b064384709dc596394b6622dd40678e26cebaa05bd300bb7b89a5e2425fc7ab436e9862abe02a