Malware Analysis Report

2024-07-28 14:46

Sample ID 240608-vx83cadg41
Target VirusShare_e09e167e47a753b7eb20583ac507b231
SHA256 e24ad9004cb46df8047944c468c8e67581e88e35bd3ec7f9e9748543f3cb8d29
Tags discovery evasion impact privilege_escalation stealth trojan
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 8/10

SHA256 e24ad9004cb46df8047944c468c8e67581e88e35bd3ec7f9e9748543f3cb8d29

Threat Level: Likely malicious

The file VirusShare_e09e167e47a753b7eb20583ac507b231 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact privilege_escalation stealth trojan

Removes its main activity from the application launcher

Queries the phone number (MSISDN for GSM devices)

Queries information about active data network

Reads information about phone network operator.

Tries to add a device administrator.

Queries the unique device ID (IMEI, MEID, IMSI)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-08 17:23

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-08 17:23
Reported 2024-06-08 17:31
Platform android-x86-arm-20240603-en
Max time kernel 133s
Max time network 171s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.install.l

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.201.110:443 | | tcp
GB | 142.250.187.194:443 | | tcp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp

Files

/storage/emulated/0/lbt.txt

MD5 08334557de60428134e3a581b577cd8c
SHA1 1d84ee43f97b39b93da6f48040e96444fbc0e975
SHA256 a0b0314e7bf941e302fd1fafb4aad875fc1646cb44bf5beb3fb2c467f8879ef2
SHA512 1b6472ad5f878d4ca5a6c77381f749031b15acadfb477128f55f22bec9ba8574759b861d70d1084d973fa56fbd796f84a56d3c72e58bf06c13a08cf2e22f5804

/storage/emulated/0/lbt.txt

MD5 e966df3575a3aa06b2c3399cf2b244ff
SHA1 a19ea1f8556c44f9945faeff3f7887ca2f613a0e
SHA256 b4390e2a0d0eb22b9df6f26bd7a59985e2961ab17d9fb063024112282854dcda
SHA512 7c1993d81417b57af2c4f033f107138604e305ff2c40d9a3bd3dc4058df23ef513ba2c52d68c2444ae5c747f8e945c9b13e4ce8add1733c1ae7f3411164b82cc

/storage/emulated/0/lbt.txt

MD5 0b9ec47fa09a02783e4421bd5db2f715
SHA1 84195feb2d665ff820ca60de041d0d3eff8bad48
SHA256 0fc3586672e6031e1ae7a8f50b97647c407e59ce0ad2e793a3d264217b0e1739
SHA512 9e1ec90322760e31dfaeff653f1088059a320c8fe0a9c531c76a62c8ce051d0613b7bda55a73a0667ccdfefa2cca8ad8470f95bd1801690a1f7889a3a36d872b

/storage/emulated/0/lbt.txt

MD5 22e54f2dd356ea1030944ae3fbc7cd03
SHA1 ca8b5878ba422fe895ee0a00c8ad3d162fadda81
SHA256 56848e99960f4e097db9f0e4123a7749b32e81d797f6d8c3f3679fa791864466
SHA512 4a676a3ae4a2ac83187abc22c1edc617c0da8aef98fd3a6680453af6efe4becd5799465001ec0d1da78804869b42bbea191fb64731706fa15cf40d2ab516d290

/storage/emulated/0/lbt.txt

MD5 6498bf5889ff6f79ae43fa01cc92b468
SHA1 5ca5a6d0718175cd82c85edcc37740a900a043d2
SHA256 4811fb52cec00cd2cf55bf6660117de6abbeabfe623121d18b6358c1de15bbf0
SHA512 d023f4b3d4d133b8eb19e8f17be8b9966b8d1b1d0e2962090cb76347db71e032c4bfae08a82a29c8e2a32b944257fe072e6450652e3f85a9591f2545f1ef3a4b

/storage/emulated/0/lbt.txt

MD5 2fea15495262df764fae3a563d069362
SHA1 af85845342b30b24ca859007a36d2eecb86255b0
SHA256 11f855d61e4e086a0bf61833776b44d2c0cc7d4ec221ecb5b185c915e990d34e
SHA512 4729304f51796a5c0a9659f8bf877f072cd1f1f852be8879cfc62dc344aad60cf0104ff6f9b063a7f1f48679c406da3dce0e0d18739b8de8906e2effdc2369f3

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-08 17:23
Reported 2024-06-08 17:30
Platform android-x64-20240603-en
Max time kernel 140s
Max time network 180s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Processes

com.install.l

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.169.78:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 216.58.204.78:443 | | tcp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp

Files

/storage/emulated/0/lbt.txt

MD5 088525454e3e7244196df38e5f81c273
SHA1 478fe226f125869d61a8e02e73623b5486c0b996
SHA256 e924b954e96fb8ae38a739659f8fb2762e94dfa3cedddbc3044b87c6acb0cc87
SHA512 a071edf88a17d8a0f65ddd8380187b613e2c680142cde7218638a3e4dee1102666a70685db62292acab987aabb4cd398394d3e6dae8e59f4502d34d26437790d

/storage/emulated/0/lbt.txt

MD5 3cac3db92381d625a2a80a00e526dfed
SHA1 4c37894e80625feb6ad5c9591a877f9e515c91ab
SHA256 99982d878240a3f38599e2f98995c80daea832e5fda929459960d419e7c5dff6
SHA512 d923cda049df2efe8268823d6c88f09a8bbec16a48c35cf88a5c8d9a2b0c09bc57623d27cf92a5b2ad0bfa74c7ef0058469fd18079337671437608967ea41b7d

/storage/emulated/0/lbt.txt

MD5 bc86441f0c29f82dd683ecf84d098dc6
SHA1 cd2e38407cfbbc1602d15eceec23c637bc8009fe
SHA256 87514face63a043903159c8a418b42460e8ed54e38e09b86b50463e745584e24
SHA512 9b67bf0b5619e0c242d51d165781c9ce4c29cc4a4fe2139b5b727b780d01e9ff9caf3f51d22cd27a4c86b4cf3ce2cf5190bec8d109aaf3ca38f1486c8773e92d

/storage/emulated/0/lbt.txt

MD5 52b58db3316b897edb13c5bdcdf14962
SHA1 024a75f1b8452c1eab8cf323cd4f82516fa92102
SHA256 c8caf54de58aad61381f640de744fb428bed745b866bdac94259c0889bd324ed
SHA512 1c543cb0c1d7c29dbda719abf62a1e995cda2f6af2f22b54bf7dd950a453b5232683656eb6042317234da01d89b3f2da16db3c818bcf16f48afb2db0c6502179

/storage/emulated/0/lbt.txt

MD5 73e8ea8b45a1d294438985e5fcb4ec28
SHA1 d3437b5d2662c6f733f817d1d4046425c9c50a02
SHA256 363fdb521398bb75c09db67efe125e8edaa94a5ca0e9ea99558db89f1a175115
SHA512 d3bed53132976db60278d3c4a63f80f35659846c9b6bd25927cf47e94fdf1592356181a79a995036655ea448d2650405a221d6bddcaeb72944308c3b3fd3212a

/storage/emulated/0/lbt.txt

MD5 dcf1f757e2d581b3ed8e81a8ea6dfdb0
SHA1 d26c224aca8f6b2c6d282523468ef2fe7894e249
SHA256 fae5c92bc50fbdb8d8a998a517787474f04e56b526023f67971b00defce515c7
SHA512 49833d5b6eb9e630528d47624f0b341bb8b8b72b9171e4be95a3f1446b9d92d1f052000d182dfcdbf824151b076d1f76f02a449052845c194c6451f936e5e8bd

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-08 17:23
Reported 2024-06-08 17:30
Platform android-x64-arm64-20240603-en
Max time kernel 137s
Max time network 178s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.install.l

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
PL | 212.59.240.32:7 | | tcp
PL | 212.59.240.32:80 | | tcp

Files

/storage/emulated/0/lbt.txt

MD5 ef03f8f234dd0b3249c6d870a6c7aaad
SHA1 56661a14cd30db8ccce88c8ac6a5d19d66b16277
SHA256 ea3caf2750b92187dd18a627d619b55f32a218eac08854c835cd73a7a2a8b7df
SHA512 5713e839defce55753c45ed0b070265b73886633c68f42735141a4d7cb8944f06cfd9005f2adbd92c0184f70a658779f256cd87e790a4f38460acbf2f35c40e3

/storage/emulated/0/lbt.txt

MD5 2158fa7dd0add76533e5aaa39d2f274d
SHA1 592ff7f8d955633ddab33d32fee79425785ac8a4
SHA256 5dbb1973ebb202d4b7d29c3eadc941c1a7027af92373e48926bac6bff56402b4
SHA512 fe4b565ee356d6eda8207f630f9f8e4b9f8fb4088e07e216e684daa787d4168118ccfa92b1b0cd6117daead87cecda0de7248274a23165de1db5d71cea081d11

/storage/emulated/0/lbt.txt

MD5 fc21a217f29e6c0ad8c651c1625fd104
SHA1 3e59c608b4599d33f24318d1b064b06041cafb8b
SHA256 e59405f41691787d84c86cf64672917ab7300011194ba774aaef187f9879c18d
SHA512 bb7a8325348ebad4cd90f3ce39d99e56325695311a07581d66357d0e235c4d8f57917c2cefc6e1c247620c2547524dce069e5861018650b24f4ca025ce90d09d

/storage/emulated/0/lbt.txt

MD5 1749f26f2a92ec8e74df5dad2db85d2c
SHA1 0c651903735113ba0a8d34401717cf03f78ebf7b
SHA256 6c331b5ffb457026bbe5f308ed2b7529bd88b590605f15c4c8c75839379ef1da
SHA512 0eb96954648e4cf2d38b8e134ba00a8c0c71fdf883c5ea739aa9f0172b14c1c828be6de05156ce9ed7966205fc279ef567be664a0accd1fc28e590bb58bfce2c

/storage/emulated/0/lbt.txt

MD5 7621f0653645a66c1cf6a32b7f84e6b7
SHA1 973370ffb05f0ff9c914582639808d3f9107e3f3
SHA256 e29cadb29f2d2edede7721e6dc21abdfdf54427a2223939dce854c615033f9a1
SHA512 dfb8b021af8053511887b7daa4ca85e2f02e6f5bc8eb1564aabbd8c2f1b989444defb2d0e4be685c9bea8bf7afd11cee2035d73f870fc2b5ba4be396ecf19856

/storage/emulated/0/lbt.txt

MD5 6cb2603bc247d50bae38bcb5e02b34a8
SHA1 53f31b7025a090ff0c82a1a52961c84db4e71d84
SHA256 72b92da45284f4153e3e515e1d81d5be9fee91294c3aa9347e7905b0aab4d49a
SHA512 b97fd681eddc68eae5f0b3e6d78c6de31ca91493c81093d06cc1b2670c8ac93f2c49b5c4a65842d81008e2aa7fa67995e2a9caa8f91aa4ca14292748a565a091