Malware Analysis Report

2024-07-28 14:50

Sample ID: 240609-3twa3shc69
Target: VirusShare_e09e167e47a753b7eb20583ac507b231
SHA256: e24ad9004cb46df8047944c468c8e67581e88e35bd3ec7f9e9748543f3cb8d29
Tags: discovery, evasion, impact, privilege_escalation, stealth, trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10

SHA256: e24ad9004cb46df8047944c468c8e67581e88e35bd3ec7f9e9748543f3cb8d29

Threat Level: Likely malicious

The file VirusShare_e09e167e47a753b7eb20583ac507b231 was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, impact, privilege_escalation, stealth, trojan

Removes its main activity from the application launcher
Queries the phone number (MSISDN for GSM devices)
Queries information about active data network
Tries to add a device administrator
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Reads information about phone network operator
Queries the unique device ID (IMEI, MEID, IMSI)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-09 23:48

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-09 23:48
Reported: 2024-06-09 23:53
Platform: android-x64-arm64-20240603-en
Max time kernel: 137s
Max time network: 178s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Tries to add a device administrator

Tags: privilege_escalation, impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.install.l

Network

Country | Destination            | Domain                   | Proto
N/A     | 224.0.0.251:5353       |                          | udp
GB      | 172.217.16.238:443     |                          | tcp
GB      | 172.217.16.238:443     |                          | tcp
PL      | 212.59.240.32:7        |                          | tcp
US      | 1.1.1.1:53             | ssl.google-analytics.com | udp
GB      | 142.250.187.200:443    | ssl.google-analytics.com | tcp
PL      | 212.59.240.32:80       |                          | tcp
GB      | 172.217.169.68:443     |                          | tcp
GB      | 172.217.169.68:443     |                          | tcp
PL      | 212.59.240.32:7        |                          | tcp
PL      | 212.59.240.32:80       |                          | tcp

Files

/storage/emulated/0/lbt.txt

MD5 a6e019f24cc72ca3168f82156c054f20
SHA1 f0704395844e3151111dc9d3e2304fdc29a4942a
SHA256 9e0b975d91b3e17827560d691f408cc73cbd77c2b678455578447c2bffea4903
SHA512 ea47db6aac704eb69267763c47f90a683345c45faadaaad7457c4f78367b0f32a3ce98a66fdcb3ab4d9b182c0fc070c9dcc0e738beab4573bf4847c5849db725

/storage/emulated/0/lbt.txt

MD5 80b62a13b6628256fd53899405bcc58f
SHA1 2c454aed8364fef6e4e8871b28cd2f0e3c1f5ae6
SHA256 1e6bcf5cd7eb94a614c7a63119cd16645cabb237f9e1d4cb8f7465460f1f44e8
SHA512 ea32c65b44fda47047edcff14646b0cc579ff499f0191b0473ef6d1757f1a3799999a63a117105db15b3cc154b2536126aa4ebcf50596504155e8da05c2ab5e3

/storage/emulated/0/lbt.txt

MD5 07de6ef6c230019aa1c7992dc178e99a
SHA1 7fe36a41bd7cb8f0973f682b568e4e1e654f4537
SHA256 dfb6b2dbc8e937e866593ab8137dc803e556088f0c856a9c62d35def359a44b6
SHA512 a75c558e28c1e0db32aeece74eed9619b5b3463be116b4043002e745dde4fac47bf62c9f3cc9297efd5f1be4ce0b08e65ab28df802ed9391c8a28947ee71c846

/storage/emulated/0/lbt.txt

MD5 1bfd27255dd6c0bb69fce72f930d2b41
SHA1 56933d5aedf3899c7ee6cf3ae4d828aca1e2c14d
SHA256 77e46d8dbbab86d5373e2ac656153be8c1368015a6a44ef1cc733d3407691ecf
SHA512 ce68871ae8182e3ff3acea2cb360bf210569626b2d3aac5c4d4611d8b18c4c853d5cd5372e6a4ce2a4d1eeb8be1a2f557469ee3bd7464bdfbc11edea2e7f802a

/storage/emulated/0/lbt.txt

MD5 1e4fcaa0d345ae6b06790cf4be5b0e1f
SHA1 6cd0f0ab82bd010e759d5458421d5fddb1ef656a
SHA256 4cb92bf60dc8344a8400508e135a267654daa23583f34f773bac617e9deccddf
SHA512 ae9994093b6fcfc99555c60de133d45d1cce0e098f4ada3c484899efa1ffd27b3268b6d60bd2a56de94b70b4bed7f87738959414b0e9ae758376d6296060eac9

/storage/emulated/0/lbt.txt

MD5 6b073e05291f1508d72b28e080acf27b
SHA1 faf8ecafafd385243fa9abca4395ae385bc5f68e
SHA256 13088c270f8b0cc43f397fba507f407cfc31e889a759f1144077cb5515041b1e
SHA512 f2c608cd6340db3d54c451d22807597b6b048b39c28a42aa9e43f8ee50d16c7597987d6d75bfbb9380ee138d194ed19baaec6d76dec547f9b137db7f347ca9b1

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-09 23:48
Reported: 2024-06-09 23:53
Platform: android-x86-arm-20240603-en
Max time kernel: 134s
Max time network: 174s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator

Tags: discovery

Tries to add a device administrator

Tags: privilege_escalation, impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.install.l

Network

Country | Destination            | Domain                  | Proto
N/A     | 224.0.0.251:5353       |                         | udp
PL      | 212.59.240.32:7        |                         | tcp
PL      | 212.59.240.32:80       |                         | tcp
GB      | 142.250.187.206:443    |                         | tcp
US      | 1.1.1.1:53             | android.apis.google.com | udp
GB      | 142.250.187.206:443    | android.apis.google.com | tcp
GB      | 216.58.201.110:443     |                         | tcp
GB      | 142.250.187.194:443    |                         | tcp
PL      | 212.59.240.32:7        |                         | tcp
PL      | 212.59.240.32:80       |                         | tcp

Files

/storage/emulated/0/lbt.txt

MD5 995511ee6af5bc9201cda023ce9f1091
SHA1 06d1b2a980519f5b39f4226e79ee135f5e99307a
SHA256 3a16cb409361ad6069771ca7b4ace626b7fdcc978594af69d2b38e7ba697e1b9
SHA512 f4d56e859ca41b80311a35e6985c11bfc69b9b72cb68b1e85ff50146f228c7b825583cba0fb11ca2fe8c7407346090b29de87ebd600c66cd7db2599d3bb50852

/storage/emulated/0/lbt.txt

MD5 395974b2700d034e93ec8d8adf8d7b4a
SHA1 6c4a28160755138700cfcaca010484af04fd9937
SHA256 e171e59cf3c3ca2cfc6eefd6f24f37b70af67abe2f6a80074c5eee1ce8ba82a8
SHA512 456e958856bcb494975fa14371f5c6bafbb7ad2cd6dca8ff499967afc1c420459f2e818d6368c268d8d2e016e5d3a741c08828b5fce9c4a5a5cf91326e15b049

/storage/emulated/0/lbt.txt

MD5 8b46a82b345f9ca1cf9760166a6b5acc
SHA1 e4fd2cb7b346aef46ae7eb3ea204e0ad6534d913
SHA256 70001c96e9fb85da340b75c187c17d18bb6a4c324058b8f3ff498ec1221a1116
SHA512 5d482c21199d5511572f3830190c09df3cce439428c35486a7992a0d123d83b55d7da67080f1a22908eb82dd3fc2a1f8905997a558fb5684ccee6361f837905e

/storage/emulated/0/lbt.txt

MD5 f701d4d53d7b9bfd69ec46831c9581f6
SHA1 06eb47cd30f7ef256206270c8fea6afd3a8ef5c3
SHA256 9a6575f391cf8f238bc139ce2fd8464ffb5a427dc23a4d6fdf90294219ab4e58
SHA512 2bcd5d2a31485ac609931c862d48fe374571aec95cc20253bbd966abc79b2145714b89a14dddb9a17b4ccb6302d62dea5cf7d476fb629ab26d33b12d08cb5d54

/storage/emulated/0/lbt.txt

MD5 7c17704e91a810c39f182031a6b42839
SHA1 4438af9b74c1c69d9cbd12a01c77e8a7823ddc71
SHA256 44b5eba68eb3469e6e843cfeef23c3b37dcff5099e9150e4021332f8364d8e48
SHA512 92c16435d534de169926299ef3d18c0d703fc4a1acfbae2a56155593ff0d31e8ee943a2ed9113718acfe3c8ee9434a0297fee42a9eecae1f090ab4077496529b

/storage/emulated/0/lbt.txt

MD5 1622371b54e25e735aabe2030078da7d
SHA1 433f4bd39f90174d657e626df445518de2d04253
SHA256 8fde55fc6e9326bf7e6d06d7d20f22aecb086a3a0da306002f652068c31e6cef
SHA512 da47ab4eff63565ce84aee411fb444d3241770b016f78914ac2abe3dcc8b75cfddeaa7bf2f0262a8fcaaf75788844aa74c0e826d98e3277d4ca322165496ffb0

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-09 23:48
Reported: 2024-06-09 23:53
Platform: android-x64-20240603-en
Max time kernel: 141s
Max time network: 183s

Command Line

com.install.l

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

Tags: discovery

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Reads information about phone network operator

Tags: discovery

Processes

com.install.l

Network

Country | Destination            | Domain                   | Proto
N/A     | 224.0.0.251:5353       |                          | udp
PL      | 212.59.240.32:7        |                          | tcp
US      | 1.1.1.1:53             | ssl.google-analytics.com | udp
GB      | 142.250.200.40:443     | ssl.google-analytics.com | tcp
GB      | 216.58.201.106:443     |                          | tcp
PL      | 212.59.240.32:80       |                          | tcp
US      | 1.1.1.1:53             | android.apis.google.com  | udp
GB      | 142.250.187.206:443    | android.apis.google.com  | tcp
GB      | 142.250.179.238:443    |                          | tcp
GB      | 142.250.187.226:443    |                          | tcp
GB      | 142.250.200.36:443     |                          | tcp
GB      | 142.250.200.36:443     |                          | tcp
GB      | 216.58.212.206:443     |                          | tcp
PL      | 212.59.240.32:7        |                          | tcp
PL      | 212.59.240.32:80       |                          | tcp

Files

/storage/emulated/0/lbt.txt

MD5 d7425d2bc8e3fc555cae203a9efb1a16
SHA1 c8ff7b85c9c294b16761771f45f196d1dae1cc47
SHA256 d787db9755a9b2d42f456daca6944f574c221dd908286f9f9d07bdcc7772d4e8
SHA512 6d95d0e8564d3007f6a60025175f6cedf266ec1deb022afbd4c31716426f65caa1e8968fecf712089be8c6e994f1ad85ea4a88f5dde4c660544a4efa4944b3f2

/storage/emulated/0/lbt.txt

MD5 1635b7c71ceb6182ff3b41f5a84c44b2
SHA1 23e63b2e2848d2e9fadc1d873953b9a2aea7d03b
SHA256 ea1ed04dbd4af18cb58ec76ee6ff8a514bd65b5c679701fa42e579aeb6f37b8c
SHA512 8a0ed281e495e4db8c54cd87f297f0f605c72e164b59833b18cd5ecf3867f751e70fc03b9bcdfbd606770c34efd61b1d4f8de9c656e7c958d1cedbf22647534d

/storage/emulated/0/lbt.txt

MD5 140fb4e811b6b6cf002d00565f90f6c0
SHA1 b1f21c26325851287606de4235c0d65830e0d40e
SHA256 5796f9a6b861fc54eda8934143398b8230581f4027e7907dfb4731d384908e00
SHA512 42dd609519d1f65a46f917718c4c676bb3f26dd257d70317af62fb8f0a066c65827722acf43a0dd8c38c7ad537cfb103e65dc3d5b2d5ad25c9cfb156a8011972

/storage/emulated/0/lbt.txt

MD5 1e4fcaa0d345ae6b06790cf4be5b0e1f
SHA1 6cd0f0ab82bd010e759d5458421d5fddb1ef656a
SHA256 4cb92bf60dc8344a8400508e135a267654daa23583f34f773bac617e9deccddf
SHA512 ae9994093b6fcfc99555c60de133d45d1cce0e098f4ada3c484899efa1ffd27b3268b6d60bd2a56de94b70b4bed7f87738959414b0e9ae758376d6296060eac9

/storage/emulated/0/lbt.txt

MD5 1bfd27255dd6c0bb69fce72f930d2b41
SHA1 56933d5aedf3899c7ee6cf3ae4d828aca1e2c14d
SHA256 77e46d8dbbab86d5373e2ac656153be8c1368015a6a44ef1cc733d3407691ecf
SHA512 ce68871ae8182e3ff3acea2cb360bf210569626b2d3aac5c4d4611d8b18c4c853d5cd5372e6a4ce2a4d1eeb8be1a2f557469ee3bd7464bdfbc11edea2e7f802a

/storage/emulated/0/lbt.txt

MD5 d2e9e0ac443f54409f616bc3bb45bfa1
SHA1 3d7132330ea5e3717d24dd33b102b73a42f5d6af
SHA256 d4fef4586aa924b8ff54f88d8c1b909abd6288ad4cde3d5ab65dfd9412bc82a4
SHA512 cbe6882583d3ef0ceadfca8605de6dd35050e4042b9e5056e00ba04757211597fc066ac3590988bcbe12b0a4eabfc7667394c120ec46a5eafa7ac69bb960c7ce