Malware Analysis Report

2024-09-09 16:29

Sample ID 240609-s7g1hacg63
Target Hamster Cоmbot Bывод.apk
SHA256 608bccf44f236542d708efc9e8d81372bb1a941969f267b315772acd370d2b06
Tags: collection credential_access impact discovery persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256 608bccf44f236542d708efc9e8d81372bb1a941969f267b315772acd370d2b06

Threat Level: Shows suspicious behavior

The file Hamster Cоmbot Bывод.apk was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access impact discovery persistence

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests changing the default SMS application

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-09 15:45

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-09 15:45

Reported

2024-06-09 23:15

Platform

android-x64-arm64-20240603-en

Max time kernel

320s

Max time network

1164s

Command Line

com.example.application

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.example.application

Network


Files

/data/misc/profiles/cur/0/com.example.application/primary.prof

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat


Analysis: behavioral3

Detonation Overview

Submitted

2024-06-09 15:45

Reported

2024-06-09 23:15

Platform

android-33-x64-arm64-20240603-en

Max time kernel

280s

Max time network

1165s

Command Line

com.example.application

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.example.application

Network


Files

/data/misc/profiles/cur/0/com.example.application/primary.prof

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.example.application/files/profileInstalled

/data/misc/profiles/cur/0/com.example.application/primary.prof


Analysis: behavioral4

Detonation Overview

Submitted

2024-06-09 15:45

Reported

2024-06-09 23:17

Platform

android-x86-arm-20240603-en

Max time kernel

319s

Max time network

1222s

Command Line

com.example.application

Signatures

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests changing the default SMS application

collection impact
Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.example.application

Network


Files

/data/misc/profiles/cur/0/com.example.application/primary.prof

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.example.application/files/profileInstalled

/data/misc/profiles/cur/0/com.example.application/primary.prof


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-09 15:45

Reported

2024-06-09 23:15

Platform

android-x64-20240603-en

Max time kernel

317s

Max time network

1229s

Command Line

com.example.application

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.example.application

Network


Files

/data/misc/profiles/cur/0/com.example.application/primary.prof

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.example.application/files/profileInstalled

/data/misc/profiles/cur/0/com.example.application/primary.prof
