Malware Analysis Report

2024-09-09 16:29

Sample ID  240609-sxcysscf37
Target     Hamster Cоmbot Bывод.apk
SHA256     608bccf44f236542d708efc9e8d81372bb1a941969f267b315772acd370d2b06
Tags       collection credential_access discovery impact persistence
Score      7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 608bccf44f236542d708efc9e8d81372bb1a941969f267b315772acd370d2b06

Threat Level: Shows suspicious behavior

The file Hamster Cоmbot Bывод.apk was found to be: Shows suspicious behavior. The file name mixes Latin and Cyrillic letters (Вывод is Russian for "withdrawal") and is apparently themed on the Hamster Kombat tap-to-earn game; the installed package name, com.example.application, is the Android project template default rather than a real publisher identifier.

Malicious Activity Summary

collection credential_access discovery impact persistence

Obtains sensitive information copied to the device clipboard

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests changing the default SMS application.

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Read together, the static and dynamic findings describe an app positioned to intercept one-time codes: it declares READ_SMS, RECEIVE_SMS and RECEIVE_MMS, ships a service bound with BIND_NOTIFICATION_LISTENER_SERVICE, opens the notification-access settings page and the default-SMS-app dialog (both require the user to consent), and registers a clipboard change listener. Neither detonation records an SMS actually being read or sent; the signatures record permission declarations, intents and listener registrations, not the collection itself. The two runs also differ: the notification and default-SMS intents fired only on the first image, the clipboard listener only on the Android 13 image, so neither run alone shows the full behaviour. The /proc/cpuinfo, /proc/meminfo and javax.crypto.Cipher.doFinal hits are routine for bundled analytics SDKs and carry little weight on their own.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported 2024-06-09 15:29

Signatures

Declares services with permission to bind to the system

Indicator   android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
Description Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. The user grants it from the system notification-access settings; once granted, the service receives the content of every posted notification, including SMS and authenticator codes that are shown as notifications.
Process     N/A
Target      N/A

Requests dangerous framework permissions

Process and Target are N/A for every row.

Indicator                            Description
android.permission.READ_PHONE_STATE  Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE        Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_SMS          Allows an application to read SMS messages.
android.permission.SEND_SMS          Allows an application to send SMS messages.
android.permission.RECEIVE_SMS       Allows an application to receive SMS messages.
android.permission.RECEIVE_MMS       Allows an application to monitor incoming MMS messages.
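
The static findings above can be reproduced from a decoded manifest without a sandbox. The script below is an added example by the editor, not part of the sandbox output: it reads an AndroidManifest.xml (as apktool decodes it), lists the dangerous SMS/telephony permissions, finds components bound with a system-only BIND_* permission, and checks whether the app declares the four components Android requires before it will be offered in the default-SMS-app dialog that Telephony.ACTION_CHANGE_DEFAULT opens. The embedded manifest is constructed to mirror this report's permissions; the package name is the one the sandbox reported, the component class names are placeholders.

```python
"""Static triage of a decoded AndroidManifest.xml: dangerous SMS/telephony
permissions, system-bound components, and default-SMS-app eligibility.

Added example for this report, not part of the sandbox output. The manifest
below is CONSTRUCTED to mirror the reported permissions; component names are
placeholders. Usage: python manifest_triage.py [AndroidManifest.xml]
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Key for an android:attr attribute as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{attr}"


# Runtime ("dangerous") permissions relevant to SMS/telephony interception.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.RECEIVE_MMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
}
# Signature-level permissions the system places on a component it binds to.
BIND_PERMS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device admin",
}
# Intent actions (with the component type that must carry them) Android checks
# before listing an app in the default-SMS-app dialog. Simplified: the SENDTO
# activity must additionally declare sms/smsto/mms/mmsto data schemes.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER": "receiver",
    "android.provider.Telephony.WAP_PUSH_DELIVER": "receiver",
    "android.intent.action.SENDTO": "activity",
    "android.intent.action.RESPOND_VIA_MESSAGE": "service",
}

# Constructed sample manifest (placeholder component names).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.application">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <application android:label="Hamster">
    <service android:name=".NotifService" android:exported="true"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <receiver android:name=".SmsRx" android:exported="true"
        android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {e.get(a("name")) for e in root.iter("uses-permission")}
    bound, sms_actions = [], set()
    for comp in root.iter():
        if comp.tag not in ("service", "receiver", "activity"):
            continue
        perm = comp.get(a("permission"))
        if perm in BIND_PERMS:
            bound.append((comp.tag, comp.get(a("name")), BIND_PERMS[perm]))
        for action in comp.iter("action"):
            name = action.get(a("name"))
            if DEFAULT_SMS_ACTIONS.get(name) == comp.tag:
                sms_actions.add(name)
    missing = sorted(set(DEFAULT_SMS_ACTIONS) - sms_actions)
    return {
        "package": root.get("package"),
        "dangerous": sorted(perms & DANGEROUS),
        "bound_components": bound,
        "default_sms_eligible": not missing,
        "default_sms_missing": missing,
        # Either path on its own is enough to see SMS/OTP content.
        "can_read_sms_or_notifications": bool(
            perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
            or any(kind == "notification listener" for _, _, kind in bound)
        ),
    }


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, value in triage_manifest(src).items():
        print(f"{key:30} {value}")
```

For this sample the sandbox only saw the ACTION_CHANGE_DEFAULT intent; whether the manifest actually declares all four default-SMS components (and so whether the dialog would ever show the app) is a check worth running on the real APK, since a request that can never succeed changes the reading of the signature.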

Analysis: behavioral1

Detonation Overview

Submitted         2024-06-09 15:29
Reported          2024-06-09 15:35
Platform          android-x86-arm-20240603-en
Max time kernel   127s
Max time network  157s

Command Line

com.example.application

Signatures

Queries the mobile country code (MCC)

Tags        discovery
Description Framework service call
Indicator   com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process     N/A
Target      N/A
Note        Returns the ISO country code of the current operator network, derived from its MCC; a cheap check for gating behaviour by region.

Requests accessing notifications (often used to intercept notifications before users become aware).

Tags        collection credential_access
Description Intent action
Indicator   android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS
Process     N/A
Target      N/A
Note        Opens the system "Notification access" settings page; the user must toggle the app on there before the BIND_NOTIFICATION_LISTENER_SERVICE service declared in static1 receives anything.

Requests changing the default SMS application.

Tags        collection impact
Description Intent action
Indicator   android.provider.Telephony.ACTION_CHANGE_DEFAULT
Process     N/A
Target      N/A
Note        Opens the system dialog asking the user to make this app the default SMS app. If accepted, the app alone receives SMS_DELIVER broadcasts and can write to the SMS provider; together with READ_SMS and RECEIVE_SMS this is the access needed to capture one-time codes.

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags        persistence
Description Framework service call
Indicator   android.app.IActivityManager.registerReceiver
Process     N/A
Target      N/A
Note        Near-universal in legitimate apps; the sandbox does not record which intent actions were registered, so this hit alone does not establish persistence.

Uses Crypto APIs (Might try to encrypt user data)

Tags        impact
Description Framework API call
Indicator   javax.crypto.Cipher.doFinal
Process     N/A
Target      N/A
Note        Routine in bundled analytics SDKs; weak evidence on its own.

Checks CPU information

Description File opened for read
Indicator   /proc/cpuinfo
Process     N/A
Target      N/A

Checks memory information

Description File opened for read
Indicator   /proc/meminfo
Process     N/A
Target      N/A
Note        Both /proc reads are typical of device fingerprinting and emulator checks in SDKs; the report does not show how the values were used.

Processes

com.example.application

Network

Platform background traffic (mDNS on 224.0.0.251:5353, the 1.1.1.1 resolver, *.googleapis.com, android.apis.google.com, www.google.com, update.googleapis.com) comes from the emulator image and Google services, not the sample. mc.yandex.ru/.com, websdk.appsflyer.com, wa.appsflyer.com and wa.onelink.me are analytics and attribution SDK endpoints; static.xx.fbcdn.net is Facebook's CDN. The traffic attributable to the app itself is to www.mamba.ru, several *.wmbcdn.com hosts, ph.mobile-api.ru and the bare IP 77.91.124.14:260, which is contacted three times with no preceding DNS lookup, on a non-standard port, and appears in both detonations; it is the indicator most worth pivoting on. Consecutive identical connections are collapsed into the Count column; "-" means no domain was recorded.

Country  Destination              Domain                              Proto  Count
N/A      224.0.0.251:5353         -                                   udp    1
GB       142.250.179.234:443      -                                   tcp    1
US       1.1.1.1:53               semanticlocation-pa.googleapis.com  udp    1
GB       172.217.16.238:443       -                                   tcp    1
US       1.1.1.1:53               android.apis.google.com             udp    1
GB       142.250.187.238:443      android.apis.google.com             tcp    1
FI       77.91.124.14:260         77.91.124.14                        tcp    1
GB       216.58.212.202:443       semanticlocation-pa.googleapis.com  tcp    1
US       1.1.1.1:53               www.mamba.ru                        udp    1
DE       185.165.123.195:443      www.mamba.ru                        tcp    1
FI       77.91.124.14:260         77.91.124.14                        tcp    1
US       1.1.1.1:53               static.wmbcdn.com                   udp    1
US       1.1.1.1:53               ams3.wmbcdn.com                     udp    1
US       1.1.1.1:53               ams1.wmbcdn.com                     udp    1
US       1.1.1.1:53               ams2.wmbcdn.com                     udp    1
DE       138.113.209.188:443      ams2.wmbcdn.com                     tcp    15
US       1.1.1.1:53               mc.yandex.ru                        udp    1
US       1.1.1.1:53               ph.mobile-api.ru                    udp    1
US       1.1.1.1:53               websdk.appsflyer.com                udp    1
RU       93.158.134.119:443       mc.yandex.ru                        tcp    1
GB       2.19.117.97:443          websdk.appsflyer.com                tcp    1
RU       193.0.170.25:443         ph.mobile-api.ru                    tcp    2
US       1.1.1.1:53               wa.onelink.me                       udp    1
GB       108.156.46.128:443       wa.onelink.me                       tcp    1
US       1.1.1.1:53               mc.yandex.com                       udp    1
US       1.1.1.1:53               wa.appsflyer.com                    udp    1
GB       13.224.222.49:443        wa.appsflyer.com                    tcp    1
US       1.1.1.1:53               cdneu.wmbcdn.com                    udp    1
NL       138.113.211.225:443      cdneu.wmbcdn.com                    tcp    1
FI       77.91.124.14:260         77.91.124.14                        tcp    1
RU       193.0.170.25:443         ph.mobile-api.ru                    tcp    1
US       1.1.1.1:53               www.google.com                      udp    1
GB       142.250.200.36:443       www.google.com                      udp    1
GB       142.250.200.36:443       www.google.com                      tcp    1
US       1.1.1.1:53               static.xx.fbcdn.net                 udp    1
GB       157.240.221.16:443       static.xx.fbcdn.net                 tcp    1
US       1.1.1.1:53               www.google.com                      udp    1
GB       142.250.200.36:443       www.google.com                      tcp    2
US       1.1.1.1:53               update.googleapis.com               udp    1
GB       142.250.178.3:443        update.googleapis.com               tcp    1

Files

Every file recorded here is an ART / AndroidX ProfileInstaller runtime profile artifact (primary.prof, profileInstalled, profileinstaller_profileWrittenFor_lastUpdateTime.dat) written during normal execution; the repeated primary.prof entries are successive snapshots of the same file with different contents. No other file writes are listed, so this section carries no dropped-payload indicators.

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 b6d3ca5f8b1bea3f243673abdcbc25f4
SHA1 917a67c3b5fd9814adc01e81c59ed08c70db70ac
SHA256 1eadd2d3de1286832ab2ff6ee7eaba4fc116b53981008593219e9afe543cc9df
SHA512 03bbd5bff2f967445e1f62da8570063f2aae822c3f0bfc67a42d7d0afc893ba5394e3d5d525dcd7c4569fe0f0e9a904b0fe5044c138a2427c46879bd7ae6a4e7

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 02c01db493487e375d9657165bc37d81
SHA1 533b7b4b473818fb5d423bbf31fbd30ac7e150fa
SHA256 0809620a849f4263edf23d5c5a07cd9e42818299fe83a10f4516fab276f2946d
SHA512 e0af9de68e776ac88d0cad5ba300aef99c73a09c5c372f171e3b4b33acc0260696b6157fd2276d87019664021ed0415dcf95c489576053c13222c0172ff9ef1a

/data/data/com.example.application/files/profileInstalled

MD5 362dcf0f59700f2733c3e0e86962635c
SHA1 45e2282d6ea3c0ce1bc5477789eeb3eb6b9289f5
SHA256 7d6c86df2b207638c7b5c039e7fc22d64f6c42e14373fbf55c08feed0f22441b
SHA512 b2910804df27056e743b95239b562ef9f824dd78b251901ae65fb1fb7bb9e31a0c6bdff51461b83f0263896105d69583d9183ce311520547b1d42c4852ab5528

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 3e0984b273aec90badb3c1aa340c8042
SHA1 213e1dad39b1fd1ecffd7143d6bf46e57dedf161
SHA256 caa13bfd9af21fa115e1c65ca8b174029b09ef603b8cc8f921375d27948cf43c
SHA512 df9570e6b240533b92ad1d0e9f231a35b8f83bd9ebeb14296ca12e35afaa03bef424adc6955b161a696fb6ee1d55a03828a2f0a77cbc93bdd44c4d792308f826

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 4820e5c745058b00f4ca5df9c5e2ed37
SHA1 6f0bc59bc87bcb51a1d86e30a79d2f9ccc94bc61
SHA256 380b7d08a5fe685631a8991308a90816a6580c0b9e01f831c69ff43ec212d6e5
SHA512 5a9bb2fc880158a35412037b9d986468bfe8bc05e9a96643fb2e9244431c48c577ce4706955ebaa94340969d21bb4d47736d1318984c6e526ea27f0c3cc1afcc

Analysis: behavioral2

Detonation Overview

Submitted         2024-06-09 15:29
Reported          2024-06-09 15:35
Platform          android-33-x64-arm64-20240603-en (Android 13, API level 33)
Max time kernel   119s
Max time network  172s

Command Line

com.example.application

Signatures

Obtains sensitive information copied to the device clipboard

Tags        collection credential_access impact
Description Framework service call
Indicator   android.content.IClipboard.addPrimaryClipChangedListener
Process     N/A
Target      N/A
Note        Registers a callback that fires on every clipboard change, so the app can read whatever the user copies (passwords, wallet addresses, one-time codes). On Android 10 and later only the focused app or the default keyboard can read clipboard contents, so on this Android 13 image the listener yields data only while the app is in the foreground.

Uses Crypto APIs (Might try to encrypt user data)

Tags        impact
Description Framework API call
Indicator   javax.crypto.Cipher.doFinal
Process     N/A
Target      N/A
Note        Routine in bundled analytics SDKs; weak evidence on its own.

Checks CPU information

Description File opened for read
Indicator   /proc/cpuinfo
Process     N/A
Target      N/A

Checks memory information

Description File opened for read
Indicator   /proc/meminfo
Process     N/A
Target      N/A
Note        Both /proc reads are typical of device fingerprinting and emulator checks in SDKs; the report does not show how the values were used.

Processes

com.example.application

Network

As in behavioral1, the Google endpoints (remoteprovisioning.googleapis.com and the unnamed 216.58.x / 142.250.x / 172.217.x destinations) are platform traffic from the emulator image, and 162.159.61.3 is in Cloudflare address space; the analytics and attribution endpoints are the same as in the first run. The app-attributable traffic is again www.mamba.ru, *.wmbcdn.com (all at 138.113.209.188 here), ph.mobile-api.ru and the bare IP 77.91.124.14:260, contacted four times with no DNS lookup. Consecutive identical connections are collapsed into the Count column; "-" means no domain was recorded.

Country  Destination              Domain                              Proto  Count
N/A      224.0.0.251:5353         -                                   udp    1
GB       216.58.212.196:443       -                                   udp    1
GB       216.58.212.196:443       -                                   tcp    2
GB       216.58.204.67:443        -                                   tcp    1
FI       77.91.124.14:260         77.91.124.14                        tcp    1
GB       216.58.212.196:443       -                                   udp    1
GB       142.250.180.4:443        -                                   udp    1
GB       142.250.180.4:443        -                                   tcp    2
US       162.159.61.3:443         -                                   tcp    2
US       162.159.61.3:443         -                                   udp    1
US       1.1.1.1:53               remoteprovisioning.googleapis.com   udp    1
GB       142.250.180.10:443       remoteprovisioning.googleapis.com   tcp    1
US       1.1.1.1:53               www.mamba.ru                        udp    1
DE       185.165.123.195:443      www.mamba.ru                        tcp    1
FI       77.91.124.14:260         77.91.124.14                        tcp    3
US       1.1.1.1:53               static.wmbcdn.com                   udp    1
DE       138.113.209.188:443      static.wmbcdn.com                   tcp    5
US       1.1.1.1:53               mc.yandex.ru                        udp    1
US       1.1.1.1:53               websdk.appsflyer.com                udp    1
US       1.1.1.1:53               ph.mobile-api.ru                    udp    1
RU       87.250.251.119:443       mc.yandex.ru                        tcp    1
GB       2.19.117.97:443          websdk.appsflyer.com                tcp    1
RU       193.0.170.25:443         ph.mobile-api.ru                    tcp    1
US       1.1.1.1:53               ams3.wmbcdn.com                     udp    1
US       1.1.1.1:53               ams1.wmbcdn.com                     udp    1
US       1.1.1.1:53               ams2.wmbcdn.com                     udp    1
DE       138.113.209.188:443      ams2.wmbcdn.com                     tcp    10
US       1.1.1.1:53               wa.onelink.me                       udp    1
GB       108.156.46.20:443        wa.onelink.me                       tcp    1
RU       193.0.170.25:443         ph.mobile-api.ru                    tcp    1
US       1.1.1.1:53               mc.yandex.com                       udp    1
US       1.1.1.1:53               wa.appsflyer.com                    udp    1
GB       13.224.222.49:443        wa.appsflyer.com                    tcp    1
US       1.1.1.1:53               cdneu.wmbcdn.com                    udp    1
DE       138.113.209.188:443      cdneu.wmbcdn.com                    tcp    1
GB       172.217.16.234:443       remoteprovisioning.googleapis.com   udp    1
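
The separation of platform, SDK and app-attributable traffic applied to both network tables can be scripted. The following is an added example by the editor, not part of the sandbox output: it parses rows in this report's table format, collapses repeated connections, buckets each destination, and flags connections whose Domain column is empty or an IP literal, i.e. where no name was resolved before the connection. The suffix lists are triage heuristics chosen here, not a vetted allowlist; the sample rows are copied from the two tables above.

```python
"""Triage a sandbox network table: collapse repeats, separate emulator and
SDK background traffic from app-attributable connections, and flag endpoints
reached without name resolution.

Added example for this report, not part of the sandbox output. The suffix
lists are the editor's triage heuristics, not a vetted allowlist.
SAMPLE_ROWS is a subset of rows copied from this report's tables.
"""
import ipaddress
from collections import Counter

# Normal Android/Google Play traffic from the emulator image (heuristic).
PLATFORM_SUFFIXES = (".googleapis.com", ".google.com", ".gstatic.com")
# Analytics, attribution and social-CDN endpoints of bundled SDKs (heuristic).
SDK_SUFFIXES = (".appsflyer.com", ".onelink.me", ".yandex.ru", ".yandex.com",
                ".fbcdn.net")
LOCAL_DESTINATIONS = {"224.0.0.251:5353"}   # mDNS multicast

SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
FI 77.91.124.14:260 77.91.124.14 tcp
US 1.1.1.1:53 www.mamba.ru udp
DE 185.165.123.195:443 www.mamba.ru tcp
FI 77.91.124.14:260 77.91.124.14 tcp
DE 138.113.209.188:443 ams2.wmbcdn.com tcp
DE 138.113.209.188:443 ams2.wmbcdn.com tcp
DE 138.113.209.188:443 ams2.wmbcdn.com tcp
US 1.1.1.1:53 websdk.appsflyer.com udp
GB 2.19.117.97:443 websdk.appsflyer.com tcp
RU 193.0.170.25:443 ph.mobile-api.ru tcp
"""


def parse_row(line):
    """'Country Destination [Domain] Proto' -> dict; Domain may be absent."""
    parts = line.split()
    if len(parts) == 3:
        country, dst, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dst, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dst.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto}


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify(row):
    """Bucket a connection; 'app' and 'raw-ip' are the ones worth pivoting on."""
    if f"{row['host']}:{row['port']}" in LOCAL_DESTINATIONS:
        return "local"
    if row["port"] == 53:
        return "dns"
    domain = row["domain"]
    if domain.endswith(PLATFORM_SUFFIXES):
        return "platform"
    if domain.endswith(SDK_SUFFIXES):
        return "sdk"
    if not domain or is_ip_literal(domain):
        # No name was resolved for this destination: hard-coded address.
        return "unresolved-https" if row["port"] in (80, 443) else "raw-ip"
    return "app"


def triage(table_text):
    """Count connections per (class, host, port, domain, proto)."""
    counts = Counter()
    for line in table_text.splitlines():
        if line.strip():
            r = parse_row(line)
            counts[(classify(r), r["host"], r["port"], r["domain"], r["proto"])] += 1
    return counts


def pivot_candidates(counts):
    """Endpoints attributable to the app or reached by bare IP on an odd port."""
    return sorted({(host, port, domain)
                   for cls, host, port, domain, _ in counts
                   if cls in ("app", "raw-ip")})


if __name__ == "__main__":
    counts = triage(SAMPLE_ROWS)
    for key, n in sorted(counts.items()):
        print(f"{n:3}  {key[0]:17} {key[1]}:{key[2]:<5} {key[3]}  {key[4]}")
    print("pivot on:", pivot_candidates(counts))
```

Run against the full tables, the "raw-ip" bucket contains only 77.91.124.14:260 and the "app" bucket the mamba.ru, wmbcdn.com and mobile-api.ru hosts; everything else drops into platform, SDK, DNS or local noise, which is the list to feed into further pivoting rather than the raw table.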

Files

As in behavioral1, every file recorded is an ART / AndroidX ProfileInstaller runtime profile artifact written during normal execution, and the repeated primary.prof entries are successive snapshots of the same file. No other file writes are listed.

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 86800d48a00de0a211011e9356cd7371
SHA1 aaba899af40fc1aba33cbdf52d4f8e2a0b9dcd71
SHA256 4c3f5ad9ca5623b2ab5f655be042f18fb156101295381757fa76d524143a25f5
SHA512 71c6ecf46af762b87f05c5b2253711b641f62c0381623364d98181171566b7c879eec22884af047f1d4563de2a7ca78d7a073d1ab5625bb8c171f4941b26edd7

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 a0dcbfb8f6965904989a4b8369783e88
SHA1 3035406fe88153dfb24cc091820e1b0fd5d6a1a2
SHA256 913f7fb68fb2d4b3d2920f74631411670035fdf1b80df179f8431f8430e6dce5
SHA512 aafcdd4f9c7d20a6d0cf781b148a662d5394bf603b99c5722a9e64d5333f7f2e0f4923a56d917533328c7357cb1ab5781e499f114392563ef6475a8804876d49

/data/data/com.example.application/files/profileInstalled

MD5 14c7bba7909c882fc73bab481d02d220
SHA1 4751ac93ae38a4a718d3be25c9b0162f55e5aa1a
SHA256 ab44bf3f73682497062f25d0f4d6e79563d31680c06280ec95a8f45a52b7d1cc
SHA512 7dbc9a40901cf10133768668dd8487bf823959a532b2d7060de778094919c112c0bedbea32482b9bb10dceea36aa6806e8d58fee845ac2a4418c616b74b2a023

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 42e679fc47033f62126cf2e4262b4029
SHA1 e03a5447b7a0c90b0704f57692b83b78f5c535b1
SHA256 70a25dc684aa6f80410c543eff7cb76aae57dd7a76419a05a4f95e003690aeee
SHA512 8f050d1785ae93a84510abd790156a9c676429078c423646012eafb9f8aed1c2346a13475d56ac504327e3be60e9320bd668cf0c8fec745073bd892e3bfa890d