Malware Analysis Report

2025-01-19 07:54

Sample ID 240610-l8pcmsgc35
Target 58dc2a96f9875a5288f3f145f24cd6df51d5205872cb40eec30abd2edc3b237c
SHA256 58dc2a96f9875a5288f3f145f24cd6df51d5205872cb40eec30abd2edc3b237c
Tags
banker discovery evasion
Score
7/10


Analysis Overview

Score
7/10

SHA256

58dc2a96f9875a5288f3f145f24cd6df51d5205872cb40eec30abd2edc3b237c

Threat Level: Shows suspicious behavior

The file 58dc2a96f9875a5288f3f145f24cd6df51d5205872cb40eec30abd2edc3b237c was classified as: Shows suspicious behavior.

Malicious Activity Summary

banker discovery evasion

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-06-10 10:12

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 10:12

Reported

2024-06-10 10:20

Platform

android-x86-arm-20240603-en

Max time kernel

8s

Max time network

131s

Command Line

uz.ipakyoli.mobile

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

uz.ipakyoli.mobile

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | avovalid.in | udp
US | 172.67.202.132:443 | avovalid.in | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | encrypted-tbn0.gstatic.com | udp
GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.169.68:443 | www.google.com | tcp
US | 1.1.1.1:53 | static.xx.fbcdn.net | udp
GB | 163.70.147.23:443 | static.xx.fbcdn.net | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 142.250.187.227:443 | update.googleapis.com | tcp

Files

/data/misc/profiles/cur/0/uz.ipakyoli.mobile/primary.prof

MD5 3fe3bf37671e974f633d774aa0ab0895
SHA1 565e594ef3e42ced0798ab4c53db05958b2221dc
SHA256 e5e81f1619dc6ea1313393d81f81e37a834a82fcb1bf60e1e5aca1c34ffd6b1a
SHA512 200c77fe0b177e710037b1774d7ddd5c492e5e39787429399d2c97d4a12aba1bff3b5e09d1b9ebf2f3ec80862c910207af47fad8a8a1364a559ba698b9b0e1d4

/data/data/uz.ipakyoli.mobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 8484ed3837acf941371488a5dd4b338e
SHA1 a9707f4b84f26af7f229478b44b6b0b97eb4bd7b
SHA256 d4968d7fbd7e1016442c424acc56f72352c81a98770221d29bcc6fdd936bb359
SHA512 c94fb973f5f679aadce69475fe30a93aa0a2a81f0ace8f5506a7fd43e01f801612f683ce60e14e87471546041a80bcd5f5103549479c7e59a0b50f8b60142b51

/data/data/uz.ipakyoli.mobile/files/profileInstalled

MD5 ee035bf63795473ec60af853bd1162ed
SHA1 2c8496aec822733d61bd67272d5437a2f0cf84bc
SHA256 38162f1337bf07911b89799a6c929b38f995d6fa3a6bda7223b8d45069e4677d
SHA512 336b60e748c3c9ddd1fcce120d86dc506fb7171878870f3d2924bd0babc3781cac4b84778e30fb8b55cc3e7fd33a7f3b83281375763ba5988ae25a0a9eea2f82

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 10:12

Reported

2024-06-10 10:20

Platform

android-x64-20240603-en

Max time kernel

78s

Max time network

151s

Command Line

uz.ipakyoli.mobile

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Processes

uz.ipakyoli.mobile

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | avovalid.in | udp
US | 104.21.76.251:443 | avovalid.in | tcp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 216.58.204.78:443 | | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.169.78:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.42:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/misc/profiles/cur/0/uz.ipakyoli.mobile/primary.prof

MD5 3fe3bf37671e974f633d774aa0ab0895
SHA1 565e594ef3e42ced0798ab4c53db05958b2221dc
SHA256 e5e81f1619dc6ea1313393d81f81e37a834a82fcb1bf60e1e5aca1c34ffd6b1a
SHA512 200c77fe0b177e710037b1774d7ddd5c492e5e39787429399d2c97d4a12aba1bff3b5e09d1b9ebf2f3ec80862c910207af47fad8a8a1364a559ba698b9b0e1d4

/data/data/uz.ipakyoli.mobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 0efac64b3be2037949513e00b43e229c
SHA1 f2dbcb58d75b11d061421ea77ccab486e4a7a011
SHA256 14584dab4cda7c25b2ec0a31977e715b3d4ccf9828d00690949ed8e2f1784ece
SHA512 28db5bcb75d23f5bc3cdb08fd7d2337542976cc0b7be118f15ea2d607bd0aea2e0b54dc1aa986784bada04602a613e6c52e1d08800970b451836dffb3e83c8dc

/data/data/uz.ipakyoli.mobile/files/profileInstalled

MD5 90110b04f976a7856479c7881affaa63
SHA1 edb911b282b2e63b1100b0d2e4822a8c58f569db
SHA256 6f5b39ba9190983c696972c043fd6cda262dce9188c43e5cc60f6810fd3e85e2
SHA512 1ceed153bc1cb75412844514721b8a83642adca70f6bd6c0da019693062d5fb60367f70ad7c4355e754b62ee07fb507abd69b2d56367a70475a4d4b22bf7eb71

/data/misc/profiles/cur/0/uz.ipakyoli.mobile/primary.prof

MD5 cee59407b88f23e5cc2f6d8eb1297922
SHA1 c02adccb8338e034038a647a4223d84812e06f74
SHA256 490b6e7d88e55ec99d1907598dd14a4ba80ebc12c085cd3327321671501e5625
SHA512 e67d3c0b6fb360c2dc85ea4eba02518a90b69a9b811860ef3a05b4470c727d853160e75573ec37f42967fa781fa7d8d9f32f12a02131acbdbd7e04cf80a0bacf

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-10 10:12

Reported

2024-06-10 10:20

Platform

android-x64-arm64-20240603-en

Max time kernel

8s

Max time network

132s

Command Line

uz.ipakyoli.mobile

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

uz.ipakyoli.mobile

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.234:443 | | tcp
GB | 142.250.187.234:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | avovalid.in | udp
US | 172.67.202.132:443 | avovalid.in | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/misc/profiles/cur/0/uz.ipakyoli.mobile/primary.prof

MD5 3fe3bf37671e974f633d774aa0ab0895
SHA1 565e594ef3e42ced0798ab4c53db05958b2221dc
SHA256 e5e81f1619dc6ea1313393d81f81e37a834a82fcb1bf60e1e5aca1c34ffd6b1a
SHA512 200c77fe0b177e710037b1774d7ddd5c492e5e39787429399d2c97d4a12aba1bff3b5e09d1b9ebf2f3ec80862c910207af47fad8a8a1364a559ba698b9b0e1d4

/data/data/uz.ipakyoli.mobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3a6da5dda408c32614605a56a920daf3
SHA1 32a1e714217d044ca53ab1f1390faf24f4c9aeb9
SHA256 2932702faa9cb181ab9945f145e44f9de3c0e5b1a62bc0a0efa15a35c1981cf2
SHA512 67f6f0bb5d0fad60bb51d7b2bd1aa7ba65de1cd4e8c9a1fe881e0425d5ac40ec5f871b9d74a94bdc4aee7961bed306cdb97f4cc0fcfdd77218a4098dd1e423fd