Analysis Overview
SHA256
f363689df11b1848a39c585c04c9e6034384a037776004a7f34fec493ae38765
Threat Level: Shows suspicious behavior
The file f363689df11b1848a39c585c04c9e6034384a037776004a7f34fec493ae38765.bin was found to show suspicious behavior.
Malicious Activity Summary
Obtains sensitive information copied to the device clipboard
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks CPU information
Checks memory information
Analysis: static1
Detonation Overview
Reported
2024-06-12 13:20
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 13:20
Reported
2024-06-12 13:23
Platform
android-x86-arm-20240611.1-en
Max time kernel
46s
Max time network
157s
Signatures
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
yes.debug.yesbnak
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.2.137:443 | code.jquery.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof
/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/yes.debug.yesbnak/files/profileInstalled
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 13:20
Reported
2024-06-12 13:23
Platform
android-x64-20240611.1-en
Max time kernel
48s
Max time network
129s
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
yes.debug.yesbnak
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.179.234:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.2.137:443 | code.jquery.com | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
Files
/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof
/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/yes.debug.yesbnak/files/profileInstalled
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-12 13:20
Reported
2024-06-12 13:23
Platform
android-x64-arm64-20240611.1-en
Max time kernel
75s
Max time network
143s
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
yes.debug.yesbnak
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.130.137:443 | code.jquery.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.3:443 | | tcp |
Files
/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof
/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat