Malware Analysis Report

2024-09-09 16:19

Sample ID: 240612-qlel5szdrj
Target: f363689df11b1848a39c585c04c9e6034384a037776004a7f34fec493ae38765.bin
SHA256: f363689df11b1848a39c585c04c9e6034384a037776004a7f34fec493ae38765
Tags: discovery, persistence, collection, credential_access, impact
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: f363689df11b1848a39c585c04c9e6034384a037776004a7f34fec493ae38765

Threat Level: Shows suspicious behavior

The file f363689df11b1848a39c585c04c9e6034384a037776004a7f34fec493ae38765.bin was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence, collection, credential_access, impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 13:20

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 13:20
Reported: 2024-06-12 13:23
Platform: android-x86-arm-20240611.1-en
Max time kernel: 46s
Max time network: 157s

Command Line

yes.debug.yesbnak

Signatures

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

yes.debug.yesbnak

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | cdn.jsdelivr.net | udp
US | 1.1.1.1:53 | code.jquery.com | udp
US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp
US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp
US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp
US | 151.101.2.137:443 | code.jquery.com | tcp
US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 db5bc98d7b015767d8f585a53d714c16
SHA1 52f1d6ebd0ab4271bf3c80df7a02f8b43e37ee1a
SHA256 ddcc9451e13adb14ea8dc278406318468cab2109b8dcb0d20c63eac98bbf97e1
SHA512 cbb230a50cc4011a05b60bb28ef406c443a4554bd615acb447d167a521389c5479402316751a061ff437877c575ff2ad8ca2e2032da53dec20e41ad2250e3bd7

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 b3b792f790a972b96a41639f150cc98b
SHA1 ba243a6f4eb994e82e72b34dc58d436bbd173353
SHA256 3a07573b62e67d79fe312b51bda5d9dcb062022c81ccf7f7ea5806deaf54e6d3
SHA512 c2a32d8caaa75dd7e67a58a8d9f1280a866f1ed96fa7b13f3e09cbd6656e69653a0c57ab78f838557d877490250c520ffc64bfd8353a4f3d1af99f9c5ddab7cd

/data/data/yes.debug.yesbnak/files/profileInstalled

MD5 f73b5523ebbe7cb1205f1dd635802931
SHA1 e62bb4776ec278b43ed503cdde4a81ffb62dd830
SHA256 94289929de3f2e26bab01c994c03e9359bb51787d2cce6c5371bdb1fab004073
SHA512 ed7825f7a06815c3802dcdb68c63992324c286949551a2e69fe9f4300e190e078b8399d2485a7135cf766f0f57f40da10156f85c7e0ef93438be8580bcedcb2a

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 90c57992c3b15dca4a2f78fabe8a512f
SHA1 52f0e77c11e4357a6a0625e8e37daf29b1f2410b
SHA256 213623c069f0b0615f2e25815b3e8167073896789a0a4c4d072ccc23255d55e7
SHA512 21f5944cbe9d523e926c09615f65bf13efb866f2b6e298d84b700d7d582bd2c2954d19b5309fcc4254bb5ae074bad8abfd73d9bdd0b2d1efbb6b0ea5a4cdf33d

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 13:20
Reported: 2024-06-12 13:23
Platform: android-x64-20240611.1-en
Max time kernel: 48s
Max time network: 129s

Command Line

yes.debug.yesbnak

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

yes.debug.yesbnak

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | cdn.jsdelivr.net | udp
US | 1.1.1.1:53 | code.jquery.com | udp
US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp
US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp
US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp
US | 151.101.2.137:443 | code.jquery.com | tcp
US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 db5bc98d7b015767d8f585a53d714c16
SHA1 52f1d6ebd0ab4271bf3c80df7a02f8b43e37ee1a
SHA256 ddcc9451e13adb14ea8dc278406318468cab2109b8dcb0d20c63eac98bbf97e1
SHA512 cbb230a50cc4011a05b60bb28ef406c443a4554bd615acb447d167a521389c5479402316751a061ff437877c575ff2ad8ca2e2032da53dec20e41ad2250e3bd7

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 c0b049639960176d7bf8f647002bedde
SHA1 bb38297ed58881e81f1920c6253f6ba488da40a9
SHA256 f386c5ca6e11d30d8b7ee173a1239015173c08f4012eaa49815b80439ee75c11
SHA512 003d981c68486e90771528c8a0c695229563e46b93b4afa314c63c38225a109f30d1752944618ff8a8fce387f6f13572d9829932fb98ba931e74c50367ec5b36

/data/data/yes.debug.yesbnak/files/profileInstalled

MD5 28679ca55c0b5d43fcb0d380eba4cc4c
SHA1 90dbd73a2a0b2ecee6120cf79a62876072a1166f
SHA256 564f9265ec8480f2bc5b9839d696f82d6ba6a2ac86e9534560990df0938f1b38
SHA512 1dd994847368b98728cd256721731cccf913dc6682bfb770a651fad344c39a906190c73e98ebaa47c7130962f8266e82b352826cb1de90003a5fe992cc9e3b18

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-12 13:20
Reported: 2024-06-12 13:23
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 75s
Max time network: 143s

Command Line

yes.debug.yesbnak

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

yes.debug.yesbnak

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | cdn.jsdelivr.net | udp
US | 1.1.1.1:53 | code.jquery.com | udp
US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp
US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp
US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp
US | 151.101.130.137:443 | code.jquery.com | tcp
US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.3:443 | | tcp

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 db5bc98d7b015767d8f585a53d714c16
SHA1 52f1d6ebd0ab4271bf3c80df7a02f8b43e37ee1a
SHA256 ddcc9451e13adb14ea8dc278406318468cab2109b8dcb0d20c63eac98bbf97e1
SHA512 cbb230a50cc4011a05b60bb28ef406c443a4554bd615acb447d167a521389c5479402316751a061ff437877c575ff2ad8ca2e2032da53dec20e41ad2250e3bd7

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 6be169a26b777436d8d2fab1bee34d61
SHA1 dcabdd4bcc5017d31b019b78aa04b507beef890a
SHA256 45d125778a2b483d56205bb8cbef1fc43a12988680884eef0752306e901cf364
SHA512 b6dc5e51378a990dd839f2238b83519081b7faffe0f2fc59d89b3995030fba203a1e0899ae202ac8306289870de9cc06413529ffb6177c079603b3cbe47faf44