Malware Analysis Report

2024-09-09 16:33

Sample ID 240612-tsmswa1epf
Target bf2e33a85547bdc0c2c24bed5ee59c89b0fa1b9bd7ec33eaed8c57e8f4937d8b.bin
SHA256 bf2e33a85547bdc0c2c24bed5ee59c89b0fa1b9bd7ec33eaed8c57e8f4937d8b
Tags
collection credential_access discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

bf2e33a85547bdc0c2c24bed5ee59c89b0fa1b9bd7ec33eaed8c57e8f4937d8b

Threat Level: Shows suspicious behavior

The file bf2e33a85547bdc0c2c24bed5ee59c89b0fa1b9bd7ec33eaed8c57e8f4937d8b.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery impact persistence

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 16:19

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 16:19

Reported

2024-06-12 16:22

Platform

android-x64-20240611.1-en

Max time kernel

171s

Max time network

153s

Command Line

com.usat.campuspro

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.usat.campuspro

Network


Files

/data/misc/profiles/cur/0/com.usat.campuspro/primary.prof


/data/data/com.usat.campuspro/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat


/data/data/com.usat.campuspro/files/profileInstalled


/data/misc/profiles/cur/0/com.usat.campuspro/primary.prof


Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 16:19

Reported

2024-06-12 16:22

Platform

android-x64-arm64-20240611.1-en

Max time kernel

58s

Max time network

150s

Command Line

com.usat.campuspro

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.usat.campuspro

Network


Files

/data/misc/profiles/cur/0/com.usat.campuspro/primary.prof


/data/data/com.usat.campuspro/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat


/data/misc/profiles/cur/0/com.usat.campuspro/primary.prof


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 16:19

Reported

2024-06-12 16:22

Platform

android-x86-arm-20240611.1-en

Max time kernel

174s

Max time network

158s

Command Line

com.usat.campuspro

Signatures

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.usat.campuspro

Network


Files

/data/misc/profiles/cur/0/com.usat.campuspro/primary.prof


/data/data/com.usat.campuspro/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat


/data/data/com.usat.campuspro/files/profileInstalled


/data/misc/profiles/cur/0/com.usat.campuspro/primary.prof
