Malware Analysis Report

2024-09-09 16:33

Sample ID 240612-vkggkasdmd
Target ce7b2c0bf38dadb15743b5ab0f40889833123971a855d3674b73c2eab2ad7622.bin
SHA256 ce7b2c0bf38dadb15743b5ab0f40889833123971a855d3674b73c2eab2ad7622
Tags
discovery impact persistence collection credential_access
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ce7b2c0bf38dadb15743b5ab0f40889833123971a855d3674b73c2eab2ad7622

Threat Level: Shows suspicious behavior

The file ce7b2c0bf38dadb15743b5ab0f40889833123971a855d3674b73c2eab2ad7622.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery impact persistence collection credential_access

Obtains sensitive information copied to the device clipboard

Reads the contacts stored on the device.

Requests accessing notifications (often used to intercept notifications before users become aware).

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:02

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:02

Reported

2024-06-12 17:05

Platform

android-x86-arm-20240611.1-en

Max time kernel

3s

Max time network

160s

Command Line

sd5hj.twd

Signatures

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

sd5hj.twd

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:02

Reported

2024-06-12 17:05

Platform

android-x64-20240611.1-en

Max time kernel

175s

Max time network

185s

Command Line

sd5hj.twd

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

sd5hj.twd

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.179.234:443 tcp
US 1.1.1.1:53 howwelltobe-default-rtdb.firebaseio.com udp
US 35.190.39.113:443 howwelltobe-default-rtdb.firebaseio.com tcp
US 1.1.1.1:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 1.1.1.1:53 wellknownbyme-default-rtdb.firebaseio.com udp
US 34.120.160.131:443 wellknownbyme-default-rtdb.firebaseio.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.200.46:443 tcp
GB 142.250.179.226:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.200.46:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 17:02

Reported

2024-06-12 17:05

Platform

android-x64-arm64-20240611.1-en

Max time kernel

176s

Max time network

186s

Command Line

sd5hj.twd

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

sd5hj.twd

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 howwelltobe-default-rtdb.firebaseio.com udp
US 35.190.39.113:443 howwelltobe-default-rtdb.firebaseio.com tcp
US 1.1.1.1:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 1.1.1.1:53 wellknownbyme-default-rtdb.firebaseio.com udp
US 35.201.97.85:443 wellknownbyme-default-rtdb.firebaseio.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

N/A