Malware Analysis Report

2024-09-09 16:32

Sample ID: 240612-vmcw6asdra
Target: 071eaf49198b671df78c82fabe24851adfeb4b3f9e0d1f384bfd07663dd4113f.bin
SHA256: 071eaf49198b671df78c82fabe24851adfeb4b3f9e0d1f384bfd07663dd4113f
Tags: discovery persistence collection credential_access impact
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 071eaf49198b671df78c82fabe24851adfeb4b3f9e0d1f384bfd07663dd4113f

Threat level: shows suspicious behavior

The file 071eaf49198b671df78c82fabe24851adfeb4b3f9e0d1f384bfd07663dd4113f.bin was classified as showing suspicious behavior. The static stage flagged the requested SMS and phone-state permissions; the behavioral runs flagged clipboard monitoring, a runtime broadcast receiver, a mobile country code query, and reads of /proc/cpuinfo and /proc/meminfo.

Malicious Activity Summary

Tags: discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 17:06

Signatures

Requests dangerous framework permissions

Indicators (process: N/A, target: N/A for all rows of a static analysis):

android.permission.READ_PHONE_STATE
  Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.

android.permission.READ_SMS
  Allows an application to read SMS messages.

android.permission.RECEIVE_SMS
  Allows an application to receive SMS messages.

android.permission.SEND_SMS
  Allows an application to send SMS messages.
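The static1 stage only lists the requested permissions; the triage question is which of them are runtime ("dangerous") permissions and which combinations matter together. The script below is an added example, not code from the report or from the sample: it parses a constructed AndroidManifest fragment (the four permissions above plus INTERNET, with the process name from the report used as the package name), marks the dangerous ones, and evaluates two analyst heuristics (assumptions, not report findings) for SMS interception and SMS relay capability.

```python
"""Triage the <uses-permission> entries of an AndroidManifest.xml.

Added example, not part of the sandbox report: flags permissions that
Android grants at runtime (protectionLevel "dangerous") and evaluates
analyst-chosen combination rules on top of them.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of Android's runtime ("dangerous") permissions; extend as needed.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Analyst heuristics (assumption, not from the report): permission sets
# that deserve a closer look, with the reason to record in the triage note.
COMBINATIONS = [
    ({"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
     "can read incoming SMS (OTP / 2FA interception risk)"),
    ({"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
     "can both receive and send SMS (relay / premium-SMS risk)"),
]


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the android:name of every <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str) -> dict:
    """Classify the manifest's permissions and evaluate the combination rules."""
    requested = requested_permissions(manifest_xml)
    present = set(requested)
    dangerous = sorted(present & DANGEROUS)
    findings = [reason for combo, reason in COMBINATIONS if combo <= present]
    return {"requested": requested, "dangerous": dangerous, "findings": findings}


# Constructed manifest fragment for demonstration: the four permissions from
# the static1 table plus INTERNET (a normal, install-time permission). The
# package name is the process name the behavioral runs report.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="yes.debug.yesbnak">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    for perm in result["requested"]:
        flag = "DANGEROUS" if perm in DANGEROUS else "normal"
        print(f"{flag:9} {perm}")
    for reason in result["findings"]:
        print("finding:", reason)
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or androguard) and feed the decoded text to `triage`. The combination rules are the part worth maintaining: a permission list alone is weak evidence, but RECEIVE_SMS together with READ_SMS is exactly the capability an OTP-stealing app needs, and that is what should drive the next analysis step.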

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 17:06
Reported: 2024-06-12 17:09
Platform: android-x86-arm-20240611.1-en
Max time kernel: 47s
Max time network: 149s

Command Line

yes.debug.yesbnak

Signatures

Queries the mobile country code (MCC)

Tags: discovery
Indicator: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: N/A, target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver (process: N/A, target: N/A)

Checks CPU information

Indicator: file opened for read /proc/cpuinfo (process: N/A, target: N/A)

Checks memory information

Indicator: file opened for read /proc/meminfo (process: N/A, target: N/A)

Processes

yes.debug.yesbnak

Network

Country  Destination            Domain                    Proto
GB       172.217.169.74:443     -                         tcp
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             cdn.jsdelivr.net          udp
US       1.1.1.1:53             code.jquery.com           udp
US       151.101.193.229:443    cdn.jsdelivr.net          tcp
US       151.101.193.229:443    cdn.jsdelivr.net          tcp
US       151.101.194.137:443    code.jquery.com           tcp
US       1.1.1.1:53             cdnjs.cloudflare.com      udp
US       104.17.25.14:443       cdnjs.cloudflare.com      tcp
GB       142.250.187.238:443    -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.238:443    android.apis.google.com   tcp
(- = no domain recorded for this flow)
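The network table mixes DNS lookups, local multicast, and TLS connections, and some connection rows carry no hostname. The script below is an added example, not code from the report or the sample: it parses the rows in the raw form the sandbox exports (three tokens when no domain was recorded, four otherwise), separates the DNS and mDNS rows from real connections, back-fills hostnames for IPs that were labelled elsewhere in the same run, and pushes the connections that never resolve to a hostname to the top of the review list. The row text is copied from the behavioral1 table; the allowlist of hostnames treated as platform or CDN noise is an analyst assumption.

```python
"""Parse a flattened 'Country Destination Domain Proto' table from the
sandbox report and sort the rows into what needs a look first.

Added example, not part of the report. PLATFORM_NOISE is an assumption:
hostnames a stock Android image, or a WebView pulling public JS libraries,
contacts on its own.
"""
import ipaddress
from collections import defaultdict

PLATFORM_NOISE = {
    "android.apis.google.com",
    "ssl.google-analytics.com",
    "cdn.jsdelivr.net",
    "code.jquery.com",
    "cdnjs.cloudflare.com",
}

# Rows copied from the behavioral1 network table above (raw export form).
NETWORK_TABLE = """\
GB 172.217.169.74:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 1.1.1.1:53 code.jquery.com udp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 151.101.194.137:443 code.jquery.com tcp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
"""


def parse_rows(text):
    """Return (country, ip, port, domain_or_None, proto) per non-empty line.

    The domain column is present only when the sandbox tied the flow to a
    hostname, so a row is 3 or 4 tokens; a '-' placeholder is also accepted
    and a header line is skipped.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "-" else domain
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append((country, ip, int(port), domain, proto))
    return rows


def classify(rows):
    """Bucket rows into dns / multicast / connections and flag unlabeled ones."""
    dns, multicast, connections = [], [], []
    ip_to_domain = {}
    for row in rows:
        country, ip, port, domain, proto = row
        if ipaddress.ip_address(ip).is_multicast:
            multicast.append(row)
        elif port == 53 and proto == "udp":
            dns.append(row)
        else:
            connections.append(row)
            if domain:
                ip_to_domain.setdefault(ip, domain)
    # A connection whose IP is never tied to a hostname in the run is the one
    # to look at first; the others inherit the label from a sibling row.
    review = [(country, ip, port, proto)
              for country, ip, port, domain, proto in connections
              if ip not in ip_to_domain]
    per_host = defaultdict(int)
    for country, ip, port, domain, proto in connections:
        name = ip_to_domain.get(ip)
        if name:
            per_host[name] += 1
    noise = {d: n for d, n in per_host.items() if d in PLATFORM_NOISE}
    other = {d: n for d, n in per_host.items() if d not in PLATFORM_NOISE}
    return {"dns": dns, "multicast": multicast, "review": review,
            "noise": noise, "other": other}


if __name__ == "__main__":
    result = classify(parse_rows(NETWORK_TABLE))
    print("unlabeled connections to review:", result["review"])
    print("platform/CDN noise:", result["noise"])
    print("other hostnames:", result["other"])
```

For behavioral1 the only connection that never gets a hostname is the first row (172.217.169.74:443); 142.250.187.238 appears twice, once bare and once as android.apis.google.com, so the back-fill labels both. Run the same function over the behavioral2 and behavioral3 tables to see which bare 142.250.x/216.58.x rows stay unlabelled across runs.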

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 2fd51c2351b0f2eaa881142f88221c56
SHA1 ff7970a3b6d375f4792c7f281e83f6ba750fa2b6
SHA256 703a20a4e8af234859019c7dd9f879ac5b25f28d0e729afe1a09b03d9de9a50f
SHA512 a7dc50d4e5c175b150f88d8af6221fc565ec41d230f4a66f34fc5ab82f38a45a545e9332e75187702e10720d3b2e69269f008ea14e178a03eb1ae43883c3e0d0

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 74890a4339bbacb9033bb5a2361247f8
SHA1 c1d0d899e7208fad85dd6a4144d9cae7478317fa
SHA256 a9d13134240e50d287565c61cf5df5a238d3db804099b4bb003389c1d7e0c980
SHA512 3ba8784133f4d489fb6ba632b149d601be534058463fbbca16d7ba1ec192cbcf98819ff74477b86338b5d37b32b9a82b4f3f32cd5a4baa2c93d69508ffcf0e87

/data/data/yes.debug.yesbnak/files/profileInstalled

MD5 35ee10a5f94e7f16f7444b4a92ae5d0b
SHA1 09fb897daaf7c64313b22bfd1ab595f4e6417ef1
SHA256 a9924718a7f84967c9908eb9fdbbb0c75d09204c80f7be0a1448a77164376c4a
SHA512 0e622dc7eb54c7809bd3558375e5d7af731641e8f78e9fc26890c280f29b5ac112d386980af86733c90aaacfba2ad1c41cdeaba83c0aec274009af0ccf3d1b81

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 1e728250c012e94e2355e7057a113b80
SHA1 eaaabea18b89f4c104d5ebddf728c09edddfe508
SHA256 a31256d4a5fc50024f80997156db4d2baa2986b6bb3122e1c263603843d98bf6
SHA512 4b01b39b3172640369783e6243735c946aeba4c448e774a2ffab5840cbce26826f71252b6aa755e7e4504ca277528093dffb7b2d5729ee1b85178237926fa28f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 17:06
Reported: 2024-06-12 17:09
Platform: android-x64-20240611.1-en
Max time kernel: 26s
Max time network: 151s

Command Line

yes.debug.yesbnak

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Indicator: framework service call android.content.IClipboard.addPrimaryClipChangedListener (process: N/A, target: N/A)

Queries the mobile country code (MCC)

Tags: discovery
Indicator: framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process: N/A, target: N/A)

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Indicator: framework service call android.app.IActivityManager.registerReceiver (process: N/A, target: N/A)

Checks CPU information

Indicator: file opened for read /proc/cpuinfo (process: N/A, target: N/A)

Checks memory information

Indicator: file opened for read /proc/meminfo (process: N/A, target: N/A)

Processes

yes.debug.yesbnak

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       142.250.200.8:443      ssl.google-analytics.com  tcp
US       1.1.1.1:53             cdn.jsdelivr.net          udp
US       151.101.65.229:443     cdn.jsdelivr.net          tcp
US       151.101.65.229:443     cdn.jsdelivr.net          tcp
US       1.1.1.1:53             code.jquery.com           udp
US       1.1.1.1:53             cdnjs.cloudflare.com      udp
US       151.101.2.137:443      code.jquery.com           tcp
US       104.17.24.14:443       cdnjs.cloudflare.com      tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.206:443    android.apis.google.com   tcp
GB       142.250.178.14:443     -                         tcp
GB       142.250.187.226:443    -                         tcp
GB       142.250.179.228:443    -                         tcp
GB       142.250.179.228:443    -                         tcp
GB       216.58.204.78:443      -                         tcp
(- = no domain recorded for this flow)

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 2fd51c2351b0f2eaa881142f88221c56
SHA1 ff7970a3b6d375f4792c7f281e83f6ba750fa2b6
SHA256 703a20a4e8af234859019c7dd9f879ac5b25f28d0e729afe1a09b03d9de9a50f
SHA512 a7dc50d4e5c175b150f88d8af6221fc565ec41d230f4a66f34fc5ab82f38a45a545e9332e75187702e10720d3b2e69269f008ea14e178a03eb1ae43883c3e0d0

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 68cef98a81b3d56713210e2b41b36e74
SHA1 cde241715804a40067a3b58ae6198f85d82e4421
SHA256 b6cc7f95fd873e6797036bd16e020404b8da205ac27663192235fd1b9b78f107
SHA512 24b1a6f70046a8b50c9db2ee88a4e72a3938d7940ad4e2988aa7598d7b9cabc5af3923cc19f4e01e2a36965b11f8f1e741b2472e206f37936a5461aaf458f006

/data/data/yes.debug.yesbnak/files/profileInstalled

MD5 140c56d9159e99e1ce7681685ded2ab4
SHA1 82c032962301a55b05feb1992b4b6ceb946565b9
SHA256 3ad2d65184d20dbd253a5ff871bcd0ea98ec9f67d850161a7b90c08aedc059e7
SHA512 01be1d559e0e23eaa6bafd51c972169ef68d865b860d43909c5a60fc01d3fe231f815dc5624b52d6593041d79aef178c8b1b140acb8105459e1c7983f2f636e0

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-12 17:06
Reported: 2024-06-12 17:09
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 122s
Max time network: 132s

Command Line

yes.debug.yesbnak

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Indicator: framework service call android.content.IClipboard.addPrimaryClipChangedListener (process: N/A, target: N/A)

Checks CPU information

Indicator: file opened for read /proc/cpuinfo (process: N/A, target: N/A)

Checks memory information

Indicator: file opened for read /proc/meminfo (process: N/A, target: N/A)

Processes

yes.debug.yesbnak

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             ssl.google-analytics.com  udp
US       1.1.1.1:53             cdn.jsdelivr.net          udp
US       1.1.1.1:53             code.jquery.com           udp
US       151.101.129.229:443    cdn.jsdelivr.net          tcp
US       151.101.129.229:443    cdn.jsdelivr.net          tcp
US       151.101.130.137:443    code.jquery.com           tcp
US       1.1.1.1:53             cdnjs.cloudflare.com      udp
US       104.17.25.14:443       cdnjs.cloudflare.com      tcp
GB       142.250.187.206:443    -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.187.206:443    android.apis.google.com   tcp
GB       216.58.201.100:443     -                         tcp
GB       216.58.201.100:443     -                         tcp
(- = no domain recorded for this flow)

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 2fd51c2351b0f2eaa881142f88221c56
SHA1 ff7970a3b6d375f4792c7f281e83f6ba750fa2b6
SHA256 703a20a4e8af234859019c7dd9f879ac5b25f28d0e729afe1a09b03d9de9a50f
SHA512 a7dc50d4e5c175b150f88d8af6221fc565ec41d230f4a66f34fc5ab82f38a45a545e9332e75187702e10720d3b2e69269f008ea14e178a03eb1ae43883c3e0d0

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 14ad1bda90e32dbd1fbe8cdd260eca40
SHA1 b258f3a4210183b2d6f4758cc4fb31f80d494248
SHA256 251d7f35581a31397dd5024710f03159d586f2e360478cd15d828094dce3f1ca
SHA512 4d1d13767a77dcce0c94ffc70d7433d3edee1272ec62cc1cdfa7dd83b86d78cb35defa8bcc16563fd771b4a3fb8103df0f430bbb6600c88b914244a4af715866
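The three behavioral runs did not fire the same signatures: the clipboard listener only appeared on the x64 images, and the MCC query and runtime broadcast receiver were absent on the x64-arm64 image. The script below is an added example, not code from the report or the sample: it takes the signature lists copied from the behavioral1, behavioral2 and behavioral3 sections, reports which signatures are stable across runs and which are run-dependent, and maps them to ATT&CK Mobile techniques. That mapping is an analyst-maintained table (an assumption, since the report's own matrix reads N/A) and should be checked against the current matrix before it goes into a ticket.

```python
"""Compare sandbox signatures across the three behavioral runs and map them
to ATT&CK Mobile techniques.

Added example, not part of the report. RUNS is copied from the report's
behavioral sections; ATTACK_MAP is an analyst assumption.
"""

RUNS = {
    "behavioral1 (android-x86-arm)": [
        "Queries the mobile country code (MCC)",
        "Registers a broadcast receiver at runtime (usually for listening for system events)",
        "Checks CPU information",
        "Checks memory information",
    ],
    "behavioral2 (android-x64)": [
        "Obtains sensitive information copied to the device clipboard",
        "Queries the mobile country code (MCC)",
        "Registers a broadcast receiver at runtime (usually for listening for system events)",
        "Checks CPU information",
        "Checks memory information",
    ],
    "behavioral3 (android-x64-arm64)": [
        "Obtains sensitive information copied to the device clipboard",
        "Checks CPU information",
        "Checks memory information",
    ],
}

# Assumed mapping: sandbox signature -> (ATT&CK Mobile technique ID, name).
ATTACK_MAP = {
    "Obtains sensitive information copied to the device clipboard":
        ("T1414", "Clipboard Data"),
    "Queries the mobile country code (MCC)":
        ("T1422", "System Network Configuration Discovery"),
    "Registers a broadcast receiver at runtime (usually for listening for system events)":
        ("T1624.001", "Event Triggered Execution: Broadcast Receivers"),
    "Checks CPU information":
        ("T1426", "System Information Discovery"),
    "Checks memory information":
        ("T1426", "System Information Discovery"),
}


def compare_runs(runs):
    """Return signatures seen in every run, in any run, and where each
    run-dependent signature was missing."""
    sets = {name: set(sigs) for name, sigs in runs.items()}
    everywhere = set.intersection(*sets.values())
    anywhere = set.union(*sets.values())
    missing_in = {
        sig: sorted(name for name, s in sets.items() if sig not in s)
        for sig in anywhere if sig not in everywhere
    }
    return {"everywhere": sorted(everywhere),
            "anywhere": sorted(anywhere),
            "missing_in": missing_in}


def attack_techniques(signatures, mapping=ATTACK_MAP):
    """Deduplicated, ID-sorted (id, name) pairs for the signatures, plus the
    signatures the mapping does not cover."""
    techniques, unmapped = set(), []
    for sig in signatures:
        if sig in mapping:
            techniques.add(mapping[sig])
        else:
            unmapped.append(sig)
    return sorted(techniques), unmapped


if __name__ == "__main__":
    summary = compare_runs(RUNS)
    print("fired in every run:")
    for sig in summary["everywhere"]:
        print("  ", sig)
    print("run-dependent:")
    for sig, runs in summary["missing_in"].items():
        print(f"   {sig}  (absent in: {', '.join(runs)})")
    techs, unmapped = attack_techniques(summary["anywhere"])
    print("ATT&CK Mobile techniques (assumed mapping):")
    for tid, name in techs:
        print(f"   {tid}  {name}")
    for sig in unmapped:
        print("   unmapped:", sig)
```

Only the /proc/cpuinfo and /proc/meminfo reads are stable across all three images, which is the pattern of an environment check that runs before anything else; the clipboard and telephony behaviors depend on the image, so a single detonation would have under-reported this sample.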