Malware Analysis Report

2024-09-09 16:33

Sample ID 240612-wt84lsyclm
Target ea2fb762893f2453d255a8efbc69fc4ae85af546adac4288dd1eaea9dc52af41.bin
SHA256 ea2fb762893f2453d255a8efbc69fc4ae85af546adac4288dd1eaea9dc52af41
Tags
collection credential_access impact discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file ea2fb762893f2453d255a8efbc69fc4ae85af546adac4288dd1eaea9dc52af41.bin shows suspicious behavior.

Malicious Activity Summary

collection credential_access impact discovery persistence

Obtains sensitive information copied to the device clipboard

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 18:13

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 18:13

Reported

2024-06-12 18:17

Platform

android-x64-arm64-20240611.1-en

Max time kernel

144s

Max time network

133s

Command Line

com.google.massagg

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.google.massagg

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.google.massagg/logs/20240612181409747.log

MD5 b7a2e3403add4654910579a0410c8fc7
SHA1 def452b8c6c996ff5e662c2b5e11af4ef4cbdc1b
SHA256 e436f3e18c0f61ce29bb4c5efe4f57a286e032e39ad0cf55e696953ae0ddace0
SHA512 0fd5525e340d4da4697bc91bc258410b4cb10fe47bf6395fe10df614fbe60d45958244a93f576b6e30cdb82643b8fc0a4afac2d00299c02d69d66a113ab6cfd7

/data/data/com.google.massagg/logs/20240612181409757.log

MD5 84d073312fee519001a8c3c3c525f696
SHA1 218af3ea2d10aaedf09732855a5782ea0c2d3aad
SHA256 6b9d968433ba60099746b04e41c8b84ec853acd3b9c016c2dd0d735860432dba
SHA512 259ce9c3f8be266a913e4c8f63c34849dd81a9ab0d0e42d5bcb91be0898d94490cd2b1a8490deceb0fe4e68a8f36d04170867c9b8df19f5474ae9069c3406fbe

/data/data/com.google.massagg/no_backup/androidx.work.workdb-journal

MD5 e5ec5278fe3331527faf50e6ea8a3d1e
SHA1 75e5c272d84ec893bbb5f53f63bc285fbb4fd330
SHA256 8d627ddef88de4d74f827f6cbb818fe9314e2d150e746a79c603404d772112f0
SHA512 835a45e36f4fcafec0a317f20d4f1fb1a0b3b52106a2c6ee41f95b6cf5c3d15575875320e687c6566eed8415dc590bf641b23208ffda944c4fee33fe9f915d2b

/data/data/com.google.massagg/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.google.massagg/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.google.massagg/no_backup/androidx.work.workdb-wal

MD5 3a51e346fb9862397c54cb317ab94b15
SHA1 bed6fbab441f2ce91628bb3039fca8938aa025c2
SHA256 b849c5d2f4d063e5720deaea51af8fe9567dcac692f70d09f8b574abbf8b4e5a
SHA512 102bf5be818dee3d49079d34f53b0807cd68c4a1265fdb907667e00cf9d8bf7ace1b2e2c7f194d3f3d8444dad177a4654ab6afe2693891fa4640439ca6fe2787

/data/data/com.google.massagg/no_backup/androidx.work.workdb-wal

MD5 0e22e74cfafb2789ddd6862b802d145f
SHA1 72cbb815ce1db03a78a1560ed9ddf40055174aa0
SHA256 7019c496ba325c345cd5d02894998248c77b54f32f82f00d4bae730bb50fddaf
SHA512 7b24e81dec396a95ac99c099c0a2037502ff98b258be5912c6e0c833e35e65cce8ce102ff0abcd8672c68804fe4dad21153cb329f65281ae42651cf9f402da1e

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 18:13

Reported

2024-06-12 18:17

Platform

android-x86-arm-20240611.1-en

Max time kernel

49s

Max time network

140s

Command Line

com.google.massagg

Signatures

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.google.massagg

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.google.massagg/logs/20240612181412781.log

MD5 1586303b44ba41c476102dd087ee756a
SHA1 0538e59418eede7b078f999c906e1bc9022efadb
SHA256 eb4b3a51a6ab56dd64cf44b4172414de7ef57bcbec3d40e86b7d2ffa93225e6d
SHA512 6e2127108fa8e1d386d6032a884e72bd356e799b5211dfb1d217503ea25da58ade243ddfea3f1788d80ff46b2971d69ce67edac75bda2a2cf725d12cab09be9b

/data/data/com.google.massagg/logs/20240612181412803.log

MD5 20516ba6653e661f645826831af8f764
SHA1 f66b4a443b6464f59231770983fa1ef646ecdc2c
SHA256 ec85e54bf541ff8e9cdd5476fcd282ab3cbc2f6d50083bd4969869fa22621e94
SHA512 5800b2cb4a23267b51e4ed5f4ad1040da14ea249c324a83d33a185472fa238fe85fbeda4b2280cc1651483a5901a3fe882ccfcb537e523a48309d2cface0b8ab

/data/data/com.google.massagg/no_backup/androidx.work.workdb-journal

MD5 2c478c807efa28284c6e18b5d2feb8c7
SHA1 f47d3b677c2a9ce05ddf92d236d91ce99ca54d83
SHA256 650a026ce3fcbc6cf42f26efd86a53b9e4b1f0d19729b453fba6f3025734b5db
SHA512 16f2c09442c0c60ce378d16907db6fe90a2fd46739864ea994775120b197b0d68ba2d157ded69d8535dc8e7908a0ee02672cb0796113cdb84dd8ad2f8efa28a8

/data/data/com.google.massagg/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.google.massagg/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.google.massagg/no_backup/androidx.work.workdb-wal

MD5 f9e47150328b0699121a3fa371fac14b
SHA1 4dcc50155da111ddd691a8510b197a98cb7b495c
SHA256 9ded29db5aed0b1a871459f5952d8f540bc3edae86147640c3ac0e263845ed6f
SHA512 7130e34a96b958796fc364af61958ed0ef70aaaaa2b69bcc555cd4cae013245258d2373be79c66382aad22e7fa93a00bb5908cc74fcb13d766014fd5c59270b1

/data/data/com.google.massagg/no_backup/androidx.work.workdb-wal

MD5 0aa730ef1ce581ea4b2fdb59fe85b902
SHA1 65bd8ac66630fe87c6fcd534648bd0cb35e26d1d
SHA256 0e467dd62682521f2ed8502da15e46926811c799854c66c73f9d423275bde05d
SHA512 fe413e20541510a76d99324b44f56c4b62f00a61f00a7c2bdc9c36477dde00bf552f60e0053bf89779a2c66d90e679949fae1945de31491c792e5c499e7a4323

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 18:13

Reported

2024-06-12 18:17

Platform

android-x64-20240611.1-en

Max time kernel

53s

Max time network

149s

Command Line

com.google.massagg

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.google.massagg

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.169.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 172.217.169.78:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 172.217.169.42:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp
GB | 172.217.169.14:443 | | tcp

Files

/data/data/com.google.massagg/logs/20240612181410671.log

MD5 579d2d7b4cc1cc7162fd855bfd6c57b4
SHA1 f5673ef6674ccce2e26e613f855018b9c49c6ed6
SHA256 a527315c197b998b941bec8bd023afda48cd376ef49ff4d080c8150c7ec158b7
SHA512 88f8c86b27ed5d76406d97a883a32d1cf85c37f10b4ed5c77f037a2672363c5bad53d0861e189a20393f0b2d3e99c3f0c217821bf2896e55c2e6761548c58bde

/data/data/com.google.massagg/logs/20240612181410723.log

MD5 135decde98795c4bac0beda14a582e5b
SHA1 850e70b84146b8b948c39e8c98d51eb4112b20db
SHA256 0ec5ef602ff6d6e5bb2164cc6ad7228dc57c2f5bf821c664bb26a89638a53c74
SHA512 40e626fb170600e3502c0c6205b456127f5f6dc683dad3ea057363f7693beff01265b8af121bacc2c84937a11d3e598567246aaf6f9891c2dae8c0e45f186466

/data/data/com.google.massagg/no_backup/androidx.work.workdb-journal

MD5 08de36bbc82056dbd39fbe54a96efba5
SHA1 7f4034bf615b396175b931f31935577fd4b4fda3
SHA256 84f26c9e8edb9d03c63375714c41c516bbafcbc2da8b9c1863eee98ea0c52482
SHA512 59641d288291af8a0b4b90e14fdbd5981f52a88da0cd5dd555dc607cca70bd3606177280e8405be11e75dae572d28bff58d1b314f9bc80c8f46567385493e122

/data/data/com.google.massagg/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.google.massagg/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.google.massagg/no_backup/androidx.work.workdb-wal

MD5 92bba88649943bf52e03064266a95264
SHA1 0b7c3ecc23015a7ed1e2cc5ac42c08cee8777bfe
SHA256 65901d32c5bc64c342d6e1d53cfddbdce40ddb882c28e9c5a5cf49bc77ed205f
SHA512 41fa96bd3be6833b7c1bc013101aa5d1826dda3f66891edd0cfa8422ef394da6b0db79b261a5b5836fdf8c4366ffb0a1177a26013dad48d3f74ebb74f033756e

/data/data/com.google.massagg/no_backup/androidx.work.workdb-wal

MD5 3a046b829864018f62142f236dad063b
SHA1 8e3b0f427a74dbe70d340da739cbe6c609489970
SHA256 9e9c8d9d4f052ce448ede411f54b48899effcd612fef496a6eb3319f2e3fc3a9
SHA512 7e80260e04c7d6d611b83f1954698bd8c1127f65a65c51cdb551a40e943742c89753a60734e235b6f5095f66aaf3ae5725e430d32945a668a10c7cf3b540f16d