Malware Analysis Report

2024-10-10 10:55

Sample ID 240612-zbn79sshlr
Target https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627
score
3/10

Analysis Overview

score
3/10

Threat Level: Likely benign

The submitted URL https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627 was classified as: Likely benign.

Malicious Activity Summary

Enumerates kernel/hardware configuration

Reads runtime system information

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 20:32

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 20:32

Reported

2024-06-12 20:37

Platform

android-x64-arm64-20240611.1-en

Max time kernel

190s

Max time network

207s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 itunes.apple.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 itunes.apple.com udp
BE 64.233.167.84:443 accounts.google.com tcp
GB 2.19.0.23:443 itunes.apple.com tcp
US 1.1.1.1:53 apps.apple.com udp
GB 2.18.108.21:443 apps.apple.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 js-cdn.music.apple.com udp
GB 104.115.32.246:443 www.apple.com tcp
GB 104.115.32.246:443 www.apple.com tcp
GB 184.87.189.40:443 js-cdn.music.apple.com tcp
GB 184.87.189.40:443 js-cdn.music.apple.com tcp
US 1.1.1.1:53 amp-api-edge.apps.apple.com udp
US 1.1.1.1:53 is1-ssl.mzstatic.com udp
US 1.1.1.1:53 is2-ssl.mzstatic.com udp
GB 104.86.110.248:443 amp-api-edge.apps.apple.com tcp
GB 2.18.108.21:443 is1-ssl.mzstatic.com tcp
GB 2.19.0.23:443 is2-ssl.mzstatic.com tcp
GB 104.115.32.246:443 www.apple.com tcp
US 1.1.1.1:53 is5-ssl.mzstatic.com udp
US 1.1.1.1:53 is4-ssl.mzstatic.com udp
US 1.1.1.1:53 is3-ssl.mzstatic.com udp
GB 2.18.80.28:443 is5-ssl.mzstatic.com tcp
GB 2.19.0.23:443 is4-ssl.mzstatic.com tcp
GB 2.18.108.21:443 is3-ssl.mzstatic.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 172.217.16.227:443 update.googleapis.com tcp
GB 172.217.16.234:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 216.58.204.67:443 update.googleapis.com tcp
US 1.1.1.1:53 apps.apple.com udp
US 1.1.1.1:53 apps.apple.com udp
US 1.1.1.1:53 apps.apple.com udp
GB 2.18.80.28:443 apps.apple.com tcp

Files

files/dom-0.html

MD5 2e7c85f68feb7e537513f3c0499152d4
SHA1 155edbd1a631a0de26b15658590f4fa2bf83a702
SHA256 7a8eede4a38712cf5f79735b252b0a3d15a4966b54f782cf6ae9085c61eb0294
SHA512 24cb94e96e78adff873309236d0502e43d2b98d2543e61a8d4f94ed709ea88d3fbaaa374806e1929864a36327ae9a328de803603b2fedc8b9ae1e270a8fae13b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 20:32

Reported

2024-06-12 20:36

Platform

android-x86-arm-20240611.1-en

Max time kernel

117s

Max time network

139s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 itunes.apple.com udp
GB 2.18.108.21:443 itunes.apple.com tcp
GB 2.18.108.21:443 itunes.apple.com tcp
US 1.1.1.1:53 apps.apple.com udp
US 1.1.1.1:53 amp-api-edge.apps.apple.com udp
US 1.1.1.1:53 is1-ssl.mzstatic.com udp
US 1.1.1.1:53 is2-ssl.mzstatic.com udp
US 1.1.1.1:53 js-cdn.music.apple.com udp
GB 104.115.32.246:443 www.apple.com tcp
GB 104.115.32.246:443 www.apple.com tcp
GB 2.18.108.21:443 is1-ssl.mzstatic.com tcp
GB 104.115.32.246:443 www.apple.com tcp
US 2.18.190.73:443 amp-api-edge.apps.apple.com tcp
GB 2.18.80.28:443 is2-ssl.mzstatic.com tcp
US 1.1.1.1:53 is5-ssl.mzstatic.com udp
GB 184.87.189.40:443 js-cdn.music.apple.com tcp
GB 184.87.189.40:443 js-cdn.music.apple.com tcp
US 1.1.1.1:53 is4-ssl.mzstatic.com udp
GB 2.18.80.28:443 is5-ssl.mzstatic.com tcp
US 1.1.1.1:53 is3-ssl.mzstatic.com udp
GB 2.18.108.21:443 is4-ssl.mzstatic.com tcp
GB 2.18.80.28:443 is3-ssl.mzstatic.com tcp
GB 2.18.108.21:443 is4-ssl.mzstatic.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.180.3:443 update.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp

Files

files/dom-0.html

MD5 364c8e83849b2c5d91a7b7c4231bc70a
SHA1 edb32c401f333293e075d63cf05f84fe3448d952
SHA256 bf4f57e261f4b2dd569854137c4a20fa34246f18a268596efcb7b8467a1b7bd6
SHA512 fdf2dac1e36abeec8bad1b402fafa5bea9af0d0e87e7582402139611725798e28624518e9088af7d9ab87bdf4334e1e300494644d00583d207d2342f2c55f8a2

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 20:32

Reported

2024-06-12 20:33

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-12 20:32

Reported

2024-06-12 20:33

Platform

debian9-mipsbe-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-12 20:32

Reported

2024-06-12 20:33

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-12 20:32

Reported

2024-06-12 20:36

Platform

ubuntu1804-amd64-20240508-en

Max time kernel

0s

Max time network

210s

Command Line

[xdg-open https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627]

Signatures

Enumerates kernel/hardware configuration

Description Indicator Process Target
File opened for reading /sys/bus/pci/devices/0000:00:01.1/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:03.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:00.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:05.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:02.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:06.0/vendor /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/device /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/class /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:04.0/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.1/irq /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.3/resource /usr/lib/firefox/firefox N/A
File opened for reading /sys/bus/pci/devices/0000:00:01.0/device /usr/lib/firefox/firefox N/A

Reads runtime system information

Description Indicator Process Target
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd /usr/bin/dbus-send N/A
File opened for reading /proc/self/task/1611/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/task/1637/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/fd /usr/bin/dbus-send N/A
File opened for reading /proc/self/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/self/task/1624/stat /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /bin/sed N/A
File opened for reading /proc/filesystems /usr/lib/firefox/firefox N/A
File opened for reading /proc/filesystems /bin/sed N/A

Processes

/usr/bin/xdg-open

[xdg-open https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/dbus-launch

[dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr]

/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/xprop

[xprop -root]

/bin/grep

[grep -q ^Enlightenment]

/bin/uname

[uname]

/bin/grep

[grep -q ^file://]

/bin/egrep

[egrep -q ^[[:alpha:]+\.\-]+:]

/usr/local/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/local/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/usr/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/sbin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/bin/grep

[grep -E -q ^[[:alpha:]+\.\-]+:]

/bin/sed

[sed -n s/\(^[[:alnum:]+\.-]*\):.*$/\1/p]

/usr/bin/xdg-mime

[xdg-mime query default x-scheme-handler/https]

/usr/bin/dbus-send

[dbus-send --print-reply --dest=org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus.GetNameOwner string:org.gnome.SessionManager]

/usr/bin/dbus-launch

[dbus-launch --autolaunch 11c67417355f45d397f6be11f62e85a6 --binary-syntax --close-stderr]

/bin/grep

[grep = \"xfce4\"$]

/usr/bin/xprop

[xprop -root _DT_SAVE_MODE]

/bin/grep

[grep -i ^xfce_desktop_window]

/usr/bin/xprop

[xprop -root]

/bin/grep

[grep -q ^Enlightenment]

/bin/uname

[uname]

/bin/sed

[sed s/:/ /g]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /.local/share/applications/defaults.list /.local/share/applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /usr/local/share//applications/defaults.list /usr/local/share//applications/mimeinfo.cache]

/usr/bin/cut

[cut -d ; -f 1]

/usr/bin/cut

[cut -d = -f 2]

/usr/bin/head

[head -n 1]

/bin/grep

[grep x-scheme-handler/https= /usr/share//applications/defaults.list /usr/share//applications/mimeinfo.cache]

/bin/sed

[sed s/:/ /g]

/bin/sed

[sed -e s|-|/|]

/bin/sed

[sed -e s|-|/|]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/which

[which firefox]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/cut

[cut -d= -f 2-]

/usr/bin/firefox

[/usr/bin/firefox https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627]

/usr/bin/which

[which /usr/bin/firefox]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627]

/bin/grep

[grep -q %s]

/usr/bin/x-www-browser

[x-www-browser https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627]

/usr/bin/which

[which /usr/bin/x-www-browser]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627]

/bin/grep

[grep -q %s]

/usr/bin/firefox

[firefox https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627]

/usr/bin/which

[which /usr/bin/firefox]

/usr/lib/firefox/firefox

[/usr/lib/firefox/firefox https://itunes.apple.com/us/app/1-1-1-1-faster-internet/id1423538627]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

/bin/grep

[grep -q %s]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 185.125.188.61:443 tcp
GB 185.125.188.61:443 tcp
US 151.101.1.91:443 tcp
GB 89.187.167.3:443 tcp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 1527653184.rsc.cdn77.org udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 1.1.1.1:53 connectivity-check.ubuntu.com udp
US 151.101.1.91:443 tcp
US 1.1.1.1:53 daisy.ubuntu.com udp
US 151.101.65.91:443 tcp
US 151.101.193.91:443 tcp

Files

N/A