Malware Analysis Report

2024-09-09 12:45

Sample ID 240613-2yaphatgpe
Target 6b704420fd6578444089c28bc744b5bb2dff56bae1e2660bcdaa2d87c61f60e4.bin
SHA256 6b704420fd6578444089c28bc744b5bb2dff56bae1e2660bcdaa2d87c61f60e4
Tags
collection credential_access discovery impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

6b704420fd6578444089c28bc744b5bb2dff56bae1e2660bcdaa2d87c61f60e4

Threat Level: Shows suspicious behavior

The file 6b704420fd6578444089c28bc744b5bb2dff56bae1e2660bcdaa2d87c61f60e4.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery impact persistence

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:58

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:58

Reported

2024-06-13 23:02

Platform

android-x64-20240611.1-en

Max time kernel

49s

Max time network

159s

Command Line

yes.debug.yesbnak

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

yes.debug.yesbnak

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 151.101.2.137:443 | code.jquery.com | tcp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 172.217.16.234:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 172.217.16.226:443 | | tcp |
| GB | 142.250.178.14:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 172.217.169.46:443 | | tcp |

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 590ccebcb35cb0cfc5707fa579c60be4
SHA1 818f7bbc56ce07c87fd0098b1013b4ad072e71ca
SHA256 76de1b06f1964dc8719c65feb5fe26c7d07e4763177d524849b5eee068017242
SHA512 dd028c7212aa6cb7df5ebd0f87affc7eb972e3986eff641d42d53e232c158a3b1bb5389253924b211ff1fad56d2ea6ec035054f92a8029da1b67180fa1587488

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 a71e63b01507e246f6a3922e7444cafe
SHA1 f5df7fc1dc020a92b38a90c54ecaee33a7bd8b23
SHA256 25176e905fa5376ce7c3c8592dec16edd4e65db5771cea2f27b8792503bcff7a
SHA512 08c80dfd38b4eb2ff9199515321b92414621f857e5fa00dcbee16e3e1be9b25c0967b6d6c01b8408c8df78c1a7d4893b7a011d985e4042a6828e175d9e5b0db4

/data/data/yes.debug.yesbnak/files/profileInstalled

MD5 b2195d8710a4dc10fe456e68b8d6e78a
SHA1 9c0865b3464fb99bcb98f0baca9a66cdaeba2d89
SHA256 4aeb88f753b85cc561367913386436576be4b1e202644e59476dac1e78fdc062
SHA512 414953ff202f7540fb37d22889184e2f6bfaeee65d5b2a5d5b712d949e2e1ab0b6f23f527849ec52e168fd28464972ab768ab08f033848c3b01eafd39072c458

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 22:58

Reported

2024-06-13 23:02

Platform

android-x64-arm64-20240611.1-en

Max time kernel

27s

Max time network

132s

Command Line

yes.debug.yesbnak

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

yes.debug.yesbnak

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.234:443 | | tcp |
| GB | 172.217.16.234:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 151.101.66.137:443 | code.jquery.com | tcp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 590ccebcb35cb0cfc5707fa579c60be4
SHA1 818f7bbc56ce07c87fd0098b1013b4ad072e71ca
SHA256 76de1b06f1964dc8719c65feb5fe26c7d07e4763177d524849b5eee068017242
SHA512 dd028c7212aa6cb7df5ebd0f87affc7eb972e3986eff641d42d53e232c158a3b1bb5389253924b211ff1fad56d2ea6ec035054f92a8029da1b67180fa1587488

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 7bfaf2628fafd8628ca93d288b2d57ce
SHA1 fb712484cabf354c648e2b66d2e953574144fe29
SHA256 c926cb60a6869bbadfa6062375d2b96e630d92271ced4cfcb8aa75acdbac7754
SHA512 b9bca68560482b4fab03cd38ddf468c22beb82d8d8047fd2599ae1bfbbf1ec04c8ba47e2175b218da95ba4440d30156079eba57e9332c59e323cbbc680010d6e

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:58

Reported

2024-06-13 23:02

Platform

android-x86-arm-20240611.1-en

Max time kernel

47s

Max time network

131s

Command Line

yes.debug.yesbnak

Signatures

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

yes.debug.yesbnak

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 104.18.186.31:443 | cdn.jsdelivr.net | tcp |
| US | 104.18.186.31:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.130.137:443 | code.jquery.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |

Files

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 590ccebcb35cb0cfc5707fa579c60be4
SHA1 818f7bbc56ce07c87fd0098b1013b4ad072e71ca
SHA256 76de1b06f1964dc8719c65feb5fe26c7d07e4763177d524849b5eee068017242
SHA512 dd028c7212aa6cb7df5ebd0f87affc7eb972e3986eff641d42d53e232c158a3b1bb5389253924b211ff1fad56d2ea6ec035054f92a8029da1b67180fa1587488

/data/data/yes.debug.yesbnak/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 eb962e32fd38c5de1900e0dee583b87c
SHA1 b58a8124655a57b77833a351a2f91eef0107561c
SHA256 36aa677e4aebb058a0918ee3643679f26a193048b69527a7096fb20b38357ee3
SHA512 91144bd3cc715da2a53f0f54ece6ea6b3e4f2fdf88401621cc970148db7b00471e8b9dfb9fdda891f1723931d0b0104fc7c6972bb8bee15bdd9b6656530ef953

/data/data/yes.debug.yesbnak/files/profileInstalled

MD5 c9223151aa382772f7d40501466066d2
SHA1 3e06b12470c88770026c12b8b0e85f419f058204
SHA256 5bca9c01856c6e1c86399d818557fd163a878838f13c85dacfd9b20d683fad0a
SHA512 34569cba341eaee63268fe060eb3dc310db293ab7bb10269c01dded94c1415f9cc071c9bf29485aa79f46a22e0449c36aa29eb4f7394564520ed41850564e2b9

/data/misc/profiles/cur/0/yes.debug.yesbnak/primary.prof

MD5 3a1a32ecc8ae161b5a374a2b270f5110
SHA1 3cc899c38ac8b17f22ddb24c42a558ebdfb26b3f
SHA256 a518cc4a8e4b427067b2ea9cf5bfa44b80194dccfc8fe6cda93569a76b1bd385
SHA512 7647c3e3859e08c9b3175b3925a2fe8f65422f73eab8cee24d99b7fd5fa58f538e8f5e218b3810c2750251254cc1ec23a4f8df029b35f59850bbd356197460e2