Malware Analysis Report

2024-09-09 17:53

Sample ID 240613-cmbpzs1bma
Target c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b
SHA256 c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b

Threat Level: Likely malicious

The file c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 02:11

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
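The static findings above (a receiver gated on BIND_DEVICE_ADMIN, a service gated on BIND_ACCESSIBILITY_SERVICE, and the SMS/call/location/audio/overlay permission set) are what an analyst checks first in a decoded AndroidManifest.xml. The following is an added triage script, not code from the sandbox or from the sample; the manifest it parses is constructed here to reproduce the report's permission list and bind requirements, and the component names .UpdateReceiver and .UpdateService are assumptions. On a real sample, feed it the manifest decoded by apktool.

```python
"""Static triage of an Android manifest for the capabilities this report lists.

Added example; the manifest below is constructed to match the report's
findings, and the component names are assumed, not taken from the sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Permission groups that, taken together, describe surveillance capability.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
              "android.permission.PROCESS_OUTGOING_CALLS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.READ_CALENDAR"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Constructed manifest reproducing the report's static signatures.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="Aktualizacja.apps">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".UpdateReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".UpdateService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the permission set, capability groups and privileged components."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    # A receiver that requires BIND_DEVICE_ADMIN is a device-admin receiver:
    # once activated the user must revoke admin before the app can be uninstalled.
    device_admin = [e.get(NAME) for e in root.iter("receiver")
                    if e.get(PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"]
    # A service that requires BIND_ACCESSIBILITY_SERVICE can read screen content
    # and inject input once the user enables it in accessibility settings.
    accessibility = [e.get(NAME) for e in root.iter("service")
                     if e.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"]
    caps = sorted(name for name, needed in CAPABILITIES.items() if perms & needed)

    findings = []
    if device_admin:
        findings.append("device-admin receiver: %s" % ", ".join(device_admin))
    if accessibility:
        findings.append("accessibility service: %s" % ", ".join(accessibility))
    if accessibility and "overlay" in caps:
        findings.append("overlay window plus accessibility service")
    return {"package": root.get("package"), "permissions": perms,
            "capabilities": caps, "device_admin": device_admin,
            "accessibility": accessibility, "findings": findings}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], len(result["permissions"]), "permissions")
    print("capabilities:", ", ".join(result["capabilities"]))
    for f in result["findings"]:
        print("-", f)
```

The script only reads the manifest; it cannot tell whether the accessibility service or device-admin receiver is ever activated, which is why the behavioral run below matters. Note that BIND_DEVICE_ADMIN and BIND_ACCESSIBILITY_SERVICE are not requested by the app but required of the system caller, so they appear on the component, not as uses-permission entries.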

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 02:11

Reported

2024-06-13 02:15

Platform

android-x86-arm-20240611.1-en

Max time kernel

174s

Max time network

130s

Command Line

Aktualizacja.apps

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

Aktualizacja.apps (the package name doubles as the process name; "Aktualizacja" is Polish for "update")

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.nxspy.eu | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

The same path, /data/data/Aktualizacja.apps/files/libaudio.so, is listed five times with five different hash sets: the app rewrote this file during the run, so each of the five SHA256 values is a distinct artifact to keep.

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 a6626b6be207dd28d7c5ec10292fb2c0
SHA1 2d78e6e096deb31d66d259f08d01ee130f1957c1
SHA256 7e1569b1ba9d29127668edf77c72b219ad41dfc3acfbc8ab6421db31ed3cb99f
SHA512 f07b98739861c25b1050c267a8e47dff6439e25065494dd388a772ba799652c9c80560c54fc0f3c117bd077e66c64d3520eba4af531496925d338487b9915fb9

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 ceb082d7ebf7cd3e2aaf384f55c45176
SHA1 b72ee1069e96d014a358db9b277c429efa280e76
SHA256 f1b90b9829645401fe387475b5b89c6d37d8b72c47d0d70dec40b3ffd0019da0
SHA512 572269e1c2e29079fa33ee3819583923e484b7541c0fd53e84b4b2db37543208834260b6ff8a423c9a9345dc8d059d2190947c7bacee733da8d28739efbd4d6b

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 5aa112577476305d1ef5dc61f054768d
SHA1 403a0ac6bf7d59aed5e745fd44bddb97f9f36bf1
SHA256 44929fdc916767454df31951b920ee0c3e4678d3ac5656ddb1f1083b1662dc0b
SHA512 5681d7e4b8bede319b6657b2a3059bea2e095bd04525fbba067c1d6a3bb3ff64988c1d58daf45437a61de2d91fe0e8c01c8575a484be64fb0fa196bb0760e1ac

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 1e39907aa6017c469dd9e2d157140773
SHA1 ce63e97fa2c481a110ec82c8e832aad7f6745d16
SHA256 8744ecf753ca5a359cc816825a8891db39a0e24fcd2a690a8984b196fc49014d
SHA512 0d3bdc12e882bb3358714af15c59450cba0c82d657a865b183ac4e3906ffdc2379273502a404766e8e306639be979db1fbbfbd252bd012efb198af1a7bca56f1

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 93430ad38934d8445d4b52d662dcd3f0
SHA1 88db180e5ea8d47482379f75179b24aa25752b48
SHA256 77cb9f4ebbda9aee86c26e632e70f68c54a0e3ab3d16e9fe857e41e7b7525864
SHA512 eb727b53ca472a56db5b67388547a3e6448435a92b42f661394e8b2b11bb05ac77e4b11869c2f8234606557523df135131ebfc17d196b0c30e96594e2a56d74a
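The Network and Files tables are the parts of this report that turn into indicators. Below is an added IOC-extraction script, not code from the sandbox; the two table excerpts it parses are copied from this report (the Files excerpt keeps only path and SHA256), and the list of Google API host suffixes it treats as noise is an assumption of the example, not a verdict from the sandbox. It separates mDNS multicast from DNS queries from direct connections, keeps the queried names rather than the resolver address, and reports any path that was written more than once with different content.

```python
"""Extract IOCs from the report's Network and Files tables.

Added example; table excerpts are copied from the report, the benign-suffix
list is an assumption of this script.
"""
from collections import defaultdict

NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.nxspy.eu udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
"""

# Path and SHA256 of each Files entry (MD5, SHA1 and SHA512 omitted here).
FILES_TABLE = """\
/data/data/Aktualizacja.apps/files/libaudio.so
SHA256 7e1569b1ba9d29127668edf77c72b219ad41dfc3acfbc8ab6421db31ed3cb99f
/data/data/Aktualizacja.apps/files/libaudio.so
SHA256 f1b90b9829645401fe387475b5b89c6d37d8b72c47d0d70dec40b3ffd0019da0
/data/data/Aktualizacja.apps/files/libaudio.so
SHA256 44929fdc916767454df31951b920ee0c3e4678d3ac5656ddb1f1083b1662dc0b
/data/data/Aktualizacja.apps/files/libaudio.so
SHA256 8744ecf753ca5a359cc816825a8891db39a0e24fcd2a690a8984b196fc49014d
/data/data/Aktualizacja.apps/files/libaudio.so
SHA256 77cb9f4ebbda9aee86c26e632e70f68c54a0e3ab3d16e9fe857e41e7b7525864
"""

# Assumption of this example: Google API hosts are sandbox/platform noise.
BENIGN_SUFFIXES = (".google.com",)


def parse_network(text):
    """Rows are 'country dest [domain] proto'; the domain column may be empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    if row["ip"].startswith("224."):
        return "multicast"      # 224.0.0.251:5353 is mDNS, local noise
    if row["port"] == 53:
        return "dns"            # the IOC is the queried name, not the resolver
    return "connection"


def extract_iocs(rows, benign=BENIGN_SUFFIXES):
    domains, ips = [], []
    for row in rows:
        kind = classify(row)
        if kind == "multicast":
            continue
        dom = row["domain"]
        if dom and dom.endswith(benign):
            continue
        if kind == "dns":
            if dom and dom not in domains:
                domains.append(dom)
        elif dom is None and row["ip"] not in ips:
            ips.append(row["ip"])   # direct connection with no resolved name
    return {"domains": domains, "ips": ips}


def parse_files(text):
    """Pair each path line with the SHA256 line that follows it."""
    records, path = [], None
    for line in text.splitlines():
        if line.startswith("/"):
            path = line.strip()
        elif line.startswith("SHA256 ") and path:
            records.append((path, line.split()[1]))
    return records


def rewritten_paths(records):
    """Paths written more than once with different content during detonation."""
    seen = defaultdict(list)
    for path, sha in records:
        if sha not in seen[path]:
            seen[path].append(sha)
    return {p: s for p, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    print(extract_iocs(parse_network(NETWORK_TABLE)))
    for path, hashes in rewritten_paths(parse_files(FILES_TABLE)).items():
        print(path, "rewritten, %d distinct versions" % len(hashes))
```

On this report the only queried name outside the assumed-benign set is www.nxspy.eu. The unresolved 142.250.187.206 lands in the IP list because the table gives no name for it; it sits in the same /24 as the address that the report does tie to android.apis.google.com, so treat it as probable Google traffic but confirm before listing it as an indicator. All five libaudio.so hashes come back as versions of a single rewritten path.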