Malware Analysis Report

2024-09-09 17:33

Sample ID: 240613-mymlqszcml
Target: snake_v_1.0.4.apk
SHA256: 3bb22dda32dadbb8267566a538c5d7161bbe28c7a8a17ae4c883d1dc856be184
Tags: discovery, evasion
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: 3bb22dda32dadbb8267566a538c5d7161bbe28c7a8a17ae4c883d1dc856be184
Threat level: shows suspicious behavior

The file snake_v_1.0.4.apk was classified as showing suspicious behavior (score 7/10); no signature in this report is rated outright malicious.

Malicious Activity Summary

Tags: discovery, evasion

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-13 10:52

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to recognize physical activity. | android.permission.ACTIVITY_RECOGNITION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. | android.permission.BODY_SENSORS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Required to be able to discover and pair nearby Bluetooth devices. | android.permission.BLUETOOTH_SCAN | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to use SIP service. | android.permission.USE_SIP | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
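The two static1 signatures above can be reproduced offline against a decoded manifest. The script below is an added example, not code from the sandbox or from the sample: it parses a text AndroidManifest.xml, lists requested permissions that fall in the report's dangerous set, and reports services guarded by a system-only bind permission. The SAMPLE_MANIFEST is constructed to mirror what static1 reports about com.iron.pen and is not the sample's real manifest (which ships as binary AXML and must first be decoded, for example with apktool). The SYSTEM_BIND_PERMISSIONS set generalises beyond the page by also covering the accessibility and device-admin bind permissions.

```python
# Added example (not code from the sandbox or from the sample): reproduce the
# static1 signatures against a decoded (text) AndroidManifest.xml.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS
A_EXPORTED = "{%s}exported" % ANDROID_NS

# The permissions the report lists under "Requests dangerous framework permissions".
DANGEROUS_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES", "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.CAMERA", "android.permission.ACTIVITY_RECOGNITION",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.BODY_SENSORS", "android.permission.GET_ACCOUNTS",
    "android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
    "android.permission.ANSWER_PHONE_CALLS", "android.permission.RECORD_AUDIO",
    "android.permission.BLUETOOTH_CONNECT", "android.permission.BLUETOOTH_SCAN",
    "android.permission.WRITE_CALENDAR", "android.permission.READ_CALENDAR",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.USE_SIP", "android.permission.SCHEDULE_EXACT_ALARM",
    "android.permission.CALL_PHONE", "android.permission.POST_NOTIFICATIONS",
}

# Permissions only the system holds: a service guarded by one of them is declared
# so that the framework can bind to it (the "bind to the system" signature).
# The page only mentions the notification-listener one; the other two are added here.
SYSTEM_BIND_PERMISSIONS = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}

# Constructed manifest mirroring what static1 reports; NOT the sample's real manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.iron.pen">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="snake">
    <service android:name=".NotifSvc" android:exported="true"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".PlainSvc" android:exported="false"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Return the dangerous permissions requested and the services that declare a
    system-only bind permission, given decoded manifest text."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission> and <service> carry no namespace; their attributes do.
    requested = [e.get(A_NAME) for e in root.iter("uses-permission")]
    dangerous = sorted(p for p in requested if p in DANGEROUS_PERMISSIONS)

    system_bind_services = []
    for svc in root.iter("service"):
        perm = svc.get(A_PERMISSION)
        if perm in SYSTEM_BIND_PERMISSIONS:
            actions = [a.get(A_NAME) for a in svc.iter("action")]
            system_bind_services.append({
                "name": svc.get(A_NAME), "permission": perm,
                "exported": svc.get(A_EXPORTED) == "true", "actions": actions,
            })
    return {"package": root.get("package"), "requested": requested,
            "dangerous": dangerous, "system_bind_services": system_bind_services}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print("package:", result["package"])
    print("dangerous permissions:", ", ".join(result["dangerous"]))
    for svc in result["system_bind_services"]:
        print("system-bound service:", svc["name"], "via", svc["permission"], svc["actions"])
```

A requested permission only says what the app may ask for at runtime; the behavioral runs below show which of these capabilities were actually exercised during detonation, so read the two together rather than scoring on the manifest alone.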

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 10:52
Reported: 2024-06-13 10:56
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 22s
Max time network: 131s

Command Line

com.iron.pen

Signatures

Loads dropped Dex/Jar

Tag: evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.iron.pen/files/.plugin/version-1/base.apk | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.iron.pen

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
DE | 213.136.68.185:9954 | (none) | tcp
GB | 172.217.16.238:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
DE | 213.136.68.185:9954 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
DE | 213.136.68.185:9954 | (none) | tcp
GB | 216.58.201.100:443 | (none) | tcp
GB | 216.58.201.100:443 | (none) | tcp
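Most rows in this table are the sandbox's own plumbing (link-local mDNS, the resolver) or Google telemetry endpoints that the app's bundled analytics libraries contact. What a practitioner wants pulled out is the flow with no resolved name on a non-standard port, repeated three times: 213.136.68.185:9954. The script below is an added example, not part of the sandbox output; it parses the rows exactly as printed above and separates infrastructure noise from connections worth following up. The INFRASTRUCTURE and COMMON_PORTS sets are assumptions chosen for this report (1.1.1.1:53 is the resolver seen in these rows; 5228 is the port Google's push service uses), not sandbox configuration.

```python
# Added example (not part of the sandbox report): triage the behavioral1
# network rows into infrastructure noise and connections worth a closer look.
from collections import Counter

# Rows copied from the behavioral1 Network table: country, dest, optional domain, proto.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
DE 213.136.68.185:9954 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 213.136.68.185:9954 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.213.14:443 android.apis.google.com tcp
DE 213.136.68.185:9954 tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
"""

# Assumption: these are sandbox plumbing, not sample behaviour. 224.0.0.251:5353
# is link-local mDNS; 1.1.1.1:53 is the resolver the platform used in these rows.
INFRASTRUCTURE = {("224.0.0.251", 5353), ("1.1.1.1", 53)}
# Assumption: ports on which an unnamed flow is unremarkable by itself
# (DNS, HTTP, HTTPS, Google push service, mDNS).
COMMON_PORTS = {53, 80, 443, 5228, 5353}


def parse_rows(text):
    """Parse 'country dest [domain] proto' rows; a missing domain becomes None."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError("unexpected row: %r" % line)
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage_network(text):
    """Bucket each (host, port) into infrastructure, no-domain, or suspicious
    (no domain AND uncommon port), and count how often each was contacted."""
    rows = parse_rows(text)
    counts = Counter((r["host"], r["port"]) for r in rows)
    infra, no_domain, suspicious = set(), set(), set()
    for r in rows:
        key = (r["host"], r["port"])
        if key in INFRASTRUCTURE:
            infra.add(key)
            continue
        if r["domain"] is None:
            no_domain.add(key)
            if r["port"] not in COMMON_PORTS:
                suspicious.add(key)
    return {"counts": counts, "infrastructure": infra,
            "no_domain": no_domain, "suspicious": suspicious}


if __name__ == "__main__":
    result = triage_network(NETWORK_ROWS)
    for host, port in sorted(result["suspicious"]):
        print("follow up: %s:%d contacted %d times, no DNS name seen"
              % (host, port, result["counts"][(host, port)]))
```

A missing domain only means the sandbox did not tie a DNS answer to that flow; 216.58.201.100:443 and 172.217.16.238:443 sit in the same Google ranges as the named rows and are not flagged. The 9954/tcp flow is flagged because neither heuristic explains it, not because this report attributes it to any host; the report itself gives no domain, payload, or process for it.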

Files

/data/data/com.iron.pen/files/.plugin/version-1/base.apk

MD5 a98c28dc0272b24c29fc639821fad349
SHA1 f84b4df9fd21e1ca5e3e8193ddb3d2da044755d9
SHA256 f46ad8da663b59f8ef7e885aae2c792cdd2a31bf761863cb552ceb2ddeb67752
SHA512 d7faedda36d44e1e59ff1cc08d2652759eb698803cdecc0b9fab1abb1608c704c7e3c38979f10aeb96e695525d3b7b8fc9ebe1ab15b472fdce116a6687d4dc49

/data/data/com.iron.pen/files/.plugin/version-1/lib/arm64-v8a/libmultiapp.so

MD5 b778e63cf74eb658bd7e3bbfed2578a4
SHA1 fd30b92c3e1c15b67e20e7428aff3865079b1acf
SHA256 384a503a35fe38c9759e770834cee620db4acebcf63caff6d680271510009dc8
SHA512 7433c08d4cf748b3cc59e1cf0c990cebbb507a79abebba56241036f6d686c1fca200cc7477f3a0b9b18fbf4d32b400ffe09e522d1a6ed169ec60ce0095e1a0f3

/data/data/com.iron.pen/files/.plugin/version-1/lib/armeabi-v7a/libmultiapp.so

MD5 4dd11f21d6fab32bc40dcc941311eefb
SHA1 6dd088e75130dcffa988e5e77424e513a631d8b1
SHA256 8270640e722e069c88b7db84981a8a35aeb8801bb6002970dfaeaee3f7ef24f0
SHA512 2a6202359654d503ec93aeb03405176a1dca4e9bf22295e2e924f7921e8be7e0f8e90b485f819e0797fa62ef3c2f0522237f52d968106aa9d68e5fc48b8d6ede

/data/data/com.iron.pen/files/.plugin/version.json

MD5 901cbc4a87aa42cc0d0f78860152edf1
SHA1 04a8a2a2d7cd59346f9f782e02d65fe2a881303e
SHA256 94b71f6eea0faeec43b06faadfccf0d7e6cd302cf92fc986f9b58601c5a127d8
SHA512 e29d51cc0044e816d3148d53c57e9784af77c58cc780c2c147b4fe373d1120e19704247c6ab022d27e54954069e6547df7ce7ddec878513949531a8949fc49a9

/data/user/0/com.iron.pen/files/.plugin/version-1/base.apk

MD5 7837ddb24249f4ea00e698cc428f43be
SHA1 a64cd3bc41f95fe2dc6ec4dd179f7070ed9d17f6
SHA256 ffab4110e1d89a25eb791f37d364faabc39b1d5a2a194ae1b22013ded287177a
SHA512 c4bd14e74ed1473cc8bbad17b9777458b73b768a9428590de82475678246dfa729a1ac65abfc27bd48fb459edcf0d19fd9c2933aae43220534ed5ed4e8e23644

/data/data/com.iron.pen/databases/com.google.android.datatransport.events-journal

MD5 f5a8b43a5b3e432523fd74e142460ae4
SHA1 360cbf8aff5af6cc108c4bf4e1e3393a55a44a89
SHA256 712bc31e77a3b55ec002f54a7c9db181e421a0ce07315a90ad865f147075273a
SHA512 fda325da70bd4398a9c87c498d429e5b08796527b40c2e59a11e983802fc1c78bb2a3d5eb8823bdb2c5f27f3e0cf555844fbbd51b8059023997fe183ec4ad193

/data/data/com.iron.pen/databases/com.google.android.datatransport.events

MD5 3e969e93446ce925055b936e0def784d
SHA1 7f32f3198d3262a59af76f3c6cab342646689846
SHA256 ad39e0b65d129326204732cd03abd2de53cbadfb59011b440d583de4cc262e48
SHA512 a35bf2a0360c9d26ff9b68ce8e1a58736c2e615e057ff4346c3b7591889c5348d9283684160ecd3a53fbfa9a44429fe0feb46289f24c1718f553f1b0d81303bc

/data/data/com.iron.pen/databases/com.google.android.datatransport.events-journal

MD5 8a3f193de689ce17a2581da000ed8a71
SHA1 573e0f2cb577aca6ea67d1c4977a74383ad91f08
SHA256 ba1842bda85ddd287466a690a3278372dba22e6cc195fd57c882da7f4f6df738
SHA512 d787489df85139f588883338f509d157d4625126bfef0552c1dea2dcc7507b4279ddd36f2ca3ea6a4d9b52fd165b9ef778da256cbe113522556914a7b4918b7c

/data/data/com.iron.pen/databases/com.google.android.datatransport.events-journal

MD5 ec874502b2c7e8deaa8212f83548c165
SHA1 16880698e1adfa20d6898ec3ef8754e6a6bb1712
SHA256 8996cf511ec265a7264098ce151d824207f80c99b797338809b8d40f0698c543
SHA512 2b7c84d28dd20e625d7ad580da57634a4421fb89ac336c74ccb8c3c55eea7598a346030bd165989fd09024b426742fa7e21ece6821b60501646a55d2c4486397

/data/data/com.iron.pen/files/PersistedInstallation6066816235796814978tmp

MD5 1a1ebe207c6c354049fe71e0a4d0e49e
SHA1 768befc646f65796d25566e07cdd43bfb2092b25
SHA256 7f3c98921655380a303014b3351a2efbb688f3337e339fb749cd323c01abeabf
SHA512 1d3db841cbf36bb96fba233be58db9b38a4c8c98171e4f4f4eb12dba7f6b816c1b752f9e32b9f246a7ae50fc89bbd6cb68a999f4a66d15dd52e4c93fb4a4605d

/data/data/com.iron.pen/databases/google_app_measurement_local.db-journal

MD5 008c096b2671070698988062e4dc0d37
SHA1 f8b0ab93b03d4cbd10c076d54c5bcc72e6ae6bd8
SHA256 70f2be87f453a9edfbde58cb99077965ad4f7247f5b75ea32267e3419ee3b80e
SHA512 7ee406e1b4e311fef79dcb443377f0d5d6ff279945e39184a263685569d56f6ede712868f35a2166107174d2c50f5b2e79cc859e66535f14077d64e36367938d

/data/data/com.iron.pen/databases/google_app_measurement_local.db

MD5 d9cf75fdd1c2292d986f6c3d5d60f2c8
SHA1 07ecb1d3a26d952ae5fecf54f36699ab498510b1
SHA256 2d227e9b7a044c8e10294f6a831fb92d81ea9582381796d87f35bd268e37538a
SHA512 442c96e4b4c79b8d1c64dd3a6d6088ae1dace441e78d830dfb3190ee1c0fafebc606fb432071b4a1ad1a4ba9b68c7877b0bce520ccc88708feaf82bbc474e0cb

/data/data/com.iron.pen/databases/google_app_measurement_local.db-journal

MD5 7c87bce8bcd7d0f9268e1d20304f6b01
SHA1 7112aaa17af953641d05dd2fa2ed29aa55dc0726
SHA256 043a5a8ed6eb1b2be4a69f82773b92b760e824ebf495ab63699ef41d69ef9477
SHA512 6bc7beb4b4539c98fc0d974bf99b79a7eb9ac7ecd2b6bdfbdf8984b8dc4cb15f8babf6da1682f42ef1770b9cd6a9ba7d938cba6bd737dfe79c69fcf3a83c4ac5

/data/data/com.iron.pen/databases/google_app_measurement_local.db-journal

MD5 6f66771cecbd3ae51aedbdfcd7742db1
SHA1 1c936f6205c86fc6ea264a3fd8326c70323b4bdc
SHA256 fe36ba433e7fdfffea0c1f330aa766091aac22466166166d02a574f811b7334a
SHA512 62eb9dfdcd28185096a35bdc77fd74edb8f32bb99cbb0fd73f027971905596ad8a8ced20da131138c6c064f29dda529c14b6e1b27f873745b0765188a76a2536

/data/data/com.iron.pen/databases/google_app_measurement_local.db-journal

MD5 eee59ab35a2688546c6e51a88d32f076
SHA1 ad36954faf314d947a1927cd67fa120b72410f52
SHA256 56bdf61ab7cabf2e928fe3655eb8823b46343c9ef50c5c83622bff1af5fa2b0a
SHA512 0b950e620c6275b1feed53383b0f4d64fe059d6160cccac1b142c4935b0fb8240e17fe0193b915deda1517c5f58d2a4211d76645e9b0541f2f645169add650cd

/data/data/com.iron.pen/databases/google_app_measurement_local.db-journal

MD5 ae988b8eb3bcbddb2e8ba94db815b185
SHA1 59f283cefa9c5dedb65d8802b4aed2bfaf9be5f9
SHA256 6530f28c876f7ba6ede29df729fca427f0073c50dc699e85a1adc65013d18231
SHA512 0e207682b85139f518c2eeebad333135edfe1a8c7f365cf60d758d1bc46976284760fbe945e158632fd9b234d09e930cb414b5b6820cb474c9c9de23c1be3653

/data/data/com.iron.pen/files/PersistedInstallation2556028367769923661tmp

MD5 7d8d5047a78f433e2cbd934930771700
SHA1 5dbca156cf6db54011ccce806db93bc955c477fc
SHA256 4789f2f506c45fafd91a72d86710868c0a7de6f33ee08bd3f77598eab28eb9fd
SHA512 7a445964d6c5cfc4aa1475b01e0f87b17c95c34d0bcab46ff416b78c6323a5802a6bf4b13228a4e70edf802e0fade8553c85d89c840701b2d41a8312d1e96a11

/data/data/com.iron.pen/databases/google_app_measurement_local.db-journal

MD5 18386253ef0b6d719cd5833d9068b861
SHA1 7882c8ba5f503d1bbaf23e9a39280c56baacbd01
SHA256 f5ed295712bba485b596559e185330ebddcbd711a86b1a1039b235f1cf0f579b
SHA512 c91cceccc79d4bf3364b3aae5dee321f93976d592ec117819ace013d9c368189da618f5b6760e78bd8fe3efd8c6a47b9030cbc07af6fd2ec10b5f19ad0ba2e8a

/data/data/com.iron.pen/databases/google_app_measurement_local.db

MD5 d847988b90a104a263ded867eb1bb3e4
SHA1 457b24361cde6dd38fc386865d169f8a0c808a1f
SHA256 c972e89bfe788a25a42583e9de1b34a4d2985192504dc763b93a0f3d1af10ad8
SHA512 e66b0cc509a361d2a4ab1c153bf54a8fee77e2d80c6cb0aadbdd54f070f48f24ab0414440b04576416f477f0febccc69c0f817b0440863f76bd02696d8dceb49

/data/data/com.iron.pen/databases/google_app_measurement_local.db

MD5 128eca0a5cd7012d8a8ba29d4db9b7fe
SHA1 ff8e94c5e381d0814aa0ff3f4200a45e59bfdc3c
SHA256 2d6f7ca0384b7bb1946ae28ea4b81cdfe8cd93746909b0678c37745354153a6e
SHA512 0ee7f802e511a18591a2af99de2e7a9570047d7bb20e7ac10e6be0fda25eb3dc6d8c8917d183e877a6944bc59c580a648f1afe4fe766e4363b184b19ab2a68ce

/data/data/com.iron.pen/databases/google_app_measurement_local.db

MD5 02ec303130702bbb9d86f6e8017d77a8
SHA1 0b67d89e0cdd314c52bb43a238ec4a766a9de3e1
SHA256 d995229e092f9d404e1a63fda0e52fbbb0b15744f168199a1b50e82e18dec73e
SHA512 bde124babd2d58d7555d217199e4d74d205926d2a2f0d2933a7d4bfb8923eccdd6e87c41fd19d2d7240c218d113948f8ec59d07a555302100644125d6514df23

/data/data/com.iron.pen/databases/google_app_measurement_local.db

MD5 1871819dd6adfaf2e1fdfc33ceeb5fc7
SHA1 b9d321708684120a082d2fcee5b733fde61aac78
SHA256 f29a8203101932ebe5a849fb9a4923e2a53b2c63eb7539262030114516c1165d
SHA512 4e7a232ae0191bced31143b47cf7248365badceaa4ef56c471d53df59854e5a79aa37e95c135baa53417a4d60f1a6b8572df38d747559cc6ed63b3dd5995858f

/data/data/com.iron.pen/databases/google_app_measurement_local.db

MD5 16f533629bffc4a45081e276f224adc7
SHA1 d6192439f7c6ece5a63b1917af5f8f459c21e689
SHA256 3538a246b74d61f4638b378ac3706c0695e234f830659c3afe42ef57785c9f41
SHA512 059c45505d3772925e2b72770c5f9f1d72b331a66a5fd3d9e7e3f43e312097ba11f795040c851fce72f0ca7e63948e7c1a869566906fdf7666a62362466a1dac
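Two things in the file list above deserve a programmatic check rather than a glance. First, the sample stages a second APK and native libraries (libmultiapp.so for two ABIs) under a hidden .plugin directory in its private data, which is what the "Loads dropped Dex/Jar" signature fires on; dropped code should be classified by magic bytes, not by the extension the dropper chose. Second, base.apk is listed twice, once under /data/data/com.iron.pen and once under /data/user/0/com.iron.pen, with different SHA256 values; on a single-user device those are the same directory, so the two entries are the same path captured with different contents. The script below is an added example, not sandbox code: classify() and triage_blob() work on constructed byte strings (the report gives hashes, not contents), while find_rewrites() runs over paths and SHA256 values copied from the list above. The canonical_path() symlink assumption and the flag heuristics are the author's, not the sandbox's.

```python
# Added example (not part of the sandbox report): classify dropped artifacts by
# magic bytes and fold the two spellings of the app-private directory together.
import posixpath

MAGICS = [
    (b"dex\n", "dex"),                 # Dalvik executable header, e.g. "dex\n035\0"
    (b"PK\x03\x04", "zip"),            # APK and JAR are ZIP containers
    (b"\x7fELF", "elf"),               # native shared object
    (b"SQLite format 3\x00", "sqlite"),
]
CODE_KINDS = {"dex", "zip", "elf"}     # containers Android can load code from
EXT_FOR_KIND = {"zip": {".apk", ".jar", ".zip"}, "dex": {".dex"}, "elf": {".so"}}


def classify(blob):
    """Return the container type implied by the leading bytes, or 'other'."""
    for magic, kind in MAGICS:
        if blob.startswith(magic):
            return kind
    return "other"


def canonical_path(path):
    """Assumption: /data/data/<pkg> is a symlink to /data/user/0/<pkg> (user 0),
    so normalise both spellings to the latter."""
    path = posixpath.normpath(path)
    if path.startswith("/data/data/"):
        path = "/data/user/0/" + path[len("/data/data/"):]
    return path


def triage_blob(path, blob):
    """Flag code staged in app-private storage, hidden directories and
    extensions that do not match the real container type."""
    kind = classify(blob)
    ext = posixpath.splitext(path)[1].lower()
    hidden_dir = any(p.startswith(".") for p in path.split("/")[:-1])
    app_private = canonical_path(path).startswith("/data/user/0/")
    mismatch = kind in EXT_FOR_KIND and ext not in EXT_FOR_KIND[kind]
    return {"path": path, "kind": kind, "loadable_code": kind in CODE_KINDS,
            "hidden_dir": hidden_dir, "app_private": app_private,
            "extension_mismatch": mismatch,
            "flag": kind in CODE_KINDS and app_private}


def find_rewrites(records):
    """records: iterable of (path, sha256). Return canonical paths seen with more
    than one distinct hash, i.e. files whose contents changed during the run."""
    seen = {}
    for path, digest in records:
        seen.setdefault(canonical_path(path), set()).add(digest)
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


# Paths and SHA256 values copied from the behavioral1 Files section.
REPORTED = [
    ("/data/data/com.iron.pen/files/.plugin/version-1/base.apk",
     "f46ad8da663b59f8ef7e885aae2c792cdd2a31bf761863cb552ceb2ddeb67752"),
    ("/data/user/0/com.iron.pen/files/.plugin/version-1/base.apk",
     "ffab4110e1d89a25eb791f37d364faabc39b1d5a2a194ae1b22013ded287177a"),
    ("/data/data/com.iron.pen/files/.plugin/version-1/lib/arm64-v8a/libmultiapp.so",
     "384a503a35fe38c9759e770834cee620db4acebcf63caff6d680271510009dc8"),
    ("/data/data/com.iron.pen/files/.plugin/version.json",
     "94b71f6eea0faeec43b06faadfccf0d7e6cd302cf92fc986f9b58601c5a127d8"),
]

# Constructed stand-ins for file contents (only the magic matters to classify()).
CONSTRUCTED_BLOBS = {
    "/data/user/0/com.iron.pen/files/.plugin/version-1/base.apk": b"PK\x03\x04" + b"\0" * 26,
    "/data/data/com.iron.pen/files/.plugin/version-1/lib/arm64-v8a/libmultiapp.so":
        b"\x7fELF\x02\x01\x01" + b"\0" * 9,
    "/data/data/com.iron.pen/files/.plugin/version.json": b'{"version": 1}',
    "/data/data/com.iron.pen/databases/google_app_measurement_local.db":
        b"SQLite format 3\x00" + b"\0" * 16,
}

if __name__ == "__main__":
    for path, blob in CONSTRUCTED_BLOBS.items():
        r = triage_blob(path, blob)
        print(("FLAG " if r["flag"] else "     ") + r["kind"].ljust(6), path)
    for path, hashes in find_rewrites(REPORTED).items():
        print("rewritten:", path, "->", len(hashes), "distinct hashes")
```

A path reported with two hashes means the sandbox captured different contents at two points in the run (a partial write, or a genuine rewrite); pull the later copy, since it is the one a DexClassLoader call would end up loading. Analyse the dropped base.apk as its own sample: its package, certificate and manifest are not covered anywhere in this report.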

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 10:52
Reported: 2024-06-13 10:56
Platform: android-x64-arm64-20240611.1-en
Max time network: 160s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
GB | 142.250.187.238:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.4:443 | (none) | tcp
GB | 142.250.180.4:443 | (none) | tcp
BE | 108.177.15.188:5228 | (none) | tcp
GB | 216.58.213.14:443 | (none) | tcp
GB | 142.250.187.194:443 | (none) | tcp
GB | 142.250.180.3:443 | (none) | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.180.14:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | growth-pa.googleapis.com | udp
GB | 142.250.180.10:443 | growth-pa.googleapis.com | tcp
US | 1.1.1.1:53 | lh3-dz.googleusercontent.com | udp
GB | 216.58.212.193:443 | lh3-dz.googleusercontent.com | tcp
US | 1.1.1.1:53 | lh3.googleusercontent.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.1:443 | lh3.googleusercontent.com | tcp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.71.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 142.250.180.14:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 172.217.16.227:443 | update.googleapis.com | tcp

Files

N/A