Malware Analysis Report

2024-09-09 17:25

Sample ID 240613-smthssybkk
Target Vega_X.apk
SHA256 5f8680ae544ef0a4b9bb26cf56a75a74766ac914dae98721477955477812cd53
Tags
discovery
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

5f8680ae544ef0a4b9bb26cf56a75a74766ac914dae98721477955477812cd53

Threat Level: Shows suspicious behavior

The file Vega_X.apk was found to show suspicious behavior.

Malicious Activity Summary

discovery

Requests dangerous framework permissions

Acquires the wake lock

Queries information about active data network

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 15:15

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application broad access to external storage under scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 15:14

Reported

2024-06-13 15:19

Platform

android-x86-arm-20240611.1-en

Max time kernel

7s

Max time network

164s

Command Line

com.roblox.client

Signatures

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.roblox.client

Network


Files

/data/data/com.roblox.client/cache/journal.tmp


/data/data/com.roblox.client/no_backup/com.google.InstanceId.properties


/data/data/com.roblox.client/cache/journal


/data/data/com.roblox.client/cache/0de3774d53f29efb27fa09a940a0ec5f.0.tmp


/data/data/com.roblox.client/cache/0de3774d53f29efb27fa09a940a0ec5f.1.tmp


/data/data/com.roblox.client/files/PersistedInstallation8848661033768919442tmp


/data/data/com.roblox.client/databases/google_app_measurement_local.db-journal


/data/data/com.roblox.client/databases/google_app_measurement_local.db


/data/data/com.roblox.client/databases/google_app_measurement_local.db-shm


/data/data/com.roblox.client/databases/google_app_measurement_local.db-wal


/data/data/com.roblox.client/files/PersistedInstallation6832891315698523449tmp
