Malware Analysis Report

2024-09-09 17:39

Sample ID 240614-ckv1va1fqa
Target c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b
SHA256 c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b
Tags
discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
8/10

SHA256

c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b

Threat Level: Likely malicious

The file c816d7513cb36becac080698ee3937bccfc5f8f3b2b0a436c8b46f7f0635197b was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

Declares broadcast receivers with permission to handle system events

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:08

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. Once the user activates the app as a device administrator, it cannot be uninstalled until that status is revoked. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. An enabled accessibility service can read the contents of other apps' windows and inject input on the user's behalf. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A

Taken together, the declared set covers SMS (read, receive, send), call log (read and write), outgoing-call interception, contacts, calendar, location and microphone, plus the overlay, accessibility and device-admin bindings above: the full capability set of a device-surveillance app. Two caveats apply. WRITE_SETTINGS and SYSTEM_ALERT_WINDOW are special-access permissions granted through a Settings screen rather than a runtime prompt, so they are listed here by the sandbox's classification, not by protection level. More importantly, the static pass only shows that the permissions are declared; whether they are granted depends on the user, and the behavioral run below records none of them being exercised within the capture window.

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:08

Reported

2024-06-14 02:12

Platform

android-x86-arm-20240611.1-en

Max time kernel

173s

Max time network

131s

Command Line

Aktualizacja.apps (the sample's package name; "Aktualizacja" is Polish for "Update")

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Probing for an su binary is a routine root and sandbox check. The report does not record what the sample does when the binary is present, so the "evasion" tag reflects the sandbox's classification of the probe, not an observed change of behavior.

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

On its own this is a connectivity pre-flight and is common in benign apps; it is notable only because it precedes the DNS lookups in the Network section.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

A receiver registered through registerReceiver lives only as long as the process. Persistence across reboots would need a manifest-declared receiver and the RECEIVE_BOOT_COMPLETED permission, neither of which the static pass lists; the only manifest-declared receiver reported is the device admin receiver.

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Cipher.doFinal completes both encryption and decryption, and the report does not show the cipher mode, the key source or the data passed to it. Decrypting embedded strings or configuration is at least as likely as encrypting user data; the "impact" label should not be read as evidence of ransomware-style behavior without the call arguments.

Processes

Aktualizacja.apps

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.nxspy.eu | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp

Two of the TCP/443 connections (172.217.169.74 and 142.250.187.238) carry no domain in the capture; both addresses sit in Google-operated ranges, as does the one the sandbox tied to android.apis.google.com. 224.0.0.251:5353 is the mDNS multicast group and is local-network noise. The only non-Google name is www.nxspy.eu, and the table records just the DNS lookup for it over 1.1.1.1: no connection to whatever it resolved to appears within the 131 s of network capture, and the resolved address is not in the report. That lookup is the indicator worth pivoting on.
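Separating what the sample merely resolved from what it actually connected to is the first thing to do with a table like this. The script below is an added example by the editor, not code from the report or the sandbox; the rows are copied from the table above, and the classification rules (multicast destination = noise, UDP/53 = lookup, anything else = connection) are the editor's own.

```python
"""Classify the rows of a sandbox network table into noise, DNS-only and connections.

Added example by the editor, not part of the original report. The rows are
copied from the report's Network section; the classification is the editor's.
"""
import ipaddress

# Constructed input: (country, destination, domain, proto) as in the report.
# An empty domain means the report left the Domain column blank.
NETWORK_ROWS = [
    ("GB", "172.217.169.74:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "1.1.1.1:53", "www.nxspy.eu", "udp"),
    ("GB", "142.250.187.238:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.178.14:443", "android.apis.google.com", "tcp"),
]


def split_destination(destination):
    """Split 'ip:port' (or '[v6]:port') into (ip_address, port)."""
    host, _, port = destination.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def classify_row(destination, proto):
    """Return 'multicast', 'dns-query' or 'connection' for one table row."""
    ip, port = split_destination(destination)
    if ip.is_multicast:
        # 224.0.0.251:5353 is mDNS: local service discovery, not a C2 channel.
        return "multicast"
    if port == 53 and proto == "udp":
        return "dns-query"
    return "connection"


def summarize(rows):
    """Separate what the sample resolved from what it actually connected to."""
    queried, connected_domains, unattributed_ips, multicast = set(), set(), set(), []
    for _country, destination, domain, proto in rows:
        kind = classify_row(destination, proto)
        if kind == "multicast":
            multicast.append(destination)
        elif kind == "dns-query":
            if domain:
                queried.add(domain)
        elif domain:
            connected_domains.add(domain)
        else:
            unattributed_ips.add(str(split_destination(destination)[0]))
    return {
        # Resolved but never contacted within the capture window: the lead to pivot on.
        "queried_only": sorted(queried - connected_domains),
        "connected_domains": sorted(connected_domains),
        # Connections the sandbox could not tie to a DNS answer.
        "unattributed_ips": sorted(unattributed_ips),
        "multicast_noise": multicast,
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Run against the rows above, `queried_only` contains only www.nxspy.eu, which is the point: the sample asked for the name but the capture holds no connection to its answer. The unattributed IPs still need an ownership lookup before they are discarded as CDN traffic; the script only tells you which rows lack a name.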

Files

The same path is listed five times with five different hash sets: the sample rewrote /data/data/Aktualizacja.apps/files/libaudio.so during the run and the sandbox recorded each version. The path is in the app's private data directory, and the name mimics a native library although the report gives no indication of the file's contents. All five SHA256 values are usable as indicators.

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 4be2eaed53169b771a6ccd981d036c84
SHA1 067bd4f945f378f6e985e483ff79b8cb060be6ef
SHA256 284d5290a1be948a2a4b045e11069264d1524b44e907632b5ab48155cc37a5d6
SHA512 9306158e3d7440accc21ab5161bdd9bda9efde7bb2fd0c19a8f96e5ea26cb0e3c4d9eaabc3c0b55f1a94fa750c458595223df11f891f93c726f6e349b761fec5

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 29a03e733c77329f5651c192bddf1b5f
SHA1 3301f20b23ebee07f149ad08ad48d528e14f53db
SHA256 30aa08b699aa2fd342f623c0281c8341a09ceaef5ac98116be64b42f6e6223b1
SHA512 94283c3cbc689a03bd2ad0f73abe8f141c4dd4a6054e51d0eb0832abcfc9e8c9961ef646c3b2d9eae287184324614cdca1292c4af9b043f01b9ce6998414a1c9

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 d891747b46097dba218c1c0ebe40b31d
SHA1 3c98b53681e20339bd3e731efd4cbebc131b6bb3
SHA256 7200e0db0a0f003bbdacc23a490bf2aea4fd8be851d1eb9086f10d76c67e299a
SHA512 0eb4adcc3bf4150c0075e30c87f646961776c9dfb7c231f7ffbef5fa2927958965072aab3f33f07c6066ec9989b98f2f5a1b37c01e22a43765972e9c7427d94b

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 9c623943e4c178c83d9ca76cffd8a92f
SHA1 edef35c5d7cce805fa5dd981c0b039f8868c8905
SHA256 7fd1ffb32a91cabc33d2c177252993d962139fb3753de41ad2b9da3e79374c5a
SHA512 424c9ac3c5180b7ff32059cb95e85748d37b10fb92c3c541a3c3b2151abf9aac88d5d1b56e4a0b0a421c7d0f215ff5ebf11fe0b21815e1fcb54b8a75377365b4

/data/data/Aktualizacja.apps/files/libaudio.so

MD5 804a1fb0f054bbd3b8d961c401e9469c
SHA1 9fdfebab898bf9b4ab3871f7c85a37034e729028
SHA256 902915b2ee5717c3e78ffe2573d83198035183cca53126a12c6335d2ae58de4d
SHA512 04ec6b0de413ee37e0d2ac6053fc80590fde5ad447e3bf53ad91096c56a9d1d6f1c548ea67d69ce6de7993dc90bb1e223c958ed5e9234d93afeb89667832ce54
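Turning these records into indicators means grouping by path (so the five versions are not mistaken for five files) and validating the digests before they go into a blocklist. The script below is an added example by the editor, not code from the report or the sandbox; the pasted text is the Files section above, while the parser, the grouping and the YARA rule text are the editor's own and assume the sandbox's "ALGO hexdigest" line layout.

```python
"""Group dropped-file records by path and render a hash-based YARA rule.

Added example by the editor, not part of the original report. FILES_SECTION is
the report's Files section pasted verbatim; the parser, the grouping and the
rule text are the editor's own and assume the sandbox's "ALGO hexdigest" layout.
"""
import re
from collections import defaultdict

# Expected digest lengths; anything else is a transcription error, not an IOC.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed input: the five records from the report's Files section.
FILES_SECTION = """
/data/data/Aktualizacja.apps/files/libaudio.so
MD5 4be2eaed53169b771a6ccd981d036c84
SHA1 067bd4f945f378f6e985e483ff79b8cb060be6ef
SHA256 284d5290a1be948a2a4b045e11069264d1524b44e907632b5ab48155cc37a5d6
SHA512 9306158e3d7440accc21ab5161bdd9bda9efde7bb2fd0c19a8f96e5ea26cb0e3c4d9eaabc3c0b55f1a94fa750c458595223df11f891f93c726f6e349b761fec5

/data/data/Aktualizacja.apps/files/libaudio.so
MD5 29a03e733c77329f5651c192bddf1b5f
SHA1 3301f20b23ebee07f149ad08ad48d528e14f53db
SHA256 30aa08b699aa2fd342f623c0281c8341a09ceaef5ac98116be64b42f6e6223b1
SHA512 94283c3cbc689a03bd2ad0f73abe8f141c4dd4a6054e51d0eb0832abcfc9e8c9961ef646c3b2d9eae287184324614cdca1292c4af9b043f01b9ce6998414a1c9

/data/data/Aktualizacja.apps/files/libaudio.so
MD5 d891747b46097dba218c1c0ebe40b31d
SHA1 3c98b53681e20339bd3e731efd4cbebc131b6bb3
SHA256 7200e0db0a0f003bbdacc23a490bf2aea4fd8be851d1eb9086f10d76c67e299a
SHA512 0eb4adcc3bf4150c0075e30c87f646961776c9dfb7c231f7ffbef5fa2927958965072aab3f33f07c6066ec9989b98f2f5a1b37c01e22a43765972e9c7427d94b

/data/data/Aktualizacja.apps/files/libaudio.so
MD5 9c623943e4c178c83d9ca76cffd8a92f
SHA1 edef35c5d7cce805fa5dd981c0b039f8868c8905
SHA256 7fd1ffb32a91cabc33d2c177252993d962139fb3753de41ad2b9da3e79374c5a
SHA512 424c9ac3c5180b7ff32059cb95e85748d37b10fb92c3c541a3c3b2151abf9aac88d5d1b56e4a0b0a421c7d0f215ff5ebf11fe0b21815e1fcb54b8a75377365b4

/data/data/Aktualizacja.apps/files/libaudio.so
MD5 804a1fb0f054bbd3b8d961c401e9469c
SHA1 9fdfebab898bf9b4ab3871f7c85a37034e729028
SHA256 902915b2ee5717c3e78ffe2573d83198035183cca53126a12c6335d2ae58de4d
SHA512 04ec6b0de413ee37e0d2ac6053fc80590fde5ad447e3bf53ad91096c56a9d1d6f1c548ea67d69ce6de7993dc90bb1e223c958ed5e9234d93afeb89667832ce54
"""


def parse_files_section(text):
    """Parse path lines followed by 'ALGO hex' lines into one dict per file record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = {"path": line}
            records.append(current)
            continue
        algo, _, digest = line.partition(" ")
        if algo not in HEX_LEN:
            raise ValueError(f"unexpected line: {line!r}")
        if current is None:
            raise ValueError(f"hash before any path: {line!r}")
        digest = digest.strip().lower()
        # Reject truncated or non-hex digests before they reach a blocklist.
        if len(digest) != HEX_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
            raise ValueError(f"malformed {algo} for {current['path']}: {digest!r}")
        current[algo] = digest
    return records


def sha256_by_path(records):
    """Map each path to the distinct SHA256 values written to it during the run."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec["path"]].add(rec["SHA256"])
    return {path: sorted(hashes) for path, hashes in groups.items()}


def yara_hash_rule(name, sha256s):
    """Render a YARA rule matching any of the given SHA256 digests (uses the 'hash' module)."""
    conds = " or\n        ".join(f'hash.sha256(0, filesize) == "{h}"' for h in sorted(sha256s))
    return f'import "hash"\n\nrule {name}\n{{\n    condition:\n        {conds}\n}}\n'


if __name__ == "__main__":
    groups = sha256_by_path(parse_files_section(FILES_SECTION))
    for path, hashes in groups.items():
        print(f"{path}: {len(hashes)} distinct versions")
    print(yara_hash_rule("dropped_libaudio_so", [h for hs in groups.values() for h in hs]))
```

The parser fails closed on a malformed digest rather than silently dropping it, because a truncated hash copied into a blocklist matches nothing and nobody notices. The generated rule is hash-only and therefore only catches these exact five versions; it is a starting point for retro-hunting the dropped file, not a detection for the family.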