Malware Analysis Report

2024-09-09 17:09

Sample ID 240614-cp3aqavhmm
Target a2840cf48a0f8b89710bac1441143c9b.bin
SHA256 53c96ae9d703dbd4a7d7bd0222276abdf2eec489b30798b248e9830a55f9b8c1
Tags: banker, discovery, evasion, persistence
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a2840cf48a0f8b89710bac1441143c9b.bin was classified as showing suspicious behavior.

Malicious Activity Summary

banker discovery evasion persistence

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Checks Android system properties for emulator presence.

Contacts a domain associated with commercial stalkerware software (indicator list includes entries from echap.eu.org)

Requests dangerous framework permissions

Queries information about active data network

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:16

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:15

Reported

2024-06-14 02:19

Platform

android-x86-arm-20240611.1-en

Max time kernel

10s

Max time network

131s

Command Line

org.chromium.caster_receiver_apk_FMMusic

Signatures

Checks Android system properties for emulator presence.

Tags: evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| Accessed system property key: ro.product.model | N/A | N/A | N/A |

Loads dropped Dex/Jar

Tags: evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_client.dex | N/A | N/A |
| N/A | /data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_client.dex | N/A | N/A |
| N/A | /data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_client.dex | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery

Contacts a domain associated with commercial stalkerware software (indicator list includes entries from echap.eu.org)

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | alog.umeng.com | N/A | N/A |

Queries information about active data network

Tags: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Queries information about the current Wi-Fi connection

Tags: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Processes

org.chromium.caster_receiver_apk_FMMusic

chmod 755 /data/user/0/org.chromium.caster_receiver_apk_FMMusic/asset_res

org.chromium.caster_receiver_apk_FMMusic:castlinkerservice

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_client.dex --output-vdex-fd=129 --oat-fd=118 --oat-location=/data/data/org.chromium.caster_receiver_apk_FMMusic/dex/oat/x86/qcast_sdk_core_client.odex --compiler-filter=quicken --class-loader-context=&

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | alog.umeng.com | udp |
| CN | 223.109.148.177:80 | alog.umeng.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |

Files

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/my_app.html

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/my_app.js

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/README

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/tab_blank_root.html

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/utils.js

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/websql.js

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/appcontext.js

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/blank.html

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/call_by_java.js

/data/data/org.chromium.caster_receiver_apk_FMMusic/asset_res/system_js/console_log.js

/data/data/org.chromium.caster_receiver_apk_FMMusic/app_content_shell/paks/content_shell.pak

/data/data/org.chromium.caster_receiver_apk_FMMusic/app_content_shell/icudtl.dat

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/download_v3.db-journal

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/download_v3.db

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/download_v3.db-shm

/data/data/org.chromium.caster_receiver_apk_FMMusic/databases/download_v3.db-wal

/data/data/org.chromium.caster_receiver_apk_FMMusic/files/umeng_it.cache

/data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_client.dex

/data/data/org.chromium.caster_receiver_apk_FMMusic/files/.imprint

/data/data/org.chromium.caster_receiver_apk_FMMusic/files/umeng_it.cache

/data/data/org.chromium.caster_receiver_apk_FMMusic/dex/qcast_sdk_core_client.dex