Malware Analysis Report

2024-09-09 12:52

Sample ID 240614-gt6wxs1gql
Target app-release-BE61yqic.apk
SHA256 944d0e1b3e5c04ca10493860f3eace651dea6f3dfa2f5d80860f784d40567d9e
Tags
collection evasion persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

944d0e1b3e5c04ca10493860f3eace651dea6f3dfa2f5d80860f784d40567d9e

Threat Level: Shows suspicious behavior

The file app-release-BE61yqic.apk was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection evasion persistence

Reads the content of SMS inbox messages.

Reads the content of outgoing SMS messages.

Loads dropped Dex/Jar

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 06:06

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 06:06

Reported

2024-06-14 06:09

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

110s

Max time network

120s

Command Line

com.rms.induia

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /system_ext/framework/androidx.window.extensions.jar N/A N/A
N/A /system_ext/framework/androidx.window.extensions.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A

Reads the content of SMS inbox messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/inbox N/A N/A

Reads the content of outgoing SMS messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/sent N/A N/A
URI accessed for read content://sms/draft N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Processes

com.rms.induia

Network

Country Destination Domain Proto
GB 172.217.169.36:443 udp
GB 172.217.169.36:443 udp
GB 172.217.16.228:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 firebasestorage.googleapis.com udp
US 1.1.1.1:53 firebasestorage.googleapis.com udp
GB 216.58.212.195:443 tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 udp
GB 172.217.169.36:443 udp
GB 172.217.169.36:443 tcp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 induskct-default-rtdb.firebaseio.com udp
US 35.201.97.85:443 induskct-default-rtdb.firebaseio.com tcp

Files

/system_ext/framework/androidx.window.extensions.jar

MD5 3056e1bdb7d4e19789d0319eff484bd0
SHA1 6791ae47aa9466fe0bca27ad6643f846853bbee4
SHA256 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0
SHA512 c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658

/system_ext/framework/androidx.window.sidecar.jar

MD5 29469324e59dfcc052f24b5af4e7b2c4
SHA1 10c1e17ac6f598037bb51baa07945663645de4eb
SHA256 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a
SHA512 5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2

anon_inode:[eventfd]

MD5 33cdeccccebe80329f1fdbee7f5874cb
SHA1 3da89ee273be13437e7ecf760f3fbd4dc0e8d1fe
SHA256 7c9fa136d4413fa6173637e883b6998d32e1d675f88cddff9dcbcf331820f4b8
SHA512 991294f43425a5b80f8a5907ca7cdbb611401282585a58bb415077005428e3b4c0f661fc07ba5c45f627bd8bdcb172389ce2fda461c029b837abc70f0abbea20