Malware Analysis Report

2024-09-09 17:38

Sample ID 240614-jbh39azfkh
Target com.tmart.pesoq_2023-11-28.apk
SHA256 a0cd3f8e1907f6002478ac1ea1726a97ccd9c7f1b2d933353377c8f946fba365
Tags discovery evasion impact persistence
Score 8/10

Analysis Overview

Score 8/10

SHA256 a0cd3f8e1907f6002478ac1ea1726a97ccd9c7f1b2d933353377c8f946fba365

Threat Level: Likely malicious

The file com.tmart.pesoq_2023-11-28.apk was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion impact persistence

Checks if the Android device is rooted.

Checks known Qemu files.

Loads dropped Dex/Jar

Checks Android system properties for emulator presence.

Checks known Qemu pipes.

Queries the mobile country code (MCC)

Acquires the wake lock

Queries information about active data network

Requests dangerous framework permissions

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 07:29

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 07:29

Reported

2024-06-14 07:40

Platform

android-x86-arm-20240611.1-en

Max time kernel

115s

Max time network

130s

Command Line

com.tmart.pesoq

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/bin/su N/A N/A
N/A /system/xbin/su N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.hardware N/A N/A

Checks known Qemu files.

evasion
Description Indicator Process Target
N/A /system/lib/libc_malloc_debug_qemu.so N/A N/A
N/A /sys/qemu_trace N/A N/A
N/A /system/bin/qemu-props N/A N/A

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A Anonymous-DexFile@0xde4fc000-0xde4fed00 N/A N/A
N/A Anonymous-DexFile@0xd5aed000-0xd5aef020 N/A N/A
N/A Anonymous-DexFile@0xd5a1a000-0xd5a1cea4 N/A N/A
N/A Anonymous-DexFile@0xc37d8000-0xc37ddba8 N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tmart.pesoq

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 graph.facebook.com udp
US 1.1.1.1:53 0hxe8v-cdn-settings.appsflyersdk.com udp
US 1.1.1.1:53 pesoapi.pesoq.com udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 0hxe8v-conversions.appsflyersdk.com udp
GB 216.58.212.202:443 tcp
