Malware Analysis Report

2025-01-19 07:45

Sample ID 240615-a63ayatalb
Target 1c3d77e05700fce8747e1de9d952fc8566f0db1ba188841746215a20a2ba63a1.bin
SHA256 1c3d77e05700fce8747e1de9d952fc8566f0db1ba188841746215a20a2ba63a1
Tags
discovery evasion execution persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1c3d77e05700fce8747e1de9d952fc8566f0db1ba188841746215a20a2ba63a1

Threat Level: Shows suspicious behavior

The file 1c3d77e05700fce8747e1de9d952fc8566f0db1ba188841746215a20a2ba63a1.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion execution persistence

Loads dropped Dex/Jar

Queries information about active data network

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Acquires the wake lock

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 00:50

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 00:50

Reported

2024-06-15 00:53

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

155s

Max time network

132s

Command Line

com.goosmksesmscom

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.goosmksesmscom/.arm/6E4D52BA.dex | N/A | N/A
N/A | /data/user/0/com.goosmksesmscom/.arm/6E4D52BA.dex | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

com.goosmksesmscom

com.goosmksesmscom:remote

Network

Country | Destination | Domain | Proto
GB | 172.217.169.36:443 | | udp
GB | 172.217.169.36:443 | | tcp
BE | 173.194.76.188:5228 | | tcp
GB | 172.217.16.228:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
TW | 118.166.42.141:8090 | | tcp
US | 1.1.1.1:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
KR | 103.151.229.187:8081 | 103.151.229.187 | tcp
TW | 118.166.41.168:8090 | | tcp
TW | 118.166.41.168:8090 | | tcp
US | 1.1.1.1:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
KR | 103.151.229.187:8081 | 103.151.229.187 | tcp
TW | 118.166.41.168:8091 | | tcp
US | 162.159.61.3:443 | | tcp
US | 162.159.61.3:443 | | tcp
US | 162.159.61.3:443 | | udp
GB | 172.217.169.36:443 | | udp
GB | 142.250.179.228:443 | | udp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 216.58.212.195:443 | | tcp

Files

/data/user/0/com.goosmksesmscom/.arm/6E4D52BA.dex

MD5 cbfc5117533f02d74f885eb3caa48c42
SHA1 ef3e6e3c15cce4cadb932d5cced6ffbec0322327
SHA256 021961d52797efef9bb51a8c908b9ebbde9688e748dd2a8874cd814eb80d1540
SHA512 f4dc6ec1d670b43572ea1151f8a0d8c55e9d03b49662206041ad32a48c95963411df9ebf70cc91d868085d110fccfb01898d7ad36cdbbbfb3dfb7ac5757d5146

/data/user/0/com.goosmksesmscom/files/config

MD5 bdab00f3731c5583044e7ad377dc2d62
SHA1 154e515a6623fb3d144c44eaab844dbb1bc01657
SHA256 21250b025f698caa9b860a49c485356205fcc06e7b30edf55ad2b3eb03709aff
SHA512 3f56f9884ef6af770e438359e44ffe9ca15e76426f1bf30e5314a5c4517852498a9ca15d2a53cac78e2ddae190032627fe9b03fb98577ff83ddeb42adccaf614

/data/user/0/com.goosmksesmscom/files/config

MD5 1f01667fd267e0fe3d83889d839c5d2b
SHA1 b0e2ecd26695bf53f3a60fa4bcc75a10450881da
SHA256 341146b6b622c6baf6b05192365073d0bdc9997f82ff8ace11603dd08020523d
SHA512 ed3de476c2d851d89ce8c633dc7de244eaeffd02c5f638c46a976355935b85f71301956c9e05cdbc0af6180f88542413f255e21b092b471efa48a13936a94187