Analysis Overview
SHA256
1c3d77e05700fce8747e1de9d952fc8566f0db1ba188841746215a20a2ba63a1
Threat Level: Shows suspicious behavior
The file 1c3d77e05700fce8747e1de9d952fc8566f0db1ba188841746215a20a2ba63a1.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped Dex/Jar
Queries information about active data network
Requests disabling of battery optimizations (often used to enable hiding in the background).
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Acquires the wake lock
Schedules tasks to execute at a specified time
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 00:50
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 00:50
Reported
2024-06-15 00:53
Platform
android-33-x64-arm64-20240611.1-en
Max time kernel
155s
Max time network
132s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.goosmksesmscom/.arm/6E4D52BA.dex | N/A | N/A |
| N/A | /data/user/0/com.goosmksesmscom/.arm/6E4D52BA.dex | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Schedules tasks to execute at a specified time
| Description | Indicator | Process | Target |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |
Processes
com.goosmksesmscom
com.goosmksesmscom:remote
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.169.36:443 | udp | |
| GB | 172.217.169.36:443 | tcp | |
| BE | 173.194.76.188:5228 | tcp | |
| GB | 172.217.16.228:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| TW | 118.166.42.141:8090 | tcp | |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| KR | 103.151.229.187:8081 | 103.151.229.187 | tcp |
| TW | 118.166.41.168:8090 | tcp | |
| TW | 118.166.41.168:8090 | tcp | |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| KR | 103.151.229.187:8081 | 103.151.229.187 | tcp |
| TW | 118.166.41.168:8091 | tcp | |
| US | 162.159.61.3:443 | tcp | |
| US | 162.159.61.3:443 | tcp | |
| US | 162.159.61.3:443 | udp | |
| GB | 172.217.169.36:443 | udp | |
| GB | 142.250.179.228:443 | udp | |
| GB | 142.250.179.228:443 | tcp | |
| GB | 142.250.179.228:443 | tcp | |
| GB | 216.58.212.195:443 | tcp |
Files
/data/user/0/com.goosmksesmscom/.arm/6E4D52BA.dex
| MD5 | cbfc5117533f02d74f885eb3caa48c42 |
| SHA1 | ef3e6e3c15cce4cadb932d5cced6ffbec0322327 |
| SHA256 | 021961d52797efef9bb51a8c908b9ebbde9688e748dd2a8874cd814eb80d1540 |
| SHA512 | f4dc6ec1d670b43572ea1151f8a0d8c55e9d03b49662206041ad32a48c95963411df9ebf70cc91d868085d110fccfb01898d7ad36cdbbbfb3dfb7ac5757d5146 |
/data/user/0/com.goosmksesmscom/files/config
| MD5 | bdab00f3731c5583044e7ad377dc2d62 |
| SHA1 | 154e515a6623fb3d144c44eaab844dbb1bc01657 |
| SHA256 | 21250b025f698caa9b860a49c485356205fcc06e7b30edf55ad2b3eb03709aff |
| SHA512 | 3f56f9884ef6af770e438359e44ffe9ca15e76426f1bf30e5314a5c4517852498a9ca15d2a53cac78e2ddae190032627fe9b03fb98577ff83ddeb42adccaf614 |
/data/user/0/com.goosmksesmscom/files/config
| MD5 | 1f01667fd267e0fe3d83889d839c5d2b |
| SHA1 | b0e2ecd26695bf53f3a60fa4bcc75a10450881da |
| SHA256 | 341146b6b622c6baf6b05192365073d0bdc9997f82ff8ace11603dd08020523d |
| SHA512 | ed3de476c2d851d89ce8c633dc7de244eaeffd02c5f638c46a976355935b85f71301956c9e05cdbc0af6180f88542413f255e21b092b471efa48a13936a94187 |