Malware Analysis Report

2024-09-09 16:00

Sample ID 240615-dq66qs1dlj
Target CLIENT.apk
SHA256 2bbe9cd94760ffe4f2ac5058343c25d7e9a24c5c678a1d3493999de2a5ea18dc
Tags: collection credential_access discovery impact persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

2bbe9cd94760ffe4f2ac5058343c25d7e9a24c5c678a1d3493999de2a5ea18dc

Threat Level: Shows suspicious behavior

The file CLIENT.apk was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery impact persistence

Obtains sensitive information copied to the device clipboard

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests enabling of the accessibility settings

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 03:13

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 03:13

Reported

2024-06-15 03:15

Platform

android-x64-20240611.1-en

Max time kernel

63s

Max time network

73s

Command Line

cybershieldx.rainbow

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cybershieldx.rainbow

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | dogerat-free.onrender.com | udp
US | 216.24.57.4:443 | dogerat-free.onrender.com | tcp
US | 216.24.57.4:443 | dogerat-free.onrender.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | apis.google.com | udp
GB | 216.58.204.78:443 | apis.google.com | tcp
US | 1.1.1.1:53 | play.google.com | udp
GB | 142.250.200.46:443 | play.google.com | tcp
GB | 172.217.16.226:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
US | 1.1.1.1:53 | policies.google.com | udp
GB | 172.217.169.14:443 | policies.google.com | tcp
US | 1.1.1.1:53 | www.youtube-nocookie.com | udp
US | 1.1.1.1:53 | region1.google-analytics.com | udp
US | 216.239.32.36:443 | region1.google-analytics.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.202:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.16.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | jnn-pa.googleapis.com | udp
GB | 142.250.179.234:443 | jnn-pa.googleapis.com | tcp
GB | 172.217.169.46:443 | | tcp
US | 1.1.1.1:53 | i.ytimg.com | udp
GB | 172.217.169.22:443 | i.ytimg.com | tcp
US | 1.1.1.1:53 | yt3.ggpht.com | udp
GB | 142.250.200.33:443 | yt3.ggpht.com | tcp
US | 1.1.1.1:53 | ssl.gstatic.com | udp
GB | 142.250.200.35:443 | ssl.gstatic.com | tcp
GB | 142.250.200.46:443 | www.youtube-nocookie.com | tcp

Files

/data/misc/profiles/cur/0/cybershieldx.rainbow/primary.prof

MD5 d64d8c71437f992a836c456e7c64f475
SHA1 143d5caa7da681824e4ca673dbf8dda6f8eeff66
SHA256 fff9514ad0440f098a41a8c1fd1a3179b475b3fe7cb055fde5400a4b9c40b4bb
SHA512 937a90737e940cbea207bb15609f73326d8a0cb3f15c3103dae6e4b29c878f6f3793e4c40ddc82ef97bb310ed9b148ae2e1384cf758d79528aeef56204a777c9

/data/data/cybershieldx.rainbow/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 b2a4dd127329a72a83f557ab026fb05c
SHA1 d2565a3db905b1380c81e1f37519315ce739f7d5
SHA256 5d45c9e7f23e2eb06818995b6ca6e9aa49e2edab3377a11dedca3aaf1856fee6
SHA512 81932ccf02ce97efc9a6d6c40b58eca4cae051bbf0840455773ad63a1996c28582578346760e2d23d14ded85e6d85a5731fffba30b6d1893d09602e6b50c399e

/data/data/cybershieldx.rainbow/files/profileInstalled

MD5 ef227a4bf3a55dd8ced630012fc89354
SHA1 9f451790895fdf87ddf9cc7c0d2be99caa7b00dc
SHA256 f467c4aaf9ee324bd463657fb642d6c2aff425b00be377e808221819b9e628d7
SHA512 83a15bb4bfb646c4c2d5ade26873edf45d33ccf70fce08156faecdcd8ae379e40fc1684f01472151795bbc94016217a948152b582d8fd3b39c2dff101f38783b

/data/misc/profiles/cur/0/cybershieldx.rainbow/primary.prof

MD5 f472fe8af462c540a583ae7e7a70eda3
SHA1 d4fb7156496c00465b963cafa45d19798bc94a59
SHA256 c83d4ca2698f374cec233cbaab8156fc8b401f2aafce694eb6c9f2ae96621a79
SHA512 d9f00ba7ef039f86662c64716c7163d4aec835fbfefbf51dd07a8dac24692fe3b780feb7560432c23225bcd1af829500f351898edeeb79bb7de2dbc5efc8c1c8

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 03:13

Reported

2024-06-15 03:17

Platform

android-x64-arm64-20240611.1-en

Max time kernel

175s

Max time network

183s

Command Line

cybershieldx.rainbow

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cybershieldx.rainbow

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.10:443 | | tcp
GB | 142.250.178.10:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | dogerat-free.onrender.com | udp
US | 216.24.57.4:443 | dogerat-free.onrender.com | tcp
US | 216.24.57.4:443 | dogerat-free.onrender.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | apis.google.com | udp
GB | 142.250.180.14:443 | apis.google.com | tcp
US | 1.1.1.1:53 | play.google.com | udp
GB | 142.250.200.46:443 | play.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/misc/profiles/cur/0/cybershieldx.rainbow/primary.prof

MD5 d64d8c71437f992a836c456e7c64f475
SHA1 143d5caa7da681824e4ca673dbf8dda6f8eeff66
SHA256 fff9514ad0440f098a41a8c1fd1a3179b475b3fe7cb055fde5400a4b9c40b4bb
SHA512 937a90737e940cbea207bb15609f73326d8a0cb3f15c3103dae6e4b29c878f6f3793e4c40ddc82ef97bb310ed9b148ae2e1384cf758d79528aeef56204a777c9

/data/data/cybershieldx.rainbow/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 143a7ae43e90c76a58adf2c16c07a4c0
SHA1 4e02cf2ca45d4a571ab5fb308afbaf744467db67
SHA256 5d9b899819f17d6c1b84ee2953ad146e397103c9c06d8fdd0deebd37c381bc1f
SHA512 d056b30422ee837af3ff203d8b4a03f0293f5b09383711e6f10f2cdf5a3446b455bee7105c06f338a963ce178e755d684bd5c043eb16ad5f9463eb8d16972d1a

/data/misc/profiles/cur/0/cybershieldx.rainbow/primary.prof

MD5 b31af44db5a55ffb745476153c624a31
SHA1 91bd45d2742b3853e28013c2423323efa08d85a0
SHA256 54391d38d9539f2a47b590a9a82c271bcbe6f29a45bdd081375e892f945cd5c5
SHA512 f0ac1cccc3581c897923e39f22a296db56ff68260c64c78e98097e8af876f5172d7c833660ae41d386a6f74d15592c5d5aca9e26357708e5884eccecf7e37882

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 03:13

Reported

2024-06-15 03:17

Platform

android-x86-arm-20240611.1-en

Max time kernel

177s

Max time network

183s

Command Line

cybershieldx.rainbow

Signatures

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

cybershieldx.rainbow

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | dogerat-free.onrender.com | udp
US | 216.24.57.4:443 | dogerat-free.onrender.com | tcp
US | 216.24.57.4:443 | dogerat-free.onrender.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | tcp
US | 1.1.1.1:53 | ssl.gstatic.com | udp
GB | 172.217.16.227:443 | ssl.gstatic.com | tcp
GB | 172.217.169.10:443 | | tcp
US | 1.1.1.1:53 | clients1.google.com | udp
GB | 142.250.178.14:443 | clients1.google.com | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp

Files

/data/misc/profiles/cur/0/cybershieldx.rainbow/primary.prof

MD5 d64d8c71437f992a836c456e7c64f475
SHA1 143d5caa7da681824e4ca673dbf8dda6f8eeff66
SHA256 fff9514ad0440f098a41a8c1fd1a3179b475b3fe7cb055fde5400a4b9c40b4bb
SHA512 937a90737e940cbea207bb15609f73326d8a0cb3f15c3103dae6e4b29c878f6f3793e4c40ddc82ef97bb310ed9b148ae2e1384cf758d79528aeef56204a777c9

/data/data/cybershieldx.rainbow/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 6a6a72eb7fd73f87bd0dedf33bd5aecb
SHA1 586293c1596f9500e089f12af3b5e5bc9707f74f
SHA256 818aa79ecff8f7bf6bd79b65730af28366d5ea610c29bfa372936a33cb793dc2
SHA512 202fa850647ab59343ef2b5ea377dfc158f2260d5ad989bc26d9d784538e651cf11cc0d060474cb7862080dc42e5c92260ab1a5861b608ebbd2a0d895e2dd4af

/data/data/cybershieldx.rainbow/files/profileInstalled

MD5 64785e086e963faa94b8a752eebccbd9
SHA1 a375aa22ea2a58e83df921275d8c7ac15033ed6e
SHA256 40ae81014afc40eb2eb136d7eecc62a7c4cf0fef48f3f1f18df975cf802e044d
SHA512 5f0dfb21d1daae5a8fe20ee9b9fba048868b2000dfdef34616b4f95b0948d960e825891bd1dd8df3812aa4a77a65204f382ffafc5005efeb1589da6fcfeb7c92

/data/misc/profiles/cur/0/cybershieldx.rainbow/primary.prof

MD5 feb57e6ed95b94e012b0120b514501fb
SHA1 2c59ec47c2101603ea109955d1d36be4dec502c4
SHA256 e75e66aa373be1d42026485c4cfd136a97a70febfe77cbb8dc2482bd9c538ee6
SHA512 5e4f9ae6a57d58d61be45f9c3264badb4631c63726db0bf0c0687bda73e14b939cda7e6b8cd304ac3d02c3983bc5704cfbdf01912a60c2411902e178a47dc2ef