Malware Analysis Report

2024-09-09 16:00

Sample ID: 240615-kapp3steqc
Target: unionbank statement.apk
SHA256: 933e823fcac69434b507369868aac534cd097d8d4b2d2fb20c0f2937c9ffd5e8
Tags: discovery persistence collection credential_access impact
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: 933e823fcac69434b507369868aac534cd097d8d4b2d2fb20c0f2937c9ffd5e8

Threat Level: Shows suspicious behavior

The file unionbank statement.apk was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 08:24

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 08:24

Reported

2024-06-15 08:27

Platform

android-x86-arm-20240611.1-en

Max time kernel

26s

Max time network

149s

Command Line

com.smsreceiver.dhruv2

Signatures

Queries the mobile country code (MCC)

Tactic: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.smsreceiver.dhruv2

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 172.217.169.74:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 151.101.2.137:443 | code.jquery.com | tcp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |

Files

/data/misc/profiles/cur/0/com.smsreceiver.dhruv2/primary.prof

MD5 a5012cad2232c9f963f1d90cde29c739
SHA1 499ba125fb441ca3a90399d5f3b8311583df7c09
SHA256 1c49f2e969073c0fc77852512b0b1642aea26260e421c9bf1ffc93134ff06202
SHA512 664ca07f4425e5cafc9b49d2a7c407c35fc349539ba620b080a3ee0635b92c839dd981da2d2d65403e25f59556b71e33b85a9607f86942b1d93d1e9490abccb2

/data/data/com.smsreceiver.dhruv2/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 78810d6ddb4e2f5638636fff2b9cf374
SHA1 f9f78320044fe9f88283daa51e2ab632d9a01d94
SHA256 30bdddb386bd15e5b76a5ff2212aaef90ac85e0c09487ee40c5e261af54a597a
SHA512 138e1420f805b73f2ddf430778391b79a97a5907b3a22228bc7ca4f84c772c0c6722d0f46a20a22bacbd842c911640c976fc1bd90390a8ed320a7bd0e7a2552a

/data/data/com.smsreceiver.dhruv2/files/profileInstalled

MD5 e8872f1fdde8018891368f4c9ae2d9f8
SHA1 6efc8507578f7aa3c91f88c1425e31c00b3b9edf
SHA256 ad2d5cd7bb9ad5e1ddba02e2455740a2b84f83f2a929ff8e862b6ef77dddf12f
SHA512 5c28e3ae7a3735b66c220999823522a20242ccd88977ae85f557ebb3c62b76417a496a6c74d2cf7a1592666e9f6ff2cd32492c18a8b69e67485849ae5f7dc883

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 08:24

Reported

2024-06-15 08:27

Platform

android-x64-20240611.1-en

Max time kernel

48s

Max time network

149s

Command Line

com.smsreceiver.dhruv2

Signatures

Obtains sensitive information copied to the device clipboard

Tactics: collection credential_access impact

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Queries the mobile country code (MCC)

Tactic: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.smsreceiver.dhruv2

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 151.101.2.137:443 | code.jquery.com | tcp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp |
| GB | 142.250.200.10:443 | | tcp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 142.250.200.2:443 | | tcp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |

Files

/data/misc/profiles/cur/0/com.smsreceiver.dhruv2/primary.prof

MD5 a5012cad2232c9f963f1d90cde29c739
SHA1 499ba125fb441ca3a90399d5f3b8311583df7c09
SHA256 1c49f2e969073c0fc77852512b0b1642aea26260e421c9bf1ffc93134ff06202
SHA512 664ca07f4425e5cafc9b49d2a7c407c35fc349539ba620b080a3ee0635b92c839dd981da2d2d65403e25f59556b71e33b85a9607f86942b1d93d1e9490abccb2

/data/data/com.smsreceiver.dhruv2/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3d7c92e8726e900db680b5d44c0ea017
SHA1 1d2df87fb47a10d906584dcb66725784b652c33d
SHA256 4db0d0b5507badc62c077135631a936c03e64430732cb7001c0c1c896180160d
SHA512 3e4b66c555c6c69f21ee9aeb92bc3377e3fbfd11e0c3ab04f3214c86adc23b3ce0527aa957984e38bfede5df07f73c0957fc9c1972a483e2745c8f9c4a227501

/data/data/com.smsreceiver.dhruv2/files/profileInstalled

MD5 e802c755af9c63ab7e387a1c0ff334bb
SHA1 61fba6aae44723a3a607470b995e8b186d03e904
SHA256 229536c9461445cd2edc997efb3440807c66b1adf9784e80883d6a697c962dec
SHA512 8a1470b7d418c4826d6f1e6d7e40ecc1c110f2da128c6ff75c7f63332571881c590d60de5ef4d8301dc885530095a2ffdf59f9e396ef383feb11015c24f98fab

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 08:24

Reported

2024-06-15 08:27

Platform

android-x64-arm64-20240611.1-en

Max time kernel

27s

Max time network

132s

Command Line

com.smsreceiver.dhruv2

Signatures

Obtains sensitive information copied to the device clipboard

Tactics: collection credential_access impact

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.smsreceiver.dhruv2

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.234:443 | | tcp |
| GB | 172.217.16.234:443 | | tcp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.129.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.2.137:443 | code.jquery.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |

Files

/data/misc/profiles/cur/0/com.smsreceiver.dhruv2/primary.prof

MD5 a5012cad2232c9f963f1d90cde29c739
SHA1 499ba125fb441ca3a90399d5f3b8311583df7c09
SHA256 1c49f2e969073c0fc77852512b0b1642aea26260e421c9bf1ffc93134ff06202
SHA512 664ca07f4425e5cafc9b49d2a7c407c35fc349539ba620b080a3ee0635b92c839dd981da2d2d65403e25f59556b71e33b85a9607f86942b1d93d1e9490abccb2

/data/data/com.smsreceiver.dhruv2/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 48d6ebbf62af62cc19188bd1c82360db
SHA1 ca1479ff687095df1b79816ed88d194085cab0c7
SHA256 032cd8b2ef310192dd3c2705cb62ca43da8d14dd7e59972c2b6b10e083df07fc
SHA512 1b5b82774b905d370e1c9d382bde7302f87d21c71e2002a08c0c4a4042997ecae0356b126a1364318f6f1be21332822b1b552877341d9c193b9c95c4ee46e856