Malware Analysis Report

2025-01-19 04:50

Sample ID: 240618-hd7c7a1enf
Target: Pm Muft Bijli.apk
SHA256: 92c9360682de82643f4b08ef95e8ed86cdbcb96a5d11e1fd140d402c3707f0c4
Tags: collection, discovery, evasion, persistence
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 92c9360682de82643f4b08ef95e8ed86cdbcb96a5d11e1fd140d402c3707f0c4

Threat Level: Shows suspicious behavior

The file Pm Muft Bijli.apk was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection, discovery, evasion, persistence

Reads the contacts stored on the device.

Acquires the wake lock

Makes use of the framework's foreground persistence service

Queries information about active data network

Requests dangerous framework permissions

Legitimate hosting services abused for malware hosting/C2

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information


Analysis: static1

Detonation Overview

Reported

2024-06-18 06:38

Signatures

Requests dangerous framework permissions

Indicator | Description | Process | Target
android.permission.READ_CONTACTS | Allows an application to read the user's contacts data. | N/A | N/A
android.permission.READ_PHONE_STATE | Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | N/A | N/A
android.permission.SEND_SMS | Allows an application to send SMS messages. | N/A | N/A
android.permission.RECEIVE_SMS | Allows an application to receive SMS messages. | N/A | N/A
android.permission.POST_NOTIFICATIONS | Allows an app to post notifications. | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-18 06:38

Reported

2024-06-18 06:41

Platform

android-x64-arm64-20240611.1-en

Max time kernel

179s

Max time network

132s

Command Line

com.saka.kayo

Signatures

Reads the contacts stored on the device.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.saka.kayo

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | - | tcp
GB | 142.250.187.206:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.212.234:443 | - | tcp
GB | 216.58.212.234:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.196:443 | - | tcp
GB | 216.58.212.196:443 | - | tcp

Files

/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-journal
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-journal
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-journal
/data/data/com.saka.kayo/files/PersistedInstallation7291973696633819787tmp
/data/data/com.saka.kayo/files/PersistedInstallation7945467844184929784tmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 06:38

Reported

2024-06-18 06:40

Platform

android-x86-arm-20240611.1-en

Max time kernel

113s

Max time network

92s

Command Line

com.saka.kayo

Signatures

Reads the contacts stored on the device.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.saka.kayo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.110:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rebrand.ly | udp
US | 3.33.143.57:443 | rebrand.ly | tcp
US | 1.1.1.1:53 | pastebin.com | udp
US | 172.67.19.24:443 | pastebin.com | tcp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | sqcepo.replit.app | udp
US | 34.117.33.233:443 | sqcepo.replit.app | tcp
US | 1.1.1.1:53 | code.jquery.com | udp
US | 151.101.66.137:443 | code.jquery.com | tcp
US | 34.117.33.233:443 | sqcepo.replit.app | tcp
US | 1.1.1.1:53 | www.freeiconspng.com | udp
US | 1.1.1.1:53 | i.pinimg.com | udp
GB | 199.232.56.84:443 | i.pinimg.com | tcp
DE | 144.76.109.178:443 | www.freeiconspng.com | tcp

Files

/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-journal
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-shm
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-wal
/data/data/com.saka.kayo/files/PersistedInstallation2592309362504890263tmp
/data/data/com.saka.kayo/files/PersistedInstallation4546415198479476456tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 06:38

Reported

2024-06-18 06:41

Platform

android-x64-20240611.1-en

Max time kernel

177s

Max time network

149s

Command Line

com.saka.kayo

Signatures

Reads the contacts stored on the device.

Tags: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

Tags: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.saka.kayo

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.10:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.178.14:443 | - | tcp
GB | 216.58.201.98:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 216.58.213.14:443 | - | tcp

Files

/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-journal
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-journal
/data/data/com.saka.kayo/databases/com.google.android.datatransport.events-journal
/data/data/com.saka.kayo/files/PersistedInstallation7723272005166938230tmp
/data/data/com.saka.kayo/files/PersistedInstallation5869530699117234757tmp