Malware Analysis Report

2024-09-09 13:26

Sample ID: 240621-l525bszbkl
Target: Skygofree_pe.jar
SHA256: af848999a4b8df0e33f5a05a618c83d1f3052d4026ab77b2acf66def71df754e
Tags: discovery, evasion, stealth, trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: af848999a4b8df0e33f5a05a618c83d1f3052d4026ab77b2acf66def71df754e

Threat Level: Likely malicious

The file Skygofree_pe.jar was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, stealth, trojan

Removes its main activity from the application launcher

Queries information about running processes on the device

Queries information about active data network

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-21 10:07

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-21 10:07

Reported: 2024-06-21 10:20

Platform: android-x86-arm-20240611.1-en

Max time kernel: 7s

Max time network: 158s

Command Line

core.syncsystem

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries information about running processes on the device

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

core.syncsystem

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
IT | 217.194.13.133:80 | | tcp
IT | 217.194.13.133:80 | | tcp
IT | 217.194.13.133:80 | | tcp
IT | 217.194.13.133:80 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp

Files

/data/data/core.syncsystem/databases/google_app_measurement.db-journal

MD5 3d152de58b51d52e605d9b96608a4cac
SHA1 2a7063e518ae503f6fd575cb26c710c144f60d7c
SHA256 b1d3f5e36122799f89e0096c09ac3f9a8b294d98239ac96f4a66791019583fab
SHA512 db5f8a4fda13614963c0830476e32e70eefe4e919bbb126ac56c266f0adc9293414fe0ffd6a38dd2c29f8a01084e874d56883cc95218e896f20b751a18591af8

/data/data/core.syncsystem/databases/google_app_measurement.db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/core.syncsystem/databases/google_app_measurement.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/core.syncsystem/databases/google_app_measurement.db-wal

MD5 fdefa6ff139fc6933c29f36f40f8ff97
SHA1 748c925db7787ae2fede724700ac6cdcdcb32bb1
SHA256 1ffae7077c1aa1dc41616236c088895476449d3451e47961e37e5230bfd06b78
SHA512 af2a721d827b312ef38ac82c85ab154ba99a756d340ab5d51d21c2da13e0988ea15c5629ac947afe931a1ad20c6cb8d274b5a79315bbeb6d7cc5fa753c28dc5c

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-21 10:07

Reported: 2024-06-21 10:12

Platform: android-x64-20240611.1-en

Max time kernel: 7s

Max time network: 188s

Command Line

core.syncsystem

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries information about running processes on the device

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

Tags: discovery

Processes

core.syncsystem

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.179.234:443 | | tcp
IT | 217.194.13.133:80 | | tcp
IT | 217.194.13.133:80 | | tcp
IT | 217.194.13.133:80 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.179.226:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 172.217.169.42:443 | | tcp
GB | 172.217.169.42:443 | | tcp

Files

/data/data/core.syncsystem/databases/google_app_measurement.db-journal

MD5 08247f5b6a4f916a987b86d24cecab18
SHA1 a4274dcedf8670f1810cb9d89df0f594e0e31d31
SHA256 8175d7ff32dff2cb42014ca00da96d2f53232cea27e5c595994d988ad5904536
SHA512 57b5978d02b8f754f4497f9b7b90ddda2e06c3aa1da4f108551f2458b778740fd10bc57ffb9df12509637737734111c106a35f183754ff7089930af35b32cd80

/data/data/core.syncsystem/databases/google_app_measurement.db

MD5 b320408f10590b30afabc56f070b96bf
SHA1 aaba052ef95cf54cfb4140069efcf31c57032873
SHA256 5a25e56b66b5cbb164ea421197eafb0bf9c18177eae90ecc707c352500f1f14e
SHA512 ce2967ca944c101aefaa3bf8e25771244c8e42ccff0fbb7927409f9da1dd10ebfe46982d7c508f9adf7f645f6cd975f594a5c7c97dd61f0a5a8d95ca9acfd197

/data/data/core.syncsystem/databases/google_app_measurement.db-journal

MD5 0a935e6b52127c54f2421f8e2507d6eb
SHA1 f8a977d481cdf6eea3d62543de530cc897a03ddb
SHA256 2ab2d6fb1c49441b65977a2b5fa92034eaf38225f4443b24d34590f63f18b1df
SHA512 7d430373232fce7dd892ee0aef696681ec8c65558040ce1e0c259ba85030e9180e9ce4dce899e60123c37977b9b656814a49022daf876bbdbbc73481bfebb43f

/data/data/core.syncsystem/databases/google_app_measurement.db-journal

MD5 575366a24ff7251d1adda3773c216944
SHA1 7f665050f9a4dc0d4b66fc06af071d10ef90ac7a
SHA256 d00b64201179257cdf4e5f6fd1990e943baef95a88d8532c6b2a686762ea7a73
SHA512 4192f315807a1cdbc733e6133d60791b0fe597ad2a7f67bb9f5c055c01d23822e9bf9bae5e7f0e5ccfe1a6c6944e7d21d06c1d309a6dab22b6b8907e493af539

/data/data/core.syncsystem/databases/google_app_measurement.db-journal

MD5 5387705a1769696b1f28fd3794519611
SHA1 c510bc1a0c69c2b2dc7dd273cf7c58ad7babd9d3
SHA256 6754c003841bf29e790286c3c0cff398ea44be9ce01f2faa2d170c6f919550ba
SHA512 3fcfc5edfbe161ec86ac6f10ad94892cd8cbd6a94ed86710c7008092e660451120850b63aa882bb9ad793720d9c6c2df0be48ef0de64c85354f814efea631112

/data/data/core.syncsystem/databases/google_app_measurement.db-journal

MD5 231034749fbb9c450a2c04e11365df75
SHA1 effcf3e3490ef429a0132f5d28548eabd9c0cf7d
SHA256 8dfeade5e3c1be0ebd49b22935f921a3f39e913ab5e997276d2c863d3a5033b1
SHA512 20956612058a66e52f2f8e693583b2e2c5581507f35e5d59a3211fdfacfb29ffc5cd0c4e281c0fff727c913af1adb4759e7fd00c4a04aa8d6981753c3a92f73c

/data/data/core.syncsystem/databases/google_app_measurement.db-journal

MD5 6ee9630830b5338258b4dec2741ee38c
SHA1 eebc65e1883e1d545046b0777bb8546a020b91df
SHA256 044daf2658a702a922c0dddc0e8c4d68541a94842e5123d81478c850d2362cc4
SHA512 d9c3f62a6a7c2e023672f41c3b54d96233c36d89af5d31af9c6c31b62059425e0553bce7914df221dfd30d6092def8a552dcebc3f0f0743bf0bbae56b8a953b0

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-21 10:07

Reported: 2024-06-21 10:13

Platform: android-x64-arm64-20240611.1-en

Max time kernel: 7s

Max time network: 131s

Command Line

core.syncsystem

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries information about running processes on the device

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

Tags: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

core.syncsystem

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
IT | 217.194.13.133:80 | | tcp
IT | 217.194.13.133:80 | | tcp
IT | 217.194.13.133:80 | | tcp
GB | 216.58.212.196:443 | | tcp
GB | 216.58.212.196:443 | | tcp

Files

/data/user/0/core.syncsystem/databases/google_app_measurement.db-journal

MD5 701f39d41dd87d3a40373490779f068d
SHA1 34ae593732982da05b905e9b03f19b76d2f69dd1
SHA256 c77d46f8f2c6acf5055ade0d486525accef418a6036c27a2c2e09985b1c1e9cc
SHA512 03c55c45f56a6021a3a0d656e6d9646d7565a74acaa7d227154381635d1957f28183943a020fb79482087599a2e64d155172e3ceba20d92240d10e54ae00c77e

/data/user/0/core.syncsystem/databases/google_app_measurement.db

MD5 1bf13917264b6e68b2af9cfbcfe091b4
SHA1 f70f28219e488440e286d0ed5643e626935d278a
SHA256 2a2f245122946a34b94705745dbde198778edc4d2a965195ee7424a1906060d6
SHA512 1e0c2603bf954bc2aaaea5cab099c8b8a2b9ddb3b065b2fa42fb62a2d9ca999c0974fd4fbd6cd3563b10be2aad61cf52729cdf17764a57b7217ec7f4bcb483ca

/data/user/0/core.syncsystem/databases/google_app_measurement.db-journal

MD5 fb0317465f1af4c2b35c136273b457ea
SHA1 f58e0c5cf55a57aa515e1ff41c3beaba09823226
SHA256 b2d3b6bc69934a2c881871e770e5843975ad7db92e3b0b3016f44f8ddb415d55
SHA512 7ffbe259e726e50ab8285ac32305812780580e93bdeb9bec06dc4c1c89c031e07caf807b16f7575b2b06040ba6fd4b51dc74c26c82195ef6c04fc21e960fc746

/data/user/0/core.syncsystem/databases/google_app_measurement.db-journal

MD5 d0eb5da53f53e07691636ed03b2f6e57
SHA1 def5eebaa48d889bea4457bf0ef7de9743ccb0dc
SHA256 2d2ad677665f81f22776bb5bdaf5d0a87bc483e27d5bafaa7ba99ff4f3ea5434
SHA512 8583f8b31fd218c087f231f55676724f273c9500ab683f1e77c82ea18b5b91a4871d83fb21c54389d7c9956046d36d251e239bf31d6f61db10f1fc0b7b9598ec

/data/user/0/core.syncsystem/databases/google_app_measurement.db-journal

MD5 ce98b1bd185d31ab67341124efcbde84
SHA1 13f619fb2c92a6ef38c3cbbd5d250c26db3cd303
SHA256 73a7ec043c58a8ac2a369879968dcc502ebf2d08d905351171716f37c24eb71c
SHA512 05dd0fdc05c75e6de71d275b53de223959c3bc0ec95bf9b8bf973d7a32bdee65baef5d0d917ceee061a64cb1a08e853b033d3949ab1d4e75c8a664575dbaac6c

/data/user/0/core.syncsystem/databases/google_app_measurement.db-journal

MD5 0b3e0bfd4262b350f63f0110a0878c42
SHA1 dc285381c2895b7555a692509ec58f50a4601a90
SHA256 b50702f27d5933cd1f220bca3ac448307709d7459fd90d2258d9f74748729e1e
SHA512 f8de29825f7166b79ad024b05466ce3e23613e19f69d51359febdb09d989f4e2212fb8b99081ad2557809cab36484d41d545e078f8a7c8ed0fb460e79fc2a681

/data/user/0/core.syncsystem/databases/google_app_measurement.db-journal

MD5 c0612755e6587a2158b893523cd0675d
SHA1 fbce08a580d50f5f9047299b00a54d7d21c171b6
SHA256 1ffd196cf6580f6d4c4d0f873cc0a07294a0465dab05908884b1dda37ec48f74
SHA512 49dd6d4daedd5a66a2980ad4bbe695b5b211a53daa53a8e1706dd5d42cd095612a85cc8bfc23469a959c3d6a612384a8f471ce77738b891b5132e729f8bb9b24