Malware Analysis Report

2024-09-09 13:25

Sample ID 240621-mj3z6swdjc
Target 3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913
SHA256 3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913
Tags
collection credential_access discovery evasion impact stealth trojan persistence
score
8/10


Analysis Overview

score
8/10

SHA256

3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913

Threat Level: Likely malicious

The file 3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913 was found to be: Likely malicious.

The sample is an Android package (com.AUTORUS.JapanDrag), so the verdict rests on the Android detonations (behavioral6, behavioral8, behavioral9 and behavioral10). On the Windows hosts the .apk is handed to the file-association handler (OpenWith.exe on Windows 10/11; rundll32 OpenAs_RunDLL and AcroRd32.exe on Windows 7), on macOS it is launched through sudo and zsh, and the Linux runs record at most an mDNS query, so the signatures raised on those hosts (Enumerates physical storage devices, Modifies registry class, Suspicious use of SetWindowsHookEx, GetForegroundWindowSpam, Resource Forking) describe the host handlers and system daemons, not the sample's own code.

Malicious Activity Summary

collection credential_access discovery evasion impact stealth trojan persistence

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

Resource Forking

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Checks memory information

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-21 10:30

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

ubuntu2004-amd64-20240611-en

Max time kernel

0s

Max time network

1s

Command Line

[/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

Signatures

N/A

Processes

/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

[/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

ubuntu2204-amd64-20240522.1-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:33

Platform

win11-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:34

Platform

android-x64-arm64-20240611.1-en

Max time kernel

175s

Max time network

134s

Command Line

com.AUTORUS.JapanDrag

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.AUTORUS.JapanDrag

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | three.nameapp.xyz | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp

Files

/data/user/0/com.AUTORUS.JapanDrag/files/Config

MD5 3f2590d822b06751a77d616da1d2b5ab
SHA1 e5426e325d11b3851ff25936f8d953aa2b94a1a8
SHA256 df9bf5d54a727935bbe66548eba65bf2ff072cd77baf114f41e18ec299114f41
SHA512 44f10c45cd895f7e89c70f9fdbd623e65b07197da288a7248c6e3d7aeb6b6372167b45dc2ff25f07b752eb9fc9cb0e2dc1e38b6ce9cd527551a49507cf7a57cc

/data/user/0/com.AUTORUS.JapanDrag/files/Timer

MD5 7ef32354243dc0a7508f5818986935fb
SHA1 a2e933d4daedc392f49a13c87158663505dc4f06
SHA256 1a896cc29e594217a1ac1498e9635309bb2dc9e56be80d8c1c4f90deb444501c
SHA512 512e1fe3463897ee8854e5fbf4d91d86cf9635817d4f5f7a70767d3f85f23257bf9501dd5a4b404d63c50e734b11b9568500fa77f8c58b0840a617c87c331f55

/data/user/0/com.AUTORUS.JapanDrag/files/Timer

MD5 846b1b808b0ddb882e4cec1e50c92800
SHA1 dc778125a16a95d19528b11b82cccb03a99a9af4
SHA256 73ad2f257602237ee2714bce9cf5c8b142b76b56dd9e0b5d79151c412d80f080
SHA512 f88075cb55f39945d3ee20b87ae05b08bf4428d8f9221d65ef33dd3ac58d76c9363cc0900712dec37f081f440b356501660520c3756c86480c94f46d672e589e
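
The network tables of the Android runs mix the app's own traffic with what every emulator produces. The following is an added triage helper written for this report; it is not part of the original report or of the sandbox's tooling. It parses rows in the form printed above and strips the assumed platform background (mDNS on 224.0.0.251, resolver traffic for Google/Android platform names, Play-services push on TCP 5228), leaving the names the app itself resolved and the TLS connections that have no recorded domain. The noise lists are an assumption tuned to this sample and the sample input is copied from the behavioral6 table.

```python
"""Separate sample-specific network indicators from emulator background traffic.

Added triage helper; not part of the original report or of the sandbox that
produced it. The platform-noise lists below are an assumption tuned to this
report; extend them for your own sandbox.
"""
import ipaddress
import re
from collections import Counter

# Assumed platform background: contacted by the emulator regardless of sample.
PLATFORM_DOMAINS = {
    "android.apis.google.com",
    "ssl.google-analytics.com",
    "remoteprovisioning.googleapis.com",
}
RESOLVERS = {"1.1.1.1", "8.8.8.8"}
PLATFORM_PORTS = {"5228"}             # Google Play services push (mtalk)
MDNS = ipaddress.ip_address("224.0.0.251")

# "<cc> <ip>:<port> [<domain>] <proto>"; the domain column is absent for
# connections the sandbox could not tie to a DNS answer.
ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(table):
    """Parse a network table (header line optional) into dicts."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(m.groupdict())
    return rows


def triage(table):
    """Return (sample_domains, unattributed_tls) for one run's network table.

    sample_domains counts names the app resolved or connected to that are not
    platform background; unattributed_tls lists ip:port pairs with no domain,
    which need a reverse lookup or the PCAP's TLS SNI before they mean anything.
    """
    sample_domains = Counter()
    unattributed = set()
    for row in parse_rows(table):
        ip = ipaddress.ip_address(row["ip"])
        domain = row["domain"]
        if ip == MDNS or row["port"] in PLATFORM_PORTS:
            continue
        if domain in PLATFORM_DOMAINS:
            continue
        if domain is None:
            if ip.compressed not in RESOLVERS:
                unattributed.add(f"{ip}:{row['port']}")
            continue
        sample_domains[domain] += 1
    return sample_domains, unattributed


# Sample input: rows copied from the behavioral6 network table of this report.
BEHAVIORAL6 = """\
Country Destination Domain Proto
BE 173.194.76.188:5228 tcp
GB 172.217.16.228:443 tcp
GB 172.217.169.36:443 udp
N/A 224.0.0.251:5353 udp
GB 216.58.212.234:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 three.nameapp.xyz udp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 172.217.169.74:443 remoteprovisioning.googleapis.com tcp
US 162.159.61.3:443 tcp
GB 216.58.212.195:443 tcp
"""

if __name__ == "__main__":
    domains, tls = triage(BEHAVIORAL6)
    print("sample-specific domains:", dict(domains))
    print("unattributed TLS:", sorted(tls))
```

Across the four Android runs the only name that survives this filter is three.nameapp.xyz. Note that every table records it as a DNS query to 1.1.1.1 and none records a TCP connection carrying that name, so the report shows the app resolving the host but not what, if anything, it sent there; the unattributed 443 connections would need the PCAP to settle that.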

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

debian12-armhf-20240221-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

debian9-armhf-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

debian9-mipsbe-20240611-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

debian9-mipsel-20240418-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

ubuntu2404-amd64-20240523-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:33

Platform

win10-20240404-en

Max time kernel

134s

Max time network

135s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.d.1.a.1.a.6.8.f.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:33

Platform

win7-20240508-en

Max time kernel

121s

Max time network

121s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\ | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.apk | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.apk\ = "apk_auto_file" | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A
N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 701116fb8c8af56962175250f4eb7b43
SHA1 53127dfed3415c40e1b6bb5b43024b060d77deda
SHA256 b1fcfd9adaaa92ae1558bebd4f0c1bf2aa739e22a7c06f45ae87c99d70c45b4e
SHA512 bb4914b861ee6d3ede8d85041cd563f9d75a95274bdfbbb5d01cfdcd38a334d34a69b4fe57ff0af221cd0892e064a3e05862a6ea2280d862f048813157202dd7

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:34

Platform

android-x64-20240611.1-en

Max time network

158s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 142.250.179.234:443 | N/A | tcp
GB | 142.250.200.46:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.200.46:443 | N/A | tcp
GB | 142.250.179.226:443 | N/A | tcp
GB | 172.217.169.42:443 | N/A | tcp
GB | 172.217.169.42:443 | N/A | tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:34

Platform

android-x86-arm-20240611.1-en

Max time kernel

175s

Max time network

170s

Command Line

com.AUTORUS.JapanDrag

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.AUTORUS.JapanDrag

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | three.nameapp.xyz | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

/data/data/com.AUTORUS.JapanDrag/files/Config

MD5 c763f628d20461f9e1a0725edd675b72
SHA1 95abfbffcdba1dc656adbf42a80592203c2e4aaf
SHA256 42525c157399c9e2c0fc69cc51120fe02815aa9df397116d328c203aada60cff
SHA512 27a4beb885ddbdddbd32d19f3c5e775d282f30ddc76ccf5de296e1294a03966cc79cbbe7dac9d0b7c72fca347436609e88beff1daefd29898150f3543e89d7de

/data/data/com.AUTORUS.JapanDrag/files/Timer

MD5 7f0fb662309224339999a9a0014eca9a
SHA1 21a540e6f6acf41fb443cd56bbeffe5d68b64622
SHA256 a1014328f1dc18efb803d227bc9dd31dd002d0488b79bfac169410933604fdd5
SHA512 96f6ec61d46f720dcfb71d61dcc698fde64b56649c9b5e95db5dec12e3ad753be917e3eb5cc1062c30a70b24eeda005e7f63384388ef8f97c702ab8b283cd3b2

/data/data/com.AUTORUS.JapanDrag/files/Timer

MD5 9833d74268b7cd6a4b497ace27bb85e0
SHA1 e3835211608f007f59d45db2dfa101c2556aa1d6
SHA256 581940d2b1bfb99cf3701c9fc236ebdaf52a979e2da506d2caf8a109bd04c00a
SHA512 134479701487c223e782f492ee82a7612c0c23e007769a6339c1aeaa540283f6d3ff3c52864b47353ec2568dce948ea4d79e7e654b71665985656cb0e0abd229
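
The "Removes its main activity from the application launcher" signature (raised in behavioral8 and behavioral10 above) is a behavioural hit with no indicator attached, and the report does not name the component. The following is an added verification step written for this report, not part of it or of the sandbox: it reads the text of `adb shell dumpsys package <pkg>` from a device or emulator where the sample is installed, takes the activities whose intent filter carries both MAIN and LAUNCHER from the Activity Resolver Table, and intersects them with the disabledComponents list in the package entry. A launcher activity in both sets has been switched off after install (the effect of PackageManager.setComponentEnabledSetting with COMPONENT_ENABLED_STATE_DISABLED), which is how the icon disappears while the package stays installed. The dumpsys excerpt is constructed and the activity names in it are placeholders.

```python
"""Check on a device whether an app has disabled its own launcher activity.

Added verification step; not part of the original report. Input is the output
of `adb shell dumpsys package <pkg>`. The constructed sample at the bottom uses
placeholder activity names, since the report does not name the component.
"""
import re

MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"

# "  43f0b2e pkg/.Activity filter 7d81b2f" lines in the Activity Resolver Table
FILTER_LINE = re.compile(r"^\s+[0-9a-f]+ (\S+/\S+) filter ")
ATTR_LINE = re.compile(r'^\s+(Action|Category): "([^"]+)"')


def _qualify(component):
    """'pkg/.Cls' -> 'pkg.Cls'; 'pkg/other.Cls' -> 'other.Cls' (dumpsys short form)."""
    owner, cls = component.split("/", 1)
    return owner + cls if cls.startswith(".") else cls


def launcher_activities(dumpsys, pkg):
    """Fully qualified activities of `pkg` whose filter has both MAIN and LAUNCHER."""
    entries = []                      # (component, actions, categories)
    in_table = False
    for line in dumpsys.splitlines():
        if line.startswith("Activity Resolver Table:"):
            in_table = True
            continue
        if not in_table:
            continue
        if line.strip() and not line.startswith(" "):
            break                     # reached the next top-level dumpsys section
        m = FILTER_LINE.match(line)
        if m:
            entries.append((m.group(1), set(), set()))
            continue
        m = ATTR_LINE.match(line)
        if m and entries:
            entries[-1][1 if m.group(1) == "Action" else 2].add(m.group(2))
    return {
        _qualify(comp)
        for comp, actions, cats in entries
        if comp.startswith(pkg + "/") and MAIN in actions and LAUNCHER in cats
    }


def disabled_components(dumpsys, pkg):
    """Class names under disabledComponents in the package entry for `pkg` (all users)."""
    disabled = set()
    in_pkg = False
    list_indent = None
    for line in dumpsys.splitlines():
        if re.match(r"^\s+Package \[" + re.escape(pkg) + r"\]", line):
            in_pkg = True
            continue
        if not in_pkg:
            continue
        if re.match(r"^\s+Package \[", line):
            break                     # next package entry
        indent = len(line) - len(line.lstrip())
        if line.strip() == "disabledComponents:":
            list_indent = indent
            continue
        if list_indent is not None:
            if line.strip() and indent > list_indent:
                disabled.add(line.strip())
            else:
                list_indent = None    # the indented list has ended
    return disabled


def hidden_launcher(dumpsys, pkg):
    """Launcher activities of `pkg` that are currently disabled (app-side or via pm disable)."""
    return launcher_activities(dumpsys, pkg) & disabled_components(dumpsys, pkg)


PKG = "com.AUTORUS.JapanDrag"

# Constructed dumpsys excerpt; the activity names are placeholders, not from the report.
SAMPLE_DUMPSYS = """\
Activity Resolver Table:
  Non-Data Actions:
      android.intent.action.MAIN:
        43f0b2e com.AUTORUS.JapanDrag/.MainActivity filter 7d81b2f
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"
        1c2a9d0 com.AUTORUS.JapanDrag/.SettingsActivity filter 3e91ab0
          Action: "android.intent.action.MAIN"

Packages:
  Package [com.AUTORUS.JapanDrag] (9a1ef3b):
    userId=10123
    User 0: installed=true hidden=false suspended=false stopped=false enabled=0
      disabledComponents:
        com.AUTORUS.JapanDrag.MainActivity
      enabledComponents:
        com.AUTORUS.JapanDrag.SettingsActivity
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    print(sorted(hidden_launcher(text, PKG)))
```

Against a live emulator, pipe `adb shell dumpsys package com.AUTORUS.JapanDrag` into the script after letting the app run for a minute; an empty result right after install followed by a non-empty one later is the runtime behaviour the sandbox signature describes, as opposed to an activity that the manifest ships disabled.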

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:34

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

176s

Max time network

135s

Command Line

com.AUTORUS.JapanDrag

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.AUTORUS.JapanDrag

Network

Country | Destination | Domain | Proto
BE | 173.194.76.188:5228 | N/A | tcp
GB | 172.217.16.228:443 | N/A | tcp
GB | 172.217.169.36:443 | N/A | udp
GB | 172.217.169.36:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.212.234:443 | N/A | udp
GB | 216.58.212.234:443 | N/A | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | three.nameapp.xyz | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 172.217.169.74:443 | remoteprovisioning.googleapis.com | tcp
US | 162.159.61.3:443 | N/A | tcp
US | 162.159.61.3:443 | N/A | tcp
GB | 142.250.179.227:443 | N/A | tcp
US | 162.159.61.3:443 | N/A | udp
GB | 142.250.179.227:443 | N/A | udp
GB | 172.217.169.36:443 | N/A | udp
GB | 142.250.179.228:443 | N/A | udp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 216.58.212.195:443 | N/A | tcp

Files

/data/user/0/com.AUTORUS.JapanDrag/files/Config

MD5 59c71e7d532bae6d5056d870aa7ce97b
SHA1 6f291bcc7fdbe709913d0ba50e38ddf5457c9cd7
SHA256 efe66ea8ccd08cf645e2df9be97450bbef97804dd3b9a1c65b6470de86bacb63
SHA512 6baf7fdad8b16382aa3ef67ae93258dcc3c09b866af31c94f62a5a47de1372d7d79e6a8684f7788a362a701939aba1fa78bddf36d050594f41ee7355d9bb7a9c

/data/user/0/com.AUTORUS.JapanDrag/files/Timer

MD5 f4597d4851da0b459761b1713fdd46cc
SHA1 c02a5a98e51595f65743d327d95cf0b99ce82695
SHA256 b275320ad4da58c9cd196c123e425df528d565f050600bf6b10c27ba662f6be7
SHA512 b33f6d6fcbc289e67526e0ff1c0952dfbe3ab846546c8427a4af2195202b0ce372efdfe12d5d05e6bcb802f210ab1441de202852f61fc44d9082fbdda2a064e9

/data/user/0/com.AUTORUS.JapanDrag/files/Timer

MD5 f284413075a08b31502c8dfb6b3c5983
SHA1 9745f9239f15f149e5da435262d4a0032b8c8710
SHA256 04372340b0cec8378ac9e28433c0deb2929028c37674761da9a332a412947158
SHA512 f883727ed02d85a54482d71f80afbd93c26ae0348bd2b0d9296aef147bb6d4ce6d898af0454a9e69fadc97088240be4ea50bbcc95af68245cb41295efe18587a

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

debian12-mipsel-20240221-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

macos-20240611-en

Max time kernel

13s

Max time network

18s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

/bin/zsh

[/bin/zsh -c /Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

[/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

Network

Country | Destination | Domain | Proto
US | 52.182.143.213:443 | N/A | tcp
GB | 17.250.81.65:443 | N/A | tcp
US | 8.8.8.8:53 | onedscolprdcus22.centralus.cloudapp.azure.com | udp
US | 52.182.143.215:443 | onedscolprdcus22.centralus.cloudapp.azure.com | tcp
US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp
US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp
GB | 23.59.171.27:443 | N/A | tcp
US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp
US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

ubuntu2204-amd64-20240522.1-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:31

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Command Line

[/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

Signatures

N/A

Processes

/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

[/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:33

Platform

win10-20240404-en

Max time kernel

133s

Max time network

136s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:33

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

109s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
NL | 23.62.61.171:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:34

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

175s

Max time network

135s

Command Line

com.AUTORUS.JapanDrag

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.AUTORUS.JapanDrag

Network

Country | Destination | Domain | Proto
GB | 172.217.16.228:443 | N/A | udp
GB | 172.217.16.228:443 | N/A | udp
GB | 216.58.212.196:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | three.nameapp.xyz | udp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 162.159.61.3:443 | N/A | tcp
US | 162.159.61.3:443 | N/A | tcp
US | 162.159.61.3:443 | N/A | udp
GB | 142.250.179.228:443 | N/A | udp
GB | 142.250.179.228:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
GB | 172.217.16.228:443 | N/A | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

/data/user/0/com.AUTORUS.JapanDrag/files/Config

MD5 59c71e7d532bae6d5056d870aa7ce97b
SHA1 6f291bcc7fdbe709913d0ba50e38ddf5457c9cd7
SHA256 efe66ea8ccd08cf645e2df9be97450bbef97804dd3b9a1c65b6470de86bacb63
SHA512 6baf7fdad8b16382aa3ef67ae93258dcc3c09b866af31c94f62a5a47de1372d7d79e6a8684f7788a362a701939aba1fa78bddf36d050594f41ee7355d9bb7a9c

/data/user/0/com.AUTORUS.JapanDrag/files/Timer

MD5 fb53ceca0ccc8709c94f671fc4ec961b
SHA1 9fea81eebc52195b068d113420d34d8dfbae3993
SHA256 4043813dd19cf1d7fe6d5b141963a2aed8218f980a233a8725efbe326f489c50
SHA512 fa73154227f47f6cd8bc7a686759ff6f9626e0feb40e40e737ab1869bdb535f1cb3602f402f71a5e75558eb4a14c46aee100d35249a7360871e390cb4645da55

/data/user/0/com.AUTORUS.JapanDrag/files/Timer

MD5 09487e8605c9cce2ea0fca0d584b7806
SHA1 e2253e74f2a07da3fcf8b624e121d09a9733a145
SHA256 c78b001183fc21556c468874443564d7737288073c43a9bf21b0e2c8424b3fb5
SHA512 459dbc3139694b6caed57273f0260f5ef20ced8bbaf50ba260c55c5cdb9c9daa2ef813d580f2b254987e2a30191d38cf377037657330ea241ab51db29d76c88b

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-21 10:30

Reported

2024-06-21 10:33

Platform

macos-20240611-en

Max time kernel

133s

Max time network

146s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]

Signatures

Resource Forking

evasion
Description | Indicator | Process | Target
N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/bin/zsh

[/bin/zsh -c /Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk

[/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp
US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp
US | 20.189.173.6:443 | N/A | tcp
US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp
US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp
US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp
GB | 104.91.71.16:443 | a1366.dscapi6.akamai.net | tcp
US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp
US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp
GB | 104.91.71.7:443 | a1366.dscapi6.akamai.net | tcp
US | 8.8.8.8:53 | cds.apple.com | udp
US | 23.219.244.63:443 | cds.apple.com | tcp
US | 8.8.8.8:53 | help.apple.com | udp
GB | 2.21.189.171:443 | help.apple.com | tcp
GB | 2.21.189.171:443 | help.apple.com | tcp
N/A | 224.0.0.251:5353 | N/A | udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 268fcc2f959120b5c34e0fc1ea2321dc
SHA1 de15482a5d3966da6a8ff94f8dd9825deb5de2ae
SHA256 48a08978f59f53777029a798ddda8fd06af02411447460350df0bce09330a51e
SHA512 9f138a38b61cf90a3d5c142c86f524b4b9aa457d759bf06fece1f52671987b2ad2a8d934214c0f6b51918c1aead750d3a37b9fc50f68232d283fb00fd4379434