Malware Analysis Report

2024-10-19 07:26

Sample ID 240701-12n6masfrb
Target app-release.apk
SHA256 2a9287911eea92821cdf5cbe945605ce2f654308c48fe213d271cfabb7f528c0
Tags
collection credential_access discovery impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2a9287911eea92821cdf5cbe945605ce2f654308c48fe213d271cfabb7f528c0

Threat Level: Shows suspicious behavior

The file app-release.apk was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access discovery impact

Obtains sensitive information copied to the device clipboard

Queries information about active data network

Requests dangerous framework permissions

Legitimate hosting services abused for malware hosting/C2

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-01 22:08

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-01 22:08

Reported

2024-07-01 22:18

Platform

android-x64-arm64-20240624-en

Max time kernel

429s

Max time network

474s

Command Line

com.admin.minecraftjavaeditionapk1208021downloadforandroid

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A camo.githubusercontent.com N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.admin.minecraftjavaeditionapk1208021downloadforandroid

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ads.webintoapp.com udp
US 34.30.128.92:443 ads.webintoapp.com tcp
US 1.1.1.1:53 install.webintoapp.com udp
US 34.30.128.92:443 install.webintoapp.com tcp
US 1.1.1.1:53 modfyp.com udp
US 104.26.12.32:443 modfyp.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 1.1.1.1:53 ajax.googleapis.com udp
US 1.1.1.1:53 images.dmca.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 1.1.1.1:53 static.cloudflareinsights.com udp
US 1.1.1.1:53 static.addtoany.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
GB 216.58.201.106:443 ajax.googleapis.com tcp
GB 143.244.38.136:443 images.dmca.com tcp
GB 143.244.38.136:443 images.dmca.com tcp
US 104.16.79.73:443 static.cloudflareinsights.com tcp
US 104.22.71.197:443 static.addtoany.com tcp
US 104.22.71.197:443 static.addtoany.com tcp
US 104.22.71.197:443 static.addtoany.com tcp
US 1.1.1.1:53 fundingchoicesmessages.google.com udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com tcp
US 1.1.1.1:53 lh3.googleusercontent.com udp
GB 172.217.169.1:443 lh3.googleusercontent.com tcp
GB 172.217.16.238:443 fundingchoicesmessages.google.com tcp
GB 172.217.16.238:443 fundingchoicesmessages.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
GB 216.58.201.98:443 googleads.g.doubleclick.net tcp
US 1.1.1.1:53 tpc.googlesyndication.com udp
GB 142.250.180.1:443 tpc.googlesyndication.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.228:443 www.google.com tcp
US 1.1.1.1:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 1.1.1.1:53 www.okay.cz udp
CA 23.227.38.74:443 www.okay.cz tcp
US 1.1.1.1:53 csi.gstatic.com udp
US 172.253.127.120:443 csi.gstatic.com tcp
US 1.1.1.1:53 cdn.shopify.com udp
CA 23.227.60.200:443 cdn.shopify.com tcp
CA 23.227.60.200:443 cdn.shopify.com tcp
CA 23.227.60.200:443 cdn.shopify.com tcp
CA 23.227.60.200:443 cdn.shopify.com tcp
US 1.1.1.1:53 insiacare-shopify.hurass.cz udp
US 1.1.1.1:53 shop.app udp
CA 23.227.60.200:443 cdn.shopify.com tcp
US 1.1.1.1:53 sgtm.okay.cz udp
SE 185.146.173.20:443 shop.app tcp
DE 128.140.108.245:443 insiacare-shopify.hurass.cz tcp
US 216.239.32.21:443 sgtm.okay.cz tcp
US 1.1.1.1:53 cdn.pagefly.io udp
US 1.1.1.1:53 cdn.judge.me udp
NL 185.172.149.104:443 cdn.judge.me tcp
GB 52.84.90.39:443 cdn.pagefly.io tcp
US 1.1.1.1:53 region1.analytics.google.com udp
US 1.1.1.1:53 stats.g.doubleclick.net udp
US 1.1.1.1:53 www.google.co.uk udp
GB 64.233.166.154:443 stats.g.doubleclick.net tcp
US 1.1.1.1:53 connect.facebook.net udp
US 1.1.1.1:53 bat.bing.com udp
US 1.1.1.1:53 s2.adform.net udp
US 1.1.1.1:53 cdn.botx.cloud udp
GB 163.70.151.21:443 connect.facebook.net tcp
US 204.79.197.237:443 bat.bing.com tcp
US 1.1.1.1:53 front.boldem.cz udp
DK 37.157.2.250:443 s2.adform.net tcp
US 172.66.41.30:443 cdn.botx.cloud tcp
CZ 185.219.169.240:443 front.boldem.cz tcp
US 1.1.1.1:53 ct.pinterest.com udp
US 151.101.64.84:443 ct.pinterest.com tcp
US 1.1.1.1:53 c.imedia.cz udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
CZ 77.75.77.163:443 c.imedia.cz tcp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 1.1.1.1:53 c.seznam.cz udp
CZ 77.75.77.172:443 c.seznam.cz tcp
US 1.1.1.1:53 track.adform.net udp
DK 37.157.6.232:443 track.adform.net tcp
US 1.1.1.1:53 www.facebook.com udp
GB 157.240.221.35:443 www.facebook.com tcp
CZ 185.219.169.240:443 front.boldem.cz tcp
US 1.1.1.1:53 cf.storeify.app udp
US 1.1.1.1:53 d23dclunsivw3h.cloudfront.net udp
US 1.1.1.1:53 d5zu2f4xvqanl.cloudfront.net udp
US 1.1.1.1:53 cdn1.judge.me udp
GB 143.204.68.35:443 d23dclunsivw3h.cloudfront.net tcp
US 104.26.13.21:443 cf.storeify.app tcp
NL 185.172.149.104:443 cdn1.judge.me tcp
DE 18.245.45.33:443 d5zu2f4xvqanl.cloudfront.net tcp
US 1.1.1.1:53 monorail-edge.shopifysvc.com udp
US 34.111.94.218:443 monorail-edge.shopifysvc.com tcp
US 1.1.1.1:53 img.jena-nabytek.cz udp
US 1.1.1.1:53 img.okay.cz udp
CZ 185.115.0.6:443 img.okay.cz tcp
CZ 185.115.0.6:443 img.okay.cz tcp
CZ 185.115.0.6:443 img.okay.cz tcp
CZ 185.115.0.6:443 img.okay.cz tcp
CZ 185.115.0.6:443 img.okay.cz tcp
CZ 185.115.0.6:443 img.okay.cz tcp
CZ 185.115.0.6:443 img.okay.cz tcp
US 1.1.1.1:53 www.google.cz udp
GB 216.58.201.99:443 www.google.cz tcp
US 1.1.1.1:53 api.mapy.cz udp
CZ 77.75.76.182:443 api.mapy.cz tcp
CZ 77.75.76.182:443 api.mapy.cz tcp
CZ 77.75.76.182:443 api.mapy.cz tcp
CZ 77.75.76.182:443 api.mapy.cz tcp
CZ 77.75.76.182:443 api.mapy.cz tcp
CZ 77.75.76.182:443 api.mapy.cz tcp
CZ 77.75.76.182:443 api.mapy.cz tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 static.xx.fbcdn.net udp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 static.xx.fbcdn.net udp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 static.xx.fbcdn.net udp
GB 142.250.187.228:443 www.google.com tcp
GB 142.250.187.228:443 www.google.com tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 1.1.1.1:53 update.googleapis.com udp
US 1.1.1.1:53 encrypted-tbn0.gstatic.com udp
US 1.1.1.1:53 encrypted-tbn0.gstatic.com udp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 64.233.184.84:443 accounts.google.com tcp
GB 142.250.187.228:443 www.google.com tcp
US 1.1.1.1:53 clients1.google.com udp
GB 142.250.180.14:443 clients1.google.com tcp
GB 142.250.180.14:443 clients1.google.com tcp
US 1.1.1.1:53 play.google.com udp
GB 142.250.178.14:443 play.google.com tcp
US 1.1.1.1:53 consent.google.com udp
GB 216.58.204.78:443 consent.google.com tcp
US 1.1.1.1:53 cdn.ampproject.org udp
GB 142.250.200.1:443 cdn.ampproject.org tcp
GB 142.250.200.1:443 cdn.ampproject.org tcp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 github.githubassets.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 1.1.1.1:53 avatars.githubusercontent.com udp
US 1.1.1.1:53 github-cloud.s3.amazonaws.com udp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 1.1.1.1:53 user-images.githubusercontent.com udp
US 1.1.1.1:53 collector.github.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 140.82.113.21:443 collector.github.com tcp
US 1.1.1.1:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 1.1.1.1:53 update.googleapis.com udp
US 1.1.1.1:53 harshalbenake.blogspot.in udp
GB 142.250.178.1:80 harshalbenake.blogspot.in tcp
GB 142.250.178.1:80 harshalbenake.blogspot.in tcp
US 1.1.1.1:53 harshalbenake.blogspot.com udp
GB 216.58.213.1:80 harshalbenake.blogspot.com tcp
GB 216.58.213.1:443 harshalbenake.blogspot.com tcp
US 1.1.1.1:53 www.blogger.com udp
US 1.1.1.1:53 www.blogger.com udp
GB 216.58.201.105:443 www.blogger.com tcp
US 1.1.1.1:53 blogger.googleusercontent.com udp
GB 172.217.169.1:443 blogger.googleusercontent.com tcp
GB 172.217.169.1:443 blogger.googleusercontent.com tcp
GB 172.217.169.1:443 blogger.googleusercontent.com tcp
GB 172.217.169.1:443 blogger.googleusercontent.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
GB 172.217.169.1:443 blogger.googleusercontent.com tcp
US 1.1.1.1:53 resources.blogblog.com udp
GB 142.250.200.41:443 resources.blogblog.com tcp
US 1.1.1.1:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 1.1.1.1:53 tpc.googlesyndication.com udp
GB 142.250.187.193:443 tpc.googlesyndication.com tcp
US 1.1.1.1:53 redirector.gvt1.com udp
GB 216.58.204.78:443 redirector.gvt1.com tcp
US 1.1.1.1:53 r3---sn-5hnekn7l.gvt1.com udp
NL 74.125.100.8:443 r3---sn-5hnekn7l.gvt1.com tcp
US 1.1.1.1:53 r1---sn-5hne6nzy.gvt1.com udp
NL 172.217.132.166:443 r1---sn-5hne6nzy.gvt1.com tcp
US 1.1.1.1:53 r4---sn-5hne6nsr.gvt1.com udp
NL 172.217.132.73:443 r4---sn-5hne6nsr.gvt1.com tcp
US 1.1.1.1:53 r1---sn-5hne6nsy.gvt1.com udp
NL 172.217.132.102:443 r1---sn-5hne6nsy.gvt1.com tcp
US 1.1.1.1:53 r1---sn-5hne6nzs.gvt1.com udp
NL 74.125.8.102:443 r1---sn-5hne6nzs.gvt1.com tcp
US 1.1.1.1:53 r1---sn-5hne6nzd.gvt1.com udp
NL 74.125.100.230:443 r1---sn-5hne6nzd.gvt1.com tcp
US 1.1.1.1:53 r1---sn-5hne6nsd.gvt1.com udp
NL 172.217.132.6:443 r1---sn-5hne6nsd.gvt1.com tcp
US 1.1.1.1:53 r1---sn-5hne6nzk.gvt1.com udp
NL 172.217.132.134:443 r1---sn-5hne6nzk.gvt1.com tcp
US 1.1.1.1:53 r2---sn-5hne6nsz.gvt1.com udp
NL 74.125.100.71:443 r2---sn-5hne6nsz.gvt1.com tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 github.com udp
US 1.1.1.1:53 github-cloud.s3.amazonaws.com udp
GB 142.250.187.227:443 tcp
US 1.1.1.1:53 github.com udp
US 1.1.1.1:53 www.blogger.com udp
GB 142.250.178.1:80 harshalbenake.blogspot.in tcp
US 1.1.1.1:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
US 1.1.1.1:53 encrypted-tbn0.gstatic.com udp
GB 142.250.200.46:443 encrypted-tbn0.gstatic.com tcp
US 1.1.1.1:53 lh5.googleusercontent.com udp
GB 142.250.187.193:443 lh5.googleusercontent.com tcp
GB 142.250.187.193:443 lh5.googleusercontent.com tcp
GB 142.250.187.193:443 lh5.googleusercontent.com tcp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 encrypted-vtbn0.gstatic.com udp
GB 172.217.16.238:443 encrypted-vtbn0.gstatic.com tcp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 github-cloud.s3.amazonaws.com udp
US 1.1.1.1:53 encrypted-tbn0.gstatic.com udp
US 1.1.1.1:53 encrypted-tbn0.gstatic.com udp
GB 142.250.187.238:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.187.238:443 encrypted-tbn0.gstatic.com tcp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 camo.githubusercontent.com udp
US 1.1.1.1:53 github-cloud.s3.amazonaws.com udp
US 1.1.1.1:53 twitter.com udp
US 104.244.42.129:443 twitter.com tcp
US 104.244.42.129:443 twitter.com tcp
US 104.244.42.129:443 twitter.com tcp
US 1.1.1.1:53 x.com udp
US 1.1.1.1:53 abs.twimg.com udp
US 1.1.1.1:53 api.twitter.com udp
US 1.1.1.1:53 api.x.com udp
US 104.244.42.194:443 api.twitter.com tcp
US 104.244.42.130:443 api.x.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 1.1.1.1:53 t.co udp
US 1.1.1.1:53 pbs.twimg.com udp
PL 93.184.221.165:443 t.co tcp
GB 199.232.56.159:443 pbs.twimg.com tcp

Files

N/A