Malware Analysis Report

2024-10-16 05:17

Sample ID 240722-xqc3fasfna
Target Domino.Pizza.ver.2.19.2.7.build.1.apk
SHA256 6008975dfd2aaa07fcb307b12d0c8a273aa6f4882749e29bac1f29e26a035c8f
Tags
banker discovery evasion impact persistence privilege_escalation spynote
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6008975dfd2aaa07fcb307b12d0c8a273aa6f4882749e29bac1f29e26a035c8f

Threat Level: Known bad

The file Domino.Pizza.ver.2.19.2.7.build.1.apk was found to be: Known bad.

Malicious Activity Summary

banker discovery evasion impact persistence privilege_escalation spynote

Spynote payload

Spynote family

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings.

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-22 19:03

Signatures

Spynote family

spynote

Spynote payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-22 19:03

Reported

2024-07-22 19:07

Platform

android-x86-arm-20240624-en

Max time kernel

42s

Max time network

45s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp

Files

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 19:03

Reported

2024-07-22 19:07

Platform

android-x64-arm64-20240624-en

Max time kernel

48s

Max time network

52s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

/storage/emulated/0/service player/config22-07-2024.log

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-22 19:03

Reported

2024-07-22 19:07

Platform

android-33-x64-arm64-20240624-en

Max time kernel

2s

Max time network

53s

Command Line

cmf0.c3b5bm90zq.patch

Signatures

N/A

Processes

cmf0.c3b5bm90zq.patch

Network

Country | Destination | Domain | Proto
GB | 142.250.187.228:443 | | udp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.228:443 | | udp
GB | 142.250.179.234:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
SG | 4.194.25.153:5214 | | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
SG | 4.194.25.153:5214 | | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
SG | 4.194.25.153:5214 | | tcp
GB | 142.250.187.228:443 | | udp
GB | 142.250.178.4:443 | | udp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.178.4:443 | | tcp
US | 162.159.61.3:443 | | tcp
US | 162.159.61.3:443 | | tcp
US | 162.159.61.3:443 | | udp
GB | 142.250.178.3:443 | | tcp
GB | 142.250.178.3:443 | | udp
SG | 4.194.25.153:5214 | | tcp
SG | 4.194.25.153:5214 | | tcp

Files

N/A