Malware Analysis Report

2024-12-01 03:17

Sample ID 240723-sz77qaxcmp
Target golddigger.apk
SHA256 1d66dc652e3740a3fff4ec1ddefa923faec50a35cba8cd60219d7010fda888d4
Tags golddigger
Score 10/10

Analysis Overview

Score 10/10

SHA256 1d66dc652e3740a3fff4ec1ddefa923faec50a35cba8cd60219d7010fda888d4

Threat Level: Known bad

The file golddigger.apk was found to be: Known bad.

Malicious Activity Summary

golddigger

GoldDigger payload

Golddigger family

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-07-23 15:34

Signatures

GoldDigger payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Golddigger family

golddigger

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-23 15:34
Reported 2024-07-23 15:40
Platform android-x64-arm64-20240624-en
Max time kernel 3s
Max time network 335s

Command Line

com.trinsmalw.ownnhavysz

Signatures

N/A

Processes

com.trinsmalw.ownnhavysz

Network


Files

/data/data/com.trinsmalw.ownnhavysz/files/.ss/l2884080a.so

MD5 20ed5de8eadfb9f5b84542604a06f4f6
SHA1 e5d1539a02f6233b3a6fe4fa3eb29f49810cc20a
SHA256 7c251be038cb524a2a8ac9b67f2832fb506cc147fa4b0bbbdf7abe89f8bfdf25
SHA512 bfad5b09d6b136b9d10c37a4ee618f7b5d882352a0d9bfcc88ef20e5e5a3a942185f9f4553b2c31c99b4b012ba03a06e4ed610eb25ba4e9f2915dea8304073c9

Analysis: behavioral3

Detonation Overview

Submitted 2024-07-23 15:34
Reported 2024-07-23 15:46
Platform android-33-x64-arm64-20240624-en
Max time kernel 5s
Max time network 338s

Command Line

com.trinsmalw.ownnhavysz

Signatures

N/A

Processes

com.trinsmalw.ownnhavysz

Network


Files

/data/data/com.trinsmalw.ownnhavysz/files/.ss/l2884080a.so

MD5 20ed5de8eadfb9f5b84542604a06f4f6
SHA1 e5d1539a02f6233b3a6fe4fa3eb29f49810cc20a
SHA256 7c251be038cb524a2a8ac9b67f2832fb506cc147fa4b0bbbdf7abe89f8bfdf25
SHA512 bfad5b09d6b136b9d10c37a4ee618f7b5d882352a0d9bfcc88ef20e5e5a3a942185f9f4553b2c31c99b4b012ba03a06e4ed610eb25ba4e9f2915dea8304073c9

Analysis: behavioral4

Detonation Overview

Submitted 2024-07-23 15:34
Reported 2024-07-23 15:40
Platform android-x86-arm-20240624-en
Max time kernel 3s
Max time network 331s

Command Line

com.trinsmalw.ownnhavysz

Signatures

N/A

Processes

com.trinsmalw.ownnhavysz

Network


Files

/data/data/com.trinsmalw.ownnhavysz/files/.ss/l2884080a.so

MD5 df9326730abca997e68286790b676736
SHA1 7a5b0d0378bd1e1e0aa9646459abc6a225ae50c8
SHA256 d0e70ac14118596cf4a8203910135878f84ac9ea52cb39e8e7035b162ef84624
SHA512 0ee0817af55187ad5d4b31900a4eb2c754642fc3d03f2b8a0272c3882ac8b972fc04c83ee750bf31ba9438a4ffe1a36858b57e6232805db5515bf60a85f0fc63

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-23 15:34
Reported 2024-07-23 15:35
Platform android-x64-20240624-en
Max time network 6s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A