Analysis Overview
SHA256
1d66dc652e3740a3fff4ec1ddefa923faec50a35cba8cd60219d7010fda888d4
Threat Level: Known bad
The file golddigger.apk was found to be: Known bad.
Malicious Activity Summary
GoldDigger payload
Golddigger family
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-23 15:34
Signatures
GoldDigger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Golddigger family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application a broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-23 15:34
Reported
2024-07-23 15:40
Platform
android-x64-arm64-20240624-en
Max time kernel
3s
Max time network
335s
Command Line
Signatures
Processes
com.trinsmalw.ownnhavysz
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 172.217.16.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.196:443 | tcp | |
| GB | 142.250.187.196:443 | tcp | |
| GB | 216.58.204.66:443 | tcp | |
| GB | 216.58.204.67:443 | tcp |
Files
/data/data/com.trinsmalw.ownnhavysz/files/.ss/l2884080a.so
| MD5 | 20ed5de8eadfb9f5b84542604a06f4f6 |
| SHA1 | e5d1539a02f6233b3a6fe4fa3eb29f49810cc20a |
| SHA256 | 7c251be038cb524a2a8ac9b67f2832fb506cc147fa4b0bbbdf7abe89f8bfdf25 |
| SHA512 | bfad5b09d6b136b9d10c37a4ee618f7b5d882352a0d9bfcc88ef20e5e5a3a942185f9f4553b2c31c99b4b012ba03a06e4ed610eb25ba4e9f2915dea8304073c9 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-23 15:34
Reported
2024-07-23 15:46
Platform
android-33-x64-arm64-20240624-en
Max time kernel
5s
Max time network
338s
Command Line
Signatures
Processes
com.trinsmalw.ownnhavysz
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.196:443 | udp | |
| GB | 142.250.187.196:443 | tcp | |
| GB | 216.58.212.238:443 | udp | |
| GB | 216.58.212.238:443 | tcp | |
| GB | 216.58.212.238:443 | tcp | |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 216.58.212.234:443 | remoteprovisioning.googleapis.com | tcp |
| US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp |
| GB | 172.217.169.68:443 | udp | |
| GB | 172.217.169.68:443 | tcp | |
| GB | 142.250.187.196:443 | udp | |
| US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp |
| US | 172.64.41.3:443 | tcp | |
| US | 172.64.41.3:443 | tcp | |
| GB | 216.58.204.67:443 | tcp | |
| US | 172.64.41.3:443 | udp | |
| US | 34.104.35.123:80 | tcp | |
| GB | 142.250.187.227:443 | tcp | |
| GB | 142.250.200.2:443 | tcp | |
| GB | 142.250.200.2:443 | tcp | |
| GB | 216.58.201.110:443 | tcp | |
| GB | 172.217.16.230:443 | tcp | |
| GB | 142.250.179.226:443 | tcp | |
| GB | 142.250.200.2:443 | tcp | |
| US | 216.239.34.36:443 | tcp | |
| GB | 142.250.187.225:443 | tcp | |
| GB | 142.250.187.225:443 | tcp | |
| GB | 142.250.187.225:443 | tcp | |
| GB | 142.250.187.225:443 | tcp | |
| GB | 142.250.187.225:443 | tcp | |
| GB | 142.250.178.1:443 | tcp | |
| GB | 142.250.187.227:443 | tcp |
Files
/data/data/com.trinsmalw.ownnhavysz/files/.ss/l2884080a.so
| MD5 | 20ed5de8eadfb9f5b84542604a06f4f6 |
| SHA1 | e5d1539a02f6233b3a6fe4fa3eb29f49810cc20a |
| SHA256 | 7c251be038cb524a2a8ac9b67f2832fb506cc147fa4b0bbbdf7abe89f8bfdf25 |
| SHA512 | bfad5b09d6b136b9d10c37a4ee618f7b5d882352a0d9bfcc88ef20e5e5a3a942185f9f4553b2c31c99b4b012ba03a06e4ed610eb25ba4e9f2915dea8304073c9 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-23 15:34
Reported
2024-07-23 15:40
Platform
android-x86-arm-20240624-en
Max time kernel
3s
Max time network
331s
Command Line
Signatures
Processes
com.trinsmalw.ownnhavysz
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.10:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.201.110:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| GB | 216.58.201.99:80 | tcp | |
| GB | 142.250.179.228:443 | tcp | |
| GB | 142.250.200.34:443 | tcp | |
| GB | 216.58.201.99:443 | tcp | |
| GB | 142.250.187.206:443 | tcp | |
| GB | 216.58.201.99:443 | tcp | |
| GB | 142.250.187.206:443 | tcp | |
| GB | 216.58.201.99:443 | tcp | |
| GB | 216.58.201.99:443 | tcp |
Files
/data/data/com.trinsmalw.ownnhavysz/files/.ss/l2884080a.so
| MD5 | df9326730abca997e68286790b676736 |
| SHA1 | 7a5b0d0378bd1e1e0aa9646459abc6a225ae50c8 |
| SHA256 | d0e70ac14118596cf4a8203910135878f84ac9ea52cb39e8e7035b162ef84624 |
| SHA512 | 0ee0817af55187ad5d4b31900a4eb2c754642fc3d03f2b8a0272c3882ac8b972fc04c83ee750bf31ba9438a4ffe1a36858b57e6232805db5515bf60a85f0fc63 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-23 15:34
Reported
2024-07-23 15:35
Platform
android-x64-20240624-en
Max time network
6s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |