Malware Analysis Report

2024-10-16 05:23

Sample ID 240803-ev3jsaxfpe
Target fnaf2+aptoide.apk
SHA256 a57cd5e6da100b43b807552f98fc2ff97308ca4b777656e7cc3c8146781f8003
Tags
wipelock infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a57cd5e6da100b43b807552f98fc2ff97308ca4b777656e7cc3c8146781f8003

Threat Level: Known bad

The file fnaf2+aptoide.apk was found to be: Known bad.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock

Wipelock Android payload

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-03 04:16

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-03 04:16

Reported

2024-08-03 04:20

Platform

android-x64-20240624-en

Max time kernel

116s

Max time network

183s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description          | Indicator     | Process | Target
File opened for read | /proc/cpuinfo | N/A     | N/A

Checks memory information

Description          | Indicator     | Process | Target
File opened for read | /proc/meminfo | N/A     | N/A

Processes

com.android.chrome

Network

Country | Destination         | Domain                   | Proto
N/A     | 224.0.0.251:5353    |                          | udp
US      | 1.1.1.1:53          | accounts.google.com      | udp
BE      | 74.125.133.84:443   | accounts.google.com      | tcp
US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
GB      | 172.217.16.232:443  | ssl.google-analytics.com | tcp
US      | 1.1.1.1:53          | update.googleapis.com    | udp
GB      | 142.250.200.35:443  | update.googleapis.com    | tcp
GB      | 142.250.187.238:443 |                          | tcp
US      | 1.1.1.1:53          | android.apis.google.com  | udp
GB      | 142.250.187.206:443 | android.apis.google.com  | tcp
GB      | 142.250.179.228:443 |                          | tcp
GB      | 142.250.179.228:443 |                          | tcp
GB      | 142.250.178.10:443  |                          | tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-03 04:16

Reported

2024-08-03 04:20

Platform

android-x64-arm64-20240624-en

Max time kernel

166s

Max time network

184s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description | Indicator | Process | Target
N/A         | N/A       | N/A     | N/A

Declares broadcast receivers with permission to handle system events

Description                                                                                                        | Indicator                             | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN  | N/A     | N/A

Requests dangerous framework permissions

Description                                                                                                                                                                             | Indicator                                  | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE        | N/A     | N/A
Allows an application to receive SMS messages.                                                                                                                                          | android.permission.RECEIVE_SMS             | N/A     | N/A
Allows an application to send SMS messages.                                                                                                                                             | android.permission.SEND_SMS                | N/A     | N/A
Allows an application to read SMS messages.                                                                                                                                             | android.permission.READ_SMS                | N/A     | N/A
Allows an application to read the user's contacts data.                                                                                                                                 | android.permission.READ_CONTACTS           | N/A     | N/A
Allows an application to read from external storage.                                                                                                                                    | android.permission.READ_EXTERNAL_STORAGE   | N/A     | N/A
Allows an application to write to external storage.                                                                                                                                     | android.permission.WRITE_EXTERNAL_STORAGE  | N/A     | N/A
Allows an application to read or write the system settings.                                                                                                                             | android.permission.WRITE_SETTINGS          | N/A     | N/A

Checks CPU information

Description          | Indicator     | Process | Target
File opened for read | /proc/cpuinfo | N/A     | N/A

Checks memory information

Description          | Indicator     | Process | Target
File opened for read | /proc/meminfo | N/A     | N/A

Processes

com.android.chrome

Network

Country | Destination         | Domain                     | Proto
GB      | 142.250.180.14:443  |                            | tcp
GB      | 142.250.180.14:443  |                            | tcp
GB      | 142.250.180.14:443  |                            | tcp
N/A     | 224.0.0.251:5353    |                            | udp
US      | 1.1.1.1:53          | android.apis.google.com    | udp
GB      | 142.250.200.46:443  | android.apis.google.com    | tcp
GB      | 142.250.200.46:443  | android.apis.google.com    | tcp
US      | 1.1.1.1:53          | accounts.google.com        | udp
GB      | 64.233.167.84:443   | accounts.google.com        | tcp
US      | 1.1.1.1:53          | accounts.google.com        | udp
BE      | 142.250.110.84:443  | accounts.google.com        | tcp
US      | 1.1.1.1:53          | web-static.archive.org     | udp
US      | 207.241.237.2:443   | web-static.archive.org     | tcp
US      | 207.241.237.2:443   | web-static.archive.org     | tcp
US      | 207.241.237.2:443   | web-static.archive.org     | tcp
US      | 207.241.237.2:443   | web-static.archive.org     | tcp
US      | 1.1.1.1:53          | ssl.google-analytics.com   | udp
GB      | 142.250.180.8:443   | ssl.google-analytics.com   | tcp
US      | 1.1.1.1:53          | update.googleapis.com      | udp
GB      | 142.250.178.3:443   | update.googleapis.com      | tcp
US      | 207.241.237.2:443   | web-static.archive.org     | tcp
US      | 207.241.237.2:443   | web-static.archive.org     | tcp
US      | 207.241.237.2:443   | web-static.archive.org     | tcp
US      | 1.1.1.1:53          | archive.org                | udp
US      | 1.1.1.1:53          | wayback-api.archive.org    | udp
US      | 1.1.1.1:53          | web.archive.org            | udp
US      | 207.241.224.2:443   | archive.org                | tcp
US      | 207.241.224.2:443   | archive.org                | tcp
US      | 207.241.224.2:443   | archive.org                | tcp
US      | 207.241.237.3:443   | web.archive.org            | tcp
US      | 207.241.237.8:443   | wayback-api.archive.org    | tcp
GB      | 142.250.200.36:443  |                            | tcp
GB      | 142.250.200.36:443  |                            | tcp
US      | 1.1.1.1:53          | update.googleapis.com      | udp

Files

/storage/emulated/0/Download/.pending-1723263459-fnaf2 aptoide.apk (deleted)

MD5 f28af430e642d139b2132c37587a6eed
SHA1 88ffee4bf68949e923c7faf1427ad4d01d4e4d63
SHA256 03219f86a80911c4cb92e7cc6f18dd2f006d38e43cbfccc3e5f389ea03686adb
SHA512 8f995503125695e92cc74b7d2786110925b05457b9f5f461ebcfaf35bac533b0596eacb6bc4dee2ba8fc6e76463f2f4e0e8d853840008ba5fc3be8721d4f2354

/storage/emulated/0/Download/.pending-1723263459-fnaf2 aptoide.apk

MD5 743ae762afa19ec3862caf1747a0a520
SHA1 41686484e6b8c0038dd574e74f78ae8890efd84d
SHA256 0a87854528f9086dc46f4ddd0fba4f053610d696f7d93d9289064970b73d8f51
SHA512 1f6e266741a2675a586ad54465b67dd580e91ca2ca02eea0537b59353c28677271222d82bf863ae2854742d23b9f5f14d954d1121f60b81f6293f27d65077555

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-03 04:16

Reported

2024-08-03 04:20

Platform

android-x86-arm-20240624-en

Max time kernel

115s

Max time network

181s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description          | Indicator     | Process | Target
File opened for read | /proc/cpuinfo | N/A     | N/A

Checks memory information

Description          | Indicator     | Process | Target
File opened for read | /proc/meminfo | N/A     | N/A

Processes

com.android.chrome

Network

Country | Destination         | Domain                   | Proto
N/A     | 224.0.0.251:5353    |                          | udp
US      | 1.1.1.1:53          | update.googleapis.com    | udp
GB      | 142.250.200.3:443   | update.googleapis.com    | tcp
GB      | 216.58.204.78:443   |                          | tcp
US      | 1.1.1.1:53          | android.apis.google.com  | udp
GB      | 142.250.200.46:443  | android.apis.google.com  | tcp
GB      | 142.250.179.234:443 |                          | tcp

Files

N/A