Malware Analysis Report

2024-10-16 05:28

Sample ID 240804-j2753azhpq
Target https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk
Tags
wipelock infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk was found to be: Known bad.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock

Wipelock Android payload

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 08:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 08:10

Reported

2024-08-04 08:11

Platform

android-x86-arm-20240624-en

Max time kernel

16s

Max time network

26s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 archive.org udp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.180.3:443 update.googleapis.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 08:10

Reported

2024-08-04 08:11

Platform

android-x64-20240624-en

Max time kernel

17s

Max time network

27s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.133.84:443 accounts.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
GB 173.194.76.84:443 accounts.google.com tcp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 archive.org udp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 172.217.169.3:443 update.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp

Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 133222.crdownload

MD5 dc98efd71997adb619bfc6e09b3df258
SHA1 50d0d722d4af4a863a19749dd7ef680c67662aa2
SHA256 d6c670c7a27105f082108d89c6d6b983bdeba6cef36d357b2c4c2bfbc4189aab
SHA512 1903987f5cd074bb672cf335442178a0820bce6e02dc5a04bbbd894c2048bcb068c85e6cefd3663bd0505a20c0651dcfcbb60760f2c5744e344af6f7a627ade7

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-04 08:10

Reported

2024-08-04 08:11

Platform

android-x64-arm64-20240624-en

Max time kernel

18s

Max time network

28s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description Indicator Process Target
N/A N/A N/A N/A

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 web.archive.org udp
US 1.1.1.1:53 accounts.google.com udp
GB 173.194.76.84:443 accounts.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 web.archive.org udp
BE 64.233.184.84:443 accounts.google.com tcp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 archive.org udp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 172.217.169.3:443 update.googleapis.com tcp

Files

/storage/emulated/0/Download/.pending-1723363882-fnaf2 aptoide.apk (deleted)

MD5 0e7a5b3a6fb5d5339f3ec3e794c2257d
SHA1 094b3330492d4eafb300e69bceb5b805880e343e
SHA256 e0c034d01500e99c4c57867a72ff09ef230ff7572d4bd3f58bacbb704e4c408b
SHA512 b405f3047ac8e3f9f5b58110ba7ed3addd1b8bfd5539ad9681689ad238ff6c3c0628661002a9ac5430b33ccf2078b683fec97344232dcc5c7838c3b5013b1cd7

/storage/emulated/0/Download/.pending-1723363882-fnaf2 aptoide.apk

MD5 e6ce1cfb216674cb596755aa9d140d8c
SHA1 2382796c65e281be4fa6078e59aeaaa64eaa89a7
SHA256 1b657f86ede3cabddbeee5ebcd6460c052f87d285f550cadff84cd39be01faf7
SHA512 f8d0461d2664030818103559b3cda3ac857cb921dbb78c18f95a85c1aa2220705bb2db7c22e3c06f39a60f088eeaa477bc56920c2597270829a1e5277126c5f1