Malware Analysis Report

2024-10-16 05:23

Sample ID 240804-tjpk4stdkc
Target https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk
Tags
wipelock infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted target is a URL (a Wayback Machine capture of a MediaFire download named fnaf2 aptoide.apk), and it was found to be: Known bad.

How to read the verdict: in all three behavioral runs the only process recorded is com.android.chrome, which opened the URL and saved the APK; no other process appears, so the APK itself was not executed in the sandbox. The Wipelock classification, the BIND_DEVICE_ADMIN receiver and the dangerous-permission findings are reported only in behavioral3, the one run in which the APK reached /storage/emulated/0/Download, so they describe the downloaded file's manifest rather than observed runtime behaviour. That download is recorded twice under the same .pending- path with different hashes (one entry marked deleted), so neither hash should be taken as the complete APK without checking it. The /proc/cpuinfo and /proc/meminfo reads appear in all three runs, including the two in which no APK was written to Download, so they are the browser's own activity, not the payload's. The network tables contain only archive.org and Google address-space traffic generated by the browser and the platform; no other destination was contacted.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock

Wipelock Android payload

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 16:05

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 16:05

Reported

2024-08-04 17:22

Platform

android-x64-20240624-en

Max time kernel

1769s

Max time network

1793s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.133.84:443 accounts.google.com tcp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 archive.org udp
US 207.241.224.2:443 archive.org tcp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.178.3:443 update.googleapis.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 216.58.212.227:443 tcp
GB 172.217.169.74:443 tcp
GB 142.250.200.34:443 tcp
GB 216.58.212.227:443 tcp
GB 216.58.212.227:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.200.35:443 update.googleapis.com tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
BE 108.177.15.188:5228 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp

Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 849321.crdownload

MD5 dc98efd71997adb619bfc6e09b3df258
SHA1 50d0d722d4af4a863a19749dd7ef680c67662aa2
SHA256 d6c670c7a27105f082108d89c6d6b983bdeba6cef36d357b2c4c2bfbc4189aab
SHA512 1903987f5cd074bb672cf335442178a0820bce6e02dc5a04bbbd894c2048bcb068c85e6cefd3663bd0505a20c0651dcfcbb60760f2c5744e344af6f7a627ade7

files/dom-0.html

MD5 be13aef92617f11e06868e34dd03d7f2
SHA1 70214bdd21058c225b69458bd397438a2e264762
SHA256 03915f9532cc41b217cfb5f51a7b864a6ba0eb881219facc26e0960168e0e47a
SHA512 a378205fc68b715b416cfabcb6a9aa3d1ae140a9dc7f956d9823a33edd0b01d48ebb38182d337cce60bcc50c636f90ebf97eb3c225997d6c37689d26291c4df2

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-04 16:05

Reported

2024-08-04 17:22

Platform

android-x64-arm64-20240624-en

Max time kernel

1805s

Max time network

1827s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
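The receiver and permission findings above are manifest facts, and an analyst normally reproduces them on the downloaded APK instead of relying on the sandbox label. The script below is an added example, not part of this report or of the sandbox's own tooling. It reads a decoded AndroidManifest.xml (the binary AXML inside an APK has to be decoded first, for instance with apktool or androguard), lists the dangerous permissions the report names, finds receivers guarded by android.permission.BIND_DEVICE_ADMIN, and applies a hypothetical escalation rule of my own. The embedded manifest is constructed to mirror the report's findings; it is not the manifest of fnaf2 aptoide.apk, and the package name in it is made up.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERMISSION = "{%s}permission" % ANDROID_NS

# The dangerous permissions the report flags for the downloaded APK.
DANGEROUS = frozenset({
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WRITE_SETTINGS",
})
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
SMS_CONTROL = frozenset({
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
})

# Constructed manifest mirroring the report's findings. Not the real APK's
# manifest; the package name and receiver class names are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def analyse_manifest(xml_text):
    """Return the manifest features an analyst checks first for this profile."""
    root = ET.fromstring(xml_text)
    requested = [e.get(A_NAME) for e in root.iter("uses-permission")]
    receivers = []
    for r in root.iter("receiver"):
        receivers.append({
            "name": r.get(A_NAME),
            "permission": r.get(A_PERMISSION),  # None when the receiver is unguarded
            "actions": [a.get(A_NAME) for a in r.iter("action")],
        })
    admin = [r["name"] for r in receivers if r["permission"] == DEVICE_ADMIN]
    dangerous = sorted(p for p in requested if p in DANGEROUS)
    # Hypothetical triage rule, not the sandbox's scoring: a device-admin
    # receiver together with full SMS control is the combination to escalate
    # for a locker/infostealer profile.
    escalate = bool(admin) and SMS_CONTROL <= set(requested)
    return {
        "dangerous": dangerous,
        "device_admin_receivers": admin,
        "receivers": receivers,
        "escalate": escalate,
    }


if __name__ == "__main__":
    # Usage: python manifest_check.py decoded/AndroidManifest.xml
    # With no argument the constructed sample manifest is analysed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MANIFEST
    result = analyse_manifest(text)
    for key in ("dangerous", "device_admin_receivers", "escalate"):
        print(f"{key}: {result[key]}")
```

The device-admin check keys on the android:permission attribute of the receiver, which is what the report's "Declares broadcast receivers with permission to handle system events" signature describes; a receiver for DEVICE_ADMIN_ENABLED without that guard would be rejected by the system, so its absence is itself a finding. Unguarded receivers such as the BOOT_COMPLETED one are returned too, because persistence on boot is usually the next thing to look at once device-admin is confirmed.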

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 web.archive.org udp
US 1.1.1.1:53 accounts.google.com udp
GB 173.194.76.84:443 accounts.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.206.84:443 accounts.google.com tcp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 archive.org udp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.180.3:443 update.googleapis.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.187.227:443 update.googleapis.com tcp
US 1.1.1.1:53 web.archive.org udp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
GB 142.250.187.227:443 update.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.212.228:443 www.google.com tcp
GB 172.217.169.78:443 tcp

Files

/storage/emulated/0/Download/.pending-1723395116-fnaf2 aptoide.apk (deleted)

MD5 02d0af2e4cc5ab32680fc925c317ab52
SHA1 1b60df6df7f6d8cadc4f45e90cd342d7a96b6333
SHA256 42bb9bfd9df3b9bea58b86da927e0feb6abb79f8893feac6a3708ea772bab4f8
SHA512 3778057d834ea013e15d962c373182faad1f0e5d4a1c4929a20aa4c8f9a74cdc0ed3df6e9915ebc3305237c688975c9645e65449fb3916f834f05dbf67559c56

/storage/emulated/0/Download/.pending-1723395116-fnaf2 aptoide.apk

MD5 0741df517d4ec32497edc0b83ac8c9a4
SHA1 46da1293e08c032d527a8b28255bafa6fd6bc242
SHA256 566fb12031042c5f04d796471f9f640fdcdc103320fb5ce657102f71173acc9a
SHA512 dc217074e405938841ee909821fa217f62bd2de733b0a3c82ca0b46b7ed186d3421f46088ee3e2855e947b465576e85d56cc9f4ae172d95cb8fb0ccdf4215d14

files/dom-0.html

MD5 ce4846fcb8867259f793576419b1529f
SHA1 0148a095c9d90b50178fb0f21a6bfe5a64b831fc
SHA256 fa163c8cf55a4036c8bc717c2f41a47f3aaa1e597a06c5bf21daa95de5a237b7
SHA512 501492bbb02ba4b0d7e251500d39e0f0713476341d8ebdf6f150cff11964e6f85cb3cf8403aea282bf8284cb9295590ea7de2ce2278c68385c8b888e9d464362

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 16:05

Reported

2024-08-04 17:22

Platform

android-x86-arm-20240624-en

Max time kernel

1662s

Max time network

1830s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 archive.org udp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.180.3:443 update.googleapis.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp
GB 142.250.187.227:80 tcp
GB 216.58.204.68:443 tcp
GB 172.217.169.34:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.178.3:443 tcp
GB 142.250.178.3:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.178.3:443 tcp
GB 142.250.178.3:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 216.58.204.67:443 update.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
BE 74.125.71.188:5228 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.180.14:443 tcp
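The three Network tables above share one layout, "Country Destination Domain Proto", with the Domain column empty on rows the sandbox could not tie to a DNS answer, and the analyst's question for each is the same: did anything talk to a host outside the submitted URL's site and the platform's own Google baseline? The following parser is an added example, not part of the report or of the sandbox: it separates resolver queries and mDNS from real connections, reuses the names the sandbox did attach to an IP for the rows where it did not, and buckets the rest as unresolved instead of silently treating an unlabeled row as benign. The sample rows are copied from the tables above (a subset spanning the runs); the baseline suffix list is my assumption for this report, not a sandbox setting.

```python
import ipaddress
import re
import sys

# One flattened table row: "<country> <ip:port> [<domain>] <proto>".
ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

# Rows copied from this report's Network tables (subset). The "N/A" country
# on the first row and the domain-less rows are exactly as the page shows them.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.206.84:443 accounts.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
BE 108.177.15.188:5228 tcp
"""

# Assumed baseline for this detonation: the submitted URL's host and the
# Android/Chrome platform traffic. Anything else goes in "unexpected".
BASELINE = ("archive.org", "google.com", "googleapis.com")


def in_baseline(domain):
    return any(domain == s or domain.endswith("." + s) for s in BASELINE)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue  # blank lines and the header row
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unparseable network row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def triage(text):
    rows = parse_rows(text)
    # Names the sandbox attached to an IP, learned from connection rows only;
    # DNS rows carry the queried name next to the resolver's IP, not the peer's.
    ip_to_domain = {r["ip"]: r["domain"]
                    for r in rows if r["domain"] and r["port"] != 53}
    looked_up = sorted({r["domain"] for r in rows if r["port"] == 53 and r["domain"]})
    contacted, unresolved, unexpected = set(), set(), []
    for r in rows:
        if r["port"] == 53 or ipaddress.ip_address(r["ip"]).is_multicast:
            continue  # resolver queries and mDNS are not connections to a peer
        domain = r["domain"] or ip_to_domain.get(r["ip"])
        if domain is None:
            unresolved.add((r["ip"], r["port"], r["proto"]))
            continue
        contacted.add(domain)
        if not in_baseline(domain):
            unexpected.append((domain, r["ip"], r["port"]))
    return {
        "looked_up": looked_up,
        "contacted": sorted(contacted),
        "unresolved": sorted(unresolved),
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    # Usage: python net_triage.py rows.txt  (rows pasted from the report)
    # With no argument the sample rows above are triaged.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ROWS
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

On the report's own rows the unresolved bucket holds only Google address space, and the one non-web port, TCP 5228, is the port Google's push service (GCM/FCM) uses, so it is consistent with Play services check-in rather than with a command-and-control channel. Keeping those rows in a separate bucket rather than dropping them is the point: a real C2 address in a sandbox report usually shows up as exactly this kind of domain-less line.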

Files

files/dom-0.html

MD5 1a819e5222381875a9e07400790ebd73
SHA1 d906e6e442671fd6c074f51ec06d564dfd1bd412
SHA256 12e515b169b88ff556729395bee11fe603d058f0211bc9dd972275bb27b5d949
SHA512 6ab91248336e838444939873a49d66b7da81e04af3a52d12bde4393d10c555bc2df9e079db28d0502e2b0dc82e75461c634bd0dfedd0369de27654bedb6a1ccc