Malware Analysis Report

2024-10-16 05:29

Sample ID 240806-w6e2aswfpq
Target https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk
Tags: wipelock infostealer trojan

Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk was found to be: Known bad.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock

Wipelock Android payload

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-06 18:31

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-08-06 18:31
Reported: 2024-08-06 18:35
Platform: android-x64-arm64-20240624-en
Max time kernel: 132s
Max time network: 165s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | web.archive.org | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
GB | 74.125.71.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | web.archive.org | udp
US | 207.241.237.3:443 | web.archive.org | tcp
GB | 74.125.71.84:443 | accounts.google.com | tcp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | archive.org | udp
US | 1.1.1.1:53 | web-static.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 1.1.1.1:53 | wayback-api.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.8:443 | wayback-api.archive.org | tcp
US | 1.1.1.1:53 | athena.archive.org | udp
US | 207.241.225.195:443 | athena.archive.org | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 142.250.179.227:443 | update.googleapis.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
US | 1.1.1.1:53 | web.archive.org | udp
US | 1.1.1.1:53 | web.archive.org | udp
US | 1.1.1.1:53 | web.archive.org | udp
US | 207.241.237.3:443 | web.archive.org | tcp

Files

/storage/emulated/0/Download/.pending-1723573929-fnaf2 aptoide.apk (deleted)

MD5 02d0af2e4cc5ab32680fc925c317ab52
SHA1 1b60df6df7f6d8cadc4f45e90cd342d7a96b6333
SHA256 42bb9bfd9df3b9bea58b86da927e0feb6abb79f8893feac6a3708ea772bab4f8
SHA512 3778057d834ea013e15d962c373182faad1f0e5d4a1c4929a20aa4c8f9a74cdc0ed3df6e9915ebc3305237c688975c9645e65449fb3916f834f05dbf67559c56

/storage/emulated/0/Download/.pending-1723573929-fnaf2 aptoide.apk

MD5 0741df517d4ec32497edc0b83ac8c9a4
SHA1 46da1293e08c032d527a8b28255bafa6fd6bc242
SHA256 566fb12031042c5f04d796471f9f640fdcdc103320fb5ce657102f71173acc9a
SHA512 dc217074e405938841ee909821fa217f62bd2de733b0a3c82ca0b46b7ed186d3421f46088ee3e2855e947b465576e85d56cc9f4ae172d95cb8fb0ccdf4215d14

files/dom-0.html

MD5 834a7b4679cd8f67f473b44946a7a23d
SHA1 b38c69720e6e65aad514ecdfcac92feedf6f3386
SHA256 258693f9cef8604131d97a938ac7371e24fcbd38a9f0dcd89bf9c89cc8ad5f55
SHA512 db153f3115ad2d4d5ab223e4e954ca2dc56ca4f6c30a407ffae0b44350fa8d19102ad4795975f887012697b71f1d17ef0bbe10f8af63faf3460ebf71c3595fe5

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-06 18:31
Reported: 2024-08-06 18:33
Platform: android-x86-arm-20240624-en
Max time kernel: 115s
Max time network: 110s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | web.archive.org | udp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 1.1.1.1:53 | archive.org | udp
US | 1.1.1.1:53 | web-static.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 1.1.1.1:53 | wayback-api.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.8:443 | wayback-api.archive.org | tcp
US | 1.1.1.1:53 | athena.archive.org | udp
US | 207.241.225.195:443 | athena.archive.org | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 216.58.212.227:443 | update.googleapis.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 216.58.204.74:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp

Files

/storage/emulated/0/Download/.com.google.Chrome.sOS64Q

MD5 8ae370494e539291344925e9a7c6598c
SHA1 80622cc6583048548393185992b74eceb7f0e7eb
SHA256 a4ba493fa425d42ea933514b8e4bba225cfaffdba89c3bc963cc2ea823d32874
SHA512 09bc5e711e440fcc779ec547721670af33c9052f980996eb22907cf12fa057c5cab8cfeaa6d7230001c6d1d6c786651761ee3687668466c34a4246cbdd3e17a5

/storage/emulated/0/Download/Unconfirmed 772431.crdownload

MD5 06d47ef8c6b95dc181787d9d37f22c83
SHA1 9603c192e78f1891bd4a054045e71b5ae512b461
SHA256 913637f82603e242655ac10278e87f3b21366dad40c09dded407d7bb5d21b175
SHA512 0a42894d2c0c7f55570ea9a426037beadc99a529cd8aa6bd78db8c52e5a09343b9baf9378caad7bf076db448d72c0a24ce6fb328858b31bf1f4237ca8d45c51a

files/dom-0.html

MD5 53a3f02a3b5f01b07ad7078b8e2a5b1c
SHA1 2f3fef9858b448ee1f0279b60cce101c2c19854b
SHA256 bd6f177e7b82a7b8facf4c06df031b042416c63c2a7684b5ef6e7d838fec0d5d
SHA512 2034124f3b2ed1634f661e138938676d52bb291ffd4c55d1093e31230527706e10083b342107f7275c5685673f91642b6244658f7706da2df9ff0407cfddff94

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-06 18:31
Reported: 2024-08-06 18:35
Platform: android-x64-20240624-en
Max time kernel: 116s
Max time network: 174s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 64.233.184.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | web.archive.org | udp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | archive.org | udp
US | 1.1.1.1:53 | web-static.archive.org | udp
US | 1.1.1.1:53 | archive.org | udp
US | 1.1.1.1:53 | web-static.archive.org | udp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 1.1.1.1:53 | archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.224.2:443 | archive.org | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 172.217.16.227:443 | update.googleapis.com | tcp
US | 1.1.1.1:53 | wayback-api.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.8:443 | wayback-api.archive.org | tcp
US | 1.1.1.1:53 | athena.archive.org | udp
US | 207.241.225.195:443 | athena.archive.org | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.16.234:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 749865.crdownload

MD5 dc98efd71997adb619bfc6e09b3df258
SHA1 50d0d722d4af4a863a19749dd7ef680c67662aa2
SHA256 d6c670c7a27105f082108d89c6d6b983bdeba6cef36d357b2c4c2bfbc4189aab
SHA512 1903987f5cd074bb672cf335442178a0820bce6e02dc5a04bbbd894c2048bcb068c85e6cefd3663bd0505a20c0651dcfcbb60760f2c5744e344af6f7a627ade7

files/dom-0.html

MD5 76bc33678b59d885c594562c7982013c
SHA1 5a8af5b937b8e66a18b193d390f4d454e0975892
SHA256 afeb3e590e043e97ab3e0f6c729763fecc78aae84e4763c0937eedc69c41a1d2
SHA512 3258511179e3f5ebabe6277b38d4a2ab14cc28d53a31e1442a09503fb6b7de24bcaf8c1c8de60faca1c303190d1218e2aef8448ee5777a7938da71b97be3b2ce