Malware Analysis Report

2024-10-16 05:23

Sample ID 240811-l2srgsyfqh
Target https://web.archive.org/web/20230706214529/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk
Tags
wipelock infostealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://web.archive.org/web/20230706214529/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk was found to be: Known bad.

The submitted object is a Wayback Machine capture of a MediaFire download link for "fnaf2 aptoide.apk", and the sandbox opened it in Chrome: com.android.chrome is the only process recorded in all three runs. The Wipelock verdict and the manifest-derived permission signatures come from the APK that Chrome wrote to /storage/emulated/0/Download during the behavioral3 run (see the .pending-…-fnaf2 aptoide.apk entries under that run's Files section); behavioral1 and behavioral2 record only the page load and, in behavioral2, an unconfirmed .crdownload, with no APK on disk. The "Checks CPU information" and "Checks memory information" hits are reads of /proc/cpuinfo and /proc/meminfo by com.android.chrome itself and are not evidence of environment checks by the sample. No run records the APK being installed or executed, so this report documents the delivery URL and the payload's declared capabilities, not its runtime behavior.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock Android payload

Wipelock

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK

Mobile Matrix V15: no techniques are mapped in this report.

Analysis: static1

Detonation Overview

Reported

2024-08-11 10:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 10:02

Reported

2024-08-11 10:56

Platform

android-x86-arm-20240624-en

Max time kernel

1819s

Max time network

1828s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 archive.org udp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.224.2:443 archive.org tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.179.227:443 update.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 172.217.16.227:80 tcp
GB 172.217.16.228:443 tcp
GB 142.250.200.2:443 tcp
GB 142.250.187.227:443 tcp
GB 142.250.179.238:443 tcp
GB 142.250.187.227:443 tcp
GB 142.250.179.238:443 tcp
GB 142.250.187.227:443 tcp
GB 142.250.187.227:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.187.195:443 update.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
BE 74.125.133.188:5228 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 216.58.204.78:443 tcp

Files

files/dom-0.html

MD5 d37bee639444465d5de41a131150a6ca
SHA1 88e527cfaecf448e30fde956a7acb3ebfd098e1f
SHA256 f0a10d97acd18b888aa6aef0ea0df21894490deca7cf9767cd824b7034143cd7
SHA512 a4676c63b1162d9d0a37d9a19e54f93add736dfcfcc9663a457519f8877565fb35bda7b0a536943a36e466c88ca882aed7942843d55922c2cf19631c7b15a0a8

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 10:02

Reported

2024-08-11 10:56

Platform

android-x64-20240624-en

Max time kernel

1657s

Max time network

1789s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 accounts.google.com udp
BE 142.251.168.84:443 accounts.google.com tcp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 archive.org udp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.178.3:443 update.googleapis.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 216.58.204.67:443 tcp
GB 216.58.204.66:443 tcp
GB 216.58.204.67:443 tcp
GB 216.58.204.67:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.179.227:443 update.googleapis.com tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
BE 74.125.71.188:5228 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp

Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 659339.crdownload

MD5 dc98efd71997adb619bfc6e09b3df258
SHA1 50d0d722d4af4a863a19749dd7ef680c67662aa2
SHA256 d6c670c7a27105f082108d89c6d6b983bdeba6cef36d357b2c4c2bfbc4189aab
SHA512 1903987f5cd074bb672cf335442178a0820bce6e02dc5a04bbbd894c2048bcb068c85e6cefd3663bd0505a20c0651dcfcbb60760f2c5744e344af6f7a627ade7

files/dom-0.html

MD5 7bf50b36e56363da967abcc2b75f1e90
SHA1 60e31a2d5d8424cd0a62be005c4c8266a7129b71
SHA256 2be361e2690648d7a02a3dee9be9c5f7125b450ad0cd35d5195a7c3434d55386
SHA512 d4363dfaf43c7a0889c3db59d429bfb4ba1e3afbef4aab93ff7e2981a48044eae46a877e091cb46dc72e2f9ebc5eb6e59d419e1f85389fbde59f592232a35f34

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-11 10:02

Reported

2024-08-11 10:56

Platform

android-x64-arm64-20240624-en

Max time kernel

1804s

Max time network

1830s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
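The two signatures above are static checks on the APK's manifest: one looks for components guarded by a system-only bind permission (here a device-admin receiver), the other for runtime ("dangerous") permissions. The script below reproduces both checks against a decoded AndroidManifest.xml. It is an added example, not the sandbox's own signature code. It assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool); the sample manifest embedded in it is constructed to carry exactly the permissions the report lists and is not the real sample's manifest, and the DANGEROUS and SYSTEM_BIND sets and the final combination rule are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"

# Permissions the report groups as dangerous, plus a few more runtime permissions.
# Assumption for this example; production tooling should load protection levels
# from the platform's framework manifest rather than hard-code them.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.WRITE_SETTINGS",
    "android.permission.READ_CALL_LOG", "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO", "android.permission.ACCESS_FINE_LOCATION",
}

# Permissions only the system holds: a component guarded by one of them is a hook
# the OS calls into (device admin, accessibility, notification listener).
SYSTEM_BIND = {
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
       "android.permission.SEND_SMS"}

# Constructed manifest (not the real sample's) with the permissions the report lists.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application android:label="fnaf2">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin"
                 android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def requested_permissions(root):
    """Every <uses-permission android:name=...> in the manifest, de-duplicated."""
    return sorted({e.get(A + "name") for e in root.iter("uses-permission") if e.get(A + "name")})


def privileged_components(root):
    """Receivers and services whose android:permission is a system-only bind permission."""
    hits = []
    for tag in ("receiver", "service"):
        for c in root.iter(tag):
            perm = c.get(A + "permission")
            if perm in SYSTEM_BIND:
                actions = [a.get(A + "name") for a in c.iter("action")]
                hits.append({"type": tag, "name": c.get(A + "name"),
                             "permission": perm, "actions": actions})
    return hits


def analyze_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = requested_permissions(root)
    dangerous = [p for p in perms if p in DANGEROUS]
    privileged = privileged_components(root)
    findings = []
    if any(c["type"] == "receiver" for c in privileged):
        findings.append("Declares broadcast receivers with permission to handle system events")
    if any(c["type"] == "service" for c in privileged):
        findings.append("Declares services bound by system-only permissions")
    if dangerous:
        findings.append("Requests dangerous framework permissions")
    # Example's own combination rule: a device-admin hook next to SMS access is the
    # shape of a locker/stealer, not of a game download.
    has_admin = any(c["permission"] == "android.permission.BIND_DEVICE_ADMIN" for c in privileged)
    if has_admin and SMS & set(dangerous):
        findings.append("Device admin receiver combined with SMS permissions")
    return {"permissions": perms, "dangerous": dangerous,
            "privileged": privileged, "findings": findings}


if __name__ == "__main__":
    result = analyze_manifest(SAMPLE_MANIFEST)
    for finding in result["findings"]:
        print("-", finding)
    for comp in result["privileged"]:
        print(comp["type"], comp["name"], comp["permission"], comp["actions"])
```

Run it on the apktool output of the downloaded APK to confirm the report's two manifest signatures independently; the device-admin receiver is the part that matters operationally, because once the user grants admin rights the app cannot be uninstalled through the normal flow until the admin is deactivated.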

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 web.archive.org udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 web.archive.org udp
BE 108.177.15.84:443 accounts.google.com tcp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 archive.org udp
US 1.1.1.1:53 web-static.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 207.241.237.2:443 web-static.archive.org tcp
US 1.1.1.1:53 wayback-api.archive.org udp
US 207.241.224.2:443 archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 athena.archive.org udp
US 207.241.225.195:443 athena.archive.org tcp
US 207.241.237.8:443 wayback-api.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.187.227:443 update.googleapis.com tcp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.200.3:443 update.googleapis.com tcp
US 1.1.1.1:53 web.archive.org udp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
GB 142.250.200.34:443 tcp
GB 142.250.187.227:443 update.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
BE 142.251.173.188:5228 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.180.14:443 tcp
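The Network tables of behavioral1, behavioral2 and behavioral3 all have the same shape: resolver queries to 1.1.1.1, the sandbox's own fetch of the Wayback URL (archive.org hosts), and Chrome/Play services background traffic to Google ranges, some of it recorded without a domain because no DNS answer for that IP was captured in the run. The script below is an added example, not part of the report, that parses this flattened layout, attributes bare-IP rows to a name the same run resolved elsewhere, and separates platform noise from anything that still needs an analyst's eye. The sample rows are a subset copied from the behavioral1 table, and the PLATFORM_SUFFIXES allowlist is this example's own assumption about what counts as sandbox infrastructure.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the report's behavioral1 Network
# table, in its flattened "Country Destination Domain Proto" layout (the Domain
# field is simply absent when the sandbox recorded no DNS answer for that IP).
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 web.archive.org udp
US 207.241.237.3:443 web.archive.org tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.179.227:443 update.googleapis.com tcp
GB 142.250.187.206:443 tcp
GB 172.217.16.227:80 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.238:443 tcp
BE 74.125.133.188:5228 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
"""

# Assumption for this example: traffic to these domains is the sandbox fetching the
# Wayback URL plus stock Chrome/Play services chatter, not the sample's infrastructure.
PLATFORM_SUFFIXES = ("archive.org", "google.com", "googleapis.com",
                     "google-analytics.com", "gstatic.com")

# country, ip:port, optional domain, proto
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(udp|tcp)$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparsed row: %r" % line)
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto, "attributed": False})
    return rows


def attribute_domains(rows):
    """Give bare-IP rows the name this run resolved to the same IP elsewhere."""
    seen = defaultdict(set)
    for r in rows:
        if r["domain"]:
            seen[r["ip"]].add(r["domain"])
    for r in rows:
        if not r["domain"] and r["ip"] in seen:
            r["domain"] = sorted(seen[r["ip"]])[0]
            r["attributed"] = True
    return rows


def is_platform(domain):
    return bool(domain) and any(domain == s or domain.endswith("." + s)
                                for s in PLATFORM_SUFFIXES)


def classify(row):
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast or ip.is_private or ip.is_link_local:
        return "local"       # mDNS (224.0.0.251:5353), sandbox LAN
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"         # resolver hops; the queried name is what matters, not 1.1.1.1
    if is_platform(row["domain"]):
        return "platform"
    return "review"          # unattributed IP, or a domain outside the allowlist


def triage(text):
    buckets = defaultdict(list)
    for r in attribute_domains(parse_rows(text)):
        buckets[classify(r)].append(r)
    return buckets


if __name__ == "__main__":
    b = triage(SAMPLE_ROWS)
    for k in ("local", "dns", "platform", "review"):
        print(k, len(b[k]))
    for r in b["review"]:
        print("review:", r["country"], "%s:%d/%s" % (r["ip"], r["port"], r["proto"]))
```

On the sample rows the only "review" entries are Google-range destinations the run never resolved (142.250.187.206:443, 172.217.16.227:80 and the TCP/5228 connection, which is the port Google's push messaging channel uses). Resolve those through passive DNS or WHOIS rather than widening the allowlist by IP prefix; the useful negative result for this sample is that none of the three runs shows a destination outside archive.org and Google, consistent with the APK never having been executed.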

Files

/storage/emulated/0/Download/.pending-1723976746-fnaf2 aptoide.apk (deleted)

MD5 8ee5139d1bf116a56b8e11b5eff06afd
SHA1 6fa68ada075e3084fa0c5c11719c6e5d425d2623
SHA256 9f5e69c7df5eeb053816fe31c732c46f6f266015097e81e048f64ec26a0881f3
SHA512 edfe422e5e7eccdf03a30afdd578fde5440b3b00c1cad2f467c78bab1ccc18e1600f11ac925fb25a5b9bbc6b9cc51946d023e6a5725d88aede6d691112e42f2d

/storage/emulated/0/Download/.pending-1723976746-fnaf2 aptoide.apk

MD5 d7224fefc668cd6c672c3930b988b180
SHA1 18fe07b4c76edbfc961ac7cb0db0f072a0942975
SHA256 584b2232e6e6f1b2f5de74110b2429a4bce52f402f86868d0cd220bebd6c0f60
SHA512 302fd5c9e8d7f9aef76451d510ca86f1022c02ac07138503d552586f4f01e317e7f0ac15f3e7ac301c0372895be730a7a845cf28fbd2f7ae948c67bf0d079c50

files/dom-0.html

MD5 3cb82a7d4d0ee212e4df431cf64e6f6c
SHA1 b0b4e9c4546f345edaf1cb187a5dc56db4497631
SHA256 529f47c1dab6ed0b2f2f289ffc3043c1f4d2a5ab2a28db4adf64d088be8eab79
SHA512 eae676fdff9adf5b044b15506f0349658981d7caa280f5fdb8d1b2b37e5d11bb61cced2aba6d4181d380553166647a4bb05cdb39f5697441093628aeff3dc82f
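The behavioral3 Files section records two different hash sets for the same path, /storage/emulated/0/Download/.pending-1723976746-fnaf2 aptoide.apk, one of them marked "(deleted)". A ".pending-" name is an in-progress download, so before either SHA-256 is used as an indicator for the payload it is worth establishing which blob, if any, is a finished archive. The check below is an added example, not part of the report: it classifies a captured blob as a complete APK, a truncated transfer, a non-APK ZIP or not a ZIP at all, and pairs that state with the blob's SHA-256. The archive it tests on is constructed in memory so the example runs offline; its member contents are placeholders, not real AXML or DEX.

```python
import hashlib
import io
import zipfile


def build_sample_apk():
    """Constructed stand-in for a finished APK: a ZIP with the members every APK
    carries. Placeholder member contents, not real AndroidManifest/DEX data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + bytes(64))
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(256))
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def apk_state(blob):
    """Classify a captured download and return its state with the SHA-256 so the
    hash that gets shared as an IOC is tied to a known file state."""
    sha256 = hashlib.sha256(blob).hexdigest()
    if not blob.startswith(b"PK\x03\x04"):
        return {"state": "not-zip", "sha256": sha256, "entries": []}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            bad = z.testzip()          # CRC-checks every member
            names = z.namelist()
    except zipfile.BadZipFile:
        # No end-of-central-directory record: the transfer stopped before the end,
        # which is what a ".pending-" file that was still being written looks like.
        return {"state": "truncated", "sha256": sha256, "entries": []}
    if bad is not None:
        return {"state": "corrupt", "sha256": sha256, "entries": names}
    ok = "AndroidManifest.xml" in names and "classes.dex" in names
    return {"state": "complete" if ok else "zip-not-apk",
            "sha256": sha256, "entries": names}


if __name__ == "__main__":
    full = build_sample_apk()
    samples = (("finished", full),
               ("interrupted", full[: len(full) // 2]),
               ("html page", b"<html><body>not an apk</body></html>"))
    for label, blob in samples:
        r = apk_state(blob)
        print("%-12s %-10s %s entries=%d" % (label, r["state"], r["sha256"][:16], len(r["entries"])))
```

Run apk_state over both exported blobs; only a "complete" result should be published as the payload hash, and a truncated blob's hash belongs in notes, not in a blocklist, since it identifies one interrupted transfer rather than the file.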