Malware Analysis Report

2024-10-16 05:23

Sample ID 240811-lwc4vavbkk
Target https://web.archive.org/web/20230706214529/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk
Tags
wipelock infostealer trojan
score
10/10


Analysis Overview

score
10/10

Threat Level: Known bad

The file https://web.archive.org/web/20230706214529/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk was found to be: Known bad.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock

Wipelock Android payload

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 09:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 09:52

Reported

2024-08-11 09:55

Platform

android-x86-arm-20240624-en

Max time kernel

74s

Max time network

124s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

com.android.chrome

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | web.archive.org | udp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 1.1.1.1:53 | archive.org | udp
US | 1.1.1.1:53 | web-static.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.224.2:443 | archive.org | tcp
US | 1.1.1.1:53 | wayback-api.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.8:443 | wayback-api.archive.org | tcp
US | 1.1.1.1:53 | athena.archive.org | udp
US | 207.241.225.195:443 | athena.archive.org | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 142.250.187.227:443 | update.googleapis.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.179.234:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp

Files

/storage/emulated/0/Download/.com.google.Chrome.apFlHK

MD5 48ebe4976719e8021c6ef85e6c836fad
SHA1 647e3f7542010f5fc6aab0a4d270af03c669aa1b
SHA256 db609f92c7c96b5761a2b05e73aff301202f7bb5cfa0984544cf2f123f53fac6
SHA512 79127234e0cc14849602b1b281ac724bc54098a23b806254885e2f99c88db64b0c2eb94aac2da2d0051de95fb526dcb41a2d2035a4b4136781e0e867241f9f9f

/storage/emulated/0/Download/Unconfirmed 759943.crdownload

MD5 e988cf0c82c847edc2de4339f8b7e288
SHA1 d680efb9efaccd8ee01013f8a2b40d312773707e
SHA256 eebb2234cc8a8ba3ef1050a4a074256e32a9128199dd219e3bcca04978be6129
SHA512 e0f625403f2f693dbf095410001c4e4bd0724296f6c9082f06dc95cc95866088fa37819851d15238c71e0c02f1e432d8f38fb9c1fa95bacbacb972c455f83310

files/dom-0.html

MD5 e2af299ecc22ed763e0b43993f045bd3
SHA1 f129f7d5fef561f13ca727f6d1ab1d09506d60df
SHA256 50cac12d183c0791e0469ea423bf6358d71222625911f354c7214ffcc7e619e8
SHA512 de6ce65f4781ec754244dae752edccc46725258de46cf59be403b6148c8d52fb8da93f7a6e4a10067e8b41ae8c23d51e5e8f9bdf14f667362f0035260437ffb3

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 09:52

Reported

2024-08-11 10:23

Platform

android-x64-20240624-en

Max time kernel

374s

Max time network

1791s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | accounts.google.com | udp
GB | 173.194.76.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | web.archive.org | udp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 1.1.1.1:53 | web-static.archive.org | udp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 1.1.1.1:53 | wayback-api.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.8:443 | wayback-api.archive.org | tcp
US | 1.1.1.1:53 | athena.archive.org | udp
US | 207.241.225.195:443 | athena.archive.org | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 142.250.180.3:443 | update.googleapis.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.204.74:443 | | tcp
GB | 142.250.180.3:443 | update.googleapis.com | tcp
GB | 216.58.201.98:443 | | tcp
GB | 142.250.180.3:443 | update.googleapis.com | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 142.250.200.35:443 | update.googleapis.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
BE | 142.251.168.188:5228 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | tcp

Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 654752.crdownload

MD5 dc98efd71997adb619bfc6e09b3df258
SHA1 50d0d722d4af4a863a19749dd7ef680c67662aa2
SHA256 d6c670c7a27105f082108d89c6d6b983bdeba6cef36d357b2c4c2bfbc4189aab
SHA512 1903987f5cd074bb672cf335442178a0820bce6e02dc5a04bbbd894c2048bcb068c85e6cefd3663bd0505a20c0651dcfcbb60760f2c5744e344af6f7a627ade7

files/dom-0.html

MD5 1b70459c8041c7c34694a0051ed134c7
SHA1 b8ef773df39725538d5ce7de4830714c2c367893
SHA256 4a4ae1b706c8a34548f8dcef277b331941a8fecf61a1138bbeb3dd38fa9f9f03
SHA512 c15b969f7c961b019165ba1a202d562f831e1bab08090fabe9692657c5268098a423574e9f52613c8311a63638eba6dc174fa84be59f2fb74e1381fa3630aa56

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-11 09:52

Reported

2024-08-11 10:23

Platform

android-x64-arm64-20240624-en

Max time kernel

1824s

Max time network

1831s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | web.archive.org | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 108.177.15.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | web.archive.org | udp
GB | 64.233.166.84:443 | accounts.google.com | tcp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | archive.org | udp
US | 1.1.1.1:53 | web-static.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 207.241.237.2:443 | web-static.archive.org | tcp
US | 1.1.1.1:53 | wayback-api.archive.org | udp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.237.8:443 | wayback-api.archive.org | tcp
US | 1.1.1.1:53 | athena.archive.org | udp
US | 207.241.225.195:443 | athena.archive.org | tcp
US | 207.241.237.8:443 | wayback-api.archive.org | tcp
US | 207.241.224.2:443 | archive.org | tcp
US | 207.241.225.195:443 | athena.archive.org | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 216.58.204.67:443 | update.googleapis.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
US | 1.1.1.1:53 | web.archive.org | udp
US | 1.1.1.1:53 | web.archive.org | udp
US | 207.241.237.3:443 | web.archive.org | tcp
US | 1.1.1.1:53 | web.archive.org | udp
GB | 142.250.200.2:443 | | tcp
GB | 142.250.187.227:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
BE | 74.125.133.188:5228 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp
GB | 142.250.187.238:443 | | tcp

Files

/storage/emulated/0/Download/.pending-1723974796-fnaf2 aptoide.apk (deleted)

MD5 960732cac9b21c0af5fc96dbe9b13d5a
SHA1 1595a654c3643dbeab94aa20066b91a2e189ac33
SHA256 a69803455fdcb2ac7ee98181508612855ba07b8fce971ec3df5f0171bc415d45
SHA512 96ccf5ea3d15463804d7caeef5c07e956efeb3f2cef35556df2cbe7ebdcc1d1c27dad955fcefac66710ba7f8557b3a03a8e8b03a322aa1a8666912d0e4c243a6

/storage/emulated/0/Download/.pending-1723974796-fnaf2 aptoide.apk

MD5 6d0ec374933c03bd528071f6e512edce
SHA1 bef1db98bbf79a3d4d8f4814dca9b4671cf55df9
SHA256 0d1232477b80873f6445a6c9e9582ad6a3203621558f6105fe4e61837ebe2da6
SHA512 d5f9d07e2aa8bfc5c17a5f6e134519823959a1452dba2081a7ae21709d90d88358aa3b6547cf771f0ba0312275a29bc39d3ad8de336c899636b6504d5fc52e76

files/dom-0.html

MD5 33fbb1969f342bf2b634f1b4d00c33d8
SHA1 c055601048b43a298728d5e2f810d6e09940b88a
SHA256 2724f85b1f1de77d51ed2aecd31f6f6a3ff7b7db75c01bd300edec6fdb59caf9
SHA512 b0369f3dc6f39dccc40d38cde8a9ba040fb4f62eef82f62dee58f122c1698788f04d7202d7ba32dcd6f61ab4ada599ac00f60bac9c8ff48d8d4e49e5879342bb