Malware Analysis Report

2024-10-16 05:23

Sample ID 240811-lxyryayend
Target https://web.archive.org/web/20230706214529/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk
Tags
wipelock infostealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file https://web.archive.org/web/20230706214529/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk was found to be: Known bad.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock

Wipelock Android payload

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-08-11 09:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 09:55

Reported

2024-08-11 11:36

Platform

android-x86-arm-20240624-en

Max time kernel

1664s

Max time network

1829s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network


Files

files/dom-0.html

MD5 cae72ee0850a2819f49bfeec742c5aef
SHA1 85ab026e90fc40dc6abe01c6a6ee52c3b01f47d9
SHA256 49f3087232708afa7d16b84182ea4179c422e1676b58945d9e16f9ed0d9bd69c
SHA512 7849a01a6b6939cc7fd94f15f05d45977dcc9812c912ebc93c344245ee368ede707cdccd1ef2bc1ce2d16f655a8d5b0503702322509debc62e4b0126c8c8bdb3

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 09:55

Reported

2024-08-11 11:36

Platform

android-x64-20240624-en

Max time kernel

1659s

Max time network

1792s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network


Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/.com.google.Chrome.saK8HD

MD5 b014a614c6ecc588e0a2f1edd180f79b
SHA1 4497419dba2640ba4d05bd3b048401ff982b9acb
SHA256 341e77c9d2749a124497323fb5ad11f063d115fb9dfd9714198eb9e53e56d1d1
SHA512 f6cff8d9eb22102f01b29e24b47b9534b1152b8c4f6367aa1dc522cbc34b18d3af17a49f73d8d6cc331cb6e956a6cb46700a0644aaa3113c057058ec3f560dfe

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 765753.crdownload

MD5 d72b2a5b0eba34c207fc551d56597371
SHA1 8956593c32c44979a19958e5ae90319f28259717
SHA256 524b3f2ddd63c6bb8bb3d88b84c3ce077ef28e70da5547bd45b7b02612c66778
SHA512 ee98f5b2305fc4e4fb702c17a10300455cbe0d405dd68834a9492461c016a0ba6cce79cdd3d4c4641e91866fc4f8ed5cf0677a86f14e78666471f85e081199bd

files/dom-0.html

MD5 4f1ba5be80df12ad587caef2eb8ea146
SHA1 f2f90ab68797cf9a4bc71dbd8454c911c7754664
SHA256 9d2f4e88b619b5d8ec76366b0c7a0da0c99d3fefd912e81e7b33af27a9d63e67
SHA512 ed1f7775a3fec075ab3eda82c29cf7206ced1270ddf672ee2fc3a9b81e3bfeb430bce9325172a32763dab3abb9f329164397dea4d8373e014cb1b9cc2cb64b43

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-11 09:55

Reported

2024-08-11 11:36

Platform

android-x64-arm64-20240624-en

Max time kernel

1808s

Max time network

1824s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network


Files

/storage/emulated/0/Download/.pending-1723979204-fnaf2 aptoide.apk (deleted)

MD5 dacb713500a17e6c3ca7e21e957b54a2
SHA1 f040b481adf978a2b707f0b50bbff50f7e5c4690
SHA256 b405bcaf8f8604d7ce24029a287bb1db48974c2326e022a60c3716f31ef1f506
SHA512 c9b1ec1b08e6aa4ba8d873dfa4023a00a05d13b33f4dbf71e37a3a3a7908fa27ada61c8a5e5aff7c32f29162862d3d88d1b363168cd2194844178647e73809f2

/storage/emulated/0/Download/.pending-1723979204-fnaf2 aptoide.apk

MD5 49f23d5486e36de84c7dfcfc607497b1
SHA1 e89e9e34d9fe5203a733059e81d786a99988cb69
SHA256 fc6738c227d62d70515c6487b95ca9438c599722fff4590bb2bae81fae5986ca
SHA512 6fdceb43a6446a2109658f2fb0b5072eb7bb09a0691547372286531ae95c34ef09b0b43d40e5a4432ae62eca80c16f5d011dfb044295001496dd12d49e99756a

files/dom-0.html

MD5 f6d75ded37efb2a2a23f4de42cef1daf
SHA1 60db87cde8f053e4b5da4c4706e662b6051deb4e
SHA256 94ba72978ebb0f13b191515dadbabc84419db55bc9428cae0d4edfade316dce1
SHA512 2a2df3d45df2eab156e97d68e7152fe12a9f3940d539a2d075c7145aa2129c1dee2086d9f4b8192be4a2db1eb34684504feb8390246d109a258edba3b2dc5a78