Analysis Overview
SHA256
2b7790e301f1ec1f90ab8cd3282e232aea99fee4e3fce1d6d6997a42d5981b02
Threat Level: Likely malicious
The file 2b7790e301f1ec1f90ab8cd3282e232aea99fee4e3fce1d6d6997a42d5981b02.bin was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Queries the phone number (MSISDN for GSM devices)
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-19 22:03
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-19 22:03
Reported
2024-08-19 22:20
Platform
android-x86-arm-20240624-en
Max time kernel
16s
Max time network
160s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
phising.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| GB | 216.58.204.78:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp |
Files
/data/data/phising.app/logs/20240819221702323.log
| MD5 | 512865f619d0de730f9d4b12bb41e7a5 |
| SHA1 | 545039cd03db5f11b358e382e0046f8ba780d474 |
| SHA256 | 0157067c505d84b2af8c43dccfe96bd9dd9f09e92b6299e334979383ff839e6a |
| SHA512 | f7fb7a7a4f7809b3d28752433d98f3c299bee8dc17ca15de04c46644dd66ce134e63e207f1b84391a66059d59bbdbe3a920fedb86cd94b44e9c7e09e413e6e4d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-19 22:03
Reported
2024-08-19 22:20
Platform
android-x64-20240624-en
Max time kernel
20s
Max time network
158s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
phising.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| GB | 142.250.180.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 142.250.179.238:443 | | tcp |
| GB | 142.250.200.34:443 | | tcp |
Files
/data/data/phising.app/logs/20240819221706023.log
| MD5 | e91d2daa78d0f995ebe103325ee6acff |
| SHA1 | a831d916233c8c967490721e0532afc6708405e1 |
| SHA256 | 665f45fc4877ac287eecb5138616b6d3ebee0dd5ec2df338bf103eda8ae46117 |
| SHA512 | 809a2cbdfa21a9a7225d6672374c80078e9f7172feae645d04161be48cd52470353cc5f2a38b9266ac55fd5180a204498b4f0da55e60c8c902cadbbe22a076d1 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-19 22:03
Reported
2024-08-19 22:20
Platform
android-x64-arm64-20240624-en
Max time kernel
16s
Max time network
157s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Queries the phone number (MSISDN for GSM devices)
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
phising.app
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
Files
/data/data/phising.app/logs/20240819221708794.log
| MD5 | aa77a87f76324eca177b8c09e638f76c |
| SHA1 | 40627fb635a1a2f66cc9b2de6182033bf1bf4618 |
| SHA256 | 00b88c4ecddadfdd1dab685f58b48e985b9e8023bd9488982a4e6512d9428a87 |
| SHA512 | 0a1fb887f5638f4eb46de4e540c0be323c442506aef45c720a27d2048b263201fd0c6f0492dd5e119303260e92e014a39d170133bfb27c2942f00c68091cf580 |