Malware Analysis Report

2024-10-16 05:24

Sample ID 241006-bfz9bssfqd
Target https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk
Tags
wipelock infostealer trojan
score
10/10

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk was found to be: Known bad.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock Android payload

Wipelock

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 01:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 01:05

Reported

2024-10-06 01:19

Platform

android-x86-arm-20240624-en

Max time kernel

374s

Max time network

610s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Files

/storage/emulated/0/Download/.com.google.Chrome.x044VA

files/dom-0.html

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 01:05

Reported

2024-10-06 01:08

Platform

android-x64-20240624-en

Max time kernel

116s

Max time network

147s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/.com.google.Chrome.CoKw8l

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 117228.crdownload

files/dom-0.html

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-06 01:05

Reported

2024-10-06 01:08

Platform

android-x64-arm64-20240624-en

Max time kernel

124s

Max time network

151s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Files

/storage/emulated/0/Download/.pending-1728781578-fnaf2 aptoide.apk (deleted)

/storage/emulated/0/Download/.pending-1728781578-fnaf2 aptoide.apk

files/dom-0.html
