Malware Analysis Report

2024-10-16 05:24

Sample ID 241006-bq5lsstamb
Target https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk
Tags
wipelock infostealer trojan
score
10/10

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://web.archive.org/web/20230706214541/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk was found to be: Known bad.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock

Wipelock Android payload

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-06 01:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-06 01:21

Reported

2024-10-06 01:24

Platform

android-x86-arm-20240624-en

Max time kernel

116s

Max time network

110s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Files

/storage/emulated/0/Download/.com.google.Chrome.PfRh6X

MD5 72f45111bd4547d8d2cd5ec1e602e922
SHA1 e46a4440b99bbb2f982ac311d04c4fed11b50cf5
SHA256 6a0a258fe39519029a077e976be71f0bb1ff51e281ebc0f5a734d0fd37273d73
SHA512 ba49a42f5f1ba23f49e316d849a3ac7baf00e8678d51a5eb365632bcb4287a78c0e225b3e6ce65f4f4e7f715971d47ed6fa294b13d1535a23873226c1e2427c7

/storage/emulated/0/Download/Unconfirmed 702596.crdownload

MD5 dc1f66fb83a9f562e8228cb2a6fba5ac
SHA1 13f15c55122ae10bf8c7739ded88e22d0d000532
SHA256 62991b9b29c715f55c1a23b56806fe5a6ce149f44429d8dcf5ccb4f7308ed32c
SHA512 4f005ffa23aade29f774babbfb588943496d2d56bbf7fe0cc66d297659c4ab015564bcb9196b3e0af94e3a68556c1592add0ac852708b4a0d51a24aa589fca40

files/dom-0.html

MD5 ac0198532c245feee3e5da7adc4c87b0
SHA1 a13d16f9519ef32c9418454a64c72b0b0396af4d
SHA256 9ea5dd672e0940378f5abc1fca2bf3e9472ef0ec7169c368225d2368a143bfac
SHA512 41330e86d220ab938f304e6c7c2450745592d0a2d0aa9898470c902407bec18c2e020460f41fa115fb74002d29c070525b76f80e839fef099fc6155fad394179

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-06 01:21

Reported

2024-10-06 01:24

Platform

android-x64-20240624-en

Max time kernel

116s

Max time network

155s

Command Line

com.android.chrome

Signatures

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/.com.google.Chrome.jlQ4H7

MD5 521103945ce2e47d9b0738cfb8b2a939
SHA1 a8ebe9cdde33389f531bb04f345aa992d808164b
SHA256 9415b8a076722d675492e61016b8e0e6d8b2f4fb52687a915c4e0a13e8717117
SHA512 eb0d5a20e58ed34cf673710a8621862d922f7224cf1cb64488430c0fcc065eabc9e40f8318691954f824b07e2d079b0491a0ab3968acacb0b5cfaf2b9a2c2142

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 202010.crdownload

MD5 6ce098137f4048beba3515dab496539c
SHA1 6dde3660deafdcf596eff1ee5a80099db6c912c3
SHA256 b2606f6530c7671f38df156e6b92b362ccceedb5cac0dc06a902d8555043f238
SHA512 0b54282c5e1be177c8bb61c64b9ce31428a6ba5bd10324678705e24afee47e90124012e0e12b4e560f8bb3df0875917a956caeb399f4067b3cf941756bf95bd5

files/dom-0.html

MD5 5cebf2abea18c226ffacece3127ba821
SHA1 35cd9927a01a96ab02965bd08cd6b380932b8a7d
SHA256 423b105604548a79c8408673c4cdcda01409d895d384cd5beb313f9c63452df3
SHA512 2df24ddeb25e1e1221ccf096efec3ddada309514b20635528e4dc25a94742ba7ec69afeef3f51ed486a100757b197ea3227d2b0d6cb1d6a088bafb2c289020de

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-06 01:21

Reported

2024-10-06 01:24

Platform

android-x64-arm64-20240624-en

Max time kernel

124s

Max time network

150s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Files

/storage/emulated/0/Download/.pending-1728782533-fnaf2 aptoide.apk (deleted)

MD5 e353795658248b84a9031faf916e099c
SHA1 fdfcceb08cf1c749e468421db99ecb36e8af933d
SHA256 23f4243f96d622feb3abc23f78d49b629d38f8ec5f597c6a2b363969a06e87fd
SHA512 9843562017c958523a672fbb237fcc44f227af808fd2b5ebd7a498ec0f88fdb84aedee8a933e688be801a8edc66dc334bda13ae500d5d578f08313f1ea0fb1ad

/storage/emulated/0/Download/.pending-1728782533-fnaf2 aptoide.apk

MD5 62056e57d82edbaeacbfbd770d33f853
SHA1 d0c0ccb171d9ca4a3cd65a71805fe35f1bcd197d
SHA256 7d1b0708e8f41e160362a16e3017ee5b98a1260345b51d72d0e75b5ee8ac17ab
SHA512 382756b026bfde1249c94a2a11957e2955c46844e780b506e2ad762547f3de8381f0f6e8bf1a7c9dbede846a90531a3168bcb41a8816cc9249e43e556cb15d46

files/dom-0.html

MD5 1fccfab94e4c69df6c79b669f2a88148
SHA1 87d262c0a470897eaba2fb334920b64877c0812a
SHA256 9b5bd0d464ed59eda7aaa140fa71fb3e8237bee28b554a9b0647708af5b71333
SHA512 444e3b17ba162a8157241ab237cdd097cd96988dbc7e4a677d91d41dde5ba6acb6416572d80537df0cf29f658250f30d8369ebcaa924408911e96d8852d6018e