Malware Analysis Report

2024-12-01 03:14

Sample ID 241020-qx8pcssgpr
Target M-PAjk.apk
SHA256 b5e92288918d78d298c10e37c871ec005c130d0607cfacb103ec0ca9b516af8d
Tags
golddigger collection credential_access discovery evasion execution impact persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b5e92288918d78d298c10e37c871ec005c130d0607cfacb103ec0ca9b516af8d

Threat Level: Known bad

The file M-PAjk.apk was found to be: Known bad.

Malicious Activity Summary

golddigger collection credential_access discovery evasion execution impact persistence

GoldDigger payload

Golddigger family

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Queries account information for other applications stored on the device

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Queries information about active data network

Acquires the wake lock

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 13:39

Signatures

GoldDigger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Golddigger family

golddigger

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. android.permission.BIND_WALLPAPER N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 13:39

Reported

2024-10-20 13:42

Platform

android-33-x64-arm64-20240624-en

Max time kernel

121s

Max time network

124s

Command Line

com.sextest.test

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.sextest.test

com.sextest.test:main

com.sextest.test:fore_temp

com.sextest.test:mr2_process

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.196:443 udp
GB 142.250.187.196:443 tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
HK 103.235.46.96:80 www.baidu.com tcp
HK 103.235.46.96:80 www.baidu.com tcp
HK 103.235.46.96:80 www.baidu.com tcp
HK 103.235.46.96:80 www.baidu.com tcp
GB 216.58.212.238:443 udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 142.250.187.196:443 tcp
GB 172.217.169.68:443 tcp
US 172.64.41.3:443 tcp
GB 172.217.169.68:443 tcp
US 172.64.41.3:443 tcp
GB 142.250.179.227:443 tcp
US 172.64.41.3:443 udp
GB 142.250.179.227:443 udp
GB 142.250.187.196:443 udp
US 1.1.1.1:53 rpc.ynwxjd.vip udp
US 104.21.10.141:443 rpc.ynwxjd.vip tcp
GB 142.250.187.227:443 tcp

Files

/data/data/com.sextest.test/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.sextest.test/no_backup/androidx.work.workdb-wal

MD5 844a3652a416d5b060cc8cb05d168ddc
SHA1 4283c9fe98e5e2295af8c64760e0b51a732f8348
SHA256 613f6288aa2b810fb7f8a290e368dc28bc9bd9bc564958e3c001c4f76cf11013
SHA512 7185458385f06b80790f0b787331ded78392e29ab727769579a4383e98d34f286511d231e02400b12b516748378b28c8121f0097ebe497fabb2744ed54d138f1

/data/data/com.sextest.test/no_backup/androidx.work.workdb

MD5 d7ceb7332b6ef5d7dbad45622b1f72cb
SHA1 0a4a46e1b840bc1c3bd4cd47f5567357033f8963
SHA256 64f22fb91dc12db63f08db1d13d94423e38f1b0e55e6cfc11e99c944fb23a6fe
SHA512 6d81baac2883789acc5e94cdcf453cd3bab59d142fb2ba6eeb7d90a132d9cf71410dd50b17261a0505d2e7c875822583d13bb0bce293ac0d9fcb1945503a3e1e