Malware Analysis Report

2025-06-16 00:53

Sample ID 241031-s3qrvaslck
Target CLIENT.apk
SHA256 2bbe9cd94760ffe4f2ac5058343c25d7e9a24c5c678a1d3493999de2a5ea18dc
Tags
collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2bbe9cd94760ffe4f2ac5058343c25d7e9a24c5c678a1d3493999de2a5ea18dc

Threat Level: Shows suspicious behavior

The sandbox verdict for CLIENT.apk is suspicious rather than malicious. The static and behavioral signatures below show the capability set of Android spyware (a bindable accessibility service, SMS, call log, contacts, microphone and camera permissions, and a clipboard listener registered at runtime), but the 44-second detonation did not record what, if anything, was sent to the one non-platform destination contacted (dogerat-free.onrender.com, see Network).

Malicious Activity Summary

collection credential_access impact

Obtains sensitive information copied to the device clipboard

Declares services with permission to bind to the system

Requests dangerous framework permissions

Requests enabling of the accessibility settings

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 15:39

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Declared on a service so that only the system can bind to it; this is how an AccessibilityService is registered. Once the user enables the service, it can read the content of other apps' screens and inject input. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A

Taken together, the SMS, call log, contacts, microphone and camera permissions alongside the bindable accessibility service above cover the collection capabilities typical of Android RATs. The overlap between READ_EXTERNAL_STORAGE/WRITE_EXTERNAL_STORAGE and the READ_MEDIA_* permissions is expected for an app that wants file access on both Android 12 and earlier (the former) and Android 13+ (the latter, along with POST_NOTIFICATIONS, which also arrived in API 33).
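The static1 signatures above are derived from the manifest. The script below is an added example of the same triage done offline, not the sandbox's own logic: it parses a decoded AndroidManifest.xml, finds services gated by BIND_ACCESSIBILITY_SERVICE, buckets the dangerous permissions into capabilities and returns a verdict. SAMPLE_MANIFEST is constructed from the permissions listed in this report (the real manifest may declare more), and the service class name ".AccessService" is hypothetical.

```python
"""Triage the manifest facts behind the static1 signatures.

Added example, not the sandbox's own logic. SAMPLE_MANIFEST is a constructed
AndroidManifest.xml (as apktool would decode it) built from the permissions
listed in this report; the service class name ".AccessService" is hypothetical.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Clark-notation key ElementTree uses for an android:<name> attribute."""
    return f"{{{ANDROID_NS}}}{name}"


SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="cybershieldx.rainbow">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_MEDIA_VIDEO"/>
  <uses-permission android:name="android.permission.READ_MEDIA_AUDIO"/>
  <application>
    <!-- hypothetical service name; the report only shows the bind permission -->
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Capability buckets that turn a flat permission list into a risk profile.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "telephony": {"android.permission.READ_CALL_LOG", "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE",
                "android.permission.READ_MEDIA_IMAGES",
                "android.permission.READ_MEDIA_VIDEO",
                "android.permission.READ_MEDIA_AUDIO"},
}
COLLECTION = {"sms", "telephony", "contacts", "microphone", "camera"}


def accessibility_services(root):
    """Services only the system may bind to, i.e. registered AccessibilityService classes."""
    return [
        s.get(android_attr("name"))
        for s in root.iter("service")
        if s.get(android_attr("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
    ]


def triage_manifest(xml_text):
    """Return package, declared permissions, capability buckets and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(android_attr("name")) for e in root.iter("uses-permission")}
    caps = {name for name, members in CAPABILITIES.items() if perms & members}
    a11y = accessibility_services(root)
    if a11y and caps & COLLECTION:
        verdict = "spyware/RAT profile: accessibility service plus collection permissions"
    elif a11y:
        verdict = "accessibility service declared: review its AccessibilityServiceInfo"
    elif caps & COLLECTION:
        verdict = "collection permissions without accessibility service"
    else:
        verdict = "no high-risk capability declared"
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "accessibility_services": a11y,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against the output of `apktool d CLIENT.apk` to check the sandbox's static findings, and extend the intent-filter check if you also want to catch SMS receivers or device-admin receivers, which this report does not list.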

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 15:39

Reported

2024-10-31 15:40

Platform

android-33-x64-arm64-20240624-en

Max time kernel

44s

Max time network

51s

Command Line (package launched)

cybershieldx.rainbow

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Registering a primary-clip-changed listener on the system clipboard service gives the app a callback on every clipboard update, so copied passwords, one-time codes and wallet addresses can be harvested as the user pastes them. Since Android 10, clipboard contents are readable only by the app in focus or the default IME, so what this listener actually captures from the background on the API 33 platform used here is limited; it is still a strong intent indicator.

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

The sample opens the system Accessibility settings screen, the step needed to get the user to switch on the AccessibilityService it declares in the manifest (see static1). An app cannot enable its own accessibility service; the user must do it, which is why this prompt is normally wrapped in a pretext ("enable protection to continue").

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Reading /proc/cpuinfo and /proc/meminfo is a common environment-fingerprinting step (emulator and sandbox detection via CPU model strings and unrealistic memory sizes), but benign runtime, crash-reporting and analytics libraries do the same; on its own it is a weak indicator.

Processes

cybershieldx.rainbow

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.196:443 | - | udp
GB | 142.250.187.196:443 | - | tcp
GB | 216.58.212.238:443 | - | tcp
GB | 216.58.212.238:443 | - | tcp
GB | 216.58.212.238:443 | - | udp
US | 1.1.1.1:53 | dogerat-free.onrender.com | udp
US | 216.24.57.4:443 | dogerat-free.onrender.com | tcp
US | 216.24.57.4:443 | dogerat-free.onrender.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
GB | 142.250.179.228:443 | www.google.com | udp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 1.1.1.1:53 | content-autofill.googleapis.com | udp
GB | 216.58.212.234:443 | content-autofill.googleapis.com | tcp
US | 1.1.1.1:53 | apis.google.com | udp
GB | 172.217.169.78:443 | apis.google.com | tcp
US | 1.1.1.1:53 | play.google.com | udp
GB | 172.217.169.14:443 | play.google.com | tcp
US | 1.1.1.1:53 | ogads-pa.googleapis.com | udp
GB | 172.217.169.14:443 | play.google.com | udp
US | 172.64.41.3:443 | - | tcp
US | 172.64.41.3:443 | - | tcp
GB | 172.217.169.3:443 | - | tcp
GB | 172.217.169.3:443 | - | tcp
US | 172.64.41.3:443 | - | udp
GB | 172.217.169.3:443 | - | udp
GB | 142.250.187.196:443 | - | tcp
GB | 172.217.169.68:443 | - | tcp
GB | 172.217.169.68:443 | - | tcp
GB | 142.250.187.196:443 | - | udp
US | 1.1.1.1:53 | policies.google.com | udp
GB | 172.217.16.238:443 | policies.google.com | tcp

Reading the table: 224.0.0.251:5353 is local mDNS, 1.1.1.1:53 is the sandbox's DNS resolver (the Domain column on those rows is the name queried), and the udp/443 rows are QUIC. Every resolved destination except dogerat-free.onrender.com is a Google or Android platform service (Play, RCS, remote key provisioning, autofill, policies), i.e. emulator background noise. The rows with no domain had no resolution recorded in the capture window and would need the pcap (TLS SNI or server certificate) to attribute; 172.64.41.3 sits in Cloudflare's address space, the rest in Google's. The TLS connection to dogerat-free.onrender.com (216.24.57.4:443), a free-tier Render hostname, is the one destination not explained by platform traffic and is the first flow to pull from the pcap.
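The rows above mix platform noise with the one interesting destination. The script below is an added example of how to triage such a table automatically, not the sandbox's own logic: it parses the flattened rows (domain column present or absent), classifies each flow as mDNS, DNS, platform, unnamed or needs-review, and lists the queried names outside an allowlist. SAMPLE_ROWS is a constructed subset of this report's rows; the platform suffix allowlist is mine, not the sandbox's.

```python
"""Triage a sandbox Network table: separate Android/Google platform traffic
from destinations that need analyst attention.

Added example, not the sandbox's own logic. SAMPLE_ROWS is a constructed
subset of the rows in this report (layout: country, ip:port, optional domain,
proto); PLATFORM_SUFFIXES is my allowlist, not the sandbox's.
"""
import ipaddress
from collections import defaultdict

SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.187.196:443 udp
GB 142.250.187.196:443 tcp
US 1.1.1.1:53 dogerat-free.onrender.com udp
US 216.24.57.4:443 dogerat-free.onrender.com tcp
US 216.24.57.4:443 dogerat-free.onrender.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.212.234:443 content-autofill.googleapis.com tcp
US 172.64.41.3:443 tcp
GB 172.217.16.238:443 policies.google.com tcp
"""

# Android/Google Play services background traffic seen in almost every detonation.
PLATFORM_SUFFIXES = (".google.com", ".googleapis.com")


def parse_rows(text):
    """Parse 'country ip:port [domain] proto' lines; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # header or blank line
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Bucket one flow. 'dns' rows carry the queried name in the domain column."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_multicast and row["port"] == 5353:
        return "mdns"       # local service discovery, never C2
    if row["port"] == 53:
        return "dns"        # resolver traffic; domain is the name queried
    if row["domain"] is None:
        return "unnamed"    # no resolution recorded; attribute via pcap SNI/cert
    if row["domain"].endswith(PLATFORM_SUFFIXES):
        return "platform"
    return "review"


def triage_network(text):
    """Return the destinations that need analyst attention, with the rest bucketed."""
    by_class = defaultdict(set)
    queried = set()
    endpoints = defaultdict(set)  # domain -> resolved ip:port pairs actually contacted
    for r in parse_rows(text):
        c = classify(r)
        if c == "dns":
            queried.add(r["domain"])
        elif c in ("platform", "review"):
            endpoints[r["domain"]].add(f'{r["ip"]}:{r["port"]}')
        by_class[c].add(r["domain"] or r["ip"])
    return {
        "review": sorted(by_class["review"]),
        "unnamed": sorted(by_class["unnamed"]),
        "platform": sorted(by_class["platform"]),
        "local": sorted(by_class["mdns"]),
        "suspicious_queries": sorted(q for q in queried if not q.endswith(PLATFORM_SUFFIXES)),
        "endpoints": {d: sorted(v) for d, v in endpoints.items()},
    }


if __name__ == "__main__":
    for key, value in triage_network(SAMPLE_ROWS).items():
        print(f"{key}: {value}")
```

The unnamed bucket is deliberately not treated as suspicious: sandboxes only attach a domain to rows that follow a captured resolution, so unnamed Google and Cloudflare flows are common and need the pcap, not a verdict.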

Files

The three files written are ART profile artifacts created by normal app startup, not payloads dropped by the sample: primary.prof is the runtime profile under /data/misc/profiles, and the two files under files/ are markers left by the androidx.profileinstaller library.

/data/misc/profiles/cur/0/cybershieldx.rainbow/primary.prof

MD5 10f66da999d8e7ad9dd369a680e789f6
SHA1 da5c0229a460ff7bc102d80162cb3ff63a4bb11c
SHA256 49058d3a71265a31f0a7de57525a42d11ef506a481caedc139233c59641c0e07
SHA512 abed2c8895ec1f139149049ceeca039dc0e47295bafb46dd1abef94c35324a695a99870a613470c584c5dcba6e1ab81690308721e09709f3d9b10ce24be84174

/data/data/cybershieldx.rainbow/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 0ca08c6375d9e4dffaf644d6bc2ddc94
SHA1 0b2e8a345a85db370809ae7dd90199f66fc0ecf0
SHA256 35dd951abacea82409f3971b0cfd6194d5b1b8ed5affa363aa1916fe435631e1
SHA512 a86a454dd9249e010a34c1e64d308630d903abd92f3cccd7ba5d4c39bfd0d519319ab4788c7b19f904d74dec7396467af2827e03ffe96a71293f53fc826c5251

/data/data/cybershieldx.rainbow/files/profileInstalled

MD5 913b846c56f868ac3a5669530ae35df0
SHA1 2454e0c278a3ddb777d4ad6fbeab57de99945064
SHA256 d06f5ec259ac8c291096ce50ef2b9db1d1c26e82759cfe6825ef340c8a3b02c2
SHA512 06911f6f0aa877f8a6271be54b7ca7f307f8434cd5a83591f6a8fcaed8b2823bbba5f3b5d94378a70006fb1bdda24b9dbe00e6ff1650096fa02d11b0f7ea0dd6