Malware Analysis Report

2025-06-15 23:16

Sample ID 241102-181g8sxbrd
Target Root Booster_ByWhitheLuisZ.apk
SHA256 7e2c86ff29529ebd3e7b879857dfa00733e57d153d59a3cbe0ffaa3291afbbc9
Tags
banker discovery evasion persistence
score
8/10


Analysis Overview

score
8/10

SHA256

7e2c86ff29529ebd3e7b879857dfa00733e57d153d59a3cbe0ffaa3291afbbc9

Threat Level: Likely malicious

The file Root Booster_ByWhitheLuisZ.apk was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 22:19

Signatures

Requests dangerous framework permissions

Description                                           Indicator                                   Process  Target
Allows an application to write to external storage.   android.permission.WRITE_EXTERNAL_STORAGE   N/A      N/A
Allows an application to read from external storage.  android.permission.READ_EXTERNAL_STORAGE    N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 22:19

Reported

2024-11-02 22:22

Platform

android-x86-arm-20240624-en

Max time kernel

118s

Max time network

108s

Command Line

com.ram.memory.booster.cpu.saver

Signatures

Checks if the Android device is rooted.

evasion
Description  Indicator                 Process  Target
N/A          /system/bin/su            N/A      N/A
N/A          /system/xbin/su           N/A      N/A
N/A          /data/local/xbin/su       N/A      N/A
N/A          /data/local/bin/su        N/A      N/A
N/A          /system/sd/xbin/su        N/A      N/A
N/A          /system/bin/failsafe/su   N/A      N/A
N/A          /data/local/su            N/A      N/A
N/A          /sbin/su                  N/A      N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                          Process  Target
Framework service call  android.app.IActivityManager.registerReceiver      N/A      N/A

Checks CPU information

Description           Indicator       Process  Target
File opened for read  /proc/cpuinfo   N/A      N/A
File opened for read  /proc/cpuinfo   N/A      N/A
File opened for read  /proc/cpuinfo   N/A      N/A

Checks memory information

Description           Indicator       Process  Target
File opened for read  /proc/meminfo   N/A      N/A
File opened for read  /proc/meminfo   N/A      N/A
File opened for read  /proc/meminfo   N/A      N/A

Processes

com.ram.memory.booster.cpu.saver

/system/bin/sh

stat /sbin/su

stat /system/bin/su

stat /system/xbin/su

stat /data/local/xbin/su

stat /data/local/bin/su

stat /system/sd/xbin/su

stat /system/bin/failsafe/su

stat /data/local/su

/system/bin/cat /proc/cpuinfo

/system/bin/cat /proc/meminfo

su

/system/bin/cat /proc/cpuinfo

/system/bin/cat /proc/meminfo

/system/bin/cat /proc/cpuinfo

/system/bin/cat /proc/meminfo

Network

Country  Destination          Domain                               Proto
N/A      224.0.0.251:5353                                          udp
GB       142.250.200.42:443                                        tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com   udp
US       1.1.1.1:53           update.liteapks.com                  udp
US       104.26.15.148:443    update.liteapks.com                  tcp
GB       216.58.204.78:443                                         tcp
US       1.1.1.1:53           android.apis.google.com              udp
GB       142.250.200.46:443   android.apis.google.com              tcp
GB       172.217.169.34:443                                        tcp
GB       142.250.180.14:443                                        tcp

Files

pipe:[38594]

MD5 9741dffc57929807536ffe73e9f04b06
SHA1 568b7bfb136600819b188c8746b055086d945831
SHA256 38327fbcc523fc790c15ce68d7e5027090821904ab2a9a381f44dec9cf6fdba3
SHA512 8f31e0feec22bd876095548cf3bdba13a9d12a3f885f451d869270bca85d4f47302fc0a8986394241765b319766c8322ef1186262aca89a187cbe32666c66613