Malware Analysis Report

2025-04-03 14:13

Sample ID 241104-12fjgsybqb
Target dc4006495ff6f7629cf6bb34aa9d42e6589b55b558e8ee51dba0db213e3562ae.bin
SHA256 dc4006495ff6f7629cf6bb34aa9d42e6589b55b558e8ee51dba0db213e3562ae
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Analysis Overview

score
7/10

SHA256

dc4006495ff6f7629cf6bb34aa9d42e6589b55b558e8ee51dba0db213e3562ae

Threat Level: Shows suspicious behavior

The file dc4006495ff6f7629cf6bb34aa9d42e6589b55b558e8ee51dba0db213e3562ae.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 22:08

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 22:08

Reported

2024-11-04 22:11

Platform

android-x86-arm-20240910-en

Max time kernel

22s

Max time network

152s

Command Line

com.yonoservice.registration

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.yonoservice.registration

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 142.250.178.3:80 | | tcp |
| GB | 216.58.212.228:443 | | tcp |
| GB | 172.217.16.226:443 | | tcp |

Files

/data/misc/profiles/cur/0/com.yonoservice.registration/primary.prof

MD5 73f3fed449e037354c9bc19a2ee46738
SHA1 05ea0709c96b7a6297e950818fc2700222048b80
SHA256 6d8bf79b46d067b649501ca93805c189b935cb28a47eb8ca23bb0f4585ce5698
SHA512 47fcb246ae13c2189ad9d5fc551c24e1c61ca9bbd50d64281e77857e3169011925fb42be30d42152d3c0958db44a0cf4bcef4a7800fe8718791853a8970f1ec1

/data/data/com.yonoservice.registration/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3805f35751e44f6b8e2722645df69779
SHA1 1eee7303b20f71cc40a5eacc1870423d9289f23c
SHA256 2b61416add9a00e30c0ebd70a3205643cb3dc84a4d6d7e750e12c123cc92ed69
SHA512 6fd7ba0cf156d2aef32f97b7457ae26ffb4228e5591ca74341e19d580adc75f52428faf36d90b02974887110ce373a6cb790cff200f3da4f1fe1f4a207d604d3

/data/data/com.yonoservice.registration/files/profileInstalled

MD5 9f83273749608c9b6a38870704fa0455
SHA1 487cea504761b3f95ae4ec893f6745b5b9c2d714
SHA256 200191fdbad7c752b2768e6c9a15a8420deb3cd5cfb90363da89bd66c4bbdc45
SHA512 f3e6b97877f5e1199cdf4692459c98c4ed121b977bd148929f78a19fbd00e44e14d702dbc2b4b00a7023935d8242cafa5cb9fbe9e640b9de81921204c4c29358

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 22:08

Reported

2024-11-04 22:11

Platform

android-33-x64-arm64-20240910-en

Max time kernel

23s

Max time network

153s

Command Line

com.yonoservice.registration

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Makes use of the framework's foreground persistence service

evasion persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |

Checks the presence of a debugger

evasion

Checks CPU information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.yonoservice.registration

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | content-autofill.googleapis.com | udp |
| GB | 142.250.187.234:443 | content-autofill.googleapis.com | tcp |
| US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp |
| US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 142.250.200.46:443 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 216.58.212.228:443 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 216.58.213.6:80 | | tcp |
| GB | 216.58.212.193:443 | | tcp |
| GB | 172.217.169.65:443 | | tcp |
| GB | 172.217.169.65:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| GB | 172.217.169.65:443 | | tcp |
| GB | 172.217.169.65:443 | | tcp |
| GB | 142.250.200.35:443 | | tcp |
| US | 216.239.34.36:443 | | tcp |

Files

/data/misc/profiles/cur/0/com.yonoservice.registration/primary.prof

MD5 3f40a3add29c68243ae352b006e6a16a
SHA1 05a030a47f897d5b3bbd0bbd5cb9869356a1a358
SHA256 e92b3847638d82a6123f739de5568918e4e09cc8e1966084ea086f54e0a7a41d
SHA512 7d34b9277407f19d8c79f61272e7c4aed08f8581a28af3f7a41604026441687ca1b5fdbab6bbde43b01190885fd4c69baea5d2e80a25eab5b1310afc27dcab17

/data/data/com.yonoservice.registration/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 c0c7714c0077bb2b29aff0df769f6e88
SHA1 938e7bec995645512a2cb827af66f3b180d919f0
SHA256 e50489cc8d2cb53b8f6ffc8c06a3c8fe8f2cd05b8e602be8684250437e007a86
SHA512 401dc7a63d56d5978d0d3f534f8517dd502ab20f94200e3ceeb30be477e49d98dd4381764b63f1ebf655b4ab011eceaede864be357fd44d2a58658eb960baea5

/data/data/com.yonoservice.registration/files/profileInstalled

MD5 9b4fa610e14226799562154111d26dba
SHA1 de9ff0faa134add7f53466bdfeccc347e41aa6a9
SHA256 4b5e38179cbdfe807b66b0d25ff880645e443468e87cf0baecd31c9997caa260
SHA512 cc6eaf71e7a04a94bc855993182bc2b25d708ee92d8ced8492ad9b7a65ccef0c5b059df5701367ae0851accff741ca4a5e57e90bfd7762c54149b634c443a5dd