Malware Analysis Report

2025-04-03 14:12

Sample ID: 241104-vp6bgstgnm
Target: 522721419887reward-icici.apk
SHA256: f2968b5db9f977e57984c8a6d264c49f237560371953e6e42a2a11bf45e08aab
Tags: collection discovery impact persistence credential_access evasion
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
  Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
  Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 7/10

SHA256: f2968b5db9f977e57984c8a6d264c49f237560371953e6e42a2a11bf45e08aab

Threat level: suspicious. The file 522721419887reward-icici.apk was classified as showing suspicious behavior.

Malicious Activity Summary

collection discovery impact persistence credential_access evasion

Obtains sensitive information copied to the device clipboard

Checks Android system properties for emulator presence.

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Requests changing the default SMS application.

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 17:10

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Signature-level permission that a DeviceAdminReceiver must require so that only the system can bind to it; its presence on a receiver means the app declares a device-admin component and can use device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A
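
What the two static signatures amount to, written as a check an analyst can run over a decoded manifest. This Python is an added example, not code from the sandbox or from the sample. The manifest it parses is constructed: its six uses-permission entries are exactly the ones the report lists, the receiver protected by BIND_DEVICE_ADMIN mirrors the first signature, and the SMS_DELIVER receiver is an assumption about how such an app would qualify as a default SMS handler, not something the static analysis reports.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-stealer pattern
the static1 signatures describe: dangerous SMS/telephony permissions combined
with a device-admin receiver.

Added example, not part of the sandbox report or the sample. SAMPLE_MANIFEST is
constructed: its <uses-permission> entries are the six the report lists; the
receivers are assumptions, in particular the SMS_DELIVER filter.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

SAMPLE_MANIFEST = f"""\
<manifest xmlns:android="{ANDROID_NS}" package="com.ico.ickath">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECEIVE_WAP_PUSH"/>
  <application>
    <!-- assumed: a DeviceAdminReceiver, which must be protected by BIND_DEVICE_ADMIN -->
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <!-- assumed: the receiver a default-SMS-app candidate needs -->
    <receiver android:name=".SmsReceiver"
              android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# The six permissions the report flags; all are protectionLevel "dangerous",
# i.e. runtime-granted and shown to the user.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS", "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE", "android.permission.RECEIVE_WAP_PUSH",
}
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"


def parse_manifest(xml_text):
    """Pull package name, requested permissions and receiver declarations."""
    root = ET.fromstring(xml_text)
    receivers = [
        {"name": r.get(NAME), "permission": r.get(PERMISSION),
         "actions": {a.get(NAME) for a in r.iter("action")}}
        for r in root.iter("receiver")
    ]
    return {
        "package": root.get("package"),
        "permissions": {u.get(NAME) for u in root.iter("uses-permission")},
        "receivers": receivers,
    }


def triage(info):
    """Heuristics an analyst applies to this permission profile."""
    perms, findings = info["permissions"], {}
    dangerous = sorted(perms & DANGEROUS)
    if dangerous:
        findings["dangerous_permissions"] = dangerous
    admin = [r["name"] for r in info["receivers"] if r["permission"] == BIND_DEVICE_ADMIN]
    if admin:
        findings["device_admin_receivers"] = admin
    # Reading/receiving SMS plus device admin (an active admin cannot be
    # uninstalled until it is deactivated) is the classic OTP-stealer profile.
    if {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"} <= perms and admin:
        findings["sms_interception_with_device_admin"] = True
    if any(SMS_DELIVER in r["actions"] for r in info["receivers"]):
        findings["default_sms_handler_candidate"] = True
    return findings


if __name__ == "__main__":
    for key, value in triage(parse_manifest(SAMPLE_MANIFEST)).items():
        print(f"{key}: {value}")
```

To use it on a real sample, decode the binary manifest first (for example with apktool or aapt2 dump xmltree) and feed the text to parse_manifest; the receiver rules are what distinguish a legitimate SMS app, which also holds these permissions, from one that additionally wants device-admin protection against removal.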

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 17:10
Reported: 2024-11-04 17:13
Platform: android-x86-arm-20240624-en
Max time kernel: 124s
Max time network: 132s

Command Line

com.ico.ickath

Signatures

Queries the mobile country code (MCC) [discovery]

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests changing the default SMS application [collection, impact]

Description | Indicator | Process | Target
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events) [persistence]

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ico.ickath

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp
US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp
US | 1.1.1.1:53 | rrtt56.co.in | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | oogg.co.in | udp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp
IN | 103.76.231.73:443 | oogg.co.in | tcp
IN | 103.76.231.73:443 | oogg.co.in | tcp

Files

All files written in this run are ART profile artifacts: primary.prof under /data/misc/profiles is the runtime's own profile of the app, and profileInstalled and profileinstaller_profileWrittenFor_lastUpdateTime.dat are markers written by the androidx ProfileInstaller library. They are listed for completeness; none of them is a dropped payload.

/data/misc/profiles/cur/0/com.ico.ickath/primary.prof

MD5 6a19774d365d1ce49a3e5099067e574b
SHA1 c350bdb6ad839ce4ee3f27e1af95f22f76f7e9e8
SHA256 b1475084f7e71f8cb69355f28b1a1e2af8fe23dd878649607194ce130c0d2ed9
SHA512 0d58a2fc604ff2c0773e5879f77f5ad49a4cbd651a5f7b6e8ffeba32cf03fa37027393aa0a4cfd7d6fe018742868c7d2798ce24c590db46e829e429dd8afcd4e

/data/data/com.ico.ickath/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 d1ea91961e00361736ee01222e1411a2
SHA1 799a8b18d93ca3798ba7ea718639877ca1fda651
SHA256 a00ff5fee502f131a510963e4851512b544f8651c01c2a80add61b038d4c597d
SHA512 d91475607a13d8e2cb7cf7f22421967f14efc3e5fc103b61ce6911aaed963ffaa86dc9425468dae7c33ffaa6234859ec8fb9290e58d16fa411d4ca9287ea2937

/data/data/com.ico.ickath/files/profileInstalled

MD5 08c89bc17f2acac4f28380f0febd2937
SHA1 df8eeffadcb1b6572b0b40adc9d7f63b0e660a65
SHA256 a1c027f59b037effa43988822154a477a9d7367fdcd6d78fe1c5ea9b4c041f38
SHA512 90819f1a3ca2605a367d076c245c425ba09229032d9e2361b4205be229b29fb90612bb7ac6d03bae2f16662986b779e3e912e6a86dd33affc49cb0c55bff4e9f

/data/misc/profiles/cur/0/com.ico.ickath/primary.prof

MD5 fb4290dc4551b0c6a7e97c46f8211e37
SHA1 a6ce5f0519147f5b8c690efc39cb528571813c7a
SHA256 896341d31fa1f7980f4fe8ad18deb7f6cf6fc96968c1aa56530e25d808c2f127
SHA512 955a1b2fbc19a5b4f0b1722138cf8d581748ee4d45b8d0e95a11d72a1b5e6a03494dc7d2b582978c84336c47c2ade1997a6fbb188723f62668db893451be28ef

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-04 17:10
Reported: 2024-11-04 17:13
Platform: android-x64-20240624-en
Max time kernel: 23s
Max time network: 156s

Command Line

com.ico.ickath

Signatures

Obtains sensitive information copied to the device clipboard [collection, credential_access, impact]

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC) [discovery]

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events) [persistence]

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ico.ickath

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp
US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp
US | 1.1.1.1:53 | rrtt56.co.in | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | - | tcp
GB | 142.250.180.4:443 | - | tcp
GB | 216.58.201.98:443 | - | tcp
GB | 172.217.169.46:443 | - | tcp

Files

/data/misc/profiles/cur/0/com.ico.ickath/primary.prof

MD5 6a19774d365d1ce49a3e5099067e574b
SHA1 c350bdb6ad839ce4ee3f27e1af95f22f76f7e9e8
SHA256 b1475084f7e71f8cb69355f28b1a1e2af8fe23dd878649607194ce130c0d2ed9
SHA512 0d58a2fc604ff2c0773e5879f77f5ad49a4cbd651a5f7b6e8ffeba32cf03fa37027393aa0a4cfd7d6fe018742868c7d2798ce24c590db46e829e429dd8afcd4e

/data/data/com.ico.ickath/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 15fe72747f95e48f4c524c2ea1efa9c8
SHA1 f873753d167f8d1f2b5111ce720125947d63fd3c
SHA256 3e4980a7fe9142d55f7531a1791bc8a2a5b5c11f3a3e5c6f732e8e5328533ea5
SHA512 091492db5631263b47545af2f84acd395439fe65d7ee725cc8780e3851a8705d7b053f06a8cdb828f9fa4baf9d0dce32450fe95d9ec51fa277467d91aa3543cb

/data/data/com.ico.ickath/files/profileInstalled

MD5 562b3b26ff359621270b7e1295bf3764
SHA1 b91505b9097c493fa0e0adbdad27a924a0fb059f
SHA256 0ae7f0024237d03781965cfd81bae2f241f5ffba2527f7588c94c62a959209a1
SHA512 a4ffa8a792a87f5f82559507c482935fe0cb2102a4f1d4db3ec38c3be1a743f841f77dc194094059690dcaf916f922d758c3387ed3d7ff21810b38cbce810955

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-04 17:10
Reported: 2024-11-04 17:13
Platform: android-x64-arm64-20240624-en
Max time kernel: 25s
Max time network: 132s

Command Line

com.ico.ickath

Signatures

Checks Android system properties for emulator presence [evasion]

Description | Indicator | Process | Target
Accessed system property key | ro.product.model | N/A | N/A

Obtains sensitive information copied to the device clipboard [collection, credential_access, impact]

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ico.ickath

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.180.14:443 | - | tcp
GB | 142.250.180.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | cdnjs.cloudflare.com | udp
US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | rrtt56.co.in | udp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
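
The Network tables of behavioral1, behavioral2 and behavioral3 mix the emulator's and bundled SDKs' background traffic with the sample's own lookups. The following Python is an added triage example, not part of the sandbox report: it re-parses those rows, discards what an analyst would treat as platform noise (the suffix list is my assumption, the report makes no such statement), and separates names that were only resolved from names that actually received a TCP connection. On this page's data it leaves rrtt56.co.in, resolved in all three runs but never connected to, and oogg.co.in, which got a TCP connection to 103.76.231.73:443 (geolocated IN) in behavioral1 only.

```python
"""Triage the three behavioral Network tables: drop emulator/SDK noise, then
separate DNS-only lookups from hosts that actually received a TCP connection.

Added example; not part of the sandbox report or of the sample. RUNS is copied
from this page's Network tables; BENIGN_SUFFIXES is an analyst assumption.
"""
from collections import defaultdict

RUNS = {  # constructed from the report: "Country Destination [Domain] Proto"
    "behavioral1": """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 1.1.1.1:53 rrtt56.co.in udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 oogg.co.in udp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
IN 103.76.231.73:443 oogg.co.in tcp
IN 103.76.231.73:443 oogg.co.in tcp""",
    "behavioral2": """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 1.1.1.1:53 rrtt56.co.in udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp""",
    "behavioral3": """\
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 cdnjs.cloudflare.com udp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 rrtt56.co.in udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp""",
}

# Assumption: hosts an Android emulator or bundled SDKs contact on their own.
BENIGN_SUFFIXES = ("googleapis.com", "google.com", "cloudflare.com",
                   "google-analytics.com")
NOISE_DESTS = {"1.1.1.1:53", "224.0.0.251:5353"}  # the resolver itself and mDNS


def parse_row(line):
    """Rows have 3 or 4 whitespace-separated cells; a 3-cell row lacks the Domain."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        country, dest, proto = parts
        domain = None
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def triage_network(runs):
    """Return (candidates, unattributed): candidates maps a non-benign domain to
    the runs that looked it up and the TCP connections made to it (dns_only when
    none); unattributed holds TCP connections with no Domain cell at all."""
    cand = defaultdict(lambda: {"runs": set(), "connections": set()})
    unattributed = set()
    for run, table in runs.items():
        for row in map(parse_row, table.splitlines()):
            where = f'{row["country"]} {row["dest"]}'
            if row["domain"] is None:
                if row["dest"] not in NOISE_DESTS:
                    unattributed.add(where)
            elif not is_benign(row["domain"]):
                cand[row["domain"]]["runs"].add(run)
                if row["proto"] == "tcp":
                    cand[row["domain"]]["connections"].add(where)
    for info in cand.values():
        info["dns_only"] = not info["connections"]
    return dict(cand), unattributed


if __name__ == "__main__":
    candidates, unattributed = triage_network(RUNS)
    for domain, info in candidates.items():
        print(domain, sorted(info["runs"]), "dns_only" if info["dns_only"] else sorted(info["connections"]))
    print("unattributed tcp:", sorted(unattributed))
```

A dns_only name is still worth blocking, but the missing connection means the sandbox captured no protocol for it: either the name did not resolve during the run or the client never got round to using it. The unattributed connections are the ones with an empty Domain cell; the script does not guess who owns those addresses, it only keeps them out of the candidate list so they can be checked separately.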

Files

/data/misc/profiles/cur/0/com.ico.ickath/primary.prof

MD5 6a19774d365d1ce49a3e5099067e574b
SHA1 c350bdb6ad839ce4ee3f27e1af95f22f76f7e9e8
SHA256 b1475084f7e71f8cb69355f28b1a1e2af8fe23dd878649607194ce130c0d2ed9
SHA512 0d58a2fc604ff2c0773e5879f77f5ad49a4cbd651a5f7b6e8ffeba32cf03fa37027393aa0a4cfd7d6fe018742868c7d2798ce24c590db46e829e429dd8afcd4e

/data/data/com.ico.ickath/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 7e3e38e9cda9b25f1c072fe3414c9911
SHA1 8f980601835d8d6b4f324de6bf6a57c87192a514
SHA256 6f91037b0c8782344fae9d1303f462d44aee70ff633ebd3fcbbc2c36ca1f8d6a
SHA512 c1e91a40dfb1aac3790a7a61a9c33b1d1672d2c20727604ba2fe49f710a4745a5a7ba65240c5ba1fc8a3a2e2d7892445891da98f90e29caaf84792b3b8b5b3c4