Malware Analysis Report

2024-12-01 02:58

Sample ID 241107-11ldcasjgr
Target 2fc4de21ceb15bcb6ba19e48aec52bc24e17c2fc8c49847147d821b5ac8591ab.bin
SHA256 2fc4de21ceb15bcb6ba19e48aec52bc24e17c2fc8c49847147d821b5ac8591ab
Tags
discovery evasion persistence collection credential_access impact phishing
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

2fc4de21ceb15bcb6ba19e48aec52bc24e17c2fc8c49847147d821b5ac8591ab

Threat Level: Shows suspicious behavior

The file 2fc4de21ceb15bcb6ba19e48aec52bc24e17c2fc8c49847147d821b5ac8591ab.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact phishing

Obtains sensitive information copied to the device clipboard

A potential corporate email address has been identified in the URL: [email protected]

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 22:07

Signatures

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 22:07

Reported

2024-11-07 22:09

Platform

android-x86-arm-20240910-en

Max time kernel

146s

Max time network

151s

Command Line

com.divine.smsreceiver

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.divine.smsreceiver

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 1.1.1.1:53 code.jquery.com udp
US 151.101.129.229:443 cdn.jsdelivr.net tcp
US 151.101.129.229:443 cdn.jsdelivr.net tcp
US 151.101.2.137:443 code.jquery.com tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
GB 172.217.16.228:80 tcp
GB 172.217.16.228:443 tcp
GB 142.250.200.35:80 tcp
GB 216.58.212.234:443 tcp

Files

/data/data/com.divine.smsreceiver/files/profileInstalled

MD5 56b2335f89f49275999499654bb75295
SHA1 3784704c49f57d301570b9afb5748c217970d9cf
SHA256 baea00f9bf9c7a17fdde8a38c01d7e4f20b9aa4fbb0302e0628dcdb7177f4e86
SHA512 f1271c84a711b5d81a1d20a853d51566f2f1a7a7a1dacd018522c54c1489b0a8da798fd485476fa930181ab37e85c55e901bb6f937b4abdd7d50ac1f70f86ee1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 22:07

Reported

2024-11-07 22:09

Platform

android-x64-20240624-en

Max time kernel

145s

Max time network

156s

Command Line

com.divine.smsreceiver

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.divine.smsreceiver

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 code.jquery.com udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 151.101.66.137:443 code.jquery.com tcp
US 151.101.129.229:443 cdn.jsdelivr.net tcp
US 151.101.129.229:443 cdn.jsdelivr.net tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp

Files

/data/data/com.divine.smsreceiver/files/profileInstalled

MD5 baf391414d84211dd362b3a5f89eafca
SHA1 e83832d1913f9d8c5f8be5a9f3ab35d35658fac7
SHA256 bc658a8e4ff8887d027171e3c74678fb5b6e343ccadc02172aa0fdfb36122e7d
SHA512 216dc5614257b7467b574be4c7fedc064257dbb9194801165e9931f02e8209234119b673c9d657e7ae1da522957af1e9fb4207fc9880a8ab6789feb5b7124c20

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 22:07

Reported

2024-11-07 22:09

Platform

android-x64-arm64-20240910-en

Max time kernel

45s

Max time network

151s

Command Line

com.divine.smsreceiver

Signatures

A potential corporate email address has been identified in the URL: [email protected]

phishing

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.divine.smsreceiver

Network

Country Destination Domain Proto
US 216.239.34.223:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 1.1.1.1:53 code.jquery.com udp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 151.101.1.229:443 cdn.jsdelivr.net tcp
US 151.101.66.137:443 code.jquery.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 216.239.32.223:443 tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.179.225:443 tcp
GB 142.250.200.33:443 tcp
US 216.239.32.223:443 tcp
US 216.239.32.223:443 tcp

Files

N/A