Malware Analysis Report

2024-12-01 03:01

Sample ID: 241107-12y1tszarc
Target: d501b1999c59ceabf75a0db5c0bb8af14b04c3b163af9ab1dd43acb41b52ef2a.bin
SHA256: d501b1999c59ceabf75a0db5c0bb8af14b04c3b163af9ab1dd43acb41b52ef2a
Tags: discovery, persistence, collection, credential_access, impact
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file d501b1999c59ceabf75a0db5c0bb8af14b04c3b163af9ab1dd43acb41b52ef2a.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

Tags: discovery, persistence, collection, credential_access, impact

- Obtains sensitive information copied to the device clipboard
- Requests dangerous framework permissions
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks memory information
- Checks CPU information

Analysis: static1

Detonation Overview

Reported: 2024-11-07 22:09

Signatures

Requests dangerous framework permissions

Description: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
Indicator: android.permission.CALL_PHONE
Process: N/A
Target: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 22:09
Reported: 2024-11-07 22:12
Platform: android-x86-arm-20240624-en
Max time kernel: 146s
Max time network: 132s

Command Line

ng.virtualdoctors.app

Signatures

Queries the mobile country code (MCC)

Tags: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

ng.virtualdoctors.app

Network


Files

/data/misc/profiles/cur/0/ng.virtualdoctors.app/primary.prof

/data/data/ng.virtualdoctors.app/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/ng.virtualdoctors.app/files/profileInstalled

/data/misc/profiles/cur/0/ng.virtualdoctors.app/primary.prof

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-07 22:09
Reported: 2024-11-07 22:12
Platform: android-x64-20240910-en
Max time kernel: 147s
Max time network: 152s

Command Line

ng.virtualdoctors.app

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

Tags: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

ng.virtualdoctors.app

Network


Files

/data/misc/profiles/cur/0/ng.virtualdoctors.app/primary.prof

/data/data/ng.virtualdoctors.app/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/ng.virtualdoctors.app/files/profileInstalled

/data/misc/profiles/cur/0/ng.virtualdoctors.app/primary.prof

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-07 22:09
Reported: 2024-11-07 22:12
Platform: android-x64-arm64-20240910-en
Max time kernel: 142s
Max time network: 152s

Command Line

ng.virtualdoctors.app

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Checks CPU information

Description: File opened for read
Indicator: /proc/cpuinfo
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

ng.virtualdoctors.app

Network


Files

/data/misc/profiles/cur/0/ng.virtualdoctors.app/primary.prof

/data/data/ng.virtualdoctors.app/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/misc/profiles/cur/0/ng.virtualdoctors.app/primary.prof