Malware Analysis Report

2024-12-01 02:58

Sample ID 241107-14metaskel
Target 287fcd033782da9f4b56bbdb4f581ae7fb1e97e7a8fc7d3206a286f57ff9f8c5.bin
SHA256 287fcd033782da9f4b56bbdb4f581ae7fb1e97e7a8fc7d3206a286f57ff9f8c5
Tags
discovery persistence collection credential_access impact phishing
score
7/10

Analysis Overview

score
7/10

SHA256

287fcd033782da9f4b56bbdb4f581ae7fb1e97e7a8fc7d3206a286f57ff9f8c5

Threat Level: Shows suspicious behavior

The file 287fcd033782da9f4b56bbdb4f581ae7fb1e97e7a8fc7d3206a286f57ff9f8c5.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence collection credential_access impact phishing

A potential corporate email address has been identified in the URL: 85FB9FE59D5DE6E8A9E85924331C8F28@400x400

A potential corporate email address has been identified in the URL: [email protected]

Obtains sensitive information copied to the device clipboard

A potential corporate email address has been identified in the URL: 2BBBD4EAA9F18474A4776C9297FFA0FC@256x256

A potential corporate email address has been identified in the URL: [email protected]

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-07 22:12

Signatures

Requests dangerous framework permissions

Description                          | Indicator                             | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A     | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 22:12

Reported

2024-11-07 22:15

Platform

android-x86-arm-20240910-en

Max time kernel

57s

Max time network

150s

Command Line

com.bossvip57.main

Signatures

Queries the mobile country code (MCC)

discovery
Description            | Indicator                                                              | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A     | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description            | Indicator                                     | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A     | N/A

Checks CPU information

Description          | Indicator     | Process | Target
File opened for read | /proc/cpuinfo | N/A     | N/A

Checks memory information

Description          | Indicator     | Process | Target
File opened for read | /proc/meminfo | N/A     | N/A

Processes

com.bossvip57.main

Network

Country | Destination        | Domain                  | Proto
N/A     | 224.0.0.251:5353   |                         | udp
US      | 1.1.1.1:443        | 1.1.1.1                 | tcp
US      | 104.21.57.224:443  | www.57bossvip.com       | tcp
US      | 1.1.1.1:53         | www.57bossvip.com       | udp
US      | 172.67.193.20:443  | www.57bossvip.com       | tcp
GB      | 142.250.200.46:443 |                         | tcp
GB      | 142.250.200.46:443 |                         | tcp
US      | 1.1.1.1:53         | android.apis.google.com | udp
GB      | 142.250.200.14:443 | android.apis.google.com | tcp
US      | 1.1.1.1:53         | cdnjs.cloudflare.com    | udp
US      | 104.17.24.14:443   | cdnjs.cloudflare.com    | tcp
US      | 1.1.1.1:53         | sock2.source-cdn.com    | udp
GB      | 142.250.200.14:443 | android.apis.google.com | tcp
US      | 104.21.23.22:443   | sock2.source-cdn.com    | tcp
US      | 104.21.23.22:443   | sock2.source-cdn.com    | tcp

Files

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-journal

MD5 48a4a352c59bc7173472e7e1c703646d
SHA1 e4fbf6a05e66b89c394c46c38a91d7581e9617e0
SHA256 f78b635dcc1d3ac9722dbc1eda662efd783d8a51be7ed72dfdb77813633a7f46
SHA512 ea531db0eaf97b3a3ac81e8388d7a047b62de5c5b8c48120ee2373428a7502df6d7dc5ac989f0c9e4cee6313fb20f10c7df5b0bb111c7df219446c023f9c564d

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-wal

MD5 6ad592833e9cfe4d72afdfb86a8e98b6
SHA1 64ed9058ee3f409eec95f0bd805468a6a54345fc
SHA256 016bf07aff1ed06ee39638a0205c2c7eb9f73c814cfc2f69960d2ca835d1274c
SHA512 08034c2ab5c9ff8bc7ca38f1f5463ba31da1970f7cdbb1e3be3087593c9f452148c49561193f3ae95b8c72a39f42060a169796a612073dd0213970fb0b809656

/data/data/com.bossvip57.main/files/PersistedInstallation1530758990497796991tmp

MD5 aab7fd55889bb70620c84e67120a5ba0
SHA1 44d36ac2ad13d9aa9c94442470ab69791f0ceee6
SHA256 8c2ba78b8597ae2d87fa49a44dc96c740970002389a9c90591d31d2f5aa99b32
SHA512 f9b012d2308ae63f971babcfbbbdafec6fe0137b996811a3ee414a42861e71f2b6d9f20cf2cbd6f1d1261ebc3ab1f345999efe2e5aa82e5d122b72e427dcf83a

/data/data/com.bossvip57.main/files/PersistedInstallation2654199921985559057tmp

MD5 3c0b063b146532f0a7829163d9a25e30
SHA1 deccf475ff6434920b5fb1f4ac46f10ef7c91ab6
SHA256 e538e82386eb2b272c35cb38872f678f6cc715fb0a565493132233b3924b672b
SHA512 4a2fc99bcd926bdf6a85fb219fa0a2bccc547b2b89b323bf460079b43baae6df8168dab9a765dd817b4719527f20b6c4dc868df8c0a4c09dad3d8cf628d914c3

/data/misc/profiles/cur/0/com.bossvip57.main/primary.prof

MD5 908586513d7df7e06d4d8418e6ed8994
SHA1 399fdd1ff2f6c8e26e612fe47ef44aaa085c5ed5
SHA256 39e652dee3844dbe4fda3e08760632d5574f5ddd10e50cfe4d1ea4a0e9799b7a
SHA512 b304d22fcfd832d5fe211d9bf0f7a737cc4037af579b42f44e15341e9c89be3c91ec33e8c8ec8d87b4cda98694b65cf880303fdced7804efa3ad3d135ce99eb9

/data/data/com.bossvip57.main/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 bcdcb7a3964eccdb7a19748689147f98
SHA1 a028a42b7be41cf978c53cd4c3949b279cde78c8
SHA256 59f57ebb9fe71572fc269ad44355154268f7f0fc6d87099bf7b6e9e03b394248
SHA512 76ecf4f121254cf3a337f8fb73434b8c307ca4366fbc8efd97aad8eed8378a1b8060c5cdc0c2616003087cfd1b429e0110ea6cb6b06e7a15574a3f25d1f122a9

/data/data/com.bossvip57.main/files/profileInstalled

MD5 651362cc4ec7ca58505683efb31c2d91
SHA1 466cd37d3190fb64eabd1b3a5a689fb0f91f265a
SHA256 0f8d8ed443bec33e2bb9dd7eccca7d804db82f59ad1a159432b4b2ad8218197e
SHA512 d4340b3ba10f2e49bedc09e654e885e3578c3c7ef80b31c6196981ea3851577cab3c31014f30db430ac8e6f524ef21fc1d8cc613878d29c34c3f0b2def4945b7

/data/misc/profiles/cur/0/com.bossvip57.main/primary.prof

MD5 8d0f6223c7aa61cfbaa8f5a0739f23df
SHA1 bf453a3ecf9fd2020728ba3652b64dbf19fdb330
SHA256 7f99c710e84f5bd0f7cec8d20cf3be648d3075d0af627dd2be891135da350de6
SHA512 75815ff4a672f0264f35a918d7627225af8cee50519717dfa0926eb7596485752413b4ae1e3a205572814b6b4819e3ed40bd638acb8833e7c18f60a8584069b9

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 22:12

Reported

2024-11-07 22:15

Platform

android-x64-20240624-en

Max time kernel

65s

Max time network

157s

Command Line

com.bossvip57.main

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description            | Indicator                                                | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A     | N/A

Queries the mobile country code (MCC)

discovery
Description            | Indicator                                                              | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A     | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description            | Indicator                                     | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A     | N/A

Checks CPU information

Description          | Indicator     | Process | Target
File opened for read | /proc/cpuinfo | N/A     | N/A

Checks memory information

Description          | Indicator     | Process | Target
File opened for read | /proc/meminfo | N/A     | N/A

Processes

com.bossvip57.main

Network

Country | Destination         | Domain                   | Proto
N/A     | 224.0.0.251:5353    |                          | udp
US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
GB      | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US      | 1.1.1.1:443         | 1.1.1.1                  | tcp
US      | 172.67.193.20:443   | www.57bossvip.com        | tcp
GB      | 142.250.187.206:443 |                          | tcp
US      | 1.1.1.1:53          | www.57bossvip.com        | udp
US      | 1.1.1.1:53          | android.apis.google.com  | udp
US      | 172.67.193.20:443   | www.57bossvip.com        | tcp
GB      | 142.250.200.46:443  | android.apis.google.com  | tcp
US      | 1.1.1.1:53          | cdnjs.cloudflare.com     | udp
US      | 104.17.25.14:443    | cdnjs.cloudflare.com     | tcp
US      | 1.1.1.1:53          | sock1.source-cdn.com     | udp
US      | 104.21.23.22:443    | sock1.source-cdn.com     | tcp
US      | 104.21.23.22:443    | sock1.source-cdn.com     | tcp
GB      | 142.250.180.4:443   |                          | tcp
GB      | 142.250.180.4:443   |                          | tcp

Files

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-journal

MD5 4a2fc923b42ae6372301c2e29562ea18
SHA1 8d8114bb33a04b3850f60a346327081831628b84
SHA256 e6b66f0ffd2993b396c376f518e58d108c65d11b5bb279aa736e688bcce55483
SHA512 b6dc404328ac2aee5484d959519d6edddfdc873947e64f7d1d86934d1462311a4879bfbe47cfc88b1547146587e49e02a4e8dd44ea8029c9fd7390d8488dc33b

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events

MD5 9aaa5d15496620fc23076006ef4cc617
SHA1 a496f6d722fb8fe05bb422de7b3152a98e522e03
SHA256 b85c3e02d55ac539c3ba2108d342e11d37ee1c59ad01abfacab1627694c8fa12
SHA512 af73e3da9d6f8a18d67582989f890122543aecf02ea12df382321d4a3208c7653bcdad5735705c35a490db3886d5d043666b3283825296dd5e4929b30610ad0c

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-journal

MD5 e787c73500d1aabcc548b7c16cedc4ef
SHA1 190bb9ad5ab8d1dff9d3cc226c1f1aaccead8878
SHA256 79851a9b864a3b8e1f808ec4b2d34562abeabcad29b4ac6ab792f8243ecf66f6
SHA512 8c12d219f652d4666f724750e2d2dfbdda49c03645674d6b9f889b2670e9e20d590472f68261ab84cfc1525dc73ed02ecf8138842bd74cb6b2f6463d18a25e83

/data/data/com.bossvip57.main/files/PersistedInstallation5989877287809988848tmp

MD5 46aa2c30867a0a6492a1b366be129303
SHA1 403c9139703777c63d0bb0684926b8b845315838
SHA256 2d05127acf3c47e546b0968d81f65d483236a1d9e1c5f5453f7fd4c4adaa7451
SHA512 882f512a7e22ef2b44b4f41e5a1d0194d0d4aae175a5006bf201c091393f208d3e04d0748ff503573d34079d06f0e80ec830c444d906f09ebb63719a51c2a80b

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-journal

MD5 23fcfd6662b7bf6fbc6bbc0eafe37b23
SHA1 bbaada8e6057c76481e1ca1bb443a15695d3a9b6
SHA256 e9d778b429fad3020865e7f04ae0ad3022d152480f76a660f1c68434c3b7f342
SHA512 29d60a3703e264e93dbe98646013fd7690bffe596f6866ea8456e12335c534e4d5726d7777857be881abe6ca483bf1d85fab5ac2d2aa657ada13b88d9cda364b

/data/data/com.bossvip57.main/files/PersistedInstallation4406946744792759868tmp

MD5 3d24ed007d8603ea0660676c5941238e
SHA1 d756834b96aaecd412da0620af9beaf45e3fb082
SHA256 fdbfe9b53eca9191e898d56e4e3f60bcd99ffc39b0728e4b263fbf429e3ef10b
SHA512 6afb73c9d762d5e553d6f3acb0693189543870a3e6518e01bbb172a2fa37af5339734b2107e7d31a092d2b033269c22439936b039113348428f639fcdec06cff

/data/misc/profiles/cur/0/com.bossvip57.main/primary.prof

MD5 908586513d7df7e06d4d8418e6ed8994
SHA1 399fdd1ff2f6c8e26e612fe47ef44aaa085c5ed5
SHA256 39e652dee3844dbe4fda3e08760632d5574f5ddd10e50cfe4d1ea4a0e9799b7a
SHA512 b304d22fcfd832d5fe211d9bf0f7a737cc4037af579b42f44e15341e9c89be3c91ec33e8c8ec8d87b4cda98694b65cf880303fdced7804efa3ad3d135ce99eb9

/data/data/com.bossvip57.main/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e81136718dec87ea416a534846924c51
SHA1 c96db2cc74a457529d9002123a945a53c621f9b0
SHA256 98e312ffed086ac195d3c175db6618f611caa3f9eb4d057774bc0516caa43e45
SHA512 a750adb29e7e48b2e538434c72c25d9dda86b17559dc714e96708d19c0efc72d6e0a9c33a6c83d064efff4ce369fa10f8c485be85bdb8f07d9ddaa21bf8a1865

/data/data/com.bossvip57.main/files/profileInstalled

MD5 baa497d4bee74c523d09e565d6f93dc4
SHA1 ce96fe1e5acf8a5a1a87411cc9416ba9da8d2480
SHA256 dedb7808396fe8dc5c21edef01740f4e86a36f14590f0dd2fd94f20ff59c7bde
SHA512 17fd3d36b1aa35bd878096e889cfa98e783b1cb8390c71095f75d231a2acd05e785c97371bc3ef8d88bd312927f42cc5d7746d6054c59e1c96de4eafa5babe45

/data/misc/profiles/cur/0/com.bossvip57.main/primary.prof

MD5 9bb0313ecb7e7b55d3d2cb69ca6b104f
SHA1 268231be22cac3557b6b5efa1bd3d15700ddd2a8
SHA256 0c007dd370d8e7478bccffd714e42ca7ae9a62c6ca49d72c337932b315eacd36
SHA512 a4f2364db13f76dc37c2df3b66085ff2a0f607b92435c3e9565fcc3de541d5381ab0bc7ea4574685b362cadeb019038b36ccb15a3853c81023a356767be83865

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 22:12

Reported

2024-11-07 22:14

Platform

android-x64-arm64-20240910-en

Max time kernel

60s

Max time network

150s

Command Line

com.bossvip57.main

Signatures

A potential corporate email address has been identified in the URL: 2BBBD4EAA9F18474A4776C9297FFA0FC@256x256

phishing

A potential corporate email address has been identified in the URL: [email protected]

phishing

A potential corporate email address has been identified in the URL: 85FB9FE59D5DE6E8A9E85924331C8F28@400x400

phishing

A potential corporate email address has been identified in the URL: [email protected]

phishing

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description            | Indicator                                                | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A     | N/A

Checks CPU information

Description          | Indicator     | Process | Target
File opened for read | /proc/cpuinfo | N/A     | N/A

Checks memory information

Description          | Indicator     | Process | Target
File opened for read | /proc/meminfo | N/A     | N/A

Processes

com.bossvip57.main

Network

Country | Destination         | Domain                   | Proto
GB      | 142.250.200.46:443  |                          | tcp
US      | 1.1.1.1:53          | android.apis.google.com  | udp
GB      | 216.58.204.78:443   | android.apis.google.com  | tcp
GB      | 216.58.201.106:443  |                          | tcp
N/A     | 224.0.0.251:5353    |                          | udp
GB      | 216.58.204.78:443   | android.apis.google.com  | tcp
US      | 1.1.1.1:53          | www.youtube.com          | udp
GB      | 172.217.169.14:443  | www.youtube.com          | udp
GB      | 172.217.169.14:443  | www.youtube.com          | tcp
GB      | 216.58.204.78:443   | www.youtube.com          | tcp
US      | 1.1.1.1:443         | 1.1.1.1                  | tcp
US      | 104.21.57.224:443   | www.57bossvip.com        | tcp
US      | 1.1.1.1:53          | www.57bossvip.com        | udp
US      | 172.67.193.20:443   | www.57bossvip.com        | tcp
US      | 1.1.1.1:53          | cdnjs.cloudflare.com     | udp
US      | 104.17.24.14:443    | cdnjs.cloudflare.com     | tcp
US      | 1.1.1.1:53          | ssl.google-analytics.com | udp
GB      | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US      | 1.1.1.1:53          | sock1.source-cdn.com     | udp
US      | 104.21.23.22:443    | sock1.source-cdn.com     | tcp
US      | 104.21.23.22:443    | sock1.source-cdn.com     | tcp
US      | 216.239.36.223:443  |                          | tcp
US      | 216.239.36.223:443  |                          | tcp
GB      | 142.250.200.1:443   |                          | tcp
GB      | 216.58.212.193:443  |                          | tcp
US      | 216.239.36.223:443  |                          | tcp
US      | 216.239.36.223:443  |                          | tcp

Files

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-journal

MD5 a03b0302e9550ef1240724b119805c51
SHA1 0047ba31d2cd265c1c282c306bdfe78ec4eef0d2
SHA256 a52c5ee74d06189334ee34f0f67ed352e53ef694277d7a0901cc54fca7b9c7f1
SHA512 27bea114f4aa0ee881d29dc7ddd1c2b78f17f5b76665acb2769e7a30ac66dc2a236e0a99b1b440ae5654da84bd6581ae460fc911b31d8c3790165e1053f2349a

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events

MD5 b023d772ca722143938eebb9a6ebf630
SHA1 f940c75f36953b34fea49def8b13051e82a55c71
SHA256 088afeb809ca851df565a887bda152cf378e6cb2c75b7a8cb11c5d5307894136
SHA512 05f5f18ccde2c39430aa215bd8f7a2a7dec12d2224c3c1562c7b7d2e1699981c42f991f38baa2e60136a9c73747c20ed88fd17c718402625fccac526a39bfea7

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-journal

MD5 4c76743db6c1168886e827fcc1f047f2
SHA1 0f82f866d93789e8ade27f67d9e90370a6481284
SHA256 c3723bbca8a0827d4e29b58a7d0d410a1e907095673de2434d133dac399fd674
SHA512 69de16d6a4b6b50b6ae19cfc53c1b5697991babbef6c5ac23f122af66ffad91bc7967ad75444fdaa0533146cefcf6f8ff34ef8258153cc9b904da65ad4cb28b4

/data/data/com.bossvip57.main/databases/com.google.android.datatransport.events-journal

MD5 2a7ef74edc0d48e67f38b4183d669e3b
SHA1 086edd596bc630848d61863d3f3fe4f8eb0a2bee
SHA256 c06a1a796963d7b460bf247f7cde0356d78ca607d35dad8740a325836f877c54
SHA512 863bd4129511e1b02c539d7951ffd10a8e5c0a288bb02fddf27c82c9713b288e7013842b99dbceb3a6e6e50461c22a57831c605ca825bec18b3af81900397174

/data/data/com.bossvip57.main/files/PersistedInstallation3966634188706627339tmp

MD5 0164540dc355d2493a52d05f3c2b940e
SHA1 b8b0411308b789d49653a9303713da11e000d1e7
SHA256 9d8faec10f22a8770cdf91921e090bd53eafdde5c2384a6f704dee58c49ea70f
SHA512 72518ad45cfeafe7be9989f4f39ed9ffed6ef92b39d188f416da585eb3b3bd6660b9f429caf84eff7029d2e04c59c5f451e6855f911848314a5d48ddd44e4553

/data/data/com.bossvip57.main/files/PersistedInstallation7094384525456105669tmp

MD5 f4277662c0e0885c15395e2da5a014fb
SHA1 1ab4e1635b19e5c8a7e81cc051bbc5524c535c54
SHA256 b0931269b90a9f5d3ecb96c489cf16f31351b4904bbc3656df87236520fd1595
SHA512 6a020efac94f5831c9bdf4634941feebf1cd377f7f9651a0036444c462f1abadd5cb7547cc2dd531296f5f302682b3a6f5b8103a9c7def87e6f02989f5c9d1ea

/data/misc/profiles/cur/0/com.bossvip57.main/primary.prof

MD5 908586513d7df7e06d4d8418e6ed8994
SHA1 399fdd1ff2f6c8e26e612fe47ef44aaa085c5ed5
SHA256 39e652dee3844dbe4fda3e08760632d5574f5ddd10e50cfe4d1ea4a0e9799b7a
SHA512 b304d22fcfd832d5fe211d9bf0f7a737cc4037af579b42f44e15341e9c89be3c91ec33e8c8ec8d87b4cda98694b65cf880303fdced7804efa3ad3d135ce99eb9

/data/data/com.bossvip57.main/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 a7188ea8c17288d24bd42247acf8b904
SHA1 be326b10dd0fc85400d7a53f4590ec270cdfb34e
SHA256 f26b975762f1e2e1aef819e3a8ee701feea19764ff94258334589732553b28b4
SHA512 78e23c2b139f2e015eca6fbbff68e05468342a941cf0531cc677155b146ca607a2bd348e05a112e05681f0bb0dfeaacf180a6063609fd3191f74a326c024d734

/data/misc/profiles/cur/0/com.bossvip57.main/primary.prof

MD5 64ae0143d69b419e00f97267e6284052
SHA1 d9cec7a6b8110d575a836bc739d800f363277058
SHA256 fe5fcaa0aca4ffe74cf3d75b4ecd2d12835de28816146d6d42b8b8a041067893
SHA512 d03206bc3e5ff88b6c0527e457352fc6892244a2571d07f0a2aef52efa4be6dbab6ed805e2d9ca6d31cd670a4366af6be6fbfd4d97ba3fae3968336c0c11bfa2