Malware Analysis Report

2024-12-01 03:00

Sample ID 241107-1wwcrasjcl
Target 6bfa4ec31eded318330f12abe8d1675c192264124bc0ed5a475eefe8f2b0ef79.bin
SHA256 6bfa4ec31eded318330f12abe8d1675c192264124bc0ed5a475eefe8f2b0ef79
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Analysis Overview

score
7/10

SHA256

6bfa4ec31eded318330f12abe8d1675c192264124bc0ed5a475eefe8f2b0ef79

Threat Level: Shows suspicious behavior

The file 6bfa4ec31eded318330f12abe8d1675c192264124bc0ed5a475eefe8f2b0ef79.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 22:00

Reported

2024-11-07 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

26s

Max time network

132s

Command Line

com.yonoservice.registration

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yonoservice.registration

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/misc/profiles/cur/0/com.yonoservice.registration/primary.prof

MD5 73f3fed449e037354c9bc19a2ee46738
SHA1 05ea0709c96b7a6297e950818fc2700222048b80
SHA256 6d8bf79b46d067b649501ca93805c189b935cb28a47eb8ca23bb0f4585ce5698
SHA512 47fcb246ae13c2189ad9d5fc551c24e1c61ca9bbd50d64281e77857e3169011925fb42be30d42152d3c0958db44a0cf4bcef4a7800fe8718791853a8970f1ec1

/data/data/com.yonoservice.registration/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 b55e223ac51313ad2edc8fbebde5b71e
SHA1 8cc57426c1726827d0fea89385fe6880875e969f
SHA256 885c4bb43e2fa5e4402519ef950db1f9d357140042e40b3920fc6c7ba163dbd8
SHA512 8c730de31e631bcd412eff882e476ff98b201070c3eeb3a2d6261823bc716cad273954d3e7d4738d77fb60d6f498517450a037c2b948dbcc2d6c18baace00bf1

/data/data/com.yonoservice.registration/files/profileInstalled

MD5 9c9b9b7aae53526f08bee1f21ed10785
SHA1 1b659ffd8dd1ab7810c280a8968a0382c7b51dd5
SHA256 d69c2684c0a28bf279e1a5416cf7c4a85cb10ef6f0ca0f83c978e26c9aed7fe7
SHA512 46a6654597c3b448853a4411f88d96e55bb55afbe8afaf880200149008a7e5b578ebc8509668e0c5b7b95d349803c4bee575ccb65c596de9370b857fff0014c9

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 22:00

Reported

2024-11-07 22:03

Platform

android-33-x64-arm64-20240624-en

Max time kernel

53s

Max time network

134s

Command Line

com.yonoservice.registration

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks the presence of a debugger

evasion

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.yonoservice.registration

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.196:443 udp
GB 142.250.187.196:443 tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 142.250.187.196:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.200.3:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
US 172.64.41.3:443 udp
GB 142.250.187.196:443 udp

Files

/data/misc/profiles/cur/0/com.yonoservice.registration/primary.prof

MD5 3f40a3add29c68243ae352b006e6a16a
SHA1 05a030a47f897d5b3bbd0bbd5cb9869356a1a358
SHA256 e92b3847638d82a6123f739de5568918e4e09cc8e1966084ea086f54e0a7a41d
SHA512 7d34b9277407f19d8c79f61272e7c4aed08f8581a28af3f7a41604026441687ca1b5fdbab6bbde43b01190885fd4c69baea5d2e80a25eab5b1310afc27dcab17

/data/data/com.yonoservice.registration/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 0dd951e37c421d4b76edbb52c2ed5f62
SHA1 09e27da512da58adedd8add567801b9bb1e8d1ee
SHA256 5361b54d180997db67c2d172221ee6de38d3e7e1be6a834f726fcd1ae88f6afa
SHA512 24a7ff62c58e4b22d6e8ade8275998adcf607e5227172782a8e879478eac069120f60d494d1e29b6633300b4dbd89ba90c7747f1caa9e809ed7b11a2a86bb2f5

/data/data/com.yonoservice.registration/files/profileInstalled

MD5 eb874fdcdd9328f1fe3dd07b25e619c3
SHA1 d56260375fc071c9eb6037b1b733b414ea349982
SHA256 52e90fb832261ce8f9119812a97bd93c425a48f0dca78af583cae0d81bdb5359
SHA512 008264c811609919eda0ab7005b2c6bc78d17a626f24cf2bd3717d8b7ef2d94f07d82b00979f0ab3f4af8897bfc16d1bfbd022b7a020f5d22f26bdc34ef1da02