Malware Analysis Report

2024-12-01 03:04

Sample ID 241108-dcdx2awmhj
Target sample1.apk
SHA256 d257cfde7599f4e20ee08a62053e6b3b936c87d373e6805f0e0c65f1d39ec320
Tags
banker collection discovery evasion
score
7/10

Analysis Overview

score
7/10

SHA256

d257cfde7599f4e20ee08a62053e6b3b936c87d373e6805f0e0c65f1d39ec320

Threat Level: Shows suspicious behavior

The file sample1.apk was found to show suspicious behavior.

Malicious Activity Summary

banker collection discovery evasion

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Requests cell location

Queries information about active data network

Reads information about phone network operator.

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 02:51

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-08 02:51

Reported

2024-11-08 02:54

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

131s

Command Line

com.xxGameAssistant.pao

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.xxGameAssistant.pao

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | tdcv3.talkingdata.net | udp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.xxGameAssistant.pao/cache/pao/inject

MD5 23bb1f4e4f35e8489cbab091ad3d6725
SHA1 a2e894a1353b1aa9451cd2ff1bcd06e250d45770
SHA256 856061a1d0868d7ce3aa0d3d12e0c67a9278dc84a826293e3f1af231acfb542b
SHA512 d620f253b3478ce242e0d75849639637856f6cba9d8ab5e8e97a938a46935025583f1186edc630e5bfe1a32296b136352d31481824ed2d5b19de5c0df7f4fa06

/data/data/com.xxGameAssistant.pao/cache/pao/libghost.so

MD5 80892c5e7b60fcef1a004f1abc71d37f
SHA1 5a669700f36e28045c9b653d07b5936790cc83ef
SHA256 911c6166ef4bbbf2fb1da593301cccac94f55c5267882640afcf55ce40add3bc
SHA512 16d5c8dcf253c2ba2725b6b3d029fdb5e7cd98c12547add2380d01ba01410b0923a23256936e2da4cf79d0cba2d4a3cdfd2fc55df0436aceaaf2bb5d2f96c35c

/data/data/com.xxGameAssistant.pao/cache/pao/libhook.so

MD5 4b6f2a8be69f4fa2875565cfe8069451
SHA1 9c764b795126a6f00f13370215fe0686db9aa1bc
SHA256 a8911919780d496276a0cc00528ad24f9d22952af4da34fc120e59302b618a06
SHA512 d9b69b6f21215062f1d361a4a5947120fdb1cf5c4b0939e1551f5394ba42dd9b24f3ddc90c79e55dce5c52efdde782bb9260ad2cbc3f96aac949d159ae07c063

/data/data/com.xxGameAssistant.pao/files/TDtcagent.db-journal

MD5 d3a272958813c5f479245b8288242458
SHA1 e195aee84acdc82b129d22c9348be5967d8ef206
SHA256 f3a93326637bef04771c0f5bcedc925fd0529b66d9c7152c843924b19fc1a387
SHA512 7ceb0084c8bde19900e47a626496c720158dff13dea5e987dd53c39e4b8af08d421ce3f396a3f96148c43801b1c4fa08c2583af2beaf6a98f27e3a9fcd3e776b

/data/data/com.xxGameAssistant.pao/files/TDtcagent.db

MD5 e5b37ff76f07624f4a1781355b04d76a
SHA1 5afd05819cc69303894116d8f0276399628f0b45
SHA256 e10935243e8078dbeafd37710cb22622d48849ac9e1a29adf0603d729da4740b
SHA512 9364a9645c9f91fa844b3292bcc2b3de10e720df2b059f27a62ebb26a030a5a4d4889ac64e4209ec83528a25ef86e65bb51eb5be89e112002300bdaba7892cbe

/data/data/com.xxGameAssistant.pao/files/TDtcagent.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.xxGameAssistant.pao/files/TDtcagent.db-wal

MD5 90cb0fdb7174de8caaae1d4fc673dd8b
SHA1 971a8525c3fcf528032b143cbc99fb4dc8b5075a
SHA256 10d5b359bdbb2b0cfce667118ea0c171c888da5bca7eca78c59f47b9b8aa55df
SHA512 45861df673592b391ab1bbef094927ae6aa5690139f9609ffe99a68e5ee28082e0c73866132da96531a11ec8357434d518a77af8c8405ab01a9d296afa9f2848

/storage/emulated/0/.tid1544838434

MD5 ac546955cea957d3719c38be5ceeb39d
SHA1 1ebf01062f33fee6e1a5ca9fb4bf8013dbcfa916
SHA256 e68e0e571f1c4c169475d0275d3750ea71aee59c96dcfb4d53c8a08ff6df4353
SHA512 c17ce88500da557bf3a93357cd9ae261b09ff2de248a957fd937aa49445832ea9c14921e5b56a2154b022dcdd3ce99c24ea890ff66d8b0326bb290fbc2877622