Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-254wxstkfs
Target acabb6b9cdd2549dae64f7cc9f0e4a402fdaf505958c11bec721eb2f0c3e3ac0.bin
SHA256 acabb6b9cdd2549dae64f7cc9f0e4a402fdaf505958c11bec721eb2f0c3e3ac0
Tags: discovery evasion persistence collection credential_access impact
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: acabb6b9cdd2549dae64f7cc9f0e4a402fdaf505958c11bec721eb2f0c3e3ac0

Threat Level: Shows suspicious behavior

The file acabb6b9cdd2549dae64f7cc9f0e4a402fdaf505958c11bec721eb2f0c3e3ac0.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 23:10

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 23:10
Reported: 2024-11-09 23:13
Platform: android-x86-arm-20240910-en
Max time kernel: 21s
Max time network: 152s

Command Line

com.yonoservice.registration

Signatures

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Checks the presence of a debugger

Tags: evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yonoservice.registration

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.179.228:80 | | tcp

Files

/data/misc/profiles/cur/0/com.yonoservice.registration/primary.prof

/data/data/com.yonoservice.registration/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.yonoservice.registration/files/profileInstalled

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 23:10
Reported: 2024-11-09 23:13
Platform: android-33-x64-arm64-20240910-en
Max time kernel: 54s
Max time network: 154s

Command Line

com.yonoservice.registration

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Checks the presence of a debugger

Tags: evasion

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yonoservice.registration

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | content-autofill.googleapis.com | udp
GB | 216.58.212.202:443 | content-autofill.googleapis.com | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | android.apis.google.com | udp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 216.58.204.74:443 | remoteprovisioning.googleapis.com | tcp
GB | 216.58.204.74:443 | remoteprovisioning.googleapis.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.178.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.201.100:443 | www.google.com | tcp
GB | 216.58.204.70:80 | | tcp
GB | 216.58.201.110:443 | | tcp
GB | 142.250.180.2:443 | | tcp
US | 216.239.32.36:443 | | tcp
GB | 142.250.187.193:443 | | tcp
GB | 216.58.204.65:443 | | tcp
GB | 216.58.204.65:443 | | tcp
GB | 216.58.204.65:443 | | tcp
GB | 216.58.204.65:443 | | tcp
GB | 142.250.179.227:443 | | tcp
GB | 216.58.204.65:443 | | tcp

Files

/data/misc/profiles/cur/0/com.yonoservice.registration/primary.prof

/data/data/com.yonoservice.registration/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.yonoservice.registration/files/profileInstalled