Malware Analysis Report

2024-11-15 09:54

Sample ID 241109-lx4cessdmn
Target A.apk
SHA256 e62d68ab13afd961ac3a7255130c5822b50cc5a0b6a7f80cceb46e217f3a95aa
Tags: collection credential_access discovery impact
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: e62d68ab13afd961ac3a7255130c5822b50cc5a0b6a7f80cceb46e217f3a95aa

Threat Level: Shows suspicious behavior

The file A.apk was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection credential_access discovery impact

Obtains sensitive information copied to the device clipboard

Reads information about phone network operator

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 09:55

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 09:55

Reported: 2024-11-09 09:57

Platform: android-33-x64-arm64-20240624-en

Max time kernel: 54s

Max time network: 67s

Command Line

web.browser

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

Tags: discovery

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

web.browser

Network


Files

/data/data/web.browser/databases/com.microsoft.appcenter.persistence-journal

/data/data/web.browser/databases/com.microsoft.appcenter.persistence

/data/data/web.browser/databases/com.microsoft.appcenter.persistence-journal

/data/data/web.browser/databases/com.microsoft.appcenter.persistence-journal

/data/data/web.browser/databases/com.microsoft.appcenter.persistence-journal

/data/data/web.browser/databases/com.microsoft.appcenter.persistence-journal

/data/data/web.browser/databases/com.microsoft.appcenter.persistence-journal
