Malware Analysis Report

2024-11-15 09:53

Sample ID 241109-rkcltsynaj
Target H570.apk
SHA256 c99b92ce6e51f5f235884aeb979d36cace131641469f2c12b27d90fd30f7eefd
Tags collection credential_access discovery impact persistence
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file H570.apk was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery impact persistence

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-11-09 14:14

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 14:14

Reported

2024-11-09 14:17

Platform

android-x64-20240624-en

Max time kernel

138s

Max time network

155s

Command Line

org.noear.h5

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

org.noear.h5

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 h5.noear.org udp
CN 47.110.66.144:443 h5.noear.org tcp
CN 47.110.66.144:443 h5.noear.org tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp

Files

/data/data/org.noear.h5/databases/h5db.db-journal


/data/data/org.noear.h5/databases/h5db.db


/data/data/org.noear.h5/databases/h5db.db-journal


/data/data/org.noear.h5/databases/h5db.db-journal


Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 14:14

Reported

2024-11-09 14:17

Platform

android-x64-arm64-20240910-en

Max time kernel

132s

Max time network

150s

Command Line

org.noear.h5

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

org.noear.h5

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 216.58.204.78:443 android.apis.google.com tcp
US 216.239.34.223:443 tcp
US 1.1.1.1:53 h5.noear.org udp
CN 47.110.66.144:443 h5.noear.org tcp
CN 47.110.66.144:443 h5.noear.org tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.187.193:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.34.223:443 tcp

Files

/data/user/0/org.noear.h5/databases/h5db.db-journal


/data/user/0/org.noear.h5/databases/h5db.db


/data/user/0/org.noear.h5/databases/h5db.db-journal


/data/user/0/org.noear.h5/databases/h5db.db-journal


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 14:14

Reported

2024-11-09 14:17

Platform

android-x86-arm-20240624-en

Max time kernel

133s

Max time network

131s

Command Line

org.noear.h5

Signatures

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

org.noear.h5

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 h5.noear.org udp
CN 47.110.66.144:443 h5.noear.org tcp
CN 47.110.66.144:443 h5.noear.org tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

/data/data/org.noear.h5/databases/h5db.db-journal


/data/data/org.noear.h5/databases/h5db.db


/data/data/org.noear.h5/databases/h5db.db-shm


/data/data/org.noear.h5/databases/h5db.db-wal
