Malware Analysis Report

2024-11-15 09:54

Sample ID 241110-ma4v4stqfs
Target MPajak.apk
SHA256 95b09b49f68c8173b98ca5ff4472c611b437181d809283d3fd046fb14943081e
Tags
collection credential_access discovery evasion execution impact persistence golddigger gigabud
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

95b09b49f68c8173b98ca5ff4472c611b437181d809283d3fd046fb14943081e

Threat Level: Known bad

The file MPajak.apk was found to be: Known bad.

Malicious Activity Summary

collection credential_access discovery evasion execution impact persistence golddigger gigabud

Golddigger family

Gigabud payload

GoldDigger payload

Gigabud family

Queries account information for other applications stored on the device

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Queries information about active data network

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 10:16

Signatures

Gigabud family

gigabud

Gigabud payload

Description Indicator Process Target
N/A N/A N/A N/A

GoldDigger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Golddigger family

golddigger

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by wallpaper services to bind with the system. Allows apps to provide live wallpapers. android.permission.BIND_WALLPAPER N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 10:16

Reported

2024-11-10 10:28

Platform

android-33-x64-arm64-20240624-en

Max time kernel

599s

Max time network

602s

Command Line

com.aaa.ccc

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.aaa.ccc

com.aaa.ccc:fore_temp

com.aaa.ccc:main

com.aaa.ccc:mr2_process

Network

Country Destination Domain Proto
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.baidu.com udp
HK 103.235.47.188:80 www.baidu.com tcp
HK 103.235.47.188:80 www.baidu.com tcp
HK 103.235.47.188:80 www.baidu.com tcp
HK 103.235.47.188:80 www.baidu.com tcp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
HK 103.235.47.188:80 www.baidu.com tcp
GB 216.58.204.78:443 udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 142.250.178.3:443 tcp
US 172.64.41.3:443 udp
GB 142.250.178.3:443 udp
GB 216.58.201.100:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 216.58.201.100:443 udp
US 1.1.1.1:53 apim.indlx.vip udp
US 104.21.13.205:443 apim.indlx.vip tcp
US 104.21.13.205:443 apim.indlx.vip tcp
GB 142.250.187.194:443 tcp
GB 142.250.187.194:443 tcp
GB 142.250.200.38:443 tcp
GB 142.250.180.2:443 tcp
GB 142.250.187.194:443 tcp
GB 172.217.169.46:443 tcp
US 216.239.34.36:443 tcp
GB 172.217.16.225:443 tcp
GB 142.250.179.225:443 tcp
GB 172.217.16.225:443 tcp
GB 172.217.16.225:443 tcp
GB 172.217.16.225:443 tcp
GB 172.217.16.225:443 tcp
GB 142.250.187.227:443 tcp
GB 142.250.187.227:443 tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp

Files

/data/data/com.aaa.ccc/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.aaa.ccc/no_backup/androidx.work.workdb-wal

MD5 52535c4582dd54b1e9103ae6b06c5f26
SHA1 c47f243be29232f5eb0812c74ac00809556fb0b1
SHA256 e86dbc727c7ebc5e5930d60288a3e830d05c8ea09c6ca96a5f098dba800a3306
SHA512 fee95035c33890d500cfe6d6181ca4d279cfcb0915f89d4a82da055d47db4d7901193e307a8133bbb4ea9bf6c1c0958aa9d6d689da3ce54a2b6c51b6197d116c

/data/data/com.aaa.ccc/no_backup/androidx.work.workdb

MD5 8be5167c517962f3138a980f4a44a3de
SHA1 2c4b0597ee486740e9af02fd0e5f6c85ec772746
SHA256 0c79611de8afd7b47d3d5cbe274970bdf8d159c1d18a124d81b06e8fc595bbd1
SHA512 a44c8cd3ba4d3fb6d65c3447dac0b370aa39e982b117630ec8818a9b5f9e0c0694cb1aad18fc5cd236b77e816a9967e04edf11e57821faea325796fb0c74ed9a