Malware Analysis Report

2024-12-01 03:06

Sample ID: 241110-zprkjsxrhp
Target: AmnesiaBETA.apk
SHA256: 9f0460662f390a0c5ca40b0ae41a5205a72553c9df68e4afef53d9becf6fae12
Tags: execution, persistence
Score: 6/10


Analysis Overview

Score: 6/10

SHA256: 9f0460662f390a0c5ca40b0ae41a5205a72553c9df68e4afef53d9becf6fae12

Threat Level: Shows suspicious behavior

The file AmnesiaBETA.apk was classified as showing suspicious behavior.

Malicious Activity Summary

Tags: execution, persistence

Looks up external IP address via web service

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-11-10 20:54

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Note: BIND_DEVICE_ADMIN is not a permission the app requests for itself; it is declared on the app's DeviceAdminReceiver so that only the system can bind to that component. Its presence means the APK ships a device-administration component. Once the user activates it, the app cannot be uninstalled until the admin is deactivated again, which is why this declaration is weighted as suspicious.

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
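How the two static signatures above can be reproduced against a decoded manifest, as an added example that is not part of the report or the sandbox's own tooling. It assumes the manifest has already been converted from binary XML to text (for instance with apktool); the manifest it audits is constructed for the demo. The package name beznogym.hack is the one the report shows, while the receiver name .AdminReceiver and the list of dangerous permissions are the author's assumptions.

```python
"""Static triage of an AndroidManifest.xml for device-admin receivers and
dangerous permissions. Added example; the manifest below is constructed
and is not the real AmnesiaBETA.apk manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of runtime ("dangerous") permissions, plus POST_NOTIFICATIONS,
# which is runtime-prompted since Android 13. Author's list, not the
# sandbox's.
DANGEROUS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ENABLED = "android.app.action.DEVICE_ADMIN_ENABLED"


def attr(elem, name):
    """Read an android:-namespaced attribute (element names are not namespaced)."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text):
    """Return the dangerous permissions requested and any device-admin receivers."""
    root = ET.fromstring(xml_text)
    requested = {attr(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "dangerous_permissions": sorted(requested & DANGEROUS),
        "device_admin_receivers": [],
    }
    for rcv in root.iter("receiver"):
        actions = {attr(a, "name") for a in rcv.iter("action")}
        # BIND_DEVICE_ADMIN sits on the receiver, restricting who may bind
        # to it (only the system). Together with DEVICE_ADMIN_ENABLED it
        # identifies a DeviceAdminReceiver.
        if attr(rcv, "permission") == BIND_DEVICE_ADMIN or DEVICE_ADMIN_ENABLED in actions:
            findings["device_admin_receivers"].append({
                "name": attr(rcv, "name"),
                "permission": attr(rcv, "permission"),
                "exported": attr(rcv, "exported"),
                "actions": sorted(actions),
            })
    return findings


# Constructed manifest: package from the report, receiver name hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="beznogym.hack">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="AmnesiaBETA">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"
        android:exported="true">
      <meta-data android:name="android.app.device_admin"
          android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```

On a real sample, feed the output of `apktool d` (or androguard's `get_android_manifest_axml().get_xml()`) to audit_manifest; the receiver's android:resource entry then points at the device_admin XML that lists which admin policies (wipe, lock, password reset) the app asks for.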

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-10 20:53
Reported: 2024-11-10 20:58
Platform: android-33-x64-arm64-20240624-en
Max time kernel: 10s
Max time network: 135s

Command Line

beznogym.hack

Signatures

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

beznogym.hack

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.228:443 | - | udp
GB | 142.250.187.228:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 1.1.1.1:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
GB | 142.250.187.238:443 | - | tcp
GB | 142.250.187.238:443 | - | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 142.250.200.42:443 | remoteprovisioning.googleapis.com | tcp
US | 162.159.61.3:443 | - | tcp
US | 162.159.61.3:443 | - | tcp
US | 162.159.61.3:443 | - | udp
GB | 172.217.16.227:443 | - | tcp
GB | 172.217.16.227:443 | - | udp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.178.4:443 | - | tcp
GB | 142.250.178.4:443 | - | tcp
GB | 142.250.187.228:443 | - | udp
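A triage pass over a network table like the one above, as an added example that is not part of the report or the sandbox. The sandbox's raw export prints rows as "Country Destination [Domain] Proto" and simply omits the Domain column on rows with no DNS attribution, so columns shift; the parser handles that as well as a pipe-separated layout. It then sorts endpoints into external-IP lookup services, messaging APIs commonly used as exfiltration or C2 channels, Android platform noise, and unattributed raw IPs that still need a look. The host lists are the author's assumptions; SAMPLE_TABLE is the behavioral3 table copied from the report, and the same pass applies unchanged to the behavioral4, behavioral1 and behavioral2 tables, which show the same two hosts of interest.

```python
"""Parse and triage a sandbox network table. Added example; host
classification lists are the author's, not the sandbox's."""

# Author's lists: services whose only purpose is to tell a client its own
# public IP, and messaging APIs routinely abused as exfil/C2 transport.
IP_LOOKUP_HOSTS = {"ipinfo.io", "api.ipify.org", "ifconfig.me", "icanhazip.com", "ip-api.com"}
MESSAGING_API_HOSTS = {"api.telegram.org": "Telegram Bot API"}
# Google endpoints the Android emulator image talks to on its own.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com", "gstatic.com")
MDNS = "224.0.0.251:5353"  # multicast DNS, local discovery noise


def parse_rows(text):
    """Rows are 'Country Destination [Domain] Proto' (raw export, Domain
    optional) or 'Country | Destination | Domain | Proto' with '-' for none."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.lower().startswith("country"):
            continue  # blank line or header
        parts = [p.strip() for p in line.split("|")] if "|" in line else line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts  # Domain column absent
            domain = None
        else:
            raise ValueError(f"unparseable row: {line!r}")
        if domain in ("-", "N/A", ""):
            domain = None
        if country == "N/A":
            country = None
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def _is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def triage(rows):
    """Bucket endpoints; 'flagged' maps a domain to the reason it matters."""
    flagged, platform, unattributed, resolvers = {}, set(), set(), set()
    for r in rows:
        if r["dest"].endswith(":53"):
            resolvers.add(r["dest"])
        d = r["domain"]
        if d is None:
            if r["dest"] != MDNS:
                unattributed.add(r["dest"])  # raw IP, no DNS seen: pivot on it separately
            continue
        if d in IP_LOOKUP_HOSTS:
            flagged[d] = "external IP lookup service"
        elif d in MESSAGING_API_HOSTS:
            flagged[d] = MESSAGING_API_HOSTS[d]
        elif _is_platform(d):
            platform.add(d)
        else:
            flagged[d] = "unknown host, review"
    return {
        "flagged": flagged,
        "platform_noise": sorted(platform),
        "unattributed": sorted(unattributed),
        "resolvers": sorted(resolvers),
    }


# behavioral3 network table, in the sandbox's raw export layout.
SAMPLE_TABLE = """
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.228:443 udp
GB 142.250.187.228:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 1.1.1.1:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 142.250.200.42:443 remoteprovisioning.googleapis.com tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 udp
GB 172.217.16.227:443 tcp
GB 172.217.16.227:443 udp
GB 142.250.187.228:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
GB 142.250.187.228:443 udp
"""

if __name__ == "__main__":
    for bucket, items in triage(parse_rows(SAMPLE_TABLE)).items():
        print(bucket, items)
```

Both flagged hosts are reached over 443, so the ipinfo.io response and whatever is sent to the Telegram Bot API (the bot token is part of the URL path) are not visible in this capture; recovering them needs TLS interception in the sandbox or a hook on the app's HTTP client.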

Files

/data/data/beznogym.hack/no_backup/androidx.work.workdb-journal

MD5 3e9a655922b11910b56d661d962ed7a2
SHA1 30b189fe90eb1cf2930f4259661444b395a703ef
SHA256 2d5eb147cdcb61760ec15648bee54a312e69848109da75db99fe411b8aa66d6b
SHA512 7b617f8e00b1dadb3c7cac74753821e5c6873e5102908c8584b9f178ccbc370e7b182d20c2e25346ba961b5c3d486f6fc64a5336a72ee5e0e7bb44df257340cc

/data/data/beznogym.hack/no_backup/androidx.work.workdb

MD5 0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1 fee434f784e73cc7916322e949f727caf8363102
SHA256 b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512 b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

/data/data/beznogym.hack/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 dbb5880c4866ac2f3ae9f45d741e2ee2
SHA1 182bb91e3e145e331900b175747240eaafd96a3f
SHA256 891067a417ff93807f253537eadc815823e357ab4e4dcdf4979c134428b78fc0
SHA512 21d98615637417b778b93bca2ae4e6382f9251b35dc41ce62100e1020895418335cd745653a0e3db4af7eb611ebdd2164304b098fa5a54a30852cd22225c6f3d

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 812e6990594750a4a27ccb788c5399d4
SHA1 4bca7ce9e7bb93401e99137b91a6578dd29b136b
SHA256 aba3738cdfbc09756f8ae4ab7a0674938db1bfe59371751970f08f1a89c80ee3
SHA512 05ddf07552fce2a1789dc1f863b32e57eabdac1de84d307c0cc1b58a3f987350fba11bff07707ab0a4234f2adcba7ed4aecadfb18173249ea44bd5ce3524dc83

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 41c0bbfbc15fefbb198f306af47b2540
SHA1 30cec0590f730a59f95702cb53a7add4b0795612
SHA256 2bb16d150d8b14bce5a82aacb137e11d47acd7fd391c50c40d8aba9cf242c7af
SHA512 3f3070ec89b8a240490e91e2a9d4b3b3885ee1a0154774fa66c41bc3b15167b0a37aa81a0aa8846f20bd95d63e51a43a911797a1038ca7f5aacd0267a72e5de9

/data/data/beznogym.hack/files/profileInstalled

MD5 c0a5ea0aff6e51035067e6299461e62a
SHA1 88eb51a3a2b04db2ad68b28163d296f61f07d3fd
SHA256 1c7b9c3aca3a67ad7fa41ebc4824c65c4d567a4014dee887bf92bf131ce99803
SHA512 f8c11e2c93cbe52bcc2501c5ad1c5b3196f7c8497739c089a20d65abc0f3265840647e2f91ec597677f6cc54b66642e36dd5f1a5f45e6ad76018db7a0fd8e187
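The androidx.work.workdb file and its -journal, -wal and -shm companions listed above are the SQLite database (and its side files) that WorkManager uses to persist scheduled work; on API 23 and later WorkManager hands that work to the platform JobScheduler, which is what the IJobScheduler.schedule signature in this run records. A way to read the captured database and see which workers the app scheduled and how often, as an added example that is not part of the report: it assumes the stable subset of WorkManager's WorkSpec columns used below (durations in milliseconds, state stored as an integer), and build_sample_db() constructs a stand-in database with hypothetical worker class names so the script runs offline.

```python
"""List scheduled WorkManager work from a captured androidx.work.workdb.
Added example; the sample database and worker names are constructed."""
import sqlite3

# WorkManager's integer encoding of WorkInfo.State (WorkTypeConverters).
STATES = {0: "ENQUEUED", 1: "RUNNING", 2: "SUCCEEDED", 3: "FAILED", 4: "BLOCKED", 5: "CANCELLED"}
LIVE_STATES = ("ENQUEUED", "RUNNING", "BLOCKED")
MIN_PERIODIC_MIN = 15  # PeriodicWorkRequest.MIN_PERIODIC_INTERVAL_MILLIS is 15 minutes


def open_workdb(path):
    """Open a copied androidx.work.workdb read-only. Copy the main file
    together with its -wal and -shm side files into the same directory
    first: the WAL holds the most recently committed pages, and SQLite
    silently ignores it if it is missing."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_work_specs(conn):
    """One dict per WorkSpec row. interval_duration is 0 for one-off requests."""
    cur = conn.execute(
        "SELECT id, state, worker_class_name, initial_delay, interval_duration, flex_duration "
        "FROM WorkSpec ORDER BY worker_class_name"
    )
    specs = []
    for wid, state, cls, delay_ms, interval_ms, flex_ms in cur:
        periodic = interval_ms > 0
        specs.append({
            "id": wid,
            "state": STATES.get(state, f"UNKNOWN({state})"),
            "worker": cls,
            "periodic": periodic,
            "interval_min": interval_ms / 60_000 if periodic else None,
            "flex_min": flex_ms / 60_000 if periodic else None,
            "initial_delay_s": delay_ms / 1_000,
        })
    return specs


def persistent_workers(specs):
    """Periodic work that is still live is re-scheduled by WorkManager after
    a reboot; that is the persistence worth naming in a report."""
    return [s for s in specs if s["periodic"] and s["state"] in LIVE_STATES]


def build_sample_db():
    """Constructed stand-in for a captured workdb (subset of the real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE WorkSpec (
            id TEXT NOT NULL PRIMARY KEY,
            state INTEGER NOT NULL,
            worker_class_name TEXT NOT NULL,
            initial_delay INTEGER NOT NULL,
            interval_duration INTEGER NOT NULL,
            flex_duration INTEGER NOT NULL
        )""")
    conn.executemany("INSERT INTO WorkSpec VALUES (?, ?, ?, ?, ?, ?)", [
        # Hypothetical worker classes; the package name is the sample's.
        ("11111111-1111-4111-8111-111111111111", 0, "beznogym.hack.work.BeaconWorker", 0, 900_000, 300_000),
        ("22222222-2222-4222-8222-222222222222", 2, "beznogym.hack.work.UploadWorker", 5_000, 0, 0),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()  # on a real capture: open_workdb("androidx.work.workdb")
    for spec in list_work_specs(db):
        print(spec)
    print("persistent:", [s["worker"] for s in persistent_workers(db and list_work_specs(db))])
```

Against a real capture, replace build_sample_db() with open_workdb() on the copied file set. The worker class names it returns are the next pivot in the decompiled code, and an interval at the 15-minute floor is typical of a beaconing worker.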

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-10 20:53
Reported: 2024-11-10 20:58
Platform: android-x86-arm-20240624-en
Max time kernel: 10s
Max time network: 143s

Command Line

beznogym.hack

Signatures

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

beznogym.hack

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.204.74:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 1.1.1.1:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp

Files

/data/data/beznogym.hack/no_backup/androidx.work.workdb-journal

MD5 b08247ea20aad8b2b3fac7d194c95041
SHA1 0d392be49c87a3c024e21ea97bdbd4f17d57e72b
SHA256 b03adb3d26d78a208e0e6282216c1b9dd25000a87f783a71c2b268ab2f068e69
SHA512 fef857c0187eede68473d1b2a76eaeeaafd64b1a0c3292c18862831923e40411a72885312fe981b70dc32e407f055b18c8ec712b1ff0770d99ca9724e0c78c4e

/data/data/beznogym.hack/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/beznogym.hack/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 9cb5317e22ca3388f4577e17900795dc
SHA1 21e076fd46cdece382dc314318b2ff51fa153462
SHA256 a50213e9973eef51a76a3ed467986718112bf9f0e8b8fb5330f101f35122cd9c
SHA512 a66dc0de0009fe6aa0bdf771b18d33e97751aa16ee161e346dcb4db133bcb06cb95a5450f30fcc395f96457e3b02b0cbb453c579ed48e98e797498d5944d3632

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 46bab48c0fb4bdeb4087a8759cb323b8
SHA1 266bbfafd44b68e8582fb4d3004016c013eee8c7
SHA256 7895bc9307b8d877cc5c1ee183604bef4d978627851a495a0334ecd5a708eb42
SHA512 ebb4be732edb8c27bf7872d0e865c5644f242c8bc70da711430ebb3e96b05de7697555c337360c16682b2883170367dedb8ddd01218b31d2e5d5e631c1624a6a

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 b076ca71bfed199efa47b90fb7b3d2ef
SHA1 ba06093af3aad443e5e71394d8b759bde20ce0bf
SHA256 8e2504c0a5d88f646fae358a80549c6ef7e5c0ed2c168040875f0e3ccf2c936b
SHA512 1dac11e50942d272b40d19f391d28e8d9a7cfe8d4bf0da5a2441c780d05c3c0bd50ba44dd134240accb2ae73cc32e362fd23b23fd8a704ea8574dee67adbecbc

/data/data/beznogym.hack/files/profileInstalled

MD5 dc7d0b55d62ecb129c78b6b8893517d6
SHA1 34f3fc5c3a7adb281195e947aff6bb046468b927
SHA256 aee2d4d7c8a046701ef83de67dd69ab4cad753b7565d7eb27c199e87db0f25cc
SHA512 2ffaf97adfe6b747ae5611ab1981613868d3f3ba237445c4e920b61467011db649e2522c13270f94207b66d4398365f16f52cc97802c0f7fb295c041eb4494f4

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 20:53
Reported: 2024-11-10 20:58
Platform: android-x64-20240624-en
Max time kernel: 9s
Max time network: 156s

Command Line

beznogym.hack

Signatures

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

beznogym.hack

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 1.1.1.1:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp

Files

/data/data/beznogym.hack/no_backup/androidx.work.workdb-journal

MD5 9384b0da8f92847853489126e8b0f953
SHA1 d7b9fb4a3ea9771ae394f58e907a00d3b95abb8b
SHA256 0cf77da37b4aa81d328d89ecf9f4d4be999fb91982b6752f442aa6fa36cc50a8
SHA512 c58e241f6d1ae459ed8034684d8537e79087554c79a118368063d45a0a68bbdc020ad73b6047ea638ee1592433a556a4c8f2a60d79c84dcc04a2c911fbb5bfea

/data/data/beznogym.hack/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/beznogym.hack/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 237ee09325f2e8118961b4375eca1cfd
SHA1 06f1c2ae42595c808ebe0c4cac896a721b53d5cc
SHA256 d359051e096f51af368ad3cfcc9fa2164b25e162f672d58a63a0ef4258c2e8af
SHA512 ecdcc5e08fcb5355fadcf9d0539b9631b34f4eabde24e2ea5eddd6f015b9c6fb5fd90269a175a13d01fd41d7c886c9a22a82bfcfd04355444766d0af099d385e

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 ac3802d9c3d5077fd7a1c9b059d4a99a
SHA1 a447904e9195d7f4dc063db946e45b7b09ff0ba4
SHA256 769faa7d375ba31b525771b4820b4a475a1d07988c635cd73f7a5fff6d803bec
SHA512 88914b6a10868a037c4d52c5241e7e600d3015669b83b89050e7a808cfe238a2e974fb11c7073af25dafe34f59c5960dd07ea6b80896b7f05dfc409b3064b618

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 7b7d40d56ae040999bdd3f0073b05a4d
SHA1 6f8081e420faa287cdefa18e246c5118c060883f
SHA256 94c0671724885eb4287c8f65957ac0f5493b2e639b3349ce2407d536b59a9bb7
SHA512 9437d15f9a2cef58b7774f3ada3e9b7e2718355ad7fa5c37c1bd2e04e533f58d228332232349f91a562f2ba127589057b759883d03c1de1522c8348268e59b9f

/data/data/beznogym.hack/files/profileInstalled

MD5 5516e6ad44fb289751955077a732a284
SHA1 271e66a713e820716201b3329ee4eb6bacde7dcc
SHA256 db179280bb1f7ac21b326e00bf6a7cd6f07d166fe4361fbaf688decd44bc60c7
SHA512 27ca27792c88b6cea7a08e8b479ac2fbe5e8f17c5da1c19a6d5b6d88f5d63d367dcef0c999c97af6215cc240305dc8c1ce3519f9281e6ee32256258ba2f75134

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 20:53
Reported: 2024-11-10 20:58
Platform: android-x64-arm64-20240624-en
Max time kernel: 9s
Max time network: 133s

Command Line

beznogym.hack

Signatures

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Schedules tasks to execute at a specified time

Tags: execution, persistence

Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

beznogym.hack

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | - | tcp
GB | 216.58.212.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 1.1.1.1:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.187.228:443 | - | tcp

Files

/data/data/beznogym.hack/no_backup/androidx.work.workdb-journal

MD5 e2284536baa717e585cd50626e467d30
SHA1 45057a7dda97482acb7139251f07945a1a942c53
SHA256 6e40fd042717691b499fc2aa1180a1a4e64296eeadd73ba2851fbf3591b59686
SHA512 a36c297a66527c28760afb72e6125d60bda5d6670b00d02296364f3c665412f5f7e483f2e670e2fcbe1b9966848013f6b656fbeb4acb8468edace02482802958

/data/data/beznogym.hack/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/beznogym.hack/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 8b7dbdd38e09ebf14fb56a07bd1f8e2f
SHA1 47c28bf7f603792d0a562ab977ab1dfbc69f625a
SHA256 ff1ce8e9510bde6758024a575d6a8fb8ae1035538c98242291cf0b0ded6412d9
SHA512 0f72fbcd722da623dd751d0f64ef7f9055106fc999f62bac9c32014c79b4fe6332c0b8bd57b365e62573cd3b5a7d0ddb95843e9edbfa5c860afea0e0dda4c9ec

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 b33f1264d6a7c3e43d34f8f08b14d34f
SHA1 c6f40fdc9efb17a8a2b4461ab3661fce2fea1d5d
SHA256 d3a463ac1b1714ce9b910c166efaadca715d834a1e22ba8a82bebd364f76e514
SHA512 302fdd665300b6bda1fd6d48f1d20b684ac834edcbe6554ec69f25396aaa8b0f92b84b28305d4a7fabc6c9ca99b75c46c89cbf20f9f36f63d60c568358424268

/data/data/beznogym.hack/no_backup/androidx.work.workdb-wal

MD5 f9bfe2c1da4c9252b045f09a951bd47e
SHA1 308a5191eb0241b8d34a9df7cbace371e5ec40b2
SHA256 7939e4dad9a76df08b62fc73abfcbe4297770dd58f146726295d725946319981
SHA512 eabe17ce6daa3aabde74cd0af335220a1e05d8d329157b4abc347aca199543f27e15e7abf95099323cc9a17f8b388cf8dcd8287eb211d25c79388187e37ca046