Malware Analysis Report

2024-12-01 03:12

Sample ID 241111-txxhwazqav
Target Incredibox-Sprunki.apk
SHA256 480202492f12938f93798c2ecbc4d68ffdb16aac0c644d63986f17180ae46538
Tags
discovery persistence collection credential_access impact evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

480202492f12938f93798c2ecbc4d68ffdb16aac0c644d63986f17180ae46538

Threat Level: Shows suspicious behavior

The file Incredibox-Sprunki.apk shows suspicious behavior. The package name (co.median.android.leezlz), the gonative-config directory written under the app's data directory on first run and the license.gonative.io / events.gonative.io traffic seen in every detonation are consistent with an app built with the GoNative/Median.co webview wrapper; read the signatures below with that in mind.

Malicious Activity Summary

discovery persistence collection credential_access impact evasion

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 16:26

Signatures

Requests dangerous framework permissions

Description: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
Indicator:   android.permission.READ_PHONE_STATE
Process:     N/A
Target:      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 16:26

Reported

2024-11-11 16:29

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

137s

Command Line

co.median.android.leezlz

Signatures

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator:   com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process:     N/A
Target:      N/A

Note that this call returns the ISO 3166-1 alpha-2 country code of the registered network operator, which the platform derives from the MCC, so what the app learns is the country the device is in rather than the raw MCC value.

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator:   android.app.IActivityManager.registerReceiver
Process:     N/A
Target:      N/A

Checks memory information

Description: File opened for read
Indicator:   /proc/meminfo
Process:     N/A
Target:      N/A

Processes

co.median.android.leezlz

Network

Country  Destination           Domain                              Proto
N/A      224.0.0.251:5353      -                                   udp
GB       216.58.213.10:443     -                                   tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53            license.gonative.io                 udp
US       192.155.91.240:443    license.gonative.io                 tcp
US       1.1.1.1:53            events.gonative.io                  udp
US       172.67.132.147:443    events.gonative.io                  tcp
US       1.1.1.1:53            update.googleapis.com               udp
GB       142.250.187.227:443   update.googleapis.com               tcp
GB       142.250.200.46:443    -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       172.217.16.238:443    android.apis.google.com             tcp

A "-" in the Domain column means no hostname was recorded for that connection.

Files

/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json

MD5 ad12f43961ab46511df5ddb2c0a8c139
SHA1 d5202081c0033dc2a4147c97a5255ea5b6dc1a0f
SHA256 537892617ffc701ff8c306ee15bac6f81c04d427d9df47eef137dc77882a2023
SHA512 955eb641704a9de4bd934a928e5fa3af2fc24f840b27117038f650905e9c69509b9b7f42306419363d6bda5e9b04e57bf9ba84b2690bbda85ae20091799018ee

/data/data/co.median.android.leezlz/files/INSTALLATION

MD5 26b95a35decdd0782bb7ce95065ac7b2
SHA1 11097c0670ce7824e33886162d82b6ad7aa90634
SHA256 65cf8049f9a0673f49fe724998b5fec03880b159cf741c7dbbe386073101a698
SHA512 0bcc60081fe054c938f1ee91b02b54e0520b808c352cdf8093966dba1a5a056911a3e85b87f7c5d06418eab4017c9e2ebf705108834f90ae1036e4d474b00dac

/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof

MD5 3f5cfe4fc19be316d18a9c517f993ea8
SHA1 4a86c072ef020f6dd6dad7353e9ac09a55f0e385
SHA256 48fef3acaefdf80aae362810301bf24016a0c499eaf4ef1fca14a8cb6e0b32e3
SHA512 a98e4d143c92842ecaf448a17bc6aeb890bc239040663bc77bb844508d5e17375371ccfb8bd555342332a485062ed96b2eea207a129d4b6c07852080869222b4

/data/data/co.median.android.leezlz/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 49bc1a28f791199f83c0f92bcb629c66
SHA1 7585d0caaed4d909585e20dc8324e6c35f3aaef9
SHA256 dfa22789c82239e581f559c7cf6468e58f7fd95dd85524d4f6f1866735f7cdbb
SHA512 f4c5ec7fe507c2f7ec0a25f9a354d63fbd0c554ff2734cbc89d9d2239c5d7295ef6cbf34d50a29c3eb9dc0a30e9722b045732d5953326dfbbbad2281df4d04c7

/data/data/co.median.android.leezlz/files/profileInstalled

MD5 671c057eb6ed479e42ad8bc162111d21
SHA1 fa4a8cd71b96bab2dbf139e34654b26c263891e3
SHA256 a84239799ed416384e9629325f2ea5ec1e7387aca4d2b5afcfdd6ab1597e064c
SHA512 81d523108130b9d4aa02c614ad1af8633314fecd4e249402f9425e885c8e1c23992d37c135c8ceb8c34f156497fbb25deb43fff6d1e5c3849fd82f484223f92d

/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof

MD5 c9eaa32e7f79ca0d0f50a88961534899
SHA1 b35b5af507d94eba162bd69b2b890cf68a09cdd7
SHA256 e9b982c371bdfcb9e921e54113c90ce8346c1af7b468115fe322bcfbf8fd4f5d
SHA512 24280d610cc752c49b0cea8f3d04b02235673ce5e93e1afc52821dbcf53b027b97ba93a48e39a13ee53d6d4b1fd25496ffe1ed9c11c27e9d43ea1737cad1f5d8

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 16:26

Reported

2024-11-11 16:29

Platform

android-x64-20240624-en

Max time kernel

47s

Max time network

158s

Command Line

co.median.android.leezlz

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator:   android.content.IClipboard.addPrimaryClipChangedListener
Process:     N/A
Target:      N/A

The call registers a listener that fires whenever the primary clip changes, which is how an app learns that something new (a password, a one-time code, a wallet address) was just copied. Whether the app can then read the clip contents depends on the platform's clipboard rules (from Android 10 onwards only the focused app or the default IME may read the clipboard), and this report records the registration only, not a subsequent read of the clip.

Queries the mobile country code (MCC)

discovery
Description: Framework service call
Indicator:   com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process:     N/A
Target:      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description: Framework service call
Indicator:   android.app.IActivityManager.registerReceiver
Process:     N/A
Target:      N/A

Checks CPU information

Description: File opened for read
Indicator:   /proc/cpuinfo
Process:     N/A
Target:      N/A

Checks memory information

Description: File opened for read
Indicator:   /proc/meminfo
Process:     N/A
Target:      N/A

Processes

co.median.android.leezlz

Network

Country  Destination           Domain                      Proto
N/A      224.0.0.251:5353      -                           udp
US       1.1.1.1:53            license.gonative.io         udp
US       192.155.91.240:443    license.gonative.io         tcp
US       1.1.1.1:53            events.gonative.io          udp
US       172.67.132.147:443    events.gonative.io          tcp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       142.250.200.40:443    ssl.google-analytics.com    tcp
US       1.1.1.1:53            accounts.google.com         udp
GB       64.233.166.84:443     accounts.google.com         tcp
US       1.1.1.1:53            accounts.google.com         udp
BE       108.177.15.84:443     accounts.google.com         tcp
US       1.1.1.1:53            update.googleapis.com       udp
GB       216.58.213.3:443      update.googleapis.com       tcp
GB       142.250.180.14:443    -                           tcp
US       1.1.1.1:53            android.apis.google.com     udp
GB       216.58.212.238:443    android.apis.google.com     tcp
GB       172.217.16.228:443    -                           tcp
GB       172.217.16.228:443    -                           tcp
GB       142.250.179.238:443   -                           tcp
GB       142.250.200.34:443    -                           tcp

A "-" in the Domain column means no hostname was recorded for that connection; repeated rows are separate connections to the same endpoint.

Files

/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json

MD5 ad12f43961ab46511df5ddb2c0a8c139
SHA1 d5202081c0033dc2a4147c97a5255ea5b6dc1a0f
SHA256 537892617ffc701ff8c306ee15bac6f81c04d427d9df47eef137dc77882a2023
SHA512 955eb641704a9de4bd934a928e5fa3af2fc24f840b27117038f650905e9c69509b9b7f42306419363d6bda5e9b04e57bf9ba84b2690bbda85ae20091799018ee

/data/data/co.median.android.leezlz/files/INSTALLATION

MD5 3b4d6ac61c9abd2a3696a4e2ff5137a5
SHA1 fc6fcb74885611349d926f1bc5e101b83af213e8
SHA256 49bd3857e3540bb35caff8bc5a696358f98d0a12ec0438f27b41d893b5807d7f
SHA512 91f14644b0a23aa8f05d1334511b891a52b1d819c2fc4227d802ae301c5634ea4d28ef230c1f1d80019477ccef38c494236632e104cf0deed97fffe008f49b0f

/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof

MD5 3f5cfe4fc19be316d18a9c517f993ea8
SHA1 4a86c072ef020f6dd6dad7353e9ac09a55f0e385
SHA256 48fef3acaefdf80aae362810301bf24016a0c499eaf4ef1fca14a8cb6e0b32e3
SHA512 a98e4d143c92842ecaf448a17bc6aeb890bc239040663bc77bb844508d5e17375371ccfb8bd555342332a485062ed96b2eea207a129d4b6c07852080869222b4

/data/data/co.median.android.leezlz/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 b0fc025ffcaa1736a8208a1c5e256f94
SHA1 2d10a8a3e84e01e48f21f973ae90faaf154c8c3b
SHA256 9e29a4c43539838a2e89bbc8ebcc7751b67999aa4a021e0e10eb550b4fb6f68d
SHA512 8c495b30bc2c9627a837ffb0b0108df7140a06d920ceda20f4728a7857ac4cb60b27b7f3a000d7871a54d1ebfc72e4091fabecaddf6d54eefbed88bd5d6ad328

/data/data/co.median.android.leezlz/files/profileInstalled

MD5 b4c8594b561d2529ffc5f2cdf8f31193
SHA1 eb46475beda099b201c61998cdfef9c99b29727e
SHA256 19ff360238edff1a8950a2ddefced1577f8ef7149b5d42db140b6ea67d4e9433
SHA512 67381a8696d5015f6078e168b5e8ce64042db1e3925fb2b7e60e1e8d6fb766b19d8f345dc6ec74b897dd1a732cd29cb51814b7afb2644ad0b8b3725d27fda77c

/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof

MD5 c378e3fa0dc3d9d139c4503aafc3282e
SHA1 7c7f43fb7dfdafbcfd34221a505370c28ad4a341
SHA256 bb3304d0aadf9aab6187a2861ef8996c11ca3df28da08f3fcec555a6a79ae4cc
SHA512 cb9764d0b193dd4bdd6bdccc87d684f99ea4ea9a27173df61f6852cfa1c40cdb97e05106733163fdc9484a8319f14484c65eb5b73e0eecd26954ab094d5542b3

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-11 16:26

Reported

2024-11-11 16:29

Platform

android-x64-arm64-20240624-en

Max time kernel

19s

Max time network

134s

Command Line

co.median.android.leezlz

Signatures

Loads dropped Dex/Jar

evasion
Description: N/A
Indicator:   /system_ext/framework/androidx.window.sidecar.jar
Process:     N/A
Target:      N/A

Caveat: the indicator is a framework library under /system_ext/framework/, a read-only system partition that an unprivileged app cannot write to. This is a platform jar loaded at runtime, not a payload the sample dropped; its hashes are recorded in the Files list for this run.

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description: Framework service call
Indicator:   android.content.IClipboard.addPrimaryClipChangedListener
Process:     N/A
Target:      N/A

Checks CPU information

Description: File opened for read
Indicator:   /proc/cpuinfo
Process:     N/A
Target:      N/A

Checks memory information

Description: File opened for read
Indicator:   /proc/meminfo
Process:     N/A
Target:      N/A

Processes

co.median.android.leezlz

Network

Country  Destination           Domain                      Proto
GB       142.250.187.238:443   -                           tcp
GB       142.250.187.238:443   -                           tcp
GB       142.250.187.238:443   -                           tcp
N/A      224.0.0.251:5353      -                           udp
US       1.1.1.1:53            android.apis.google.com     udp
GB       142.250.187.238:443   android.apis.google.com     tcp
US       1.1.1.1:53            license.gonative.io         udp
US       192.155.91.240:443    license.gonative.io         tcp
US       1.1.1.1:53            events.gonative.io          udp
US       172.67.132.147:443    events.gonative.io          tcp
US       1.1.1.1:53            ssl.google-analytics.com    udp
GB       216.58.201.104:443    ssl.google-analytics.com    tcp
US       1.1.1.1:53            accounts.google.com         udp
US       1.1.1.1:53            accounts.google.com         udp
BE       108.177.15.84:443     accounts.google.com         tcp
US       1.1.1.1:53            update.googleapis.com       udp
GB       142.250.178.3:443     update.googleapis.com       tcp
GB       142.250.200.36:443    -                           tcp
GB       142.250.200.36:443    -                           tcp
US       1.1.1.1:53            update.googleapis.com       udp
GB       142.250.200.3:443     update.googleapis.com       tcp

A "-" in the Domain column means no hostname was recorded for that connection; repeated rows are separate connections to the same endpoint.
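The three Network tables mix DNS lookups, mDNS multicast, resolved connections and bare-IP connections in one flat list, and the rows that matter for an IOC list are buried among platform traffic. The following script is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the report's format (the behavioral3 rows are embedded as constructed sample input), separates lookups from contacts, drops the resolver and multicast noise, attributes a bare IP to a hostname when the same address was named by another row in the run, and groups the remainder by a suffix list. The suffix-to-label mapping is an analyst assumption for the example, not something the report supplies.

```python
"""Turn a sandbox report's flattened Network table into a grouped contact list.

Added example, not report or vendor code. Sample rows are the behavioral3
table copied from the report; the KNOWN_SUFFIXES mapping is an assumption.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = """\
Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 license.gonative.io udp
US 192.155.91.240:443 license.gonative.io tcp
US 1.1.1.1:53 events.gonative.io udp
US 172.67.132.147:443 events.gonative.io tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 108.177.15.84:443 accounts.google.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.178.3:443 update.googleapis.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.200.3:443 update.googleapis.com tcp
"""

# Analyst assumption: which name suffixes count as known infrastructure.
KNOWN_SUFFIXES = {
    "googleapis.com": "google-platform",
    "google.com": "google-platform",
    "google-analytics.com": "google-analytics",
    "gonative.io": "gonative/median-webview-wrapper",
}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Rows have 4 tokens, or 3 when no Domain was recorded."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def classify(domain: str) -> str:
    for suffix, label in KNOWN_SUFFIXES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return label
    return "unknown"


def is_noise(flow: Flow) -> bool:
    # mDNS multicast is local service discovery; UDP/53 rows are the
    # lookups themselves, not contact with the looked-up host.
    if ipaddress.ip_address(flow.ip).is_multicast:
        return True
    return flow.port == 53 and flow.proto == "udp"


def summarize(text: str) -> dict:
    flows = parse_rows(text)
    lookups = sorted({f.domain for f in flows if f.port == 53 and f.domain})
    # Names that were attached to an IP anywhere in the run, so that a
    # bare-IP row to the same address can be attributed.
    ip_names: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.domain and f.port != 53:
            ip_names[f.ip].add(f.domain)
    contacts: dict[str, set] = defaultdict(set)
    unresolved = set()
    for f in flows:
        if is_noise(f):
            continue
        names = {f.domain} if f.domain else ip_names.get(f.ip, set())
        if not names:
            unresolved.add(f"{f.ip}:{f.port}")
            continue
        for name in names:
            contacts[classify(name)].add((name, f"{f.ip}:{f.port}"))
    return {
        "lookups": lookups,
        "contacts": {k: sorted(v) for k, v in contacts.items()},
        "unresolved": sorted(unresolved),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_ROWS), indent=2))
```

On the behavioral3 rows the three bare connections to 142.250.187.238 collapse onto android.apis.google.com, the only endpoint left in "unresolved" is 142.250.200.36:443, and nothing lands in "unknown"; a destination that did would be the first thing to pivot on.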

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json

MD5 ad12f43961ab46511df5ddb2c0a8c139
SHA1 d5202081c0033dc2a4147c97a5255ea5b6dc1a0f
SHA256 537892617ffc701ff8c306ee15bac6f81c04d427d9df47eef137dc77882a2023
SHA512 955eb641704a9de4bd934a928e5fa3af2fc24f840b27117038f650905e9c69509b9b7f42306419363d6bda5e9b04e57bf9ba84b2690bbda85ae20091799018ee

/data/data/co.median.android.leezlz/files/INSTALLATION

MD5 08e1a93cc01e68a35685d8b30f0970fd
SHA1 6d0bbd1bd1b14f2a8ba6cf9ec175582ff6eb1768
SHA256 20bad057a3e55ec97e80e2a458a36d4f5ac432e61d3507e5e51739391ddcdd90
SHA512 938f57d703c1c6a624f8880839be05e6a29c612835679448c692f321e69e0908158b427de1f4242e7fdc1fe3d1f654b89e64713ce3c41eb6c0425da06c823883

/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof

MD5 3f5cfe4fc19be316d18a9c517f993ea8
SHA1 4a86c072ef020f6dd6dad7353e9ac09a55f0e385
SHA256 48fef3acaefdf80aae362810301bf24016a0c499eaf4ef1fca14a8cb6e0b32e3
SHA512 a98e4d143c92842ecaf448a17bc6aeb890bc239040663bc77bb844508d5e17375371ccfb8bd555342332a485062ed96b2eea207a129d4b6c07852080869222b4

/data/data/co.median.android.leezlz/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e85875a16f60660da5354c0c416439b2
SHA1 d4011b30512e4a289c386e6763d1e17518910f9e
SHA256 e3375a4e7eff328cc72ad0e91a188b6f702c257d44a7e1f5a0ab8534a7415228
SHA512 b0c82dacf686d2e27949fab5ae51b46d3859b04cad953b4fd2dca69e3a6a8842bd0d78cc9401c469277677aeec30a81a6f4cd4818d4428c406bf98e86b1f8c95
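The Files sections list the same paths in every detonation, but only some of the hashes repeat. Which ones do is the useful signal: a file whose hash is identical across runs is something the app ships or generates deterministically, a file whose hash changes per run is run-local state and useless as an indicator, and a path under a read-only system partition was never written by the app at all. The script below is an added example, not part of the report or of the sandbox's tooling; its sample input is constructed from the report's own SHA256 values for the three runs, with the MD5/SHA1/SHA512 lines omitted for brevity (the parser accepts them).

```python
"""Compare per-run file artifacts from a multi-detonation sandbox report.

Added example, not report or vendor code. RUNS is constructed from the
report's SHA256 values; the SYSTEM_PREFIXES list is an analyst assumption.
"""
from __future__ import annotations

from collections import defaultdict

RUNS = {
    "behavioral1": """
/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json
SHA256 537892617ffc701ff8c306ee15bac6f81c04d427d9df47eef137dc77882a2023
/data/data/co.median.android.leezlz/files/INSTALLATION
SHA256 65cf8049f9a0673f49fe724998b5fec03880b159cf741c7dbbe386073101a698
/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof
SHA256 48fef3acaefdf80aae362810301bf24016a0c499eaf4ef1fca14a8cb6e0b32e3
/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof
SHA256 e9b982c371bdfcb9e921e54113c90ce8346c1af7b468115fe322bcfbf8fd4f5d
""",
    "behavioral2": """
/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json
SHA256 537892617ffc701ff8c306ee15bac6f81c04d427d9df47eef137dc77882a2023
/data/data/co.median.android.leezlz/files/INSTALLATION
SHA256 49bd3857e3540bb35caff8bc5a696358f98d0a12ec0438f27b41d893b5807d7f
/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof
SHA256 48fef3acaefdf80aae362810301bf24016a0c499eaf4ef1fca14a8cb6e0b32e3
""",
    "behavioral3": """
/system_ext/framework/androidx.window.sidecar.jar
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json
SHA256 537892617ffc701ff8c306ee15bac6f81c04d427d9df47eef137dc77882a2023
/data/data/co.median.android.leezlz/files/INSTALLATION
SHA256 20bad057a3e55ec97e80e2a458a36d4f5ac432e61d3507e5e51739391ddcdd90
""",
}

# Analyst assumption: read-only partitions an unprivileged app cannot write to.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/apex/")
HASH_ALGOS = {"MD5", "SHA1", "SHA256", "SHA512"}


def parse_files(text: str):
    """Yield (path, algo, hexdigest) from the report's flattened file list."""
    path = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            path = line
            continue
        algo, _, digest = line.partition(" ")
        if path and algo in HASH_ALGOS:
            yield path, algo, digest.lower()


def compare_runs(runs: dict[str, str], algo: str = "SHA256") -> dict:
    seen: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for run, text in runs.items():
        for path, a, digest in parse_files(text):
            if a == algo:
                seen[path][run].add(digest)
    stable, volatile, seen_once, system = {}, {}, {}, []
    for path, per_run in seen.items():
        if path.startswith(SYSTEM_PREFIXES):
            system.append(path)
        digests = set().union(*per_run.values())
        if len(per_run) < 2:
            # One run is not enough to call a hash stable.
            seen_once[path] = sorted(digests)
        elif len(digests) == 1:
            stable[path] = next(iter(digests))
        else:
            volatile[path] = sorted(digests)
    return {
        "stable": stable,
        "volatile": volatile,
        "seen_once": seen_once,
        "system_partition": sorted(system),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare_runs(RUNS), indent=2))
```

For this report only gonative-config/regexintext.json is stable across the three runs, INSTALLATION and primary.prof change every time, and the one jar the evasion signature fired on sits under /system_ext/ and appears in a single run; the stable hash is the only file-level value worth carrying into a detection rule.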