Malware Analysis Report

2024-12-07 17:10

Sample ID 241112-13fwmswjcl
Target 6fdf1a9ee94fbb08c3dfeb6d5ad64708018c01aa960029e5f14f9475d07cd56c.bin
SHA256 6fdf1a9ee94fbb08c3dfeb6d5ad64708018c01aa960029e5f14f9475d07cd56c
Tags
discovery evasion persistence collection credential_access impact
Score 7/10


Analysis Overview

Score 7/10

SHA256

6fdf1a9ee94fbb08c3dfeb6d5ad64708018c01aa960029e5f14f9475d07cd56c

Threat Level: Shows suspicious behavior

The file 6fdf1a9ee94fbb08c3dfeb6d5ad64708018c01aa960029e5f14f9475d07cd56c.bin was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:10

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:10

Reported

2024-11-12 22:12

Platform

android-x86-arm-20240910-en

Max time kernel

6s

Max time network

151s

Command Line

com.jhuklisupport.android

Signatures

Queries the mobile country code (MCC)

discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.jhuklisupport.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.178.4:80 | | tcp
GB | 142.250.200.35:80 | | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

/data/misc/profiles/cur/0/com.jhuklisupport.android/primary.prof

MD5 a3e481943d5331bca7034e0f8faa6799
SHA1 9eb15b91a64f968449554b76d8c0f9cbc5df718f
SHA256 1069b08e167a3f2c435f6738e65b10c59b149b6fc41f8d6f10277dde53d1a64f
SHA512 d99904619f40ca60a20a8377000d174a6b68a814d55d20b13868506828ef430a677beab34d59fff5decc2b395ac80123ca22d74d88054a73e43d0f4a941abab4

/data/data/com.jhuklisupport.android/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 a6ff4b0c51f65c554879f4858cb4dff1
SHA1 1a78d8a684d52e190de66492d8bc11bf6d87bcad
SHA256 9d4e491b718df7082e174cc6b063f77252e4258fe85c027a36cdf0474cd4660d
SHA512 9f5a9cca38bf3983fa8bb9c0657df75e1d4eb392148a43b8335dc30cad5d59c4816c3d74238e2c4c674314e5b5c390c680c3f69ce5f478dbb482488ad43b5bfa

/data/data/com.jhuklisupport.android/files/profileInstalled

MD5 ad6fc4dccad1f9786cd129dcdf672769
SHA1 f0868d418b44dd1fd2f798879c88ea3e2d13342d
SHA256 eadc8f9cc943e6410bfdde6ef310862952112a8e92cc0bd49f1edd94fd7bd474
SHA512 5ff9a23233a978c9195d8bbb3bdd8e118bac566655a64a345e12d190f647a8cd582b2e9f46af55b20857a5fbabc900d0cb46b383914b527a5af746c816dea638

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:10

Reported

2024-11-12 22:12

Platform

android-x64-20240910-en

Max time kernel

22s

Max time network

153s

Command Line

com.jhuklisupport.android

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.jhuklisupport.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 216.58.212.226:443 | | tcp

Files

/data/misc/profiles/cur/0/com.jhuklisupport.android/primary.prof

MD5 a3e481943d5331bca7034e0f8faa6799
SHA1 9eb15b91a64f968449554b76d8c0f9cbc5df718f
SHA256 1069b08e167a3f2c435f6738e65b10c59b149b6fc41f8d6f10277dde53d1a64f
SHA512 d99904619f40ca60a20a8377000d174a6b68a814d55d20b13868506828ef430a677beab34d59fff5decc2b395ac80123ca22d74d88054a73e43d0f4a941abab4

/data/data/com.jhuklisupport.android/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 9d437a34c847f676574f3d9947e8ef0d
SHA1 766699177a14b71ba03c612ebe5ebabc5d4cad1b
SHA256 2d170ca6ea9b349075049dbe53496a627fb35c616d2d0583ebd8c66b7e03a8ca
SHA512 cc497838cfd7b5c59f300de8fb0922d6fa21616b20472a627fffe0704f286bd626df177600ad843d86b58c017a82e99ee139d8b0af2ff2410977c83c3d938072

/data/data/com.jhuklisupport.android/files/profileInstalled

MD5 8ff39c5b24908d3f948fe0686f7412a1
SHA1 962b01b40b6a48f1ad3b073a6c7bc6c1a003c094
SHA256 acb32b9f953719c8e25b0f5c20daa21bbc4fad8e0ad43fd26e455565137bd942
SHA512 b437b8c270c1d5b16d5b022c527b6c621dfed476d8cbbb32984df809282ef44df56deb1f9578e771b05adc9298e298b58df0c831bb3e0fc3b84b74e9e5cadb92

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 22:10

Reported

2024-11-12 22:12

Platform

android-x64-arm64-20240910-en

Max time kernel

122s

Max time network

155s

Command Line

com.jhuklisupport.android

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Checks the presence of a debugger

evasion

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.jhuklisupport.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.180.14:443 | www.youtube.com | tcp
GB | 216.58.212.206:443 | www.youtube.com | tcp
US | 216.239.36.223:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.193:443 | | tcp
US | 216.239.36.223:443 | | tcp
GB | 142.250.187.193:443 | | tcp
US | 216.239.36.223:443 | | tcp

Files

/data/misc/profiles/cur/0/com.jhuklisupport.android/primary.prof

MD5 a3e481943d5331bca7034e0f8faa6799
SHA1 9eb15b91a64f968449554b76d8c0f9cbc5df718f
SHA256 1069b08e167a3f2c435f6738e65b10c59b149b6fc41f8d6f10277dde53d1a64f
SHA512 d99904619f40ca60a20a8377000d174a6b68a814d55d20b13868506828ef430a677beab34d59fff5decc2b395ac80123ca22d74d88054a73e43d0f4a941abab4

/data/data/com.jhuklisupport.android/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 a858fc27dd3c5a452f03ce6f416f9f07
SHA1 ff435270fee15e8349a638397241dab04cae694d
SHA256 7b61e4e601ebf0e916b3c2af5b4e50392e50252c4d1e3faa98a09a2c6bb45ca2
SHA512 e0b39f573792e5f0a563787d5250d0c262e304257273a8aa5060785716e7a46c333df3c35de243a719c50ab61ea183712a1718c57c977311636b048ff5da986a