Malware Analysis Report

2024-12-07 17:10

Sample ID 241112-1z69esvrhj
Target 8fb5d925ec834fa64e20fb6b09227f967b01c560047520351297346e36c51ddd.bin
SHA256 8fb5d925ec834fa64e20fb6b09227f967b01c560047520351297346e36c51ddd
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8fb5d925ec834fa64e20fb6b09227f967b01c560047520351297346e36c51ddd

Threat Level: Shows suspicious behavior

The file 8fb5d925ec834fa64e20fb6b09227f967b01c560047520351297346e36c51ddd.bin shows suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 22:06

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
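The permission set above is what a triage analyst would pull from the decoded manifest before running the sample. The following script is an added example (not part of the sandbox's tooling or the sample): it parses an AndroidManifest.xml, flags runtime ("dangerous") permissions, and reports which capability combinations they imply. The embedded manifest is constructed to contain the five permissions listed in static1 plus INTERNET, and the DANGEROUS set and the capability mapping are this example's own assumptions.

```python
"""Triage <uses-permission> entries from a decoded AndroidManifest.xml.

Added example for this report; the manifest below is constructed and the
DANGEROUS set / CAPABILITIES mapping are assumptions, not sandbox data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the permissions reported under "static1" plus one
# normal-protection permission (INTERNET) to show that it is not flagged.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.yonoservice.registration">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
</manifest>
"""

# Runtime permissions relevant to SMS/OTP-stealer triage (subset; extend as needed).
DANGEROUS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECEIVE_MMS",
}

# Capabilities implied by permission combinations (assumed mapping).
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "sms_forwarding": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "device_identity": {"android.permission.READ_PHONE_STATE"},
}


def permissions(manifest_xml: str) -> list:
    """Return every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name", "") for el in root.iter("uses-permission")]


def triage(manifest_xml: str) -> dict:
    """Flag dangerous permissions and the capabilities their combinations imply."""
    perms = set(permissions(manifest_xml))
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "dangerous": sorted(perms & DANGEROUS),
        "capabilities": sorted(name for name, req in CAPABILITIES.items() if req <= perms),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"])
    for p in result["dangerous"]:
        print("  dangerous:", p)
    for c in result["capabilities"]:
        print("  capability:", c)
```

Run it against the `AndroidManifest.xml` produced by `apktool d <apk>`; the manifest inside the APK is binary XML and must be decoded first. The point of the capability layer is that RECEIVE_SMS together with READ_SMS and SEND_SMS is the minimum set an OTP-interception app needs, which is a stronger signal than any one permission on its own.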

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 22:06

Reported

2024-11-12 22:08

Platform

android-x86-arm-20240910-en

Max time kernel

6s

Max time network

151s

Command Line

com.yonoservice.registration

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yonoservice.registration

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.200.46:443 | N/A | tcp
GB | 142.250.200.46:443 | N/A | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.179.228:80 | N/A | tcp

Files

/data/misc/profiles/cur/0/com.yonoservice.registration/primary.prof

MD5 73f3fed449e037354c9bc19a2ee46738
SHA1 05ea0709c96b7a6297e950818fc2700222048b80
SHA256 6d8bf79b46d067b649501ca93805c189b935cb28a47eb8ca23bb0f4585ce5698
SHA512 47fcb246ae13c2189ad9d5fc551c24e1c61ca9bbd50d64281e77857e3169011925fb42be30d42152d3c0958db44a0cf4bcef4a7800fe8718791853a8970f1ec1

/data/data/com.yonoservice.registration/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 aca22647736818f7763fca11175ad709
SHA1 63e464b4dec0a28e754a6339c8365ca82a4294b2
SHA256 42dcd068e20bfaae4bde0a0bdde4b13edc07736bebc399ca46cfaddbdc0b3fe9
SHA512 ccf39aa3ee6b5e36a178ba795bfa0425b9517067e8de7a11329436d0afc5c09cd4d2679dc312ffaa030b6225a07e0868bea8df2d1bf94b6f1bdccf51b475c201

/data/data/com.yonoservice.registration/files/profileInstalled

MD5 3215743f3c3a55d49f404e5e0df421f3
SHA1 4fddd9d8adb9265c203ee88bdd23b8f3c72cf10f
SHA256 0f0b55e7778b501a4cbf08247f300141b69061b540c0ab395cf37b3df7f49cf7
SHA512 eb3a90bd7a411d02b46aa07b594ddcab0916096116cb83f527354b30582e678ff58d0a3c23e96862bca18e33e3cd8a1c57073087cb4ff69ff1f767808670591b

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 22:06

Reported

2024-11-12 22:09

Platform

android-x64-arm64-20240910-en

Max time kernel

65s

Max time network

156s

Command Line

com.yonoservice.registration

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Checks the presence of a debugger

evasion

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A
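Both behavioral runs record the sample opening /proc/cpuinfo and /proc/meminfo, but the sandbox output does not show what it does with the contents. A common reason for an app to read these two files is emulator fingerprinting. The script below is an added example (not the sample's code and not sandbox tooling): it parses constructed cpuinfo/meminfo text the way such a check would and reports which fields give an emulator away, so an analyst can see what a detonation image exposes. The marker strings and the memory threshold are this example's own assumptions, drawn from well-known emulator fingerprints.

```python
"""Parse /proc/cpuinfo and /proc/meminfo and report emulator-fingerprint signals.

Added example for this report. The inputs are constructed; EMULATOR_HARDWARE
and MIN_PLAUSIBLE_MEM_KB are assumptions, not values taken from the sample.
"""

# Constructed cpuinfo/meminfo resembling an Android emulator image.
CPUINFO_EMULATOR = """\
processor\t: 0
model name\t: ARMv8 Processor rev 1 (v8l)
BogoMIPS\t: 125.00
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
Hardware\t: Goldfish
"""
MEMINFO_EMULATOR = """\
MemTotal:        1017016 kB
MemFree:          402112 kB
MemAvailable:     611900 kB
"""

# Constructed cpuinfo/meminfo resembling a physical handset.
CPUINFO_PHYSICAL = """\
processor\t: 0
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
processor\t: 1
BogoMIPS\t: 38.40
Features\t: fp asimd evtstrm aes pmull sha1 sha2 crc32
Hardware\t: Qualcomm Technologies, Inc SM8250
"""
MEMINFO_PHYSICAL = """\
MemTotal:        7795064 kB
MemFree:         1204860 kB
MemAvailable:    3988120 kB
"""

# Substrings of the "Hardware" line that identify common emulators (assumption).
EMULATOR_HARDWARE = ("goldfish", "ranchu", "vbox", "virtualbox", "qemu")
# Below this MemTotal a device is unusually small for a modern handset (assumption).
MIN_PLAUSIBLE_MEM_KB = 1_500_000


def parse_proc(text: str) -> dict:
    """Map 'key : value' lines to a dict; for repeated keys (per-core blocks) the first wins."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())
    return fields


def cpu_count(cpuinfo: str) -> int:
    """Number of 'processor' blocks in cpuinfo."""
    return sum(1 for line in cpuinfo.splitlines() if line.startswith("processor"))


def emulator_signals(cpuinfo: str, meminfo: str) -> list:
    """Return human-readable reasons the inputs look like an emulator (empty if none)."""
    cpu = parse_proc(cpuinfo)
    mem = parse_proc(meminfo)
    signals = []

    hardware = cpu.get("Hardware", "")
    if any(marker in hardware.lower() for marker in EMULATOR_HARDWARE):
        signals.append(f"cpuinfo Hardware={hardware}")

    if cpu_count(cpuinfo) == 1:
        signals.append("cpuinfo reports a single core")

    mem_total = mem.get("MemTotal", "0 kB").split()[0]
    if mem_total.isdigit() and int(mem_total) < MIN_PLAUSIBLE_MEM_KB:
        signals.append(f"meminfo MemTotal={mem_total} kB")

    return signals


if __name__ == "__main__":
    for label, cpu, mem in (("emulator", CPUINFO_EMULATOR, MEMINFO_EMULATOR),
                            ("physical", CPUINFO_PHYSICAL, MEMINFO_PHYSICAL)):
        print(label, emulator_signals(cpu, mem) or ["no signals"])
```

On a real device you would feed it the output of `adb shell cat /proc/cpuinfo` and `adb shell cat /proc/meminfo`. If a detonation image trips these checks, a sample can exit or idle before doing anything interesting, which is worth keeping in mind when a run produces few behavioral indicators.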

Processes

com.yonoservice.registration

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.78:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | udp
GB | 142.250.187.206:443 | www.youtube.com | tcp
GB | 216.58.204.78:443 | www.youtube.com | tcp
US | 216.239.36.223:443 | N/A | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | www.youtube.com | tcp
GB | 142.250.179.225:443 | N/A | tcp
GB | 216.58.201.97:443 | N/A | tcp
US | 216.239.36.223:443 | N/A | tcp
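The Network tables in behavioral1 and behavioral2 mix mDNS, DNS lookups, connections to resolved Google hostnames, and bare IPs with no domain. The script below is an added example (not sandbox tooling) that classifies rows in the sandbox's own row format so the background traffic of the Android image can be set aside and the rest queued for a pcap check. The rows are the behavioral2 table; the platform-suffix list and the category names are this example's assumptions, and a row landing in "unresolved_ip" means only that no DNS answer in the capture is tied to it, not that it is malicious.

```python
"""Classify sandbox Network rows: platform noise vs. destinations to review.

Added example for this report. Rows are taken from the behavioral2 table;
PLATFORM_SUFFIXES and the category labels are this example's assumptions.
"""
import re
from collections import Counter

NETWORK_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 172.217.169.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
US 216.239.36.223:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.179.225:443 tcp
GB 216.58.201.97:443 tcp
US 216.239.36.223:443 tcp
"""

# "country ip:port [domain] proto" -- the domain column is optional.
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Hostnames treated as background traffic from the Android image itself
# (Play Services check-ins and similar). Assumption; verify for your image.
PLATFORM_SUFFIXES = ("google.com", "youtube.com", "google-analytics.com")


def is_platform_domain(domain: str) -> bool:
    """Exact or subdomain match against PLATFORM_SUFFIXES (no 'notgoogle.com' false positives)."""
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def classify(row: str) -> dict:
    """Parse one Network row and attach a category."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError(f"unparsable row: {row!r}")
    country, ip, port, domain, proto = m.groups()
    port = int(port)
    if ip == "224.0.0.251" and port == 5353:
        category = "mdns_multicast"        # link-local service discovery, never leaves the sandbox LAN
    elif port == 53:
        category = "dns_lookup"            # the query itself; the answer shows up as a later row
    elif domain and is_platform_domain(domain):
        category = "platform_service"
    elif domain:
        category = "other_domain"          # resolved name outside the platform list: inspect
    else:
        category = "unresolved_ip"         # no DNS answer tied to it; check TLS SNI / cert in the pcap
    return {"country": country, "ip": ip, "port": port, "domain": domain,
            "proto": proto, "category": category}


def triage(rows: str) -> dict:
    """Count categories and list the unique ip:port pairs that still need a look."""
    entries = [classify(r) for r in rows.splitlines() if r.strip()]
    counts = Counter(e["category"] for e in entries)
    review = sorted({f'{e["ip"]}:{e["port"]}' for e in entries
                     if e["category"] in ("unresolved_ip", "other_domain")})
    return {"counts": dict(counts), "review": review}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result["counts"])
    for dest in result["review"]:
        print("review:", dest)
```

Every row with a resolved name in this capture points at Google infrastructure, and no "other_domain" row appears, which is consistent with the sample not reaching any operator-controlled host during the run. The four unique bare IPs are the remaining open question: pull the TLS ClientHello SNI or the server certificate for each from the pcap before calling the run clean.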

Files

/data/misc/profiles/cur/0/com.yonoservice.registration/primary.prof

MD5 73f3fed449e037354c9bc19a2ee46738
SHA1 05ea0709c96b7a6297e950818fc2700222048b80
SHA256 6d8bf79b46d067b649501ca93805c189b935cb28a47eb8ca23bb0f4585ce5698
SHA512 47fcb246ae13c2189ad9d5fc551c24e1c61ca9bbd50d64281e77857e3169011925fb42be30d42152d3c0958db44a0cf4bcef4a7800fe8718791853a8970f1ec1

/data/data/com.yonoservice.registration/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 f12c571be8af40ed527ba89037fe0db1
SHA1 690640d7e13a286f9035bd896f0dd7c14eacfd71
SHA256 f55d3fa15b6fe43369cb9e62a5bb09f301719773c8f46e53141a4303a3304694
SHA512 a8b584420fc6eee857e7f1b30786d3bbb7c9faaf860f21f3a648e5cbc3318f1b851716a04156e077ec43409163570c4da90b5f2bcecd02942d534fff8f640f48