Analysis Overview
SHA256
c9fdbcaa970176c23dbcd2e52a744fafbc7b34f16e0d4c3e0616b48e35e3c9d4
Threat Level: Shows suspicious behavior
The file c9fdbcaa970176c23dbcd2e52a744fafbc7b34f16e0d4c3e0616b48e35e3c9d4.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Obtains sensitive information copied to the device clipboard
A potential corporate email address has been identified in the URL: [email protected]
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Attempts to obfuscate APK file format
Makes use of the framework's foreground persistence service
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 22:05
Signatures
Attempts to obfuscate APK file format
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 22:05
Reported
2024-11-12 22:08
Platform
android-x86-arm-20240910-en
Max time kernel
149s
Max time network
154s
Signatures
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.divine.smsreceiver
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | maxcdn.bootstrapcdn.com | udp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.2.137:443 | code.jquery.com | tcp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.2:443 | | tcp |
Files
/data/data/com.divine.smsreceiver/files/profileInstalled
| Algorithm | Digest |
| --- | --- |
| MD5 | b2687db67a43692446bbcedc728f8c54 |
| SHA1 | d4fdba9f0e3b371833e6da0ec5a7e7d60d115de7 |
| SHA256 | 119c053b6863614e8723e8be7f6f6d98a472165fb8fe0590ca7f18ac0fc30086 |
| SHA512 | 6f8feaddceaba31a1927871c279c81bcc2448d3349d4cd726dc2fa2a29cf69c379e39ae72b9e271cdfe26c68d333ab8b13edbb05a8c7b175b530fe3521a2e9d9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 22:05
Reported
2024-11-12 22:08
Platform
android-x64-20240910-en
Max time kernel
149s
Max time network
155s
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.divine.smsreceiver
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.234:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| GB | 216.58.212.202:443 | | tcp |
| US | 1.1.1.1:53 | maxcdn.bootstrapcdn.com | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 151.101.66.137:443 | code.jquery.com | tcp |
| US | 151.101.193.229:443 | cdn.jsdelivr.net | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp |
Files
/data/data/com.divine.smsreceiver/files/profileInstalled
| Algorithm | Digest |
| --- | --- |
| MD5 | 8b5a6e364f94ed6d770dc0d7efac5bce |
| SHA1 | 6c6e9f3a91d97ee52baf22e74931e94c87b92040 |
| SHA256 | 1f78818e1761ea2806d5bc48f5d569004a2e86e5249b4d4595449f801a9ce8aa |
| SHA512 | 4414f2ddebe123458d7be3161938ef763787e8235815765f4506fc7d1c00b303f5ad5707064c2745af5cc1bca6565852f227db3edfddb3858b2009e5b12feaa5 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-12 22:05
Reported
2024-11-12 22:08
Platform
android-x64-arm64-20240910-en
Max time kernel
115s
Max time network
153s
Signatures
A potential corporate email address has been identified in the URL: [email protected]
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.divine.smsreceiver
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | udp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| US | 216.239.32.223:443 | | tcp |
| US | 1.1.1.1:53 | maxcdn.bootstrapcdn.com | udp |
| US | 1.1.1.1:53 | code.jquery.com | udp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 104.18.10.207:443 | maxcdn.bootstrapcdn.com | tcp |
| US | 151.101.130.137:443 | code.jquery.com | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.193:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |
| GB | 216.58.204.65:443 | | tcp |
| US | 216.239.32.223:443 | | tcp |