Malware Analysis Report

2024-12-07 17:43

Sample ID 241112-zrv1ra1dqc
Target LazаrusCheat.apk
SHA256 9dff4c35ea3ed466cc71fbec368c61f641134877a352d52b3c543bb95b397456
Tags
collection discovery impact persistence credential_access
score
7/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
7/10

SHA256

9dff4c35ea3ed466cc71fbec368c61f641134877a352d52b3c543bb95b397456

Threat Level: Shows suspicious behavior

The file LazаrusCheat.apk was classified as showing suspicious behavior (score 7/10). Note that the package actually installed and run in every detonation is com.example.application, the default Android Studio template package name, and that nothing in this analysis attributes the sample to any actor; the "Lazarus" in the filename is the submitter's label, not a finding.

Malicious Activity Summary

Tactics: collection, discovery, impact, persistence, credential_access

  Obtains sensitive information copied to the device clipboard  [collection, credential_access, impact]
  Requests dangerous framework permissions
  Queries the mobile country code (MCC)  [discovery]
  Attempts to obfuscate APK file format
  Declares services with permission to bind to the system
  Requests changing the default SMS application  [collection, impact]
  Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]
  Uses Crypto APIs (might try to encrypt user data)  [impact]
  Checks memory information

MITRE ATT&CK

Mobile Matrix V15. Tactics observed across the static and behavioral runs: collection, credential_access, discovery, impact, persistence.

Analysis: static1

Detonation Overview

Reported

2024-11-12 20:57

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

  Indicator  android.permission.BIND_NOTIFICATION_LISTENER_SERVICE   Process: N/A   Target: N/A
  Required by notification listener services so that only the system can bind to them. A NotificationListenerService receives every notification posted on the device, including the text of incoming-message and one-time-code notifications, and can dismiss them. The permission is not granted at install time; the service only starts receiving notifications after the user enables the app under the system's notification-access settings, so check the app's UI for prompts that push the user there.

Requests dangerous framework permissions

  Indicator                              Process  Target  Description
  android.permission.READ_PHONE_STATE    N/A      N/A     Read-only access to phone state: current cellular network information, status of any ongoing calls, and the PhoneAccounts registered on the device.
  android.permission.READ_PHONE_NUMBERS  N/A      N/A     Read access to the device's phone number(s).
  android.permission.CALL_PHONE          N/A      N/A     Initiate a phone call without the Dialer UI asking the user to confirm.
  android.permission.READ_SMS            N/A      N/A     Read stored SMS messages.
  android.permission.SEND_SMS            N/A      N/A     Send SMS messages.
  android.permission.RECEIVE_SMS         N/A      N/A     Receive incoming SMS messages.
  android.permission.RECEIVE_MMS         N/A      N/A     Monitor incoming MMS messages.

  The full SMS permission set (READ_SMS, SEND_SMS, RECEIVE_SMS, RECEIVE_MMS) together with the ACTION_CHANGE_DEFAULT intent seen in behavioral1 is the profile of an app that wants to become the default SMS handler. On Android 4.4 and later only the default handler receives SMS_DELIVER broadcasts and writes messages to the SMS provider, so the default handler decides whether a message (for example a one-time code) ever appears in the user's inbox.
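The static signatures above are what a reviewer would pull out of the manifest by hand. The script below is an added example (not part of the original report or the sandbox's tooling) that does the same triage over a decoded AndroidManifest.xml: it lists the flagged permissions, finds services guarded by a system-only bind permission, and checks whether the manifest declares the four components Android requires before it will offer an app as default SMS handler, which is the precondition for the ACTION_CHANGE_DEFAULT prompt seen later in behavioral1 to succeed. A real APK stores the manifest as binary AXML, so decode it first (for example with `apktool d sample.apk`). SAMPLE_MANIFEST is constructed: its package name and permission list mirror this report, but the components in it are illustrative assumptions, not recovered from the sample.

```python
"""Static triage of a decoded AndroidManifest.xml (added example).

SAMPLE_MANIFEST is CONSTRUCTED: package name and permissions match the
report's static1 section; the service/receiver/activity entries are
illustrative assumptions, not recovered from the sample.
"""
import xml.etree.ElementTree as ET

NS = "http://schemas.android.com/apk/res/android"

# Permissions worth flagging for this report's profile (assumption: a subset,
# not the complete Android "dangerous" list).
DANGEROUS = {
    "android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
    "android.permission.CALL_PHONE", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
}
# Signature-level permissions a service declares so that only the system can bind to it.
SYSTEM_BIND = {
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
}
SMS_SCHEMES = {"sms", "smsto", "mms", "mmsto"}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.application">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_MMS"/>
  <application android:label="app">
    <service android:name=".NotificationSink"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
    <receiver android:name=".SmsDeliver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsDeliver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter>
        <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
        <data android:mimeType="application/vnd.wap.mms-message"/>
      </intent-filter>
    </receiver>
    <activity android:name=".Compose">
      <intent-filter>
        <action android:name="android.intent.action.SENDTO"/>
        <data android:scheme="sms"/><data android:scheme="smsto"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def attr(el, name):
    """Read an android:-namespaced attribute (None when absent)."""
    return el.get("{%s}%s" % (NS, name))


def actions(component):
    return {attr(x, "name") for x in component.iter("action")}


def default_sms_gaps(app):
    """Return which of the four components Android requires of a default SMS
    handler are missing. Empty list = ACTION_CHANGE_DEFAULT can actually succeed."""
    have = set()
    for r in app.iter("receiver"):
        acts, perm = actions(r), attr(r, "permission")
        if "android.provider.Telephony.SMS_DELIVER" in acts and perm == "android.permission.BROADCAST_SMS":
            have.add("SMS_DELIVER receiver")
        if "android.provider.Telephony.WAP_PUSH_DELIVER" in acts and perm == "android.permission.BROADCAST_WAP_PUSH":
            have.add("WAP_PUSH_DELIVER receiver")
    for a in app.iter("activity"):
        schemes = {attr(d, "scheme") for d in a.iter("data")}
        if "android.intent.action.SENDTO" in actions(a) and schemes & SMS_SCHEMES:
            have.add("SENDTO activity")
    for s in app.iter("service"):
        if ("android.intent.action.RESPOND_VIA_MESSAGE" in actions(s)
                and attr(s, "permission") == "android.permission.SEND_RESPOND_VIA_MESSAGE"):
            have.add("RESPOND_VIA_MESSAGE service")
    required = ["SMS_DELIVER receiver", "WAP_PUSH_DELIVER receiver",
                "SENDTO activity", "RESPOND_VIA_MESSAGE service"]
    return [r for r in required if r not in have]


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    app = root.find("application")
    return {
        "package": root.get("package"),
        "dangerous_permissions": sorted(
            attr(p, "name") for p in root.iter("uses-permission") if attr(p, "name") in DANGEROUS),
        "system_bound_services": [
            (attr(s, "name"), SYSTEM_BIND[attr(s, "permission")])
            for s in app.iter("service") if attr(s, "permission") in SYSTEM_BIND],
        "missing_for_default_sms": default_sms_gaps(app),
    }


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print("%s: %s" % (key, value))
```

On the constructed manifest the script reports seven flagged permissions, one notification-listener service, and that only the RESPOND_VIA_MESSAGE service is missing from the default-SMS-handler set; on a real sample, an empty `missing_for_default_sms` list combined with the ACTION_CHANGE_DEFAULT intent is the combination to escalate.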

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 20:57

Reported

2024-11-12 21:00

Platform

android-x86-arm-20240624-en

Max time kernel

19s

Max time network

131s

Command Line

com.example.application

Signatures

Queries the mobile country code (MCC)  [discovery]
  Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone   Process: N/A   Target: N/A

Requests changing the default SMS application  [collection, impact]
  Intent action  android.provider.Telephony.ACTION_CHANGE_DEFAULT   Process: N/A   Target: N/A
  This intent opens the system dialog asking the user to make com.example.application the default SMS app. It only takes effect if the user accepts, and only if the manifest declares the handler components Android requires of a default SMS app.

Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]
  Framework service call  android.app.IActivityManager.registerReceiver   Process: N/A   Target: N/A

Uses Crypto APIs (might try to encrypt user data)  [impact]
  Framework API call  javax.crypto.Cipher.doFinal   Process: N/A   Target: N/A
  Cipher.doFinal is also what an app calls to decrypt an embedded configuration or strings; on its own it does not indicate that user data is being encrypted.

Checks memory information
  File opened for read  /proc/meminfo   Process: N/A   Target: N/A
  Reading /proc/meminfo is routine (the framework reads it for ActivityManager.getMemoryInfo) and is also used for emulator fingerprinting; it is a weak signal by itself.

Processes

com.example.application

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     -                                   udp
GB       142.250.200.10:443   -                                   tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
NL       195.10.205.12:100    195.10.205.12                       tcp
NL       195.10.205.37:100    195.10.205.37                       tcp
NL       195.10.205.54:100    195.10.205.54                       tcp
NL       147.45.45.192:100    147.45.45.192                       tcp
NL       195.10.205.12:100    195.10.205.12                       tcp
NL       195.10.205.37:100    195.10.205.37                       tcp
NL       195.10.205.54:100    195.10.205.54                       tcp
GB       142.250.200.46:443   -                                   tcp
US       1.1.1.1:53           android.apis.google.com             udp
US       1.1.1.1:53           android.apis.google.com             udp
GB       216.58.201.110:443   android.apis.google.com             tcp

("-" marks rows where the report gave no Domain value.)

Files

All entries below are ART profile artifacts (primary.prof) and androidx.profileinstaller markers written during normal app start-up; they are not payloads dropped by the sample.

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 4f0578d9f0b68522af6ad21538a8f8ad
SHA1 81ca8f42ce048f6abaecf86b85d901c91e42d0c5
SHA256 d119d7c40d7b2e2d7518f0f060e991c48f7c575a3d946ba3c10bd70efa9e8042
SHA512 0fc21dd74c762910036e3697cc73a9f09495097f805e0e6a00dcc5c7eea61795550775e5e1ec47b64bf64e84c0d7fd4cab3f676c4e193fa219bca9348c5afb38

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 c6b555fcd753f92f5eda4301e098bb7b
SHA1 3f13ab9fba4374e929efdc506ba5e1d024d0ac50
SHA256 7d0096ab358a7ed3a286674d3c3c74498534d4fc21a163ee9c1b8f63e6a10227
SHA512 1a9c3457b73e5912aadd50113d9137cdc375ee517709f84dc8f8829ef2f6244ca68a45e005d7a58d4c2d525e0b7d370538ee00cfa37c7835aa95058426deac87

/data/data/com.example.application/files/profileInstalled

MD5 a3501180fba4f5c7fb8109fa25bad5db
SHA1 250682a07c712ecc13fd83de75853f80e2f1b1e9
SHA256 8eeb9cf428e1e9784b5012ed933837494216cf669e5a1da021ff14946d026f2f
SHA512 74f9ebf8b80f1237f85a7c78a8ae266a865bbf316252324032a6ea9656d268c2d1eb90bb2f607f3802012a74f807fbd433a32e628e3ed7064ae6eec43e54ece7

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 20:57

Reported

2024-11-12 20:59

Platform

android-x64-20240624-en

Max time kernel

47s

Max time network

64s

Command Line

com.example.application

Signatures

Obtains sensitive information copied to the device clipboard  [collection, credential_access, impact]
  Framework service call  android.content.IClipboard.addPrimaryClipChangedListener   Process: N/A   Target: N/A
  The listener fires on every clipboard change, so the app sees each value the user copies (passwords pasted from a manager, one-time codes, wallet addresses). Since Android 10 only the focused app or the default keyboard can read the clipboard, so a background listener gets nothing unless the app is in the foreground. The listener was registered in behavioral2 and behavioral3 but not in behavioral1.

Queries the mobile country code (MCC)  [discovery]
  Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone   Process: N/A   Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]
  Framework service call  android.app.IActivityManager.registerReceiver   Process: N/A   Target: N/A

Uses Crypto APIs (might try to encrypt user data)  [impact]
  Framework API call  javax.crypto.Cipher.doFinal   Process: N/A   Target: N/A

Checks memory information
  File opened for read  /proc/meminfo   Process: N/A   Target: N/A

Processes

com.example.application

Network

Country  Destination          Domain                     Proto
N/A      224.0.0.251:5353     -                          udp
US       1.1.1.1:53           ssl.google-analytics.com   udp
GB       142.250.200.40:443   ssl.google-analytics.com   tcp
NL       195.10.205.12:100    195.10.205.12              tcp
NL       195.10.205.37:100    195.10.205.37              tcp
NL       195.10.205.54:100    195.10.205.54              tcp
NL       147.45.45.192:100    147.45.45.192              tcp
NL       195.10.205.12:100    195.10.205.12              tcp
NL       195.10.205.37:100    195.10.205.37              tcp
NL       195.10.205.54:100    195.10.205.54              tcp
GB       142.250.179.238:443  -                          tcp
US       1.1.1.1:53           android.apis.google.com    udp
GB       172.217.169.14:443   android.apis.google.com    tcp
GB       142.250.200.36:443   -                          tcp
GB       142.250.200.36:443   -                          tcp

("-" marks rows where the report gave no Domain value.)

Files

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 4f0578d9f0b68522af6ad21538a8f8ad
SHA1 81ca8f42ce048f6abaecf86b85d901c91e42d0c5
SHA256 d119d7c40d7b2e2d7518f0f060e991c48f7c575a3d946ba3c10bd70efa9e8042
SHA512 0fc21dd74c762910036e3697cc73a9f09495097f805e0e6a00dcc5c7eea61795550775e5e1ec47b64bf64e84c0d7fd4cab3f676c4e193fa219bca9348c5afb38

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 982cccb4cf753c0f9f96177669802e1c
SHA1 83eb33abdcb823113d1553c2c94422efab003660
SHA256 5d8b1a4ac5203e90571284bf646e502ff560de0f58babd67774b2d3fed482d75
SHA512 675cd2c9590e3ac1c2b3d1d3cce82b76b90ac60e6067d1bdb83baa15afd8a0661f7c787bb2dd83f53469a78c2580a5770da4d236abee1500913c2e37b3a66b46

/data/data/com.example.application/files/profileInstalled

MD5 36bea815940e588547ec05e6617eb9a1
SHA1 7222fa60d0d4814312200a5c23ae85e46f77d363
SHA256 46df37d41669b2ab2fd3094b9bbbb779895147b36cc2488c88495422781879a9
SHA512 cbe4c33a45845adefea403e90bbe0a7643e18864515cb8573a6e40665065a892847894e5c0fb6f864355a7b448ca8ab771bdfbdd4ae13f9cc35fb3899329a9b5

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 eef1bd0db0883a2c7f728cea42bf836a
SHA1 840eb4ceea23540f4424c714925c0fb6bc716fb7
SHA256 e2ee28d59dd576a2266191ee55daa66f0a8b69fd2a4cc20d3cd948a4d4fb0e38
SHA512 3904a9d2f4fc94e2ca3bc480f15b184a8a6e7a7beb25bb703f55dd07461a21959f442d3b031f54de92496a39e07d01a55122e89c2d0aa40f885ff624dda998d5

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 20:57

Reported

2024-11-12 21:00

Platform

android-x64-arm64-20240624-en

Max time kernel

47s

Max time network

134s

Command Line

com.example.application

Signatures

Obtains sensitive information copied to the device clipboard  [collection, credential_access, impact]
  Framework service call  android.content.IClipboard.addPrimaryClipChangedListener   Process: N/A   Target: N/A

Uses Crypto APIs (might try to encrypt user data)  [impact]
  Framework API call  javax.crypto.Cipher.doFinal   Process: N/A   Target: N/A

Checks memory information
  File opened for read  /proc/meminfo   Process: N/A   Target: N/A

Processes

com.example.application

Network

Country  Destination          Domain                     Proto
GB       216.58.212.238:443   -                          tcp
GB       216.58.212.238:443   -                          tcp
US       1.1.1.1:53           android.apis.google.com    udp
GB       142.250.200.14:443   android.apis.google.com    tcp
N/A      224.0.0.251:5353     -                          udp
US       1.1.1.1:53           android.apis.google.com    udp
GB       142.250.178.14:443   android.apis.google.com    tcp
NL       195.10.205.12:100    195.10.205.12              tcp
NL       195.10.205.37:100    195.10.205.37              tcp
NL       195.10.205.54:100    195.10.205.54              tcp
NL       147.45.45.192:100    147.45.45.192              tcp
NL       195.10.205.12:100    195.10.205.12              tcp
NL       195.10.205.37:100    195.10.205.37              tcp
US       1.1.1.1:53           ssl.google-analytics.com   udp
GB       142.250.200.40:443   ssl.google-analytics.com   tcp
NL       195.10.205.54:100    195.10.205.54              tcp
GB       142.250.187.228:443  -                          tcp
GB       142.250.187.228:443  -                          tcp

("-" marks rows where the report gave no Domain value.)
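Across the Network tables of behavioral1, behavioral2 and behavioral3 the only destinations that are neither Google services nor sandbox plumbing (the 1.1.1.1 resolver, mDNS on 224.0.0.251) are four NL hosts on TCP port 100, contacted by IP with no preceding DNS lookup and in the same order twice per run, which looks like a fixed retry list. Port 100 carries no well-known service, so these are the rows to pivot on, but before calling them C2 confirm they are not infrastructure that every sample on this platform touches. The script below is an added example (not part of the original report or the sandbox's tooling) that performs that pivot: it parses the three tables as transcribed from this page, separates resolved names from direct-to-IP connections on non-standard ports, and keeps only the destinations present in every run. The benign-port and background-host lists are assumptions to tune per sandbox.

```python
"""Cross-run pivot of the sandbox Network tables (added example).

RUNS holds the rows transcribed from the behavioral1/2/3 Network tables of this
report (columns: Country Destination [Domain] Proto; rows ';'-separated here
to keep the block short). The report prints the bare IP in the Domain column
when no DNS name was seen for a destination.
"""
from collections import Counter

RUNS = {
    "behavioral1": (
        "N/A 224.0.0.251:5353 udp; GB 142.250.200.10:443 tcp; "
        "US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp; "
        "NL 195.10.205.12:100 195.10.205.12 tcp; NL 195.10.205.37:100 195.10.205.37 tcp; "
        "NL 195.10.205.54:100 195.10.205.54 tcp; NL 147.45.45.192:100 147.45.45.192 tcp; "
        "NL 195.10.205.12:100 195.10.205.12 tcp; NL 195.10.205.37:100 195.10.205.37 tcp; "
        "NL 195.10.205.54:100 195.10.205.54 tcp; GB 142.250.200.46:443 tcp; "
        "US 1.1.1.1:53 android.apis.google.com udp; US 1.1.1.1:53 android.apis.google.com udp; "
        "GB 216.58.201.110:443 android.apis.google.com tcp"),
    "behavioral2": (
        "N/A 224.0.0.251:5353 udp; US 1.1.1.1:53 ssl.google-analytics.com udp; "
        "GB 142.250.200.40:443 ssl.google-analytics.com tcp; "
        "NL 195.10.205.12:100 195.10.205.12 tcp; NL 195.10.205.37:100 195.10.205.37 tcp; "
        "NL 195.10.205.54:100 195.10.205.54 tcp; NL 147.45.45.192:100 147.45.45.192 tcp; "
        "NL 195.10.205.12:100 195.10.205.12 tcp; NL 195.10.205.37:100 195.10.205.37 tcp; "
        "NL 195.10.205.54:100 195.10.205.54 tcp; GB 142.250.179.238:443 tcp; "
        "US 1.1.1.1:53 android.apis.google.com udp; GB 172.217.169.14:443 android.apis.google.com tcp; "
        "GB 142.250.200.36:443 tcp; GB 142.250.200.36:443 tcp"),
    "behavioral3": (
        "GB 216.58.212.238:443 tcp; GB 216.58.212.238:443 tcp; "
        "US 1.1.1.1:53 android.apis.google.com udp; GB 142.250.200.14:443 android.apis.google.com tcp; "
        "N/A 224.0.0.251:5353 udp; US 1.1.1.1:53 android.apis.google.com udp; "
        "GB 142.250.178.14:443 android.apis.google.com tcp; "
        "NL 195.10.205.12:100 195.10.205.12 tcp; NL 195.10.205.37:100 195.10.205.37 tcp; "
        "NL 195.10.205.54:100 195.10.205.54 tcp; NL 147.45.45.192:100 147.45.45.192 tcp; "
        "NL 195.10.205.12:100 195.10.205.12 tcp; NL 195.10.205.37:100 195.10.205.37 tcp; "
        "US 1.1.1.1:53 ssl.google-analytics.com udp; GB 142.250.200.40:443 ssl.google-analytics.com tcp; "
        "NL 195.10.205.54:100 195.10.205.54 tcp; GB 142.250.187.228:443 tcp; GB 142.250.187.228:443 tcp"),
}

# Ports whose presence alone says nothing (DNS, HTTP, HTTPS, mDNS) and hosts every
# run on this sandbox touches regardless of sample. Assumption: tune per sandbox.
BENIGN_PORTS = {53, 80, 443, 5353}
BACKGROUND_HOSTS = {"1.1.1.1", "224.0.0.251"}


def parse_rows(text):
    """One table -> list of dicts; domain is None when the report showed no DNS name."""
    rows = []
    for raw in text.split(";"):
        parts = raw.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError("unexpected row: %r" % raw)
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "proto": proto,
                     "domain": None if domain == ip else domain})
    return rows


def dns_names(rows):
    """Names actually queried (the UDP/53 rows carry the looked-up name)."""
    return sorted({r["domain"] for r in rows
                   if r["port"] == 53 and r["proto"] == "udp" and r["domain"]})


def candidate_rows(rows):
    """Direct-to-IP connections on ports that carry no well-known service (with repeats)."""
    return ["%s:%d" % (r["ip"], r["port"]) for r in rows
            if r["domain"] is None and r["port"] not in BENIGN_PORTS
            and r["ip"] not in BACKGROUND_HOSTS]


def pivot(runs):
    parsed = {name: parse_rows(text) for name, text in runs.items()}
    per_run = {name: set(candidate_rows(rows)) for name, rows in parsed.items()}
    hits = Counter(c for rows in parsed.values() for c in candidate_rows(rows))
    return {
        "dns_names": sorted(set().union(*(dns_names(r) for r in parsed.values()))),
        "candidates_per_run": {k: sorted(v) for k, v in per_run.items()},
        "candidates_in_every_run": sorted(set.intersection(*per_run.values())),
        "hit_counts": dict(hits),
    }


if __name__ == "__main__":
    for key, value in pivot(RUNS).items():
        print(key, value)
```

On this report's data the pivot returns the four port-100 hosts as present in every run (147.45.45.192 once per run, each 195.10.205.x host twice per run) and three resolved names, all Google. Because the port-100 connections are IP-only, DNS-based blocking or sinkholing would not see them; an egress rule on the destination tuple would.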

Files

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 4f0578d9f0b68522af6ad21538a8f8ad
SHA1 81ca8f42ce048f6abaecf86b85d901c91e42d0c5
SHA256 d119d7c40d7b2e2d7518f0f060e991c48f7c575a3d946ba3c10bd70efa9e8042
SHA512 0fc21dd74c762910036e3697cc73a9f09495097f805e0e6a00dcc5c7eea61795550775e5e1ec47b64bf64e84c0d7fd4cab3f676c4e193fa219bca9348c5afb38

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 bd983a14a036998deb623252d56ab741
SHA1 365b64c08e6edd2d3effd12c54877b31042a8b4a
SHA256 5755497ef2f40418bd498421f7141f86f80774a9608f7cb81d2b05b19f3e1eca
SHA512 4e4d90efae685db03862acc7aec9b700384174e33c621da88788a5da8fb0816a48e693a40131c368835d47e95ca2199a419fe09b5aa9a03942ad0b8b01682e46

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 5758455dd50003616d0efa270ffa761b
SHA1 47caecc466d1c3002e715324fcfc3786edae4398
SHA256 e7995a985e91715f6b50c90af7ff01a50bffd25aa7d023805035dfd4241c401a
SHA512 8968aa5695c98d8c66771cea700b5f84d2acb87eb0d45ddffe463264dde5322b64ca7e416d0b2bcc7f399ae6f2a5fe24d23b5fa9dafc4e27adf6de9feaae3846