Malware Analysis Report

2024-12-07 20:01

Sample ID: 241113-11j6aazhrk
Target: cb41964b951d476d7a89b8b7923f12ec9ecb1dc9b6527077340d556f4e28eabc.bin
SHA256: cb41964b951d476d7a89b8b7923f12ec9ecb1dc9b6527077340d556f4e28eabc
Tags: discovery evasion persistence collection credential_access impact
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: cb41964b951d476d7a89b8b7923f12ec9ecb1dc9b6527077340d556f4e28eabc

Threat Level: Shows suspicious behavior

The file cb41964b951d476d7a89b8b7923f12ec9ecb1dc9b6527077340d556f4e28eabc.bin was classified as: shows suspicious behavior (score 7/10). The static scan flagged dangerous SMS permissions in the manifest; the two behavioral runs observed clipboard monitoring, foreground-service persistence, runtime receiver registration and environment checks, detailed under each analysis below.

Malicious Activity Summary

Tags: discovery evasion persistence collection credential_access impact

The signatures below are the union of the static scan and the two behavioral runs; not every behaviour fired in every run (the clipboard listener was seen only in behavioral2, the MCC query and the runtime broadcast receiver only in behavioral1).

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

The technique matrix is not included in this export; the tactic tags (discovery, evasion, persistence, collection, credential_access, impact) are listed under each signature in the analyses below.
Analysis: static1

Detonation Overview

Reported

2024-11-13 22:06

Signatures

Requests dangerous framework permissions

Description                                     Indicator                        Process  Target
Allows an application to read SMS messages.     android.permission.READ_SMS      N/A      N/A
Allows an application to receive SMS messages.  android.permission.RECEIVE_SMS   N/A      N/A
Allows an application to send SMS messages.     android.permission.SEND_SMS      N/A      N/A

All three belong to the SMS permission group (protection level "dangerous"), so they are declared in the manifest and must be granted by the user at runtime. The static scan only shows that the permissions are requested; neither behavioral run recorded an SMS-related signature, so whether they are actually used (for example to read one-time passcodes) is not established by this report.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 22:06

Reported

2024-11-13 22:10

Platform

android-x86-arm-20240910-en

Max time kernel

22s

Max time network

150s

Command Line

axismobile.service.testingonnboard.system

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description             Indicator                                           Process  Target
Framework service call  android.app.IActivityManager.setServiceForeground   N/A      N/A

setServiceForeground is the binder call behind Service.startForeground(): it attaches a persistent notification to the service and gives the process foreground priority, so it is far less likely to be killed or throttled than an ordinary background app. That is why the sandbox files it under both evasion and persistence.

Queries the mobile country code (MCC)

discovery
Description             Indicator                                                                Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone   N/A      N/A

This is the call behind TelephonyManager.getNetworkCountryIso(); it returns the ISO country code of the registered network (derived from the network MCC), which the sandbox reports as an MCC query. Malware commonly uses it to geofence: run only on devices registered in target countries and stay dormant elsewhere, including in many sandboxes.

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

This is the binder call behind Context.registerReceiver(). A receiver registered this way does not appear in the manifest, and the signature records only the call, not the intent filter, so which system events the app listens for is only visible by hooking the call or decompiling the code.

Checks CPU information

Description           Indicator       Process  Target
File opened for read  /proc/cpuinfo   N/A      N/A

Checks memory information

Description           Indicator       Process  Target
File opened for read  /proc/meminfo   N/A      N/A

Reading /proc/cpuinfo and /proc/meminfo is a common emulator and sandbox fingerprint (an emulator's CPU model string and small memory configuration are easy to recognise), but many legitimate SDKs read the same files for device statistics, so on its own this is weak evidence.

Processes

axismobile.service.testingonnboard.system

Network

Country  Destination            Domain                   Proto
GB       142.250.187.206:443    -                        tcp
GB       142.250.187.206:443    -                        tcp
US       1.1.1.1:53             android.apis.google.com  udp
GB       142.250.200.14:443     android.apis.google.com  tcp
GB       172.217.16.234:443     -                        tcp
N/A      224.0.0.251:5353       -                        udp
US       1.1.1.1:53             android.apis.google.com  udp
GB       172.217.16.238:443     android.apis.google.com  tcp

"-" marks flows with no resolved domain. 1.1.1.1:53 is the sandbox's resolver and 224.0.0.251:5353 is local mDNS multicast; the remaining destinations fall in Google address space and the only name resolved is android.apis.google.com, so no non-Google command-and-control endpoint was observed in the 150 s capture window.

Files

The files below are ART/Jetpack ProfileInstaller artifacts (the runtime profile primary.prof and the androidx.profileinstaller marker files) written during normal app start-up; they are not dropped payloads, so their hashes are not useful as indicators.

/data/misc/profiles/cur/0/axismobile.service.testingonnboard.system/primary.prof

MD5 56a9ec969d048bd4d92fe10cad2a7dd4
SHA1 8dcbf49eaa4358fee96a428bfbcc3f6da0fb4e30
SHA256 c7f8303cd4e78e329b18270c2339850ac518bbe67fd2acebfaaa3de0b4f32e7a
SHA512 23282b25fba777fd8c921431f1e5a2eca2ad33ffddefc7b080f6f919f122b9766f09b1869e4d903af236f8c11131145fb2545fe0835b0f2accf5fd880dd04032

/data/data/axismobile.service.testingonnboard.system/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 b9ef1c141dddd0fc324a77958b77993a
SHA1 a7533a0e6e9c47d5fd912a5bfffe1c04a7d1b5f8
SHA256 beef5974f6867034750e841fbaf290c49749e3ca044eba98b5902d52e751f42b
SHA512 a83cc5b174ca2aee86e6d7c51260d26cfe69ca371bf53e8f53bd14db1eff73446e18329335cd51c045614d9fc93c16f2abf917b09206f517b246ed35f5caca15

/data/data/axismobile.service.testingonnboard.system/files/profileInstalled

MD5 5b02988744b881929325ba2f5eff1355
SHA1 9286589c4a3a394fa1ca11be1f84f503b08edb03
SHA256 b18488a6da40e05e10685f89da94047a0f9aa63586e28c3a40bccbafd8f0d069
SHA512 d697776094c0c6b5e370160c9b19753511e65d8fb22d800e1e7ac538cec2ae063e834f6c03650fbef6ae9fd109d99fae3b9733201330efe21bb39b97616d20b1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 22:06

Reported

2024-11-13 22:10

Platform

android-x64-arm64-20240910-en

Max time kernel

26s

Max time network

151s

Command Line

axismobile.service.testingonnboard.system

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description             Indicator                                                   Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener    N/A      N/A

This is the binder call behind ClipboardManager.addPrimaryClipChangedListener(): the app installs a callback that fires on every change to the primary clip, the standard way to harvest pasted passwords, one-time codes and wallet addresses (or, for the impact tag, to replace them). The listener was observed only in this run, not in behavioral1. Two caveats: the signature shows the listener being registered, not clip contents being read or sent anywhere, and since Android 10 only the foreground app or the default keyboard can read the clip, so a background service needs more than this call to obtain the data.

Makes use of the framework's foreground persistence service

evasion persistence
Description             Indicator                                           Process  Target
Framework service call  android.app.IActivityManager.setServiceForeground   N/A      N/A

Checks the presence of a debugger

evasion

Checks CPU information

Description           Indicator       Process  Target
File opened for read  /proc/cpuinfo   N/A      N/A

Checks memory information

Description           Indicator       Process  Target
File opened for read  /proc/meminfo   N/A      N/A

Processes

axismobile.service.testingonnboard.system

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             www.youtube.com           udp
GB       172.217.169.14:443     www.youtube.com           tcp
GB       216.58.204.78:443      www.youtube.com           tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       172.217.169.14:443     android.apis.google.com   tcp
GB       172.217.169.14:443     android.apis.google.com   tcp
US       216.239.32.223:443     -                         tcp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       216.58.201.104:443     ssl.google-analytics.com  tcp
GB       142.250.187.193:443    -                         tcp
GB       142.250.187.225:443    -                         tcp
US       216.239.32.223:443     -                         tcp

"-" marks flows with no resolved domain. This run additionally resolved www.youtube.com and ssl.google-analytics.com; as in behavioral1, every destination other than the resolver (1.1.1.1) and local mDNS (224.0.0.251) is in Google address space.

Files

/data/misc/profiles/cur/0/axismobile.service.testingonnboard.system/primary.prof

MD5 56a9ec969d048bd4d92fe10cad2a7dd4
SHA1 8dcbf49eaa4358fee96a428bfbcc3f6da0fb4e30
SHA256 c7f8303cd4e78e329b18270c2339850ac518bbe67fd2acebfaaa3de0b4f32e7a
SHA512 23282b25fba777fd8c921431f1e5a2eca2ad33ffddefc7b080f6f919f122b9766f09b1869e4d903af236f8c11131145fb2545fe0835b0f2accf5fd880dd04032

/data/data/axismobile.service.testingonnboard.system/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 dcd085c947af9f46452f4ffcb384329b
SHA1 d1015857f90ca2a118f015262c9e2f03027c12f8
SHA256 a34890c830179061a02dbb1643b22b4136bd2f6dbfef36b53e7150a04fb16754
SHA512 51fd878fdcff847087bae17a68e7f887b21707858f092515e2ebe7bf6a456b94f54c3d34cbf85f361c1715708b793b3f8a6154e7b06e5c5a3ea67d53e9c78447
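To turn an export like this into a deduplicated IOC list, the following added Python example (not part of the sandbox's output or tooling) parses the flattened signature and network tables in the behavioral1 and behavioral2 sections above. The layout assumptions (section headings on their own line, an optional tag line directly under each signature heading, the "Description Indicator Process Target" and "Country Destination Domain Proto" headers, three-column network rows when no domain was resolved) are inferred from this page. The sample input is a constructed excerpt built from rows copied from the behavioral2 tables; the summary drops the local mDNS multicast traffic and separates DNS lookups from real remote connections.

```python
import ipaddress
import re

# Vocabulary of the export format: tag words, section headings, table headers.
TAGS = {"discovery", "evasion", "persistence", "collection", "credential_access", "impact"}
SECTIONS = {"Signatures", "Processes", "Network", "Files", "Command Line"}
SIG_HEADER = "Description Indicator Process Target"
NET_HEADER = "Country Destination Domain Proto"
# One indicator row: free-text description followed by three single-token columns.
ROW_RE = re.compile(r"^(?P<desc>.+?) (?P<ind>\S+) (?P<proc>\S+) (?P<target>\S+)$")

# Constructed excerpt in the report's own layout; the rows are copied from the
# behavioral2 tables above, so a real export can be fed in the same way.
SAMPLE_REPORT = """\
Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.14:443 www.youtube.com tcp
GB 142.250.187.193:443 tcp
"""


def parse_report(text):
    """Return {"signatures": [...], "network": [...]} from a flattened export."""
    out = {"signatures": [], "network": []}
    section, sig, in_rows = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                          # a blank line closes an indicator table
            in_rows = False
            continue
        if line in SECTIONS or line.startswith("Analysis:"):
            section, sig, in_rows = line, None, False
            continue
        if section == "Signatures":
            if line == SIG_HEADER:
                in_rows = True
            elif in_rows and sig is not None:
                m = ROW_RE.match(line)
                if m:
                    sig["indicators"].append(m.groupdict())
            elif sig is not None and set(line.split()) <= TAGS:
                sig["tags"] = line.split()    # tag line sits under the heading
            else:                             # anything else starts a new signature
                sig = {"name": line, "tags": [], "indicators": []}
                out["signatures"].append(sig)
        elif section == "Network" and line != NET_HEADER:
            cols = line.split()
            if len(cols) == 4:
                country, dest, domain, proto = cols
            elif len(cols) == 3:              # flow with no resolved domain
                (country, dest, proto), domain = cols, None
            else:
                continue
            ip, _, port = dest.rpartition(":")
            out["network"].append({"country": country, "ip": ip, "port": int(port),
                                   "domain": domain, "proto": proto})
    return out


def summarize(parsed):
    """Deduplicated IOC view: remote connections, DNS lookups and framework calls,
    with local mDNS multicast dropped as noise."""
    remote, lookups = set(), set()
    for row in parsed["network"]:
        if ipaddress.ip_address(row["ip"]).is_multicast:   # e.g. 224.0.0.251:5353
            continue
        if row["port"] == 53 and row["proto"] == "udp":
            if row["domain"]:
                lookups.add(row["domain"])
        else:
            remote.add((row["ip"], row["port"], row["domain"]))
    calls = sorted(i["ind"] for s in parsed["signatures"] for i in s["indicators"]
                   if i["desc"] == "Framework service call")
    return {"remote": sorted(remote, key=lambda r: (r[0], r[1], r[2] or "")),
            "lookups": sorted(lookups), "framework_calls": calls,
            "tags": sorted({t for s in parsed["signatures"] for t in s["tags"]})}
```

Running summarize(parse_report(SAMPLE_REPORT)) yields two remote endpoints (one with a resolved domain, one without), a single DNS lookup and the clipboard binder call; feeding the full behavioral1 and behavioral2 text through the same functions collapses the duplicate rows and lets the Google-hosted destinations be reviewed as one list rather than two.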