Malware Analysis Report

2024-12-07 18:58

Sample ID 241113-11qcastmcl
Target 33b53c15fb46a07f47c325461d9cbf48ff16d65158fdb8cad6ad902610e99937.bin
SHA256 33b53c15fb46a07f47c325461d9cbf48ff16d65158fdb8cad6ad902610e99937
Tags: collection, credential_access, impact, discovery, persistence
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 33b53c15fb46a07f47c325461d9cbf48ff16d65158fdb8cad6ad902610e99937

Threat level: shows suspicious behavior (score 7/10)

The file 33b53c15fb46a07f47c325461d9cbf48ff16d65158fdb8cad6ad902610e99937.bin was classified as showing suspicious behavior rather than as malicious: the signatures below are individually common in legitimate apps, and it is their combination with the declared permissions that raises the score.

Malicious Activity Summary

Tags: collection, credential_access, impact, discovery, persistence

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 22:07

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A

All five are runtime ("dangerous") permissions, so each needs an explicit grant from the user before the app can use it; declaring them does not by itself prove they were granted or exercised during detonation. READ_MEDIA_IMAGES is the API 33 replacement for READ_EXTERNAL_STORAGE where photos are concerned, and READ_MEDIA_VISUAL_USER_SELECTED (API 34) is what the system grants when the user chooses "Select photos" in the partial-access prompt.
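The sandbox lists only the permissions it judges dangerous; the same check can be reproduced from a decoded manifest, which also shows the normal-level permissions the report omits. The following is an added example, not the sandbox's or the sample's code: it parses a manifest with the android XML namespace, drops entries whose maxSdkVersion is below the target, and groups the remaining runtime permissions by platform permission group. The embedded manifest is constructed from the five permissions listed above plus INTERNET and ACCESS_NETWORK_STATE; it is not the sample's real manifest, and the DANGEROUS_GROUPS table is a hand-maintained subset, not the platform's full list.

```python
"""Manifest permission triage for an Android APK (added example; not code from
the sandbox or from the sample). Run it on the AndroidManifest.xml produced by
`apktool d sample.apk`; the binary manifest inside the APK must be decoded first."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
MAX_SDK = f"{{{ANDROID_NS}}}maxSdkVersion"

# Runtime ("dangerous") permissions keyed to their platform permission group.
# Hand-maintained subset covering this sample and its close relatives; extend it
# from the platform manifest for the API level you target.
DANGEROUS_GROUPS = {
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.READ_PHONE_NUMBERS": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_MEDIA_IMAGES": "READ_MEDIA_VISUAL",
    "android.permission.READ_MEDIA_VIDEO": "READ_MEDIA_VISUAL",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED": "READ_MEDIA_VISUAL",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
}

# Constructed manifest: the five permissions flagged by static1 above plus two
# typical normal-level entries. Illustrative input, not the sample's manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.gto.qtjnanjfi">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
  <uses-permission android:name="android.permission.READ_MEDIA_VISUAL_USER_SELECTED"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Yield (name, max_sdk_or_None) for every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    for el in root.iter("uses-permission"):
        name = el.get(NAME)
        if not name:
            continue
        max_sdk = el.get(MAX_SDK)
        yield name, (int(max_sdk) if max_sdk else None)


def triage_permissions(manifest_xml, target_sdk=34):
    """Return {group: [permission, ...]} for dangerous permissions still in
    effect at target_sdk. Entries with maxSdkVersion below the target are
    ignored, which is how legacy storage permissions are usually declared."""
    by_group = {}
    for name, max_sdk in declared_permissions(manifest_xml):
        if max_sdk is not None and max_sdk < target_sdk:
            continue
        group = DANGEROUS_GROUPS.get(name)
        if group:
            by_group.setdefault(group, []).append(name)
    return by_group


if __name__ == "__main__":
    for group, perms in sorted(triage_permissions(SAMPLE_MANIFEST).items()):
        print(f"{group}: {', '.join(p.rsplit('.', 1)[-1] for p in perms)}")
```

Compare the grouped output against what the app's visible functionality needs; a PHONE plus SMS grouping in an app with no telephony feature is the kind of mismatch that should drive the next step of analysis.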

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 22:07

Reported

2024-11-13 22:10

Platform

android-x64-arm64-20240910-en

Max time kernel

17s

Max time network

151s

Command Line

com.gto.qtjnanjfi

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

The app registers with the system clipboard service to be notified whenever the primary clip changes, which lets it read whatever the user copies (passwords, one-time codes, wallet addresses) without any further interaction. On Android 10 and later the clipboard service only serves the app in focus or the default input method, so the listener mainly pays off while the app is in the foreground.

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Reading /proc/meminfo is routine for the runtime and many libraries, so on its own it is a weak signal; total RAM is, however, one of the values commonly compared against known emulator profiles.

Processes

com.gto.qtjnanjfi

Network

Country | Destination | Domain | Proto
US | 216.239.38.223:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 172.217.169.46:443 | www.youtube.com | udp
GB | 172.217.169.46:443 | www.youtube.com | tcp
GB | 142.250.187.238:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | www.youtube.com | tcp
GB | 142.250.200.33:443 | - | tcp
US | 216.239.38.223:443 | - | tcp
GB | 216.58.204.65:443 | - | tcp
US | 216.239.38.223:443 | - | tcp

Rows to 1.1.1.1:53 are DNS queries to the sandbox resolver, with the queried name in the Domain column; 224.0.0.251:5353 is mDNS multicast from the OS. UDP to port 443 is QUIC. A dash marks a connection the sandbox did not tie to a DNS answer. Every named host in this run is a Google property, and the report attributes no non-Google endpoint to the sample.

Files

/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof

MD5 8b1d4d08e654c958d0852d7501229bcc
SHA1 15669301c8b625bf378914006a33cfdf8bb5967c
SHA256 c9cf404b60750d5c4028b0dcfd58f398df198db225c519029418fad67326e370
SHA512 77cab65274d9b52b8ac9254f5f7990ad8a51eefaf3502f309ef3f864fe6e43cb195da881c2b3f027f6dd5b84d51911911244da23fe64768ad9a0ab5a21000473

/data/data/com.gto.qtjnanjfi/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 1d42886a471fc7f7753f5d707f4fdde3
SHA1 768f2c303daec353e6acfa8e995203ca54dcc2ad
SHA256 f8ab6d342e1eef60cf92a273ed3cb453c52df17708524a3b36fa505d993bae8f
SHA512 29bcb5fc3d311c67b7f4bed120c6daa920c1b72a2bc261b9257ed506d2c8fc3ac54a8f30fdbda5e11b737d1340e149ca57aa23c0aaec106339011a39ae7fb8b1

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 22:07

Reported

2024-11-13 22:11

Platform

android-x86-arm-20240624-en

Max time kernel

47s

Max time network

136s

Command Line

com.gto.qtjnanjfi

Signatures

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

This is the Binder call behind TelephonyManager.getNetworkCountryIso(): it returns the ISO 3166-1 alpha-2 code equivalent to the MCC of the registered operator (or of a nearby cell). Apps use it for locale decisions, but it is also the usual geofencing check for staying dormant outside target regions or in sandboxes whose SIM profile does not match.

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

IActivityManager.registerReceiver is the Binder call behind Context.registerReceiver(). A receiver registered this way is not declared in the manifest and lives only as long as the process, so the persistence tag refers to keeping a hook into system events while running, not to surviving a reboot. The report does not record the intent filter, so which broadcast the sample listens for is not established here.

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.gto.qtjnanjfi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.213.10:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | - | tcp

Files

/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof

MD5 8b1d4d08e654c958d0852d7501229bcc
SHA1 15669301c8b625bf378914006a33cfdf8bb5967c
SHA256 c9cf404b60750d5c4028b0dcfd58f398df198db225c519029418fad67326e370
SHA512 77cab65274d9b52b8ac9254f5f7990ad8a51eefaf3502f309ef3f864fe6e43cb195da881c2b3f027f6dd5b84d51911911244da23fe64768ad9a0ab5a21000473

/data/data/com.gto.qtjnanjfi/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 d5442c6146ac34f822864ce3a7ff06ac
SHA1 7b89c0801c350fd3ee79c19c41a30d9c075f0dd0
SHA256 04e9d373fed71468915bbbd65d017caee5c4832d4be2526c83f1e20adf01991f
SHA512 2222e06771e5d55f23e6cc5429e6310d4183ea832271633980010d6a32a866feddcf98f3423319756ed9a49cc9ffea2e2c37b62b32346cbc2135d345abb9186e

/data/data/com.gto.qtjnanjfi/files/profileInstalled

MD5 7a872db58572ff35c868418499126f23
SHA1 c8f7205b34b8135b2ec2e820576d015a196a07e3
SHA256 c4f21758546736d5de3175ca6e33530166c40a2905a81b9cbf6cb12214b6244d
SHA512 0b4f15de5f3c4ab18bd730d4283e2aaeb70270d757ebfdeb8337f1841d3ac5cca345cea9f37fbd4791e46f666a38d9b3e254c64d2613f0ae48c1b0b96a710e34

/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof

MD5 cf96f43f051de00c256f2081c33ca4d8
SHA1 1cb7bc4655473cfe450d6c1dda7a0599f2fd87dc
SHA256 63d0620791950342f2e79594fe39646dad23e0ee274c2caa3fefeaa25bbd72ab
SHA512 b3bd5cbb81cf95adaf400d9d80fb8f4b4db0dd451634c9c7bdd762b90bac4c26c283d5262e2b167997253b7a67e3699acc1b499104d9b382e445281f879e4859

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 22:07

Reported

2024-11-13 22:09

Platform

android-x64-20240624-en

Max time kernel

47s

Max time network

157s

Command Line

com.gto.qtjnanjfi

Signatures

Obtains sensitive information copied to the device clipboard

Tags: collection, credential_access, impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

Tags: discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.gto.qtjnanjfi

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | - | tcp
GB | 142.250.180.4:443 | - | tcp
GB | 172.217.16.238:443 | - | tcp
GB | 142.250.179.226:443 | - | tcp
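The Network tables of all three runs share one flattened layout, and what a practitioner wants from them is the set of connections the sandbox could not tie to a DNS name, since those are the candidates for hard-coded endpoints. The following is an added example, not part of the report or the sandbox's code: it parses the behavioral3 rows reproduced inline, separates resolver queries and mDNS noise from real connections, and back-fills attribution for bare destinations whose IP is named elsewhere in the same run. The resolver and mDNS addresses are taken from the rows themselves; the rows are the ones printed in this report.

```python
"""Triage of flattened sandbox network rows (added example; not part of the
original report). Rows copied from the behavioral3 run above: DNS queries carry
the queried name in the Domain column, connections carry the name the sandbox
tied to them, and the column is empty when no DNS answer preceded the flow."""
import re
from collections import defaultdict

SAMPLE_ROWS = """\
US 216.239.38.223:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.33:443 tcp
US 216.239.38.223:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.38.223:443 tcp
"""

# Domain is optional, so the regex tries it and falls back to "no domain".
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?"
    r"(?P<proto>tcp|udp)$"
)

RESOLVER = "1.1.1.1"   # every :53 row in the report goes here: the sandbox resolver
MDNS = "224.0.0.251"   # link-local multicast DNS emitted by the OS, not the sample


def parse_rows(text):
    """Parse one row per line into dicts; refuse silently-skipped rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        r = m.groupdict()
        r["port"] = int(r["port"])
        rows.append(r)
    return rows


def triage(text):
    """Split rows into DNS lookups, attributed connections, bare connections
    whose IP is named by another row (inferred), bare connections with no
    name anywhere (unattributed), and UDP/443 flows (QUIC)."""
    lookups, attributed = set(), defaultdict(set)
    bare, quic = set(), set()
    for r in parse_rows(text):
        ip, port, dom, proto = r["ip"], r["port"], r["domain"], r["proto"]
        if ip == RESOLVER and port == 53:
            if dom:
                lookups.add(dom)
            continue
        if ip == MDNS:
            continue
        dst = f"{ip}:{port}"
        if proto == "udp" and port == 443:
            quic.add(dst)  # HTTP/3 over QUIC; not a tunnelling indicator by itself
        if dom:
            attributed[dom].add(dst)
        else:
            bare.add(dst)
    # Attribution in the report is per flow; the same IP is often named by a
    # later flow, so back-fill by IP before calling anything unattributed.
    ip_to_names = defaultdict(set)
    for dom, dsts in attributed.items():
        for d in dsts:
            ip_to_names[d.split(":")[0]].add(dom)
    inferred = {d: ip_to_names[d.split(":")[0]]
                for d in bare if d.split(":")[0] in ip_to_names}
    return {
        "lookups": lookups,
        "attributed": dict(attributed),
        "inferred": inferred,
        "unattributed": bare - set(inferred),
        "quic": quic,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for key in ("lookups", "inferred", "unattributed", "quic"):
        print(f"{key}: {sorted(result[key])}")
```

The unattributed set is what to pivot on with passive DNS or WHOIS; in this run every named host is a Google property and the report gives no non-Google endpoint, so the three bare destinations are the only leads the network evidence offers.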

Files

/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof

MD5 8b1d4d08e654c958d0852d7501229bcc
SHA1 15669301c8b625bf378914006a33cfdf8bb5967c
SHA256 c9cf404b60750d5c4028b0dcfd58f398df198db225c519029418fad67326e370
SHA512 77cab65274d9b52b8ac9254f5f7990ad8a51eefaf3502f309ef3f864fe6e43cb195da881c2b3f027f6dd5b84d51911911244da23fe64768ad9a0ab5a21000473

/data/data/com.gto.qtjnanjfi/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 88e5a69d31f78311d57ef83b0288953b
SHA1 7ff6b14eb104d13e009516ec8c4999458b79da38
SHA256 e66f73574091ab0192143de5b02ed23d33d6bd12de05cad512023ed2a9f4807a
SHA512 2350c3358037dc997150eeed65b77d272ef209eb687591094b1e369595d33d42108fb5088c25789f4c47074e3b7270a361209abeb523e4c7b5a8eb3a86f8d93e

/data/data/com.gto.qtjnanjfi/files/profileInstalled

MD5 941872bae68d8fdd2c6b71be64a16773
SHA1 536509a6b1a18d021511d0a6c4b5c13d23f221a0
SHA256 3bb00bcb9fff893c9975f39263a387512056c1ff0a24400e45844d900c875eb0
SHA512 77278323d723ab8ee8c29fbd7e7e920c1c97d85a9b2c6c65faff392d121cc02c4c5536e115b3556282dd4ddbef5021cd2b5b964e807ea2745f2865ca70d0c058

/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof

MD5 8c916fe8530076dd2cdfb584d4781cd1
SHA1 958ce43ba2a5caf6dbc85a67c5423baf7f883143
SHA256 a99e600b7025f87a82e014de73f959fb174ce5f24be683b584da81d04e2ee5d7
SHA512 ba5eb0a4620581df64f0e78d053a6f92a14b28b89054943d18d0936be955d07399e632b4e2324677cb37b2f9bc459a322040c9baeb1ec81b8904d4206044136d