Analysis Overview
SHA256
33b53c15fb46a07f47c325461d9cbf48ff16d65158fdb8cad6ad902610e99937
Threat Level: Shows suspicious behavior
The file 33b53c15fb46a07f47c325461d9cbf48ff16d65158fdb8cad6ad902610e99937.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Obtains sensitive information copied to the device clipboard
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 22:07
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-13 22:07
Reported
2024-11-13 22:10
Platform
android-x64-arm64-20240910-en
Max time kernel
17s
Max time network
151s
Command Line
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.gto.qtjnanjfi
Network
| Country | Destination | Domain | Proto |
| US | 216.239.38.223:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 172.217.169.46:443 | www.youtube.com | udp |
| GB | 172.217.169.46:443 | www.youtube.com | tcp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| GB | 142.250.200.33:443 | | tcp |
| US | 216.239.38.223:443 | | tcp |
| GB | 216.58.204.65:443 | | tcp |
| US | 216.239.38.223:443 | | tcp |
Files
/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof
| MD5 | 8b1d4d08e654c958d0852d7501229bcc |
| SHA1 | 15669301c8b625bf378914006a33cfdf8bb5967c |
| SHA256 | c9cf404b60750d5c4028b0dcfd58f398df198db225c519029418fad67326e370 |
| SHA512 | 77cab65274d9b52b8ac9254f5f7990ad8a51eefaf3502f309ef3f864fe6e43cb195da881c2b3f027f6dd5b84d51911911244da23fe64768ad9a0ab5a21000473 |
/data/data/com.gto.qtjnanjfi/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 1d42886a471fc7f7753f5d707f4fdde3 |
| SHA1 | 768f2c303daec353e6acfa8e995203ca54dcc2ad |
| SHA256 | f8ab6d342e1eef60cf92a273ed3cb453c52df17708524a3b36fa505d993bae8f |
| SHA512 | 29bcb5fc3d311c67b7f4bed120c6daa920c1b72a2bc261b9257ed506d2c8fc3ac54a8f30fdbda5e11b737d1340e149ca57aa23c0aaec106339011a39ae7fb8b1 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 22:07
Reported
2024-11-13 22:11
Platform
android-x86-arm-20240624-en
Max time kernel
47s
Max time network
136s
Command Line
Signatures
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.gto.qtjnanjfi
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.213.10:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| GB | 216.58.213.10:443 | | tcp |
Files
/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof
| MD5 | 8b1d4d08e654c958d0852d7501229bcc |
| SHA1 | 15669301c8b625bf378914006a33cfdf8bb5967c |
| SHA256 | c9cf404b60750d5c4028b0dcfd58f398df198db225c519029418fad67326e370 |
| SHA512 | 77cab65274d9b52b8ac9254f5f7990ad8a51eefaf3502f309ef3f864fe6e43cb195da881c2b3f027f6dd5b84d51911911244da23fe64768ad9a0ab5a21000473 |
/data/data/com.gto.qtjnanjfi/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | d5442c6146ac34f822864ce3a7ff06ac |
| SHA1 | 7b89c0801c350fd3ee79c19c41a30d9c075f0dd0 |
| SHA256 | 04e9d373fed71468915bbbd65d017caee5c4832d4be2526c83f1e20adf01991f |
| SHA512 | 2222e06771e5d55f23e6cc5429e6310d4183ea832271633980010d6a32a866feddcf98f3423319756ed9a49cc9ffea2e2c37b62b32346cbc2135d345abb9186e |
/data/data/com.gto.qtjnanjfi/files/profileInstalled
| MD5 | 7a872db58572ff35c868418499126f23 |
| SHA1 | c8f7205b34b8135b2ec2e820576d015a196a07e3 |
| SHA256 | c4f21758546736d5de3175ca6e33530166c40a2905a81b9cbf6cb12214b6244d |
| SHA512 | 0b4f15de5f3c4ab18bd730d4283e2aaeb70270d757ebfdeb8337f1841d3ac5cca345cea9f37fbd4791e46f666a38d9b3e254c64d2613f0ae48c1b0b96a710e34 |
/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof
| MD5 | cf96f43f051de00c256f2081c33ca4d8 |
| SHA1 | 1cb7bc4655473cfe450d6c1dda7a0599f2fd87dc |
| SHA256 | 63d0620791950342f2e79594fe39646dad23e0ee274c2caa3fefeaa25bbd72ab |
| SHA512 | b3bd5cbb81cf95adaf400d9d80fb8f4b4db0dd451634c9c7bdd762b90bac4c26c283d5262e2b167997253b7a67e3699acc1b499104d9b382e445281f879e4859 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 22:07
Reported
2024-11-13 22:09
Platform
android-x64-20240624-en
Max time kernel
47s
Max time network
157s
Command Line
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.gto.qtjnanjfi
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.14:443 | android.apis.google.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
Files
/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof
| MD5 | 8b1d4d08e654c958d0852d7501229bcc |
| SHA1 | 15669301c8b625bf378914006a33cfdf8bb5967c |
| SHA256 | c9cf404b60750d5c4028b0dcfd58f398df198db225c519029418fad67326e370 |
| SHA512 | 77cab65274d9b52b8ac9254f5f7990ad8a51eefaf3502f309ef3f864fe6e43cb195da881c2b3f027f6dd5b84d51911911244da23fe64768ad9a0ab5a21000473 |
/data/data/com.gto.qtjnanjfi/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | 88e5a69d31f78311d57ef83b0288953b |
| SHA1 | 7ff6b14eb104d13e009516ec8c4999458b79da38 |
| SHA256 | e66f73574091ab0192143de5b02ed23d33d6bd12de05cad512023ed2a9f4807a |
| SHA512 | 2350c3358037dc997150eeed65b77d272ef209eb687591094b1e369595d33d42108fb5088c25789f4c47074e3b7270a361209abeb523e4c7b5a8eb3a86f8d93e |
/data/data/com.gto.qtjnanjfi/files/profileInstalled
| MD5 | 941872bae68d8fdd2c6b71be64a16773 |
| SHA1 | 536509a6b1a18d021511d0a6c4b5c13d23f221a0 |
| SHA256 | 3bb00bcb9fff893c9975f39263a387512056c1ff0a24400e45844d900c875eb0 |
| SHA512 | 77278323d723ab8ee8c29fbd7e7e920c1c97d85a9b2c6c65faff392d121cc02c4c5536e115b3556282dd4ddbef5021cd2b5b964e807ea2745f2865ca70d0c058 |
/data/misc/profiles/cur/0/com.gto.qtjnanjfi/primary.prof
| MD5 | 8c916fe8530076dd2cdfb584d4781cd1 |
| SHA1 | 958ce43ba2a5caf6dbc85a67c5423baf7f883143 |
| SHA256 | a99e600b7025f87a82e014de73f959fb174ce5f24be683b584da81d04e2ee5d7 |
| SHA512 | ba5eb0a4620581df64f0e78d053a6f92a14b28b89054943d18d0936be955d07399e632b4e2324677cb37b2f9bc459a322040c9baeb1ec81b8904d4206044136d |