Malware Analysis Report

2024-12-07 19:04

Sample ID 241113-1zngbazgmf
Target 1be147c207a1177fe3d01e134e4356a37d953e4a80a461dff10385e29c359c96.bin
SHA256 1be147c207a1177fe3d01e134e4356a37d953e4a80a461dff10385e29c359c96
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1be147c207a1177fe3d01e134e4356a37d953e4a80a461dff10385e29c359c96

Threat Level: Shows suspicious behavior

The file 1be147c207a1177fe3d01e134e4356a37d953e4a80a461dff10385e29c359c96.bin was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 22:05

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 22:05

Reported

2024-11-13 22:08

Platform

android-x86-arm-20240910-en

Max time kernel

21s

Max time network

151s

Command Line

com.narialsupport.android

Signatures

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.narialsupport.android

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.14:443 | android.apis.google.com | tcp |
| GB | 172.217.16.228:80 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 142.250.200.35:80 | | tcp |

Files

/data/misc/profiles/cur/0/com.narialsupport.android/primary.prof

MD5 ff6929b3b9bfae587ca2fb87db958fba
SHA1 f7d7994284d2d441bae07fc356c671b582136232
SHA256 1ae529570948d802af83e2358a0db7044568e057fbe014babddd8aa7a104b18c
SHA512 e277783f431649a3c154098a4f3d7034f85059d314ef975d9851c2bd9c844fb178b1bdd953412816625a8104e4b6b9520dc75b7ca6c3725461083cc90380f340

/data/data/com.narialsupport.android/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 190e5433af8f8e01ce803084783158c4
SHA1 93d47f5512d07d76e5f628ac9869af5da23bffb6
SHA256 1c142db3ffc252718f0f39d648d2dfbcbc40418526c6d19f2a07550f26f09815
SHA512 f83f3aaadc3d8e64e82ab07a16038a253ede83b178f065d0dd6b2b0e43988dc627a2e45a99d592f0d9a45c1e55cae8f31684ae312b9d9f9a4a8807ff0097aab5

/data/data/com.narialsupport.android/files/profileInstalled

MD5 a426fed80c95e84012fc94dabc956ecb
SHA1 86ba38f55064ad6a53568b174e9d8bfbc27046fe
SHA256 e654aa012974275c907b5c67dce502d5246ea7f46791905c7c1fdb9ed7ea6f3b
SHA512 7c8cea6186cf9a553fb1d448245a9d9b00f929223a46b7e9694f11c36e6c3b7adab615f34d02a0b0ae68e87f29016dc650ab48c694736de0885b92c32efadcf0

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 22:05

Reported

2024-11-13 22:09

Platform

android-x64-20240910-en

Max time kernel

143s

Max time network

155s

Command Line

com.narialsupport.android

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Queries the mobile country code (MCC)

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.narialsupport.android

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.180.10:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |

Files

/data/misc/profiles/cur/0/com.narialsupport.android/primary.prof

MD5 ff6929b3b9bfae587ca2fb87db958fba
SHA1 f7d7994284d2d441bae07fc356c671b582136232
SHA256 1ae529570948d802af83e2358a0db7044568e057fbe014babddd8aa7a104b18c
SHA512 e277783f431649a3c154098a4f3d7034f85059d314ef975d9851c2bd9c844fb178b1bdd953412816625a8104e4b6b9520dc75b7ca6c3725461083cc90380f340

/data/data/com.narialsupport.android/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 0948359137e2431577eb5642106a7830
SHA1 61391c0bcce09777255cd6dbb3a7cc9401bde707
SHA256 23311c1226d82e6c89a1607627a6fee68f934c7d436782bcca1344da76926014
SHA512 104fd80a16210ca12e6b4092b1f1d5a26887c9241d82da26ff71abd58e1ee30abb1c7eec40b795b3760b86ddfc9e584df34923410d6081a0187811dcf6596d97

/data/data/com.narialsupport.android/files/profileInstalled

MD5 67a27b6659c192284a0f04f49eca76ed
SHA1 a0b8ae9fe30a7384f63351768ef85fd9338953f3
SHA256 d30859ebed861ab38e991c40e41c396989ae82842fbf1a9016072183211ea76a
SHA512 78d36b2c1db7ba6b0c498dcc8c1384998257a9adc8478e7feebc1866a673c2802da6394b05888626845c1ada89e8ee8264b9c7dfc4515161a99acee946051ce3

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 22:05

Reported

2024-11-13 22:08

Platform

android-x64-arm64-20240910-en

Max time kernel

23s

Max time network

150s

Command Line

com.narialsupport.android

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |

Checks the presence of a debugger

evasion

Checks CPU information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/cpuinfo | N/A | N/A |

Checks memory information

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for read | /proc/meminfo | N/A | N/A |

Processes

com.narialsupport.android

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| GB | 216.58.201.106:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 142.250.200.46:443 | www.youtube.com | udp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 216.239.36.223:443 | | tcp |
| US | 216.239.36.223:443 | | tcp |
| GB | 142.250.200.1:443 | | tcp |
| GB | 216.58.212.193:443 | | tcp |
| US | 216.239.36.223:443 | | tcp |
| US | 216.239.36.223:443 | | tcp |

Files

/data/misc/profiles/cur/0/com.narialsupport.android/primary.prof

MD5 ff6929b3b9bfae587ca2fb87db958fba
SHA1 f7d7994284d2d441bae07fc356c671b582136232
SHA256 1ae529570948d802af83e2358a0db7044568e057fbe014babddd8aa7a104b18c
SHA512 e277783f431649a3c154098a4f3d7034f85059d314ef975d9851c2bd9c844fb178b1bdd953412816625a8104e4b6b9520dc75b7ca6c3725461083cc90380f340

/data/data/com.narialsupport.android/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 84c05d715058cfad658697c250ecd6b6
SHA1 7c4acfbcac348fcc368e3fa6373b94d0198424e0
SHA256 706c57824ea357314ab5bb9808613fe59a87acae8d1b1e76a834fd25e4fdd9ff
SHA512 d49696a6cb27f73b406cbdaf43fec52b433de2dbf4cb425d0a563ced6094d6cee8b7ab101745d940be535cbf23e4b3fbfc2a55dad9ba2f5b52e80e9e0fe7bdbd