Malware Analysis Report

2024-12-07 18:59

Sample ID 241113-1zqxfazhpj
Target f3843057dedd09c80eb9d468fc87468ec89c45403a4d66345b665d730aad05f8.bin
SHA256 f3843057dedd09c80eb9d468fc87468ec89c45403a4d66345b665d730aad05f8
Tags
discovery evasion persistence collection credential_access impact phishing
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f3843057dedd09c80eb9d468fc87468ec89c45403a4d66345b665d730aad05f8

Threat Level: Shows suspicious behavior

The file f3843057dedd09c80eb9d468fc87468ec89c45403a4d66345b665d730aad05f8.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact phishing

Obtains sensitive information copied to the device clipboard

A potential corporate email address has been identified in the URL: [email protected]

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 22:05

Signatures

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 22:05

Reported

2024-11-13 22:09

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.divine.smsreceiver

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.divine.smsreceiver

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
US 1.1.1.1:53 maxcdn.bootstrapcdn.com udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 1.1.1.1:53 code.jquery.com udp
US 104.18.10.207:443 maxcdn.bootstrapcdn.com tcp
US 104.18.10.207:443 maxcdn.bootstrapcdn.com tcp
US 151.101.129.229:443 cdn.jsdelivr.net tcp
US 151.101.2.137:443 code.jquery.com tcp
GB 142.250.178.3:80 tcp
GB 216.58.212.228:443 tcp
GB 172.217.16.226:443 tcp

Files

/data/data/com.divine.smsreceiver/files/profileInstalled

MD5 e2097fdffb56fb750302c2be8b64efd5
SHA1 04e914cf88662184369ca668be707ce4ac4d13db
SHA256 95324240e5fb37406caaa090bb64a8e9ea1b9616d42f6e91795212c31ad6c2ef
SHA512 fbc7b54d910249aa93fc72c386cd94ada4cd63e2a45d6e81c0f36e18acbc2fd8672ac156eb5bbe6accf676793148d408502b6eba67604ce33a6e412e1ca76dbd

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 22:05

Reported

2024-11-13 22:08

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

155s

Command Line

com.divine.smsreceiver

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.divine.smsreceiver

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.106:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 1.1.1.1:53 code.jquery.com udp
US 1.1.1.1:53 maxcdn.bootstrapcdn.com udp
US 151.101.193.229:443 cdn.jsdelivr.net tcp
US 151.101.2.137:443 code.jquery.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.213.8:443 ssl.google-analytics.com tcp
GB 142.250.178.14:443 tcp
GB 216.58.201.98:443 tcp

Files

/data/data/com.divine.smsreceiver/files/profileInstalled

MD5 8ba2e241a625d70118de8389ae826948
SHA1 c7b0d1088434f394eec82dc35b97662855d7c85f
SHA256 b827be9022a175f8c89a2b80d4d8ca01b49758682b8b8136cd029a28a32119aa
SHA512 4b032aa39e52d10ffe640683d1a6a19e148be330d09a203373bc08e50085ecda2a05ac91a766120259f8a06027d143f238ee89ea26765fd252cf3b9f674c52a8

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-13 22:05

Reported

2024-11-13 22:08

Platform

android-x64-arm64-20240624-en

Max time kernel

47s

Max time network

135s

Command Line

com.divine.smsreceiver

Signatures

A potential corporate email address has been identified in the URL: [email protected]

phishing

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.divine.smsreceiver

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 maxcdn.bootstrapcdn.com udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 1.1.1.1:53 code.jquery.com udp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 104.18.11.207:443 maxcdn.bootstrapcdn.com tcp
US 151.101.65.229:443 cdn.jsdelivr.net tcp
US 151.101.2.137:443 code.jquery.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

N/A