Malware Analysis Report

2024-12-07 16:02

Sample ID 241113-qrq75asfjd
Target GetApps v34.8.1.0.apk
SHA256 ea6afc83aebe255bb476fe32ae0b0256a65877f14d8483642912ecf02c8ed896
Tags
banker collection discovery evasion execution impact persistence
score
8/10


Analysis Overview

Threat Level: Likely malicious

The file GetApps v34.8.1.0.apk was found to be: Likely malicious.

Malicious Activity Summary

banker collection discovery evasion execution impact persistence

Checks if the Android device is rooted.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries account information for other applications stored on the device

Queries information about running processes on the device

Requests dangerous framework permissions

Queries information about active data network

Checks the presence of a debugger

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-13 13:30

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-13 13:29

Reported: 2024-11-13 13:30

Platform: android-x86-arm-20240624-en

Max time kernel: 5s

Max time network: 18s

Command Line

com.xiaomi.mipicks

Signatures

Checks if the Android device is rooted.

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /system/bin/su | N/A | N/A |
| N/A | /system/xbin/su | N/A | N/A |
| N/A | /system/app/Superuser.apk | N/A | N/A |

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accounts.IAccountManager.getAccountsAsUser | N/A | N/A |

Queries information about running processes on the device

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |

Queries information about active data network

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |

Schedules tasks to execute at a specified time

execution persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A |

Uses Crypto APIs (Might try to encrypt user data)

impact
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.xiaomi.mipicks

chmod 493 /data/user/0/com.xiaomi.mipicks/files/miui_mod_icons

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp |
| US | 1.1.1.1:53 | cdn.exp.xiaomi.com | udp |

Files

/data/data/com.xiaomi.mipicks/databases/com.google.android.datatransport.events-journal

MD5 22b2faa5bd07ec8ab95096a6b83d45d8
SHA1 a4c1c7abcb612ae8ceae840e7abe0cd9237f1cb5
SHA256 b0bfa97dd4e1cc10b3d660f7f8c71c80e7fb4db7a4216ee72e71e81578e6c697
SHA512 e9874dcf8da9c449a77a500cb95ae09a997301747e12f1f1504795dda4e6d063cd88d4ba4a0ba78bdd02a85e004a07cf19882431e8ad48d6af2cd05d7b93d572

/data/data/com.xiaomi.mipicks/databases/com.google.android.datatransport.events

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.xiaomi.mipicks/databases/com.google.android.datatransport.events-wal

MD5 d2789f5bad1e13c9df7422467cff6166
SHA1 93ffe1329a742fff2345930a0c661f792df05843
SHA256 deed09c0b2cf056f7c09e8564012904788d65ab534f12c490b9131f988249fff
SHA512 3313aed11541d4ff51786574696b34ff72a66d4b25ef908ebf6459959e873e6c9e5dca3bcbb628cab5e92bf7f34e4fd859740ff2522a2928106d65b1cf376b5b

/data/data/com.xiaomi.mipicks/databases/market_2.db-journal

MD5 9e85be91f34eb9ae9d8d78cfc6346ca5
SHA1 1dd3b2532f85b7e9dabc78c2e538cf015e8685bb
SHA256 86d91dcc1da6ca6414b6b2f42fcfed36de6c46c0d042c580a676f08d1171312d
SHA512 700dceaeb397f0f7790db31bd2145c0ddc4ef91f239590a9d61992488fd2f684de2d660245e2d5e2a033c82af50c58a2208b25743a59a1c7258352cb18d1d2db

/data/data/com.xiaomi.mipicks/databases/market_2.db-wal

MD5 48a04b711c953648c701215fd693a18e
SHA1 f47480e6735c68a3e961a007f8ee257898e54999
SHA256 a26e130d4f9e939993d796535b18e4a89a41ddb4359e8a7d3dd869c0dcd6def2
SHA512 de95c40631459e3d8efec3cbd7b9f098373cf4332b9e7b342aac92bc6b06371bb0a854a939fea71678b2ba6db37a394051b11a4efb2badc57eca81fd682a4917

/data/data/com.xiaomi.mipicks/files/mmkv/overseas_100009

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA512 2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

/data/data/com.xiaomi.mipicks/databases/traffic.db-journal

MD5 00393e7f60642883296e894256ca74b5
SHA1 ff6d7c98669eb196401f8136f772efd325485149
SHA256 571a9996458bf4641c8bf3f839cb6d2ae8c8820e19fd07776aa52edea5325008
SHA512 a1560db71255f239b84bb145a24d7cf1dbcab0a4df128cdffdbf8411f4240b5ecda6ff28039b496b61191523a55118410137b985f36bf77f34e108280f9570d1

/data/data/com.xiaomi.mipicks/databases/traffic.db-wal

MD5 6c3147a6b310b849ea26ff07f1f25890
SHA1 310fc922648747a5a714edcf9077f475f93a4992
SHA256 a0cd6469b53f980670923c5e72eccf616d8e6f229203b25b2bae0da73bf0c28a
SHA512 3e67c00b534c35248afae5677d6a836aa102b7b85f89eeb5120b108942f1a52cf08e59ca77b738b79e78be656b00036779836ac7f953ec3c9ed7adac5dbc8751