Malware Analysis Report

2025-04-03 14:16

Sample ID: 241114-1z1rmstkcz
Target: c622d8c06faef7a38e1332e45597982554ac52567f19fc4b057415197bc1a652.bin
SHA256: c622d8c06faef7a38e1332e45597982554ac52567f19fc4b057415197bc1a652
Tags: collection, evasion, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: c622d8c06faef7a38e1332e45597982554ac52567f19fc4b057415197bc1a652

Threat Level: Shows suspicious behavior

The file c622d8c06faef7a38e1332e45597982554ac52567f19fc4b057415197bc1a652.bin was found to show suspicious behavior.

Malicious Activity Summary

Tags: collection, evasion, persistence

Reads the content of SMS inbox messages.

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-14 22:06

Signatures

Requests dangerous framework permissions

Indicator                               Process  Target  Description
android.permission.READ_PHONE_NUMBERS   N/A      N/A     Allows read access to the device's phone number(s).
android.permission.READ_PHONE_STATE     N/A      N/A     Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SEND_SMS             N/A      N/A     Allows an application to send SMS messages.
android.permission.READ_SMS             N/A      N/A     Allows an application to read SMS messages.
android.permission.RECEIVE_SMS          N/A      N/A     Allows an application to receive SMS messages.
android.permission.CALL_PHONE           N/A      N/A     Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-14 22:05
Reported: 2024-11-14 22:09
Platform: android-x86-arm-20240624-en
Max time kernel: 149s
Max time network: 157s

Command Line

com.shootii.rooomu

Signatures

Reads the content of SMS inbox messages.

Tags: collection

Description             Indicator             Process  Target
URI accessed for read   content://sms/inbox   N/A      N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence

Description              Indicator                                            Process  Target
Framework service call   android.app.IActivityManager.setServiceForeground   N/A      N/A

Processes

com.shootii.rooomu

Network

Country  Destination           Domain                                     Proto
GB       142.250.180.10:443                                               tcp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com         udp
US       1.1.1.1:53            m6295070150-default-rtdb.firebaseio.com    udp
US       35.190.39.113:443     m6295070150-default-rtdb.firebaseio.com    tcp
GB       216.58.201.110:443                                               tcp
US       1.1.1.1:53            android.apis.google.com                    udp
GB       142.250.180.14:443    android.apis.google.com                    tcp

Files

/data/data/com.shootii.rooomu/app_sslcache/m6295070150-default-rtdb.firebaseio.com.443

/data/misc/profiles/cur/0/com.shootii.rooomu/primary.prof

/data/data/com.shootii.rooomu/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.shootii.rooomu/files/profileInstalled

/data/misc/profiles/cur/0/com.shootii.rooomu/primary.prof

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-14 22:05
Reported: 2024-11-14 22:09
Platform: android-x64-20240624-en
Max time kernel: 149s
Max time network: 158s

Command Line

com.shootii.rooomu

Signatures

Reads the content of SMS inbox messages.

Tags: collection

Description             Indicator             Process  Target
URI accessed for read   content://sms/inbox   N/A      N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence

Description              Indicator                                            Process  Target
Framework service call   android.app.IActivityManager.setServiceForeground   N/A      N/A

Processes

com.shootii.rooomu

Network

Country  Destination           Domain                                     Proto
N/A      224.0.0.251:5353                                                 udp
US       1.1.1.1:53            m6295070150-default-rtdb.firebaseio.com    udp
US       34.120.160.131:443    m6295070150-default-rtdb.firebaseio.com    tcp
US       1.1.1.1:53            ssl.google-analytics.com                   udp
GB       142.250.178.8:443     ssl.google-analytics.com                   tcp
GB       142.250.179.238:443                                              tcp
US       1.1.1.1:53            android.apis.google.com                    udp
GB       142.250.187.238:443   android.apis.google.com                    tcp
GB       142.250.179.228:443                                              tcp
GB       142.250.179.228:443                                              tcp

Files

/data/misc/profiles/cur/0/com.shootii.rooomu/primary.prof

/data/data/com.shootii.rooomu/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/com.shootii.rooomu/files/profileInstalled

/data/misc/profiles/cur/0/com.shootii.rooomu/primary.prof

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-14 22:05
Reported: 2024-11-14 22:09
Platform: android-x64-arm64-20240624-en
Max time kernel: 149s
Max time network: 158s

Command Line

com.shootii.rooomu

Signatures

Reads the content of SMS inbox messages.

Tags: collection

Description             Indicator             Process  Target
URI accessed for read   content://sms/inbox   N/A      N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence

Description              Indicator                                            Process  Target
Framework service call   android.app.IActivityManager.setServiceForeground   N/A      N/A

Processes

com.shootii.rooomu

Network

Country  Destination           Domain                                     Proto
GB       142.250.180.14:443                                               tcp
GB       142.250.180.14:443                                               tcp
GB       142.250.180.14:443                                               tcp
N/A      224.0.0.251:5353                                                 udp
US       1.1.1.1:53            android.apis.google.com                    udp
GB       142.250.200.46:443    android.apis.google.com                    tcp
US       1.1.1.1:53            m6295070150-default-rtdb.firebaseio.com    udp
US       35.190.39.113:443     m6295070150-default-rtdb.firebaseio.com    tcp
US       1.1.1.1:53            ssl.google-analytics.com                   udp
GB       142.250.179.232:443   ssl.google-analytics.com                   tcp
GB       142.250.200.36:443                                               tcp
GB       142.250.200.36:443                                               tcp

Files

/data/misc/profiles/cur/0/com.shootii.rooomu/primary.prof

/data/data/com.shootii.rooomu/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
