Malware Analysis Report

2024-12-07 19:53

Sample ID 241114-jeqbqswbma
Target c7c501d32edd434117db39f3f9d250284bfe377734b95d59f76ebbc646f4b879.apk
SHA256 c7c501d32edd434117db39f3f9d250284bfe377734b95d59f76ebbc646f4b879
Tags
discovery evasion persistence collection credential_access impact
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c7c501d32edd434117db39f3f9d250284bfe377734b95d59f76ebbc646f4b879

Threat Level: Shows suspicious behavior

The file c7c501d32edd434117db39f3f9d250284bfe377734b95d59f76ebbc646f4b879.apk was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion persistence collection credential_access impact

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 07:35

Signatures

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
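The static signature above is a permission check against the decoded manifest. The following is an added example (not the sandbox's own code) that reproduces that check offline: the manifest text is constructed from the six permissions listed for ru.cvv.core plus android.permission.INTERNET as a non-dangerous control, and the DANGEROUS table is a hand-picked subset of Android's dangerous-protection-level permissions, not the full list. A real APK carries its manifest as binary XML, so it must first be decoded (apktool, androguard) before this parser can read it.

```python
"""Flag dangerous permissions in a decoded AndroidManifest.xml.

Added example for this report, not the sandbox's code. SAMPLE_MANIFEST is
CONSTRUCTED from the permissions the static analysis lists for ru.cvv.core
(plus INTERNET as a control); the real manifest may request more.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions Android marks protectionLevel="dangerous", grouped by
# what they let a sideloaded app reach. Not exhaustive (assumption: enough for triage).
DANGEROUS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.READ_PHONE_NUMBERS": "telephony",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.POST_NOTIFICATIONS": "notifications",  # dangerous since API 33
    "android.permission.ACCESS_FINE_LOCATION": "location",
}

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ru.cvv.core">
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="cvv"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> in document order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def triage_permissions(manifest_xml: str) -> dict:
    """Split requested permissions into dangerous/benign and group the dangerous ones."""
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(p for p in perms if p in DANGEROUS)
    groups = {}
    for p in dangerous:
        groups.setdefault(DANGEROUS[p], []).append(p)
    # Being able to both read and send SMS is the combination that makes an
    # SMS-capable app worth a closer look (OTP interception, premium SMS).
    sms_read_and_send = (
        "android.permission.READ_SMS" in perms and "android.permission.SEND_SMS" in perms
    )
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "requested": perms,
        "dangerous": dangerous,
        "groups": groups,
        "sms_read_and_send": sms_read_and_send,
    }


if __name__ == "__main__":
    result = triage_permissions(SAMPLE_MANIFEST)
    print("%s: %d dangerous of %d requested"
          % (result["package"], len(result["dangerous"]), len(result["requested"])))
    for group, names in result["groups"].items():
        print("  [%s] %s" % (group, ", ".join(names)))
```

Run it against the output of `apktool d sample.apk` by reading the decoded AndroidManifest.xml into triage_permissions; the grouping is what turns a flat permission list into the "SMS + call log + telephony" picture that justifies the credential_access tag.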

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 07:35

Reported

2024-11-14 07:37

Platform

android-x86-arm-20240624-en

Max time kernel

123s

Max time network

155s

Command Line

ru.cvv.core

Signatures

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

ru.cvv.core

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 cdn6.aptoide.com udp
US 104.22.10.83:443 cdn6.aptoide.com tcp
RU 89.23.102.250:8000 89.23.102.250 tcp
GB 142.250.200.46:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

(The files below are ART/Jetpack ProfileInstaller bookkeeping, not dropped payloads: primary.prof is the runtime's per-user profile for ru.cvv.core, and the two files under /data/data/ru.cvv.core/files/ are written by androidx.profileinstaller. primary.prof appears twice with different hashes because the profile is rewritten during the run.)

/data/misc/profiles/cur/0/ru.cvv.core/primary.prof

MD5 12a36dd4643f1d71a9c0187cb9f1e617
SHA1 8aad72f18bf4b2984fad16b14fd982a0ed6962f1
SHA256 c33a1f1345cb2eb44c57343588b3bcac4eb7db1f3bb2660ac89a18f168d905d9
SHA512 3c428b6bfbc01eea37b51716c87c15b543e81cfa1d9eb61629fefecd4a3e1b3b5088a553ee3374013edf8a41370243cc9ff1a80e8fcdc68edeb1674c886b1400

/data/data/ru.cvv.core/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 11daa852e3c713012fcf3b8ae7cdfc5b
SHA1 d9e64e4450c27f906f1ec84757510cc2f8c85e6b
SHA256 1d1a55658f12651c949fc9cddf93409ae390e085c370c888433dc5b95556b77e
SHA512 03fd813f34c1861bb31706c8a4f6bbd570f8f9459895709d121b5c3262e75b5816fcc673e600bb8da2e24c87066838531bf5385a4ce96f48f4f3bf4ea583347d

/data/data/ru.cvv.core/files/profileInstalled

MD5 2d8b171ecd62734ede15f4d3447e6b64
SHA1 c40f9870ecb5435216b366b479cfdfdbfb03d02a
SHA256 ce27f1879b07a979b21e96fc0af3a51666909b59fde7bbbab66d5c0aa25ff5d1
SHA512 c2a0424aa05a9c0c199203b0d4cc604dbf4f329ca8aea493f2c375456aa70c207d84fce726630d27e547d5208b50cf899eb580048f526e6d2f995ddda1419e89

/data/misc/profiles/cur/0/ru.cvv.core/primary.prof

MD5 556891d26d10f86790061e22be99caed
SHA1 c03f3f6222ade40e7c3190bd774dc48d1a76d67d
SHA256 da0434e58ba566d44ff8f9cb1a3f6b3398b9c1358572f9071a59e384177abd45
SHA512 6fc151bb21ee40b6f4527c311cfa36aee04313840ceee556be12cf1679e759975b7272efb091edd012453e1089f1e1545fae3388c80305cc50c53c6b2462124e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 07:35

Reported

2024-11-14 07:37

Platform

android-x64-20240910-en

Max time kernel

121s

Max time network

152s

Command Line

ru.cvv.core

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

ru.cvv.core

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 cdn6.aptoide.com udp
US 104.22.11.83:443 cdn6.aptoide.com tcp
RU 89.23.102.250:8000 89.23.102.250 tcp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp

Files

/data/misc/profiles/cur/0/ru.cvv.core/primary.prof

MD5 12a36dd4643f1d71a9c0187cb9f1e617
SHA1 8aad72f18bf4b2984fad16b14fd982a0ed6962f1
SHA256 c33a1f1345cb2eb44c57343588b3bcac4eb7db1f3bb2660ac89a18f168d905d9
SHA512 3c428b6bfbc01eea37b51716c87c15b543e81cfa1d9eb61629fefecd4a3e1b3b5088a553ee3374013edf8a41370243cc9ff1a80e8fcdc68edeb1674c886b1400

/data/data/ru.cvv.core/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 4f533fcdb329b2d5ed35eb15d4f2524e
SHA1 f5beaf1cafaa0ad99ea0826bf3aa7fd65127d46d
SHA256 bb1156fca55f20cf241789c6bc4ccd537181831c89eed689fda486fdc22d2dfc
SHA512 ba8b374d3dd19dc5994b93a7643c4b59d98eb8fe081e7ec15a07fa0dbb56849a9378ec5e371d80951ee44352a9f655fcfff55a3d89f8a84919eb11eb80918c04

/data/data/ru.cvv.core/files/profileInstalled

MD5 f0803663c26077f28257c261158d2a0b
SHA1 390d7768ca22e6ea531d4cfca1d5b9c231736bde
SHA256 50fbb7a871e80fb8c2ea1171b45ae8d3d725e787ce6616615a8a5f48c1363b64
SHA512 b24a07496ed0024ac6280867e55fe9fcd1c4e2dc4ed44b520146cec30d35a6a92a06922ad04207d5fed9d9e05c02870d71cb555f38287bdad60b7ea131b19474

/data/misc/profiles/cur/0/ru.cvv.core/primary.prof

MD5 7c2d8304e60e21ab3531dcd24eec9d04
SHA1 6e0d031a460206748ae30a2d4d9379c0db16fd22
SHA256 1fa88bcfea27544f984c6a5b48e582d15b70c0dd66c0afd09934623f5be0f6e2
SHA512 66fdcfe48df15e2985f4a53f946f100c2d0078636ca11fa5632b58aab51ee485c97d41d90ed39277a3ac8ee26fb356d3a55a940db1997d3fd69e5bfeca0de01f

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 07:35

Reported

2024-11-14 07:37

Platform

android-x64-arm64-20240910-en

Max time kernel

121s

Max time network

150s

Command Line

ru.cvv.core

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

ru.cvv.core

Network

Country Destination Domain Proto
GB 142.250.200.46:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 216.58.201.106:443 - tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
GB 216.58.201.110:443 www.youtube.com tcp
US 1.1.1.1:53 cdn6.aptoide.com udp
US 104.22.11.83:443 cdn6.aptoide.com tcp
RU 89.23.102.250:8000 89.23.102.250 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 216.239.36.223:443 - tcp
US 216.239.36.223:443 - tcp
GB 142.250.200.1:443 - tcp
GB 216.58.212.193:443 - tcp
US 216.239.36.223:443 - tcp
US 216.239.36.223:443 - tcp
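The three Network tables (behavioral1, behavioral2, behavioral3) each mix sandbox and platform noise (mDNS, the 1.1.1.1 resolver, Google endpoints, the Aptoide CDN) with one destination that has no DNS name in any run and uses a non-standard port. The following is an added example, not the sandbox's tooling, that correlates the three tables: ROWS is constructed from the page's rows (runs labelled b1/b2/b3 for behavioral1/2/3, a subset sufficient to show the logic), KNOWN_SUFFIXES is the analyst's own allowlist and is an assumption rather than a verdict, and IPs that appear unresolved in one run are back-filled from the name the sandbox recorded for the same IP in another run. The result singles out 89.23.102.250:8000 as the connection to pivot on; it does not establish what that host is.

```python
"""Correlate the Network tables of the three behavioral runs.

Added example for this report, not the sandbox's code. ROWS is CONSTRUCTED
from the page's tables as (run, country, destination, domain, proto); a
destination the sandbox listed without a name has domain=None.
"""
from collections import defaultdict

ROWS = [
    ("b1", "N/A", "224.0.0.251:5353", None, "udp"),
    ("b1", "US", "1.1.1.1:53", "cdn6.aptoide.com", "udp"),
    ("b1", "US", "104.22.10.83:443", "cdn6.aptoide.com", "tcp"),
    ("b1", "RU", "89.23.102.250:8000", "89.23.102.250", "tcp"),
    ("b1", "GB", "142.250.200.46:443", None, "tcp"),
    ("b1", "GB", "142.250.187.206:443", "android.apis.google.com", "tcp"),
    ("b2", "RU", "89.23.102.250:8000", "89.23.102.250", "tcp"),
    ("b2", "GB", "216.58.201.110:443", None, "tcp"),
    ("b2", "GB", "142.250.200.46:443", "android.apis.google.com", "tcp"),
    ("b3", "GB", "216.58.201.110:443", "android.apis.google.com", "tcp"),
    ("b3", "GB", "216.58.201.106:443", None, "tcp"),
    ("b3", "GB", "142.250.187.238:443", "www.youtube.com", "tcp"),
    ("b3", "RU", "89.23.102.250:8000", "89.23.102.250", "tcp"),
    ("b3", "GB", "142.250.187.200:443", "ssl.google-analytics.com", "tcp"),
    ("b3", "US", "216.239.36.223:443", None, "tcp"),
]

# Analyst allowlist (assumption): platform and distribution noise in an Android sandbox.
KNOWN_SUFFIXES = {
    "googleapis.com": "google-platform",
    "google.com": "google-platform",
    "youtube.com": "google-platform",
    "google-analytics.com": "google-platform",
    "aptoide.com": "app-store-cdn",
}
RESOLVERS = {"1.1.1.1:53"}
MDNS = "224.0.0.251:5353"


def split_dest(dest):
    host, _, port = dest.rpartition(":")
    return host, int(port)


def is_literal_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def ip_to_names(rows):
    """ip -> {names} from every row where the sandbox recorded a real name, across all runs."""
    m = defaultdict(set)
    for _, _, dest, domain, _ in rows:
        host, _ = split_dest(dest)
        if domain and not is_literal_ip(domain) and dest not in RESOLVERS:
            m[host].add(domain)
    return m


def classify(rows):
    names = ip_to_names(rows)
    out = []
    for run, country, dest, domain, proto in rows:
        host, port = split_dest(dest)
        note = ""
        if dest == MDNS:
            cat = "local-mdns"
        elif dest in RESOLVERS:
            cat = "dns-query"
        else:
            effective = domain if domain and not is_literal_ip(domain) else None
            if effective is None and names.get(host):
                # Same IP was named in another run: reuse that name.
                effective = sorted(names[host])[0]
                note = "backfilled from another run"
            if effective:
                suffix = next((s for s in KNOWN_SUFFIXES
                               if effective == s or effective.endswith("." + s)), None)
                cat = KNOWN_SUFFIXES[suffix] if suffix else "unknown-domain"
            elif port not in (80, 443):
                cat, note = "review", "direct-to-IP, no DNS name, non-standard port"
            else:
                cat, note = "unresolved-tls", "no name in any run; check SNI/cert in pcap"
        out.append({"run": run, "country": country, "dest": dest,
                    "proto": proto, "category": cat, "note": note})
    return out


def review_candidates(rows):
    """Destinations flagged 'review', with the runs each one appeared in."""
    seen = defaultdict(set)
    for r in classify(rows):
        if r["category"] == "review":
            seen[r["dest"]].add(r["run"])
    return {d: sorted(runs) for d, runs in seen.items()}


if __name__ == "__main__":
    for r in classify(ROWS):
        print("%s %-22s %-15s %s" % (r["run"], r["dest"], r["category"], r["note"]))
    print("pivot on:", review_candidates(ROWS))
```

The back-fill step is the useful part: 142.250.200.46 and 216.58.201.110 each show up without a name in one run but with android.apis.google.com in another, so they drop out of the unresolved pile without any hard-coded IP ranges, leaving only the handful of unnamed TLS endpoints (to be checked against SNI or certificate in the pcap) and the one direct-to-IP port 8000 connection present in all three runs.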

Files

/data/misc/profiles/cur/0/ru.cvv.core/primary.prof

MD5 12a36dd4643f1d71a9c0187cb9f1e617
SHA1 8aad72f18bf4b2984fad16b14fd982a0ed6962f1
SHA256 c33a1f1345cb2eb44c57343588b3bcac4eb7db1f3bb2660ac89a18f168d905d9
SHA512 3c428b6bfbc01eea37b51716c87c15b543e81cfa1d9eb61629fefecd4a3e1b3b5088a553ee3374013edf8a41370243cc9ff1a80e8fcdc68edeb1674c886b1400

/data/data/ru.cvv.core/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3d260a151baaaf1ebb823a0992dd1e6a
SHA1 0467198e140fc163dd16123bc0dc0f07431d0a21
SHA256 50567415920f93f0a38e65b290b169f9da4b131ea075ddd95629bd2eff7b6fc3
SHA512 c3b21bc1fae2d19b3a4b93a5eafc69dad49438ae9b4a81986a9ead675f457ac7691cc9e6c598225fb9ad9f75daacd7c5e0f33c474a35c848624e66f7870f2420