Malware Analysis Report

2024-12-07 19:47

Sample ID 241114-mteqbs1rck
Target Sinergram.apk
SHA256 a946908f67ecd089ee34cc9aa89a9075de754d09e4bd2a82481fa029d8683fdc
Tags
collection credential_access discovery impact persistence
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

a946908f67ecd089ee34cc9aa89a9075de754d09e4bd2a82481fa029d8683fdc

Threat Level: Shows suspicious behavior

The file Sinergram.apk was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery impact persistence

Obtains sensitive information copied to the device clipboard

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 10:45

Signatures

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 10:45

Reported

2024-11-14 10:49

Platform

android-x64-20240624-en

Max time kernel

131s

Max time network

145s

Command Line

com.example.application

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.example.application

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
GB | 142.250.179.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.13:308 | 62.60.158.13 | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.13:308 | 62.60.158.13 | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
GB | 142.250.200.36:443 | - | tcp
GB | 142.250.200.36:443 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.13:308 | 62.60.158.13 | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.13:308 | 62.60.158.13 | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.13:308 | 62.60.158.13 | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 62.60.158.14:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 178.63.215.73:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 62.60.158.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 5.9.230.13:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 178.63.237.127:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.13:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 85.209.154.145:300 | - | tcp
DE | 62.60.158.13:308 | 62.60.158.13 | tcp

Files

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 31f034348980ff7afe3dcb170575e77b
SHA1 04b73895a2b31f1aecdc798a36d803559574b434
SHA256 08e843b7fde86451d66bb0b4d41eb76ae12637f3d37310742e8b1f5c77d6f87a
SHA512 3c265bac21c894c8fff73993575b5b88b1d9e5c98ef37f25714a623fe190525a0bef11b84d85a2d8fca9287be3934d805289f7e8eb29b35c1eb9a07962dafb88

/data/data/com.example.application/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3e003049329c8e62365f78fdf390f653
SHA1 85bc3f8df85b50355dc38848a174c11d2c6f6d8e
SHA256 85b61dbcc0ffc609402e264ecf6cee6deb0521bd1635a2152a9137b870146ee7
SHA512 ffe657f4ed1852d610b1707719f546e7c2cc772ef846121ff461101c31f239cf4cbe42b717f11f8bf8b27ee6e87694d86ee1323734a5a0534cb593e4457d7f45

/data/data/com.example.application/files/profileInstalled

MD5 be13e0526226425b9faa7ab9ae9fd4fe
SHA1 6c9dfb7c12426154c2e1306dd4b90a1803464780
SHA256 a229f9d89d825285a6a794fa8b0d693122ad834b38da743ab2587b05a05a445e
SHA512 135e5e3f0ef26a5e922b821f1fdff02f0a7fc5c1dc861b68f4666fb142da4073038ebf4887033f940f365e727a41d4fda28661a733358ef626ae50bfc0f87198

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 9a7dc923dc350757677be6a4d10d2214
SHA1 e7386843f73ba7e46b823e65e6d54fe5423dafbd
SHA256 8b9b15418e5c94f1d7bc35f478d11772f145ebde4ac7cfcd0219382232f44531
SHA512 6e8847f485f1a7bda5cb8dc434e50524a62b9ec6486500c84237b8faca6f36572a4096b32d6534c207968fe182745d4ac281ef684d2de4d3839c33d343ccbd04

/data/misc/profiles/cur/0/com.example.application/primary.prof

MD5 0bb2cc97a460232a11d425c030b313ec
SHA1 fafa44a1363947e480fef01199d010fec2d877a4
SHA256 2e9db08d5962050f86a16f11601dbdb98ad0589cc2650289aeaa1cd544c8c3de
SHA512 ba4ff868ef6e8a61619f6d6e76b6e2cc629cf7f23640c63ebc3bf444ce7b5b4243d857f9f7fce8f1f6f0e62d8a085a32995df46e5808452a2ec7a2dfc15dbc62