Malware Analysis Report

2025-01-19 05:48

Sample ID 241127-ye7y4stman
Target c6d701287fa8b065989ef6f157b47249866d56ad857f296ccfa2c3745a3fe4a8
SHA256 c6d701287fa8b065989ef6f157b47249866d56ad857f296ccfa2c3745a3fe4a8
Tags
axbanker discovery persistence collection credential_access impact
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6d701287fa8b065989ef6f157b47249866d56ad857f296ccfa2c3745a3fe4a8

Threat Level: Known bad

The file c6d701287fa8b065989ef6f157b47249866d56ad857f296ccfa2c3745a3fe4a8 was found to be: Known bad.

Malicious Activity Summary

axbanker discovery persistence collection credential_access impact

Axbanker family

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 19:43

Signatures

Axbanker family

axbanker

Requests dangerous framework permissions

Description                                     Indicator                       Process  Target
Allows an application to receive SMS messages.  android.permission.RECEIVE_SMS  N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 19:43

Reported

2024-11-27 19:45

Platform

android-x86-arm-20240624-en

Max time kernel

51s

Max time network

133s

Command Line

com.example.shineinterview

Signatures

Queries the mobile country code (MCC)

discovery
Description             Indicator                                                                Process  Target
Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  N/A      N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.example.shineinterview

Network

Country  Destination         Domain                              Proto
N/A      224.0.0.251:5353                                        udp
GB       142.250.200.42:443                                      tcp
US       1.1.1.1:53          semanticlocation-pa.googleapis.com  udp
GB       216.58.204.78:443                                       tcp
US       1.1.1.1:53          android.apis.google.com             udp
GB       216.58.212.238:443  android.apis.google.com             tcp
US       1.1.1.1:53          onlinemeeting.online                udp
IN       89.117.27.152:443   onlinemeeting.online                tcp

Files

/data/misc/profiles/cur/0/com.example.shineinterview/primary.prof

MD5 7c1eb4af3f79e9ffeb273fcb0ed8206f
SHA1 c7227d3c1602954cf9a0b322c67dae9e2c3d86bd
SHA256 37820ff872b0ac9a9a6d44cf6f8bb6ccef7345791ed5ad1e02ec45db1f8b4e9d
SHA512 943a5e08723e2c95723f4fde17c67cb1be21ea03e401cadb8576f451646071407e549b19ac607c8c809ab171db1c139a5f77f7c3494fb2917c26120eeb93543c

/data/data/com.example.shineinterview/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e97e0671a7db4bc0bf73321d8e68bf78
SHA1 6f5177bee0493e4300c4aa6b11c6a85ae93d76a1
SHA256 8b39350abc2ec14ef988573ca0fd6602e701f4b9e66f8ca9dbffbf25285106ab
SHA512 406561ecd9f3e3fe6b2af575287f8a5038e31b0c7a1f8376e61f749469148e9047559b2a29347e2977f9c130d288d01ed4ec82c278ce7c46cf5537c32bcdb239

/data/data/com.example.shineinterview/files/profileInstalled

MD5 0ece11568a23009da88d5168de604656
SHA1 b22efc957de3e60f41b2d98171dbb0ecdf0d8053
SHA256 f62a26b75cbd0ac67828d5069c8403a2eb9deafed15f6b9b5b2ea5d14552a99e
SHA512 f1095a2e93acc231c36f0f76e00b023d2c918a45aea14116f8f8312e64ab122bec70e49da5f797957e77c1ba3aa02f8520980a75da07ab33561507b771b2e3df

/data/misc/profiles/cur/0/com.example.shineinterview/primary.prof

MD5 c06c0a0f3fcd9ebf034a3c4e08bc38fa
SHA1 c27531ba90adbb02a3b605f32167728080490f17
SHA256 05db0dfff52fe003ff12df82b24605731f6a09bdecc6c21264ca120982ca8022
SHA512 24666f027f0f268ca9f116b7b8f501059e91a088090d128a57211c7fc8fa3f63fa37d44c90906d5b9f980a20afc77bb3f0db54ec41338397faccdb303f9d05b3

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 19:43

Reported

2024-11-27 19:44

Platform

android-x64-20240624-en

Max time kernel

46s

Max time network

83s

Command Line

com.example.shineinterview

Signatures

N/A

Processes

com.example.shineinterview

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353                               udp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       172.217.169.40:443   ssl.google-analytics.com  tcp
GB       142.250.179.238:443                            tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.178.14:443   android.apis.google.com   tcp
GB       142.250.179.228:443                            tcp
GB       142.250.179.228:443                            tcp

Files

/data/misc/profiles/cur/0/com.example.shineinterview/primary.prof

MD5 7c1eb4af3f79e9ffeb273fcb0ed8206f
SHA1 c7227d3c1602954cf9a0b322c67dae9e2c3d86bd
SHA256 37820ff872b0ac9a9a6d44cf6f8bb6ccef7345791ed5ad1e02ec45db1f8b4e9d
SHA512 943a5e08723e2c95723f4fde17c67cb1be21ea03e401cadb8576f451646071407e549b19ac607c8c809ab171db1c139a5f77f7c3494fb2917c26120eeb93543c

/data/data/com.example.shineinterview/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 546ac0040e6adce309870abc768a5375
SHA1 7d5a640b0f200d75956abf724e30436477805d8b
SHA256 0db921083b7a7aea6654850493d0bb717d605895a417249904af514f3794e9eb
SHA512 ff9a6125d9705777e4bae2ce571318d3e244cea1b41596022fc2072104ac84daab9d45807c91603b0d268fe0002cdeef1c0c4fa1220faf924dbe662197793035

/data/data/com.example.shineinterview/files/profileInstalled

MD5 477d89a54f5b3aa8d9ebde7ec1b5f05f
SHA1 5bb2d8271087c520175883f6097acc284b1b7d5a
SHA256 9bb60d67f35eee6e9cfcde82ffafe9b499c9a3935dd1a7b2d5e2ced2e8ca9b26
SHA512 9f28b63c4db2b6141550fe22b36e2c40fe956f31041d2eef376a85d5cf1204743aaf03d7cb9ed4332b1c30015f12cfb79dbecd169b48ed61f3aa9d66bfbad2c0

/data/misc/profiles/cur/0/com.example.shineinterview/primary.prof

MD5 8a073709458e35ba0337704b05fe4a9d
SHA1 78dd8bc96ba89a1bc92a09510cf06a90e640fd0b
SHA256 b109527138ce2fc62c08cd2eac8261780a340b3fc151f2a854cc43a875cf0e41
SHA512 37055129017cd91b3eea9f89f54e1dd734010e09836aff1da3b18328db0049a93cc5ff8d79d104d98a9c15a912c8ad57fb502f315340cecdb58cab39e0b231a7

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-27 19:43

Reported

2024-11-27 19:44

Platform

android-x64-arm64-20240624-en

Max time kernel

73s

Max time network

79s

Command Line

com.example.shineinterview

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description             Indicator                                               Process  Target
Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  N/A      N/A

Checks CPU information

Description           Indicator      Process  Target
File opened for read  /proc/cpuinfo  N/A      N/A

Checks memory information

Description           Indicator      Process  Target
File opened for read  /proc/meminfo  N/A      N/A

Processes

com.example.shineinterview

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353                               udp
GB       142.250.180.14:443                             tcp
GB       142.250.180.14:443                             tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       172.217.16.238:443   android.apis.google.com   tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.200.40:443   ssl.google-analytics.com  tcp
US       1.1.1.1:53           onlinemeeting.online      udp
IN       89.117.27.152:443    onlinemeeting.online      tcp
IN       89.117.27.152:443    onlinemeeting.online      tcp
US       1.1.1.1:53           www.recaptcha.net         udp
GB       142.250.178.3:443    www.recaptcha.net         tcp
GB       142.250.178.3:443    www.recaptcha.net         tcp
US       1.1.1.1:53           www.google.com            udp
GB       142.250.178.4:443    www.google.com            tcp
GB       142.250.179.228:443                            tcp
GB       142.250.179.228:443                            tcp

Files

/data/misc/profiles/cur/0/com.example.shineinterview/primary.prof

MD5 7c1eb4af3f79e9ffeb273fcb0ed8206f
SHA1 c7227d3c1602954cf9a0b322c67dae9e2c3d86bd
SHA256 37820ff872b0ac9a9a6d44cf6f8bb6ccef7345791ed5ad1e02ec45db1f8b4e9d
SHA512 943a5e08723e2c95723f4fde17c67cb1be21ea03e401cadb8576f451646071407e549b19ac607c8c809ab171db1c139a5f77f7c3494fb2917c26120eeb93543c

/data/data/com.example.shineinterview/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 d7d0d05cc06d9d95530198ac6c19ca99
SHA1 0886e106bed98aba0cbbf350fd2226af6d29630a
SHA256 f26808283e7561c8e5eea4d047da7c49fe56837300425ad99ce674d6660d0f1c
SHA512 6f0aad40c4edc6e1d1191a1f683c7fb92d8dddc0e6ef39df1f895e63751611699f41c66d993fe3deb7a67d90325714ab04bc0645d3baf7069ac12eb456a95e47

/data/misc/profiles/cur/0/com.example.shineinterview/primary.prof

MD5 c70e98448713900bb76eced944bfe1f8
SHA1 64a2fe92e3a2cef8371f24a05cd2003706001849
SHA256 fa9d456ae8d13b7f43e55d3bf8977bc72b1883355981465b9adcdb02df3cdc1d
SHA512 41d731a997cd5939111e0719bdf8b51747c609fe804668f7d063ba5239132d7a3d6fcadff1ae9a9ea606a85af8ddd8d5536b6ab960865f3904c0f73909428689