Malware Analysis Report

2025-01-19 04:55

Sample ID 241214-rwkrkswral
Target sample5.apk
SHA256 ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5
Tags
pegasus collection discovery infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5

Threat Level: Known bad

The file sample5.apk was found to be: Known bad.

Malicious Activity Summary

pegasus collection discovery infostealer persistence trojan

Pegasus payload

Pegasus

Pegasus family

Reads the content of the call log.

Reads the content of the browser bookmarks.

Reads the contacts stored on the device.

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-14 14:32

Signatures

Pegasus family

pegasus

Pegasus payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to use SIP service. | android.permission.USE_SIP | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-14 14:32

Reported

2024-12-14 14:33

Platform

android-x86-arm-20240624-en

Max time kernel

12s

Max time network

22s

Command Line

com.network.android

Signatures

Pegasus

infostealer trojan pegasus

Pegasus family

pegasus

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Reads the content of the call log.

collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.network.android

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

/data/data/com.network.android/logs/0vlt.dat

MD5 9cc3eb57144c50106927bb105a05ad68
SHA1 f23452d76fd43ac0a4897db89d97f62436274843
SHA256 5d92f1447dd0a4a68f5916a8bfe1e8e2d1e3de06d206dc18d51477c1383d5130
SHA512 0341ca534a9bf1f602e6d6c8b82704efc4427015c0027213fea615ad83774048c51b8b73f94c6da2b030d50199dc983d75e1175cf274a38c89afe3561c7eeae8

/data/data/com.network.android/logs/0vlt.dat

MD5 312efc87a601b198b815e0d09486c7ad
SHA1 434f399a9cc011e41d5cd98157679c03cb197060
SHA256 3eec0309c7eb43244d1d2525a59aca03f08d5918d906f920915f90494eab6b13
SHA512 691443a42eacf542cbfc3f18435c3a176a0e8483a45d168474ac30a2f81f22c6f5f3d8a914189b251bc17928cff96ce8be04cac611dba9d5681a971bb3635f8c

/data/data/com.network.android/logs/0vlt.dat

MD5 523492be36c3831d177a2fb9ac491904
SHA1 e0190f223ba374e300e230813d269bed62ffef3d
SHA256 0c57f0f9ae5964f87c95a517db7a3bdf80cf6625a77287721f5b53d8d8ea2c1b
SHA512 dee422d1f7bffa701ea1ab771a5679cd0426ba1b956bda837532b343e07f7448ad5cd95eaddaee024a7a3f03d1ca7fa4cbf88820760b9e49c5119016c3600525

/data/data/com.network.android/databases/NetworkManagerData.db-journal

MD5 c59c5ca3c825bd9957356a974b4bdccd
SHA1 b789abb976f7947b7235c9d0e2f11c4bf21e3a36
SHA256 ef9238aa06e89462079409e55b142a437fb902806197f11a7824ab45c85594a1
SHA512 54084f961e879696c488e21d7e4547383c0f3b8442afab076435b1f6b743ff5f5cb3b98273e3b23b6e2fd3e414fdc7b1518903383e0ac4deefa99da11c3ec97b

/data/data/com.network.android/databases/NetworkManagerData.db

MD5 b1b07690091ef56446cb1e2105e92d78
SHA1 a7c2ff91432530df5e42131b557029d481f5f44e
SHA256 2cbd6c123ba0396b016401cc9590cf6b7ce23538f57398e34615cdd614bda3cb
SHA512 89f4f33b7cd99eb06c1ee71baba6724ac1297f006789070f4bb1441f0de113ad7685995884f47356f8bcfeb559c4e7d57d2dc2fc4321bda21208a87b1ba0bacb

/data/data/com.network.android/databases/NetworkManagerData.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.network.android/databases/NetworkManagerData.db-wal

MD5 895d2d50648872de5646922ec2c5be37
SHA1 7f4bb42623223c9d5da7a707bb443ecf4a8342d8
SHA256 fceb36a6a4e321f8bcdd9312eb96d5eee7fc1dca0d14c51954cf9351cab41235
SHA512 b09702522c378cb2f1367e3d6a9f88023595ad6d76ef6d77c11ca0760d45d5c0cbb09b0498c77a8dd20146339b52bd866ce3eb1c4ff927ca5cab2452db4e3e32

/data/data/com.network.android/logs/0vlt.dat

MD5 040ebb546066539d5bace40460ff6657
SHA1 5f57417f5037cc5c59983f75431b7444576a1fcf
SHA256 e8543e0aa4676eb625ce5b713085cf56958dbf7e262abbb907e334039edabaeb
SHA512 5c22e29deb7d299e3291364e7c7886645f6d7d3e49e8308d5df746b0d9094bfb993b90a4eea42ecbe004e1045fa172ea6793b0409222eeeeed3719fb5e961420

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-14 14:32

Reported

2024-12-14 14:33

Platform

android-x64-20240624-en

Max time kernel

12s

Max time network

23s

Command Line

com.network.android

Signatures

Pegasus

infostealer trojan pegasus

Pegasus family

pegasus

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Reads the content of the call log.

collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.network.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.network.android/pex.dat

MD5 138d764910cb46a05b83d5af830dcfd4
SHA1 583dafb10cbfa0941821d9fe721b4a28498ae656
SHA256 0aa2c4123b0ccd2e11f3ea6bf425488da6b7db400745fb43e8563aa1d5f95731
SHA512 874b0c9745cb1446ae6e826e7888b08e1e7127b790bf3842093d16499175922a6305c7244c9b42a854cd7685bbe18d879cb057d59ed45bd30fd9dc11748e3584

/data/data/com.network.android/srcsu.dat

MD5 f091e95aa696a326b4b948869fd3df78
SHA1 3e2b4a81bac630973a990ed1e9e0a973158a818a
SHA256 5f1c4d94b3c91704c3955b8954ce543eecb292da4a58b7c61e7592adcffa0f33
SHA512 0b5ed603ca79db5a98e2b4e24d98eecedc7bcdc660efb37241f9c3e40a68e9fab5caac53a1a4e3fb6cfd99ac40c0ab8acf63d4e5ff96c7ab03aebec4f87b35f0

/data/data/com.network.android/logs/0vlt.dat

MD5 d0e55d2a8b279b457ffbca111ed8f203
SHA1 4a8e8bea348cdc69b73c554639bc3be4423b2761
SHA256 632d3835a10d98313b545ed4578e5a2a1f2afcd82b6b6d90c125b7ee575a7cef
SHA512 6f490a482826cb2ee209181242efe2b87a3a38fefff761e81dcc75ea49f132114eeaf8f799affbb483bf1d898baaa4521ace9aff7bf13a1371a1d4623c03b713

/data/data/com.network.android/logs/0vlt.dat

MD5 312efc87a601b198b815e0d09486c7ad
SHA1 434f399a9cc011e41d5cd98157679c03cb197060
SHA256 3eec0309c7eb43244d1d2525a59aca03f08d5918d906f920915f90494eab6b13
SHA512 691443a42eacf542cbfc3f18435c3a176a0e8483a45d168474ac30a2f81f22c6f5f3d8a914189b251bc17928cff96ce8be04cac611dba9d5681a971bb3635f8c

/data/data/com.network.android/logs/0vlt.dat

MD5 523492be36c3831d177a2fb9ac491904
SHA1 e0190f223ba374e300e230813d269bed62ffef3d
SHA256 0c57f0f9ae5964f87c95a517db7a3bdf80cf6625a77287721f5b53d8d8ea2c1b
SHA512 dee422d1f7bffa701ea1ab771a5679cd0426ba1b956bda837532b343e07f7448ad5cd95eaddaee024a7a3f03d1ca7fa4cbf88820760b9e49c5119016c3600525

/data/data/com.network.android/databases/NetworkManagerData.db-journal

MD5 842e1883dd96f45c1bf4c24ae0ba9d55
SHA1 bf16b459112beedba3bd06f7167d73188e93aa11
SHA256 949b3eb36a5031d782096cdab6a5fab3581586da960382b290845bfacc5e670e
SHA512 0bce176d7540b92dd4ed796043c0ed07e411852df9010b25c87318f7578d43d4a46926e56de7959c7eb5427577484f5af5540f90aa0d635dbf55ba9cebd13055

/data/data/com.network.android/databases/NetworkManagerData.db

MD5 2839279a9a853a40909c1dca03d2337f
SHA1 03baa059604d878e22917202fd90fb5f7de635ce
SHA256 97c1943ed1e984e7af5d8c490197075b8e43af11568663abee7c61f4e2caf0d8
SHA512 bc63d7854eee474c97373a207031f7358bcb8330dcbab015cf2515e21728c0d0737fd3e452e3d4c4be2c52ff00a86a472592c540e374d3293141c425b276de56

/data/data/com.network.android/databases/NetworkManagerData.db-journal

MD5 47a0625c14dc10e34d98a400a3c6a23d
SHA1 26c8e311881891a383f63be45c7388918d16e358
SHA256 5d02f4a697d2f06999f275885e6d99eb5f0f316b24fadb7c0dbb4fc1d2c588d1
SHA512 b85daad99bc428c9ec919d8571525ead6cb6f42b60c5aaceb9fad22cb8109f796a68eb17dba29b8d4188be3c8879ff12687291239de063309fc99a2aed1bb888

/data/data/com.network.android/databases/NetworkManagerData.db-journal

MD5 60e5e7a1000910c83ebbfbe3ed359761
SHA1 490a601ddb548c2fdc10768916faeeb14c826d5c
SHA256 bd5da118eb03e46fe7056b054f481822ead69597542bde95428de21fd77521a2
SHA512 296cc04770360613cd0ff3f4fea1c800834b179ff2f8e12236e5d00589e562b6ea0bb1320f72548cb2d94ec64d0ab6534003b5ec342c0a082449d536d53f1a53

/data/data/com.network.android/logs/0vlt.dat

MD5 696e5a00f4f7b3777774a4721f472135
SHA1 e762bac361916307ea1a31b58eab2d8b716b0d61
SHA256 3fa9a77e64feffb58e21ead43cbb363583f49eb589d8cd432c5d9f0902a26af9
SHA512 1abea733d11b657fab85d04e5e681fd44b0a8a4d3d13e818ca57b952431aaa3f28862aaba243400f6ecbb4cc17ece1b33461d125733aae318b14c32f5127bb79

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-14 14:32

Reported

2024-12-14 14:33

Platform

android-x64-arm64-20240624-en

Max time kernel

13s

Max time network

20s

Command Line

com.network.android

Signatures

Pegasus

infostealer trojan pegasus

Pegasus family

pegasus

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the browser bookmarks.

collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Reads the content of the call log.

collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.network.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp

Files

/data/user/0/com.network.android/pex.dat

MD5 138d764910cb46a05b83d5af830dcfd4
SHA1 583dafb10cbfa0941821d9fe721b4a28498ae656
SHA256 0aa2c4123b0ccd2e11f3ea6bf425488da6b7db400745fb43e8563aa1d5f95731
SHA512 874b0c9745cb1446ae6e826e7888b08e1e7127b790bf3842093d16499175922a6305c7244c9b42a854cd7685bbe18d879cb057d59ed45bd30fd9dc11748e3584

/data/user/0/com.network.android/srcsu.dat

MD5 f091e95aa696a326b4b948869fd3df78
SHA1 3e2b4a81bac630973a990ed1e9e0a973158a818a
SHA256 5f1c4d94b3c91704c3955b8954ce543eecb292da4a58b7c61e7592adcffa0f33
SHA512 0b5ed603ca79db5a98e2b4e24d98eecedc7bcdc660efb37241f9c3e40a68e9fab5caac53a1a4e3fb6cfd99ac40c0ab8acf63d4e5ff96c7ab03aebec4f87b35f0

/data/data/com.network.android/logs/0vlt.dat

MD5 7afdc5caa0446f28d95a135822697b72
SHA1 0715a4340f430f350436e60aabd41f8529b375f1
SHA256 a53ce9b8fb5aec6fe423e4d37eb2eaac64898b7f6fb8c51757169da50571fb93
SHA512 0791cf8564b55eda371c6fae257a0c11931777cc27f0ba78ebdc90b189119099dc126e2cb6db545585633b88ee1389cc24f83485077fcc9fbaca942f7586f146

/data/data/com.network.android/logs/0vlt.dat

MD5 040ebb546066539d5bace40460ff6657
SHA1 5f57417f5037cc5c59983f75431b7444576a1fcf
SHA256 e8543e0aa4676eb625ce5b713085cf56958dbf7e262abbb907e334039edabaeb
SHA512 5c22e29deb7d299e3291364e7c7886645f6d7d3e49e8308d5df746b0d9094bfb993b90a4eea42ecbe004e1045fa172ea6793b0409222eeeeed3719fb5e961420

/data/data/com.network.android/logs/0vlt.dat

MD5 83b46a9003595c290070a35321254b20
SHA1 af83a64c55cbe5b684a3e98e4224e229e072a07c
SHA256 86c8335ec5b9c23b145101aafee5f961271fa70541451aa1a757c5b2ad7c591c
SHA512 1a74d54fb9f39f7dfb72dd0dcc57985328bcdb30f78f576bd5d025b301b968f0a3162541f88768fe453391d20285b960113a59d76fdb2db7cd9c9cb206474195

/data/data/com.network.android/logs/0vlt.dat

MD5 31a5dee5e000b7897f8a398c6e2174b9
SHA1 74369488239322f68791b625f3e697e53e4e5f8c
SHA256 e4c5389246c6934dd7c313e80926802b62620b08db7b1393630a2f0005105743
SHA512 147d48d2435aec97ace975ac2e8eddafd2c3262ec9e54272d5a69b6918d43fcf2e4fa8a945b7225818d8afb1e30f1082f5dd8b25c46b2e46f64f5ead4a319930

/data/user/0/com.network.android/databases/NetworkManagerData.db-journal

MD5 9d8e5cde196edfd36de1dd641efdc8ec
SHA1 c9f61b6b65fd591981f5c04bbe06af4886a5e2cc
SHA256 3cc2b8f3da663e01518ca4585bb2069006aa89eb79f40d9321c0ac32e6770c6e
SHA512 cf7372fa7145e7851b2062c82b70fb46946361737d7106c263a87aa05d25fc57088d55c4198a18a4dfaf092dca40796d851e5aad35c53f64e3784269f8486d26

/data/user/0/com.network.android/databases/NetworkManagerData.db

MD5 f64a816e653835b07054fb6ff9c91524
SHA1 8a78b568a09bfa940d8d4c1d889c92dd962047ac
SHA256 f942e329bb4d8e844e2ee2cee3fa71212fbf26c1016a5dec8eaf529716d0479a
SHA512 32195c3faf677215d7e9a9c1809585c93b981edea59c111d41110df1a10913edce7b11d2ca12c83b01cc0fd57ce4667ad9f101fbff4273de4a020919e718dd10

/data/user/0/com.network.android/databases/NetworkManagerData.db-journal

MD5 1ac9ec8476ab1c2f124500e4ca185bf0
SHA1 f8600d76a5df3ec53c2113f7f24c352046268dab
SHA256 ba6e14cfe94b94639ac6adbee8720ac4e27f14536ac057272c9ce91507a7b72e
SHA512 fed474ab1d82cd0f696017e629305b2598634449234b2564dbad52a767a7245d9602f3defb3d5f445a975b39e3c97002736b270bc03b3db50c60d67b796e18d4

/data/user/0/com.network.android/databases/NetworkManagerData.db-journal

MD5 217799137ef8ee03371f3ee50d59f492
SHA1 b51d7f64f48b4a644345ec7709f7d854dc407194
SHA256 009a8264f245456bdbbd2ddc197be33a1511e7a7da24da6cb5dc8154c80aea5b
SHA512 c5068c8f2828490793533165725a7f8229f9a87a327fc0f50c0496714d050b065fdecca34541936dca1ed9c886c5a435313fd0784abcedbc89c05d07309828da

/data/data/com.network.android/logs/0vlt.dat

MD5 b97bd2ad01697ad90da4c9fc1de10b5c
SHA1 8fea5806326c6353b7d5407ea78474b55141b48c
SHA256 58c5bd6566fe9bb553225d1e21a8e79d03cbbf611eb7c0de2568905929cf2ccf
SHA512 89b098ff11edc0db99cca5d6288777c089687f9fd96d92e0a6c4392be1161ebd698a2eeb914044ad26e87792f536eefae92504ee38171b270dd8722fe5565dc9