Malware Analysis Report

2025-01-19 07:46

Sample ID 241217-13apma1lfr
Target c0db49cee9c7ff64d7691573404bb46977468b397b1757b310a643112c974df7.bin
SHA256 c0db49cee9c7ff64d7691573404bb46977468b397b1757b310a643112c974df7
Tags
soumnibot banker evasion impact infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c0db49cee9c7ff64d7691573404bb46977468b397b1757b310a643112c974df7

Threat Level: Known bad

The file c0db49cee9c7ff64d7691573404bb46977468b397b1757b310a643112c974df7.bin was found to be: Known bad.

Malicious Activity Summary

soumnibot banker evasion impact infostealer trojan

Android SoumniBot payload

SoumniBot

Soumnibot family

Loads dropped Dex/Jar

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-17 22:09

Signatures

Requests dangerous framework permissions

Indicator and description (Process and Target are N/A for every row):

android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.MANAGE_EXTERNAL_STORAGE: Allows an application broad access to external storage in scoped storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.READ_CALENDAR: Allows an application to read the user's calendar data.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.READ_PHONE_NUMBERS: Allows read access to the device's phone number(s).

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-17 22:09

Reported

2024-12-17 22:12

Platform

android-33-x64-arm64-20240624-en

Max time kernel

149s

Max time network

134s

Command Line

com.wound.jams

Signatures

Android SoumniBot payload

Description, Indicator, Process, Target: N/A

SoumniBot

trojan infostealer banker soumnibot

Soumnibot family

soumnibot

Loads dropped Dex/Jar

evasion
Indicator: /data/user/0/com.wound.jams/cache/j8ps1 (Description, Process, Target: N/A)

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (Process, Target: N/A)

Uses Crypto APIs (Might try to encrypt user data)

impact
Framework API call: javax.crypto.Cipher.doFinal (Process, Target: N/A)

Processes

com.wound.jams

Network


Files

/data/data/com.wound.jams/cache/j8ps1


/data/data/com.wound.jams/no_backup/androidx.work.workdb-journal


/data/data/com.wound.jams/no_backup/androidx.work.workdb


/data/data/com.wound.jams/no_backup/androidx.work.workdb-shm


/data/data/com.wound.jams/no_backup/androidx.work.workdb-wal


/data/data/com.wound.jams/no_backup/androidx.work.workdb-wal


/data/misc/profiles/cur/0/com.wound.jams/primary.prof


/data/data/com.wound.jams/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat


/data/data/com.wound.jams/files/profileInstalled
