Analysis Overview
SHA256
c0db49cee9c7ff64d7691573404bb46977468b397b1757b310a643112c974df7
Threat Level: Known bad
The file c0db49cee9c7ff64d7691573404bb46977468b397b1757b310a643112c974df7.bin was found to be: Known bad.
Malicious Activity Summary
Android SoumniBot payload
SoumniBot
Soumnibot family
Loads dropped Dex/Jar
Requests dangerous framework permissions
Requests disabling of battery optimizations (often used to enable hiding in the background).
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-17 22:09
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an application a broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-17 22:09
Reported
2024-12-17 22:12
Platform
android-33-x64-arm64-20240624-en
Max time kernel
149s
Max time network
134s
Command Line
Signatures
Android SoumniBot payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
SoumniBot
Soumnibot family
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.wound.jams/cache/j8ps1 | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.wound.jams
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.187.228:443 | | udp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.228:443 | | udp |
| GB | 142.250.187.228:443 | | udp |
| GB | 142.250.187.228:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp |
| US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 142.250.180.10:443 | remoteprovisioning.googleapis.com | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 216.58.204.67:443 | | tcp |
Files
/data/data/com.wound.jams/cache/j8ps1
| Hash | Value |
|---|---|
| MD5 | d958e6ba717b19d4948b4f977828ebf0 |
| SHA1 | 271e17ce7e35513cbc11ec100e1423212b53c85c |
| SHA256 | a09dc7dbdc65695709103eb0009f7e955a7918177201ba5bde780413ea11e078 |
| SHA512 | 17c8fdb1c1058422b62df196d3745d5fb9053e9f6c336da415ca55c0b71aabd4c4b07183576901e7399833d1003e67c82100fd3a732f06b7f212701f5f317a80 |
/data/data/com.wound.jams/no_backup/androidx.work.workdb-journal
| Hash | Value |
|---|---|
| MD5 | 15decc2f321149733a815ac44aee6935 |
| SHA1 | 11e27c9eeff526cac11a16cfb8ed27abca73528a |
| SHA256 | 773a0e49fb6b5b58fe0ba9b4c438efc2e0ba167551d78bdb3b0e5381bab64c3e |
| SHA512 | 7a90b530c6480d502c49667bd74c819ae737f91f80281c34dd8dec0d3fa2b0f11b6af0f7b9bde715269029f03a0eb280cfae38d806264fb89516c19953c5373a |
/data/data/com.wound.jams/no_backup/androidx.work.workdb
| Hash | Value |
|---|---|
| MD5 | 0eb157e1a86d4d00aa601dd2f6ff3ee3 |
| SHA1 | fee434f784e73cc7916322e949f727caf8363102 |
| SHA256 | b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4 |
| SHA512 | b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8 |
/data/data/com.wound.jams/no_backup/androidx.work.workdb-shm
| Hash | Value |
|---|---|
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/com.wound.jams/no_backup/androidx.work.workdb-wal
| Hash | Value |
|---|---|
| MD5 | 73096504eeaa7854209c2808f5901640 |
| SHA1 | 639e2d781ae1f33e4556d038dbc7af6e60808568 |
| SHA256 | 34b1a06d7e2f1fe198196e944051192ee1cbe4ad0188a91cfaefa0a546aae218 |
| SHA512 | 8ffe6230ec00f66589bc9b13a2d3d5e47bc155553bc5d6519aac5c16ad7734cd9106269c26f71dc965caff5f7cdcf62589171ccf48fa9b1d664251014713ed80 |
/data/data/com.wound.jams/no_backup/androidx.work.workdb-wal
| Hash | Value |
|---|---|
| MD5 | ea6958b3fbe451c13258f165142339b4 |
| SHA1 | 1ea31cbafa04777895df1a15d07b8391e18b9ed1 |
| SHA256 | 542aa65d3c8d30ba76ec0d0996b16ecf4d2f29664207adc6acae75e5d50064e9 |
| SHA512 | 0bf2cc2367998a0f52455b7f12bb24cf5e6080a12379f97534cd7ab8f47135af87a79ba347e5c1e94fd09bf421d398402245186597181049864da7b00e03b022 |
/data/misc/profiles/cur/0/com.wound.jams/primary.prof
| Hash | Value |
|---|---|
| MD5 | 2c8b5a464a0c52d635f34101e7f3e62c |
| SHA1 | e541e1d0665bf3a06dfe4d003c2bfd383ea9974b |
| SHA256 | a78f975c521c3c26ac34140a4a4cfda4c534e1cc026ce590fa1099e93ef6be37 |
| SHA512 | 4efea5fdc8d20335bae7e05e652168cd64100b6b2d0b04acac06a0553431439241e3e0ce30f4d38c57a17208e9e00bd6a10dcd51378c2470918ff8fb74905287 |
/data/data/com.wound.jams/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| Hash | Value |
|---|---|
| MD5 | 6115f8b06de8b1d635a02004d5f3deda |
| SHA1 | 86c6c960e6ce393064a76b22ced40fa213a6d39f |
| SHA256 | 6ba3b8d36d68a54e4def13a5c1001f5e1209f4cbdc9ad8fd51f42d9115e07915 |
| SHA512 | 0b9a8a90b60bd18d894cedfcc4b0b5ca8570549d220ff7f7219c64a8a25100bc1b6cc2314d941c8b4d745b147820eb812322dbf8231947795bae0b6ff8af2f62 |
/data/data/com.wound.jams/files/profileInstalled
| Hash | Value |
|---|---|
| MD5 | 0ffdfddaab607b9424b357f577cdcf12 |
| SHA1 | 58560d72021d6e3094cbd770fb96ca325e7e6a94 |
| SHA256 | 5099fdd9dcb29e7f5c7c5f1d5e97c8c0f0fa905f1fc01275b620f789ba6aea1f |
| SHA512 | 421a6af3f5630b34cb19140e55ccd3966257bde37ec866c13076c62c29965e10c45e84dfe8f9f17dc43c3e2c758a23b1d4399440f8b1e28c047d4bcfd518fadb |