Malware Analysis Report

2025-01-19 04:56

Sample ID: 241217-wts3dsvmcr
Target: ADE8BEF0AC29FA363FC9AFD958AF0074478AEF650ADEB0318517B48BD996D5D5.apk
SHA256: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5
Tags: pegasus collection discovery infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5

Threat Level: Known bad

The file ADE8BEF0AC29FA363FC9AFD958AF0074478AEF650ADEB0318517B48BD996D5D5.apk was found to be: Known bad.

Malicious Activity Summary

Tags: pegasus collection discovery infostealer persistence trojan

Pegasus

Pegasus family

Pegasus payload

Reads the contacts stored on the device.

Reads the content of the call log.

Reads the content of the browser bookmarks.

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-12-17 18:13

Signatures

Pegasus family
Tags: pegasus

Pegasus payload
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to monitor incoming MMS messages. | android.permission.RECEIVE_MMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to receive WAP push messages. | android.permission.RECEIVE_WAP_PUSH | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to use SIP service. | android.permission.USE_SIP | N/A | N/A
Allows an application to write the user's calendar data. | android.permission.WRITE_CALENDAR | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-17 18:13
Reported: 2024-12-17 18:18
Platform: android-x86-arm-20240624-en
Max time kernel: 90s
Max time network: 133s

Command Line

com.network.android

Signatures

Pegasus
Tags: infostealer trojan pegasus

Pegasus family
Tags: pegasus

Reads the contacts stored on the device.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the browser bookmarks.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Reads the content of the call log.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Queries information about active data network
Tactic: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactic: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.network.android

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/databases/NetworkManagerData.db-journal
/data/data/com.network.android/databases/NetworkManagerData.db
/data/data/com.network.android/databases/NetworkManagerData.db-shm
/data/data/com.network.android/databases/NetworkManagerData.db-wal
/data/data/com.network.android/logs/0vlt.dat

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-17 18:13
Reported: 2024-12-17 18:16
Platform: android-x64-20240910-en
Max time kernel: 143s
Max time network: 150s

Command Line

com.network.android

Signatures

Pegasus
Tags: infostealer trojan pegasus

Pegasus family
Tags: pegasus

Reads the contacts stored on the device.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the browser bookmarks.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Reads the content of the call log.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Queries information about active data network
Tactic: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tactic: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.network.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.network.android/pex.dat
/data/data/com.network.android/srcsu.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/databases/NetworkManagerData.db-journal
/data/data/com.network.android/databases/NetworkManagerData.db
/data/data/com.network.android/databases/NetworkManagerData.db-journal
/data/data/com.network.android/databases/NetworkManagerData.db-journal
/data/data/com.network.android/logs/0vlt.dat

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-17 18:13
Reported: 2024-12-17 18:17
Platform: android-x64-arm64-20240910-en
Max time kernel: 103s
Max time network: 160s

Command Line

com.network.android

Signatures

Pegasus
Tags: infostealer trojan pegasus

Pegasus family
Tags: pegasus

Reads the contacts stored on the device.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/contacts | N/A | N/A

Reads the content of the browser bookmarks.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://browser/bookmarks | N/A | N/A

Reads the content of the call log.
Tactic: collection
Description | Indicator | Process | Target
URI accessed for read | content://call_log/calls | N/A | N/A

Queries information about active data network
Tactic: discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.network.android

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 172.217.169.78:443 | www.youtube.com | udp
GB | 172.217.16.238:443 | www.youtube.com | tcp
GB | 172.217.169.78:443 | www.youtube.com | tcp
US | 216.239.38.223:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | www.youtube.com | tcp
GB | 216.58.212.193:443 | | tcp
GB | 142.250.187.225:443 | | tcp
US | 216.239.38.223:443 | | tcp

Files

/data/user/0/com.network.android/pex.dat
/data/user/0/com.network.android/srcsu.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/logs/0vlt.dat
/data/data/com.network.android/logs/0vlt.dat
/data/user/0/com.network.android/databases/NetworkManagerData.db-journal
/data/user/0/com.network.android/databases/NetworkManagerData.db
/data/user/0/com.network.android/databases/NetworkManagerData.db-journal
/data/user/0/com.network.android/databases/NetworkManagerData.db-journal
/data/data/com.network.android/logs/0vlt.dat