Malware Analysis Report

2025-01-19 04:56

Sample ID 241217-xmq5wswkfr
Target ADE8BEF0AC29FA363FC9AFD958AF0074478AEF650ADEB0318517B48BD996D5D5.apk
SHA256 ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5
Tags
pegasus collection discovery infostealer persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5

Threat Level: Known bad

The file ADE8BEF0AC29FA363FC9AFD958AF0074478AEF650ADEB0318517B48BD996D5D5.apk was found to be: Known bad.

Malicious Activity Summary

pegasus collection discovery infostealer persistence trojan

Pegasus payload

Pegasus family

Pegasus

Reads the contacts stored on the device.

Reads the content of the browser bookmarks.

Reads the content of the call log.

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-17 18:58

Signatures

Pegasus family

pegasus

Pegasus payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to monitor incoming MMS messages. android.permission.RECEIVE_MMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to use SIP service. android.permission.USE_SIP N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-17 18:58

Reported

2024-12-17 19:01

Platform

android-x64-20240624-en

Max time kernel

114s

Max time network

155s

Command Line

com.network.android

Signatures

Pegasus

infostealer trojan pegasus

Pegasus family

pegasus

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of the browser bookmarks.

collection
Description Indicator Process Target
URI accessed for read content://browser/bookmarks N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.network.android

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 172.217.16.238:443 tcp
GB 142.250.179.226:443 tcp

Files

/data/data/com.network.android/pex.dat

/data/data/com.network.android/srcsu.dat

/data/data/com.network.android/logs/0vlt.dat

/data/data/com.network.android/databases/NetworkManagerData.db-journal

/data/data/com.network.android/databases/NetworkManagerData.db

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-17 18:58

Reported

2024-12-17 19:01

Platform

android-x64-arm64-20240910-en

Max time kernel

108s

Max time network

157s

Command Line

com.network.android

Signatures

Pegasus

infostealer trojan pegasus

Pegasus family

pegasus

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of the browser bookmarks.

collection
Description Indicator Process Target
URI accessed for read content://browser/bookmarks N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.network.android

Network

Country Destination Domain Proto
US 216.239.38.223:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.212.238:443 www.youtube.com udp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.200.33:443 tcp
US 216.239.38.223:443 tcp
GB 216.58.204.65:443 tcp
US 216.239.38.223:443 tcp

Files

/data/user/0/com.network.android/pex.dat

/data/user/0/com.network.android/srcsu.dat

/data/data/com.network.android/logs/0vlt.dat

/data/user/0/com.network.android/databases/NetworkManagerData.db-journal

/data/user/0/com.network.android/databases/NetworkManagerData.db

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-17 18:58

Reported

2024-12-17 19:01

Platform

android-x86-arm-20240624-en

Max time kernel

113s

Max time network

137s

Command Line

com.network.android

Signatures

Pegasus

infostealer trojan pegasus

Pegasus family

pegasus

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/contacts N/A N/A

Reads the content of the browser bookmarks.

collection
Description Indicator Process Target
URI accessed for read content://browser/bookmarks N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.network.android

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp

Files

/data/data/com.network.android/logs/0vlt.dat

/data/data/com.network.android/databases/NetworkManagerData.db-journal

/data/data/com.network.android/databases/NetworkManagerData.db

/data/data/com.network.android/databases/NetworkManagerData.db-shm

/data/data/com.network.android/databases/NetworkManagerData.db-wal