Malware Analysis Report

2025-01-19 04:56

Sample ID 241218-nylj4syncm
Target ADE8BEF0AC29FA363FC9AFD958AF0074478AEF650ADEB0318517B48BD996D5D5.apk
SHA256 ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5
Tags: pegasus, collection, discovery, infostealer, persistence, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5

Threat Level: Known bad

The file ADE8BEF0AC29FA363FC9AFD958AF0074478AEF650ADEB0318517B48BD996D5D5.apk was found to be: Known bad.

Malicious Activity Summary

Tags: pegasus, collection, discovery, infostealer, persistence, trojan

Pegasus family

Pegasus

Pegasus payload

Reads the content of the call log.

Reads the contacts stored on the device.

Reads the content of the browser bookmarks.

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported: 2024-12-18 11:48

Signatures

Pegasus family
Tags: pegasus

Pegasus payload

Requests dangerous framework permissions

Permissions requested in the manifest (indicator: description):

android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.PROCESS_OUTGOING_CALLS: Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
android.permission.READ_CALENDAR: Allows an application to read the user's calendar data.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_MMS: Allows an application to monitor incoming MMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.RECEIVE_WAP_PUSH: Allows an application to receive WAP push messages.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.USE_SIP: Allows an application to use SIP service.
android.permission.WRITE_CALENDAR: Allows an application to write the user's calendar data.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-18 11:48
Reported: 2024-12-18 13:44
Platform: android-x86-arm-20240910-en
Max time kernel: 175s
Max time network: 1776s

Command Line

com.network.android

Signatures

Pegasus
Tags: infostealer, trojan, pegasus

Pegasus family
Tags: pegasus

Reads the contacts stored on the device.

Tactic: collection
URI accessed for read: content://com.android.contacts/contacts

Reads the content of the browser bookmarks.

Tactic: collection
URI accessed for read: content://browser/bookmarks

Reads the content of the call log.

Tactic: collection
URI accessed for read: content://call_log/calls

Queries information about active data network

Tactic: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Processes

com.network.android

Network

Files

/data/data/com.network.android/logs/0vlt.dat

/data/data/com.network.android/databases/NetworkManagerData.db-journal

/data/data/com.network.android/databases/NetworkManagerData.db

/data/data/com.network.android/databases/NetworkManagerData.db-shm

/data/data/com.network.android/databases/NetworkManagerData.db-wal

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-18 11:48
Reported: 2024-12-18 13:44
Platform: android-x64-20240910-en
Max time kernel: 175s
Max time network: 1654s

Command Line

com.network.android

Signatures

Pegasus
Tags: infostealer, trojan, pegasus

Pegasus family
Tags: pegasus

Reads the contacts stored on the device.

Tactic: collection
URI accessed for read: content://com.android.contacts/contacts

Reads the content of the browser bookmarks.

Tactic: collection
URI accessed for read: content://browser/bookmarks

Reads the content of the call log.

Tactic: collection
URI accessed for read: content://call_log/calls

Queries information about active data network

Tactic: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Registers a broadcast receiver at runtime (usually for listening for system events)

Tactic: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Processes

com.network.android

Network

Files

/data/data/com.network.android/pex.dat

/data/data/com.network.android/srcsu.dat

/data/data/com.network.android/logs/0vlt.dat

/data/data/com.network.android/databases/NetworkManagerData.db-journal

/data/data/com.network.android/databases/NetworkManagerData.db

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-18 11:48
Reported: 2024-12-18 13:44
Platform: android-x64-arm64-20240910-en
Max time kernel: 176s
Max time network: 1767s

Command Line

com.network.android

Signatures

Pegasus
Tags: infostealer, trojan, pegasus

Pegasus family
Tags: pegasus

Reads the contacts stored on the device.

Tactic: collection
URI accessed for read: content://com.android.contacts/contacts

Reads the content of the browser bookmarks.

Tactic: collection
URI accessed for read: content://browser/bookmarks

Reads the content of the call log.

Tactic: collection
URI accessed for read: content://call_log/calls

Queries information about active data network

Tactic: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Processes

com.network.android

Network

Files

/data/user/0/com.network.android/pex.dat

/data/user/0/com.network.android/srcsu.dat

/data/data/com.network.android/logs/0vlt.dat

/data/user/0/com.network.android/databases/NetworkManagerData.db-journal

/data/user/0/com.network.android/databases/NetworkManagerData.db
