Malware Analysis Report

2025-01-19 07:46

Sample ID 241222-1zy8ta1khm
Target 659769a2334d0f9aea8cae732b9f9dd2834ede265a3a042d67deac1a8e75c51e.bin
SHA256 659769a2334d0f9aea8cae732b9f9dd2834ede265a3a042d67deac1a8e75c51e
Tags
soumnibot banker discovery evasion infostealer trojan persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

659769a2334d0f9aea8cae732b9f9dd2834ede265a3a042d67deac1a8e75c51e

Threat Level: Known bad

The file 659769a2334d0f9aea8cae732b9f9dd2834ede265a3a042d67deac1a8e75c51e.bin was found to be: Known bad.

Malicious Activity Summary

soumnibot banker discovery evasion infostealer trojan persistence

Soumnibot family

Android SoumniBot payload

SoumniBot

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries information about active data network

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-22 22:05

Signatures

Android SoumniBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Soumnibot family

soumnibot

Declares services with permission to bind to the system

Description | Indicator | Process | Target
A service that requires this permission is an AccessibilityService: only the system can bind to it, and once the user enables it, it can observe and act on other apps' UI (the hook bankers use for overlays and credential capture). | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
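As an added worked example (not part of the sandbox output), the following Python script applies the same static checks to a decoded AndroidManifest.xml: it collects the uses-permission entries, flags the dangerous ones, looks for a service that requires BIND_ACCESSIBILITY_SERVICE, and rolls those into a banker-style verdict. The embedded manifest is constructed to mirror the permissions reported for this sample; the service class name A11yService and the capability buckets are assumptions, and in practice the decoded manifest would come from apktool or androguard rather than from this script.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime ("dangerous") permissions that matter for banker/infostealer triage.
# SYSTEM_ALERT_WINDOW is technically an app-op, but overlay abuse is the point.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.GET_ACCOUNTS",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capability buckets used for the verdict (assumed grouping): a banker needs
# SMS (intercept OTPs), overlay (fake login screens) and accessibility
# (drive the victim's UI) together; the rest is supporting data theft.
BUCKETS = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.WRITE_CONTACTS"},
    "telephony": {"android.permission.CALL_PHONE",
                  "android.permission.READ_PHONE_STATE"},
}


def triage_manifest(xml_text: str) -> dict:
    """Return permission/service findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A_NAME) for e in root.iter("uses-permission")} - {None}

    # A service that *requires* BIND_ACCESSIBILITY_SERVICE is an
    # AccessibilityService: only the system may bind to it, and once enabled
    # it can observe and act on every other app's UI.
    a11y_services = sorted(
        svc.get(A_NAME) for svc in root.iter("service")
        if svc.get(A_PERMISSION) == BIND_A11Y
    )

    capabilities = {name for name, perms in BUCKETS.items() if requested & perms}
    if a11y_services:
        capabilities.add("accessibility")

    return {
        "package": root.get("package"),
        "dangerous_permissions": sorted(requested & DANGEROUS),
        "accessibility_services": a11y_services,
        "capabilities": sorted(capabilities),
        "banker_like": {"sms", "overlay", "accessibility"} <= capabilities,
    }


# Constructed manifest mirroring the permissions reported for this sample.
# The package name is the one the sandbox recorded; the service class name
# is an assumption.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="bai.shan.shui">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="app">
    <service android:name="bai.shan.shui.A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The verdict deliberately requires the accessibility service and not just the permission list: plenty of legitimate apps request SMS or overlay permissions, but an app that combines them with its own AccessibilityService is the shape of every Android banker this report's signatures describe.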

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-22 22:05

Reported

2024-12-22 22:08

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

159s

Command Line

bai.shan.shui

Signatures

Android SoumniBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SoumniBot

trojan infostealer banker soumnibot

Soumnibot family

soumnibot

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/bai.shan.shui/[email protected] | N/A | N/A
N/A | /data/user/0/bai.shan.shui/[email protected] | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

bai.shan.shui

Network

Country | Destination | Domain | Proto
US | 216.239.36.223:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
GB | 172.217.169.14:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.212.238:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.225:443 | - | tcp
GB | 142.250.179.225:443 | - | tcp
US | 216.239.32.223:443 | - | tcp
US | 216.239.32.223:443 | - | tcp

Note: apart from DNS lookups to 1.1.1.1 and local mDNS to 224.0.0.251, every destination in this capture is a Google-operated domain or Google address space; no contact with a non-Google host was recorded during this run, so the list above should not be treated as C2 infrastructure.

Files

/data/user/0/bai.shan.shui/.jiagu/libjiaguv1.so

MD5 29f77b0cb6556577977e910a8c236edc
SHA1 7b3e8796d51439a738011a6c40cd614b90c542ab
SHA256 d7a458c582cbba02ac4237a81e95c270572b2e168ed8b5b70191feba0ebf7fe8
SHA512 5797d366d2aded5afa0d1a67f17a5bf7e7798cbb8d380978d93b22232656ce9b89f46c75e68d9dd52ccc11e8d4af3cdd3793e83240bc2b8007c825966271b3ef

/data/user/0/bai.shan.shui/[email protected]

MD5 dc4eb6b2e4b7c4c25d8badddd60ed3c0
SHA1 0dca2a4b0ba49145d5f319e7e43ba02c14760fb9
SHA256 e77f2ab5e5e73f0c7ecfb62a8181c8e004bf6b68b4826f588cae23b1a172912c
SHA512 f6813c82188acbbadde1ff473632cf2f62063a5c9357a1a80ad66664d7157e63a95fc8fb1fade18a812a75b0b3056760d89e10dcf2ef8f406c890313989a753d

/data/user/0/bai.shan.shui/files/mmkv/mmkv.default

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA512 2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-22 22:05

Reported

2024-12-22 22:08

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

136s

Command Line

bai.shan.shui

Signatures

Android SoumniBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SoumniBot

trojan infostealer banker soumnibot

Soumnibot family

soumnibot

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | Anonymous-DexFile@0xd3aae000-0xd3c7f770 | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

bai.shan.shui

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 216.58.204.74:443 | - | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Note: as in behavioral2, all destinations here are Google-operated domains or Google address space (plus DNS to 1.1.1.1 and local mDNS); no non-Google host was contacted during this run.

Files

/data/data/bai.shan.shui/.jiagu/libjiaguv1.so

MD5 e0cdfe09bad49823017b8df7dc1e8f13
SHA1 e94f612851dd5114c6609189aa3c985893bc5c41
SHA256 5bf5f10931feefdabb6dbf9e39208c99225237b97cab7d278f6f2fecef81ae35
SHA512 d1258bb156caebbdabc0feb8676ffee86dcc4c5b2a0c1b728b485422feec2c4a167ba702af47783d6affb018c95b533a45c8642b730de0cc84994077219e3b2d

Anonymous-DexFile@0xd3aae000-0xd3c7f770

MD5 dc4eb6b2e4b7c4c25d8badddd60ed3c0
SHA1 0dca2a4b0ba49145d5f319e7e43ba02c14760fb9
SHA256 e77f2ab5e5e73f0c7ecfb62a8181c8e004bf6b68b4826f588cae23b1a172912c
SHA512 f6813c82188acbbadde1ff473632cf2f62063a5c9357a1a80ad66664d7157e63a95fc8fb1fade18a812a75b0b3056760d89e10dcf2ef8f406c890313989a753d

/data/data/bai.shan.shui/files/mmkv/mmkv.default

MD5 620f0b67a91f7f74151bc5be745b7110
SHA1 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
SHA512 2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d
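Added example, not part of the report: a Python script that parses the Files sections of both detonations, groups artifacts by SHA256, and emits a hash-based YARA rule from the result. Run over the hashes above it shows what the two "Loads dropped Dex/Jar" signatures hint at: the dropped dex is written to disk in behavioral2 and loaded as an anonymous in-memory DexFile in behavioral1, with identical bytes in both runs, while libjiaguv1.so differs between the x64 and x86 platforms and mmkv.default is identical. The embedded section texts are copied from this report (SHA1 and SHA512 omitted for brevity); the path containing [email protected] is reproduced exactly as the report prints it; the rule name and the name-based kind heuristics are assumptions.

```python
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_files_section(text: str) -> list:
    """Turn a report 'Files' section (path line, then hash lines) into dicts."""
    artifacts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
        else:
            current = {"path": line}
            artifacts.append(current)
    return artifacts


def classify(path: str) -> str:
    """Guess an artifact's kind from its name alone (assumed heuristics)."""
    name = path.rsplit("/", 1)[-1]
    if name.startswith("Anonymous-DexFile@"):
        return "dex"            # dex mapped straight into memory, never on disk
    if name.endswith((".dex", ".jar", ".apk")):
        return "dex"
    if name.endswith(".so"):
        return "native library"
    return "data"


def correlate(runs: dict) -> list:
    """Group artifacts from several runs by SHA256, so the same bytes seen under
    different paths (or only in memory) collapse into one entry."""
    groups = defaultdict(list)
    for run, text in runs.items():
        for art in parse_files_section(text):
            groups[art["sha256"]].append((run, art["path"]))
    out = []
    for sha, members in groups.items():
        kinds = {classify(p) for _, p in members}
        # If any alias of these bytes is a dex, the whole group is the dex:
        # that is how a disk copy with an unhelpful name gets identified.
        if "dex" in kinds:
            kind = "dex"
        elif "native library" in kinds:
            kind = "native library"
        else:
            kind = "data"
        out.append({"sha256": sha, "kind": kind,
                    "runs": sorted({r for r, _ in members}),
                    "paths": sorted(p for _, p in members)})
    return sorted(out, key=lambda g: (g["kind"], g["sha256"]))


def shared_across_runs(groups: list) -> list:
    """Artifacts whose bytes were identical in more than one detonation."""
    return [g for g in groups if len(g["runs"]) > 1]


def to_yara(rule_name: str, groups: list) -> str:
    """Exact-match YARA rule over SHA256 using the 'hash' module (no fuzzing)."""
    conds = [f'hash.sha256(0, filesize) == "{g["sha256"]}"' for g in groups]
    return ('import "hash"\n\nrule %s {\n  condition:\n    %s\n}\n'
            % (rule_name, " or\n    ".join(conds)))


# Files sections copied from the report above (MD5 and SHA256 only).
BEHAVIORAL2_FILES = """
/data/user/0/bai.shan.shui/.jiagu/libjiaguv1.so
MD5 29f77b0cb6556577977e910a8c236edc
SHA256 d7a458c582cbba02ac4237a81e95c270572b2e168ed8b5b70191feba0ebf7fe8
/data/user/0/bai.shan.shui/[email protected]
MD5 dc4eb6b2e4b7c4c25d8badddd60ed3c0
SHA256 e77f2ab5e5e73f0c7ecfb62a8181c8e004bf6b68b4826f588cae23b1a172912c
/data/user/0/bai.shan.shui/files/mmkv/mmkv.default
MD5 620f0b67a91f7f74151bc5be745b7110
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
"""
BEHAVIORAL1_FILES = """
/data/data/bai.shan.shui/.jiagu/libjiaguv1.so
MD5 e0cdfe09bad49823017b8df7dc1e8f13
SHA256 5bf5f10931feefdabb6dbf9e39208c99225237b97cab7d278f6f2fecef81ae35
Anonymous-DexFile@0xd3aae000-0xd3c7f770
MD5 dc4eb6b2e4b7c4c25d8badddd60ed3c0
SHA256 e77f2ab5e5e73f0c7ecfb62a8181c8e004bf6b68b4826f588cae23b1a172912c
/data/data/bai.shan.shui/files/mmkv/mmkv.default
MD5 620f0b67a91f7f74151bc5be745b7110
SHA256 ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7
"""

if __name__ == "__main__":
    groups = correlate({"behavioral2": BEHAVIORAL2_FILES,
                        "behavioral1": BEHAVIORAL1_FILES})
    for g in groups:
        print(g["kind"], g["sha256"][:12], g["runs"], g["paths"])
    print(to_yara("soumnibot_dropped_artifacts", groups))
```

The useful output is the dex group: one SHA256, two aliases (a file under the app's private directory in one run, an anonymous memory mapping in the other), which is the hash worth pivoting on. The two libjiaguv1.so hashes are per-ABI builds of the same packer loader and will not match across architectures, so a hash rule built only from one run's native library would miss the other.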