Malware Analysis Report

2025-01-23 13:53

Sample ID 241229-ajl1fawmcv
Target https://bit.ly/3ild93L
Tags
wipelock infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted URL https://bit.ly/3ild93L was found to be: Known bad.

Malicious Activity Summary

wipelock infostealer trojan

Wipelock

Wipelock Android payload

Wipelock family

Legitimate hosting services abused for malware hosting/C2

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-29 00:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-29 00:14

Reported

2024-12-29 00:17

Platform

android-x86-arm-20240624-en

Max time kernel

116s

Max time network

131s

Command Line

com.android.chrome

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 bit.ly udp
US 67.199.248.11:443 bit.ly tcp
US 67.199.248.11:443 bit.ly tcp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 raw.githubusercontent.com udp
US 185.199.111.133:443 raw.githubusercontent.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 172.217.16.227:443 update.googleapis.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.4:443 www.google.com udp
GB 172.217.169.4:443 www.google.com tcp

Files

/storage/emulated/0/Download/.com.google.Chrome.o30QSe

MD5 f761405f69117e472b4ad2f09445afe2
SHA1 be410ab11bce4a1ba881e0932a5c440c5f3beb30
SHA256 49fb1fb78476aea4f6300f7f67ecdb0e9f255c494afc793c55a0b74fc2ea1480
SHA512 0955fd520de62bfd25220b114d4f58272bf9b38a27ac17fa53340e48da90f3f929236f8869fc25b1d8da6035a02cc3d45f743bf045face984fea7d9af5e7c19a

/storage/emulated/0/Download/Unconfirmed 415228.crdownload

MD5 bba922ca26b73427526555fe8449f330
SHA1 3b60ebfb4616bdf69adef721558450b7d7b967e6
SHA256 997aacf217a668c13d3fe3c49e849c2c050042154b4fd409d5583a25c9282fe2
SHA512 73a7d28d9fb03aa5c67ef3df15d4f43827e918fb0e88823746250ae0248b10060cab98e82f8b420e1219ca63aa97910aabfcc5240835725f7a665add0a4dcbfe

files/dom-0.html

MD5 cecb649cb1fb79c3736936fcbef3bbf2
SHA1 2c95183d7d2b0cd68d15b3c4115189351fc08720
SHA256 09bda72e7c32a69e3268e0ebd8caa33684cbc954dd00c7d93a38830e348ef324
SHA512 b8aca3cf0ea838093bd29b70ead608597260b0e35886d491d17c304878f99510fd885d96a191080acb5b706a642253bd9cbe5065ff234472b048fcce282061de

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-29 00:14

Reported

2024-12-29 00:17

Platform

android-x64-20240624-en

Max time kernel

151s

Max time network

140s

Command Line

com.android.chrome

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 accounts.google.com udp
GB 64.233.167.84:443 accounts.google.com tcp
US 1.1.1.1:53 bit.ly udp
US 67.199.248.11:443 bit.ly tcp
US 67.199.248.11:443 bit.ly tcp
US 1.1.1.1:53 github.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 172.217.16.227:443 update.googleapis.com tcp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 142.250.178.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 accounts.google.com udp
BE 108.177.15.84:443 accounts.google.com tcp
US 1.1.1.1:53 bit.ly udp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 67.199.248.11:443 bit.ly tcp
US 67.199.248.11:443 bit.ly tcp
US 1.1.1.1:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
GB 216.58.212.202:443 semanticlocation-pa.googleapis.com tcp

Files

/storage/emulated/0/Android/data/com.android.chrome/files/Download/.com.google.Chrome.BGXEIb

MD5 194b038f6a60a1cd5c5907e5878ff189
SHA1 7505c2befcce4156c44b77144b546fbe21a26c3b
SHA256 d988730819819513874d0231546477f126d051e63f6246f4dd0a6423c33c96d1
SHA512 ed318f635d9557f24a094b6b6f899c5525a0c6d20b2a88f3eac57a399ae947bfefd9e39d2aec2cb93b43c1a2ef9ebdf614c89cd72332c0c6eeee599f0afb6c59

/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 574818.crdownload

MD5 409c5bb280884ef577c67e8a95a39492
SHA1 a53da5c7a3edcab3ad5336bb2c8c570a6877bdda
SHA256 6144e477559646eb0abdcbfa21e10d16e656b0a983f8ce9b0a4e28e42aa3664e
SHA512 eb0030f0768b1721e043abb632f2ea0936cf77b690dfeb2716975a6f39d3c9944ad41c6784a20e89197d53d75d8548b474b68ad2b3b1019313c26cb5f351a798

files/dom-0.html

MD5 cecb649cb1fb79c3736936fcbef3bbf2
SHA1 2c95183d7d2b0cd68d15b3c4115189351fc08720
SHA256 09bda72e7c32a69e3268e0ebd8caa33684cbc954dd00c7d93a38830e348ef324
SHA512 b8aca3cf0ea838093bd29b70ead608597260b0e35886d491d17c304878f99510fd885d96a191080acb5b706a642253bd9cbe5065ff234472b048fcce282061de

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-29 00:14

Reported

2024-12-29 00:17

Platform

android-x64-arm64-20240910-en

Max time kernel

146s

Max time network

150s

Command Line

com.android.chrome

Signatures

Wipelock

trojan infostealer wipelock

Wipelock Android payload

Description Indicator Process Target
N/A N/A N/A N/A

Wipelock family

wipelock

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
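The two static signatures above ("Declares broadcast receivers with permission to handle system events" and "Requests dangerous framework permissions") are both manifest checks. The following is an added example, not sandbox code and not code from the sample, showing how the same two checks can be reproduced on a decoded AndroidManifest.xml. The manifest below is constructed to declare exactly the permissions and the BIND_DEVICE_ADMIN receiver this report lists; the package name com.example.elite, the receiver class name and the "suspicious" threshold (SMS permissions together with a device-admin receiver) are assumptions of this example. It expects text XML: decoding the binary manifest out of an APK (for instance with apktool or androguard) is a separate step.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS          # ElementTree spelling of the android: attribute prefix

# The permissions this report lists under "Requests dangerous framework permissions".
DANGEROUS = {
    "android.permission.READ_PHONE_STATE", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.WRITE_SETTINGS",
}
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample manifest (hypothetical package and class names) that declares
# what the report observed: the eight permissions plus a device-admin receiver.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.elite">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application android:label="Elite">
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return the dangerous permissions requested and any device-admin receivers declared."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    admin_receivers = []
    for rcv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in rcv.iter("action")}
        # Either the bind permission or the enable action marks a DeviceAdminReceiver.
        if rcv.get(A + "permission") == DEVICE_ADMIN_PERM or DEVICE_ADMIN_ACTION in actions:
            admin_receivers.append(rcv.get(A + "name"))
    sms_access = sorted(requested & SMS_PERMS)
    return {
        "dangerous": sorted(requested & DANGEROUS),
        "device_admin_receivers": admin_receivers,
        # Assumed heuristic: SMS access combined with device admin is the pairing that
        # lets an app both harvest OTPs and resist uninstallation, so it is flagged.
        "verdict": "suspicious" if (sms_access and admin_receivers) else "review",
    }


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

The device-admin check matches on either the android:permission attribute or the DEVICE_ADMIN_ENABLED action, because a receiver that omits the permission but still handles the action will still be offered to the user as a device administrator.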

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.android.chrome

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.238:443 android.apis.google.com tcp
US 216.239.36.223:443 tcp
US 1.1.1.1:53 bit.ly udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 bit.ly udp
US 67.199.248.11:443 bit.ly tcp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.133.84:443 accounts.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 216.58.213.3:443 update.googleapis.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 216.58.204.67:443 update.googleapis.com tcp
US 216.239.36.223:443 tcp
GB 142.250.187.225:443 tcp
US 216.239.36.223:443 tcp
GB 142.250.200.1:443 tcp

Files

/storage/emulated/0/Download/.pending-1736036091-Elite.apk (deleted)

MD5 8d1d56039fdf3d45a68187c10227754c
SHA1 87a5afa4095bb68a95268f87429c4f8e68cc2ca5
SHA256 db9414860133a9a46313ec8e197c4bf855f56b063161002f27c4bb106b8b837f
SHA512 60270423383da12669f33d392566d17aaa07d517b7f317810a190204b744e30ec90cd8391fac7477d373d58b15a12b32bd4112cf61f55ec8828aac2759a42006

/storage/emulated/0/Download/.pending-1736036091-Elite.apk

MD5 cb4c4ad2bb25fe01cd5ae84838209797
SHA1 2822d74c5bb73fc8a447e0d69f4df7fda6bf4f1b
SHA256 84aa38f32e38c89db97fc9cddf93384a9852c7e36b1e519d747577734ee4c02a
SHA512 fadb1ad6e35683da0d71e952a2e68e6caaa01bcdb3c346b28d788268a2820414939c0b5640d4d5ab88a22ac143a047eed02571f8963105c97ba85677df8f5ae6

files/dom-0.html

MD5 cecb649cb1fb79c3736936fcbef3bbf2
SHA1 2c95183d7d2b0cd68d15b3c4115189351fc08720
SHA256 09bda72e7c32a69e3268e0ebd8caa33684cbc954dd00c7d93a38830e348ef324
SHA512 b8aca3cf0ea838093bd29b70ead608597260b0e35886d491d17c304878f99510fd885d96a191080acb5b706a642253bd9cbe5065ff234472b048fcce282061de
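Most rows in the Network tables of the three behavioral runs are background traffic from the sandbox image itself (Chrome update checks, Google account and location services, mDNS), and the "Legitimate hosting services abused for malware hosting/C2" signature fires on raw.githubusercontent.com, a domain nobody can sensibly block outright. What an analyst actually wants from this page is the delivery chain (bit.ly, github.com, raw.githubusercontent.com) and the hash of the APK that landed in Download. The following is an added example, not part of the report, that parses rows copied from the behavioral3 Network and Files tables into that triage output. The allow-list of platform domain suffixes and the treatment of bare-IP rows as "unresolved" are assumptions of this example, not something the sandbox states.

```python
import re
from ipaddress import ip_address

# Rows copied from the behavioral3 "Network" table of this report (a subset).
NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 216.239.36.223:443 tcp
US 1.1.1.1:53 bit.ly udp
US 67.199.248.11:443 bit.ly tcp
US 1.1.1.1:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 1.1.1.1:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.133.84:443 accounts.google.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 216.58.213.3:443 update.googleapis.com tcp
"""

# Entries copied from the behavioral3 "Files" table (SHA1/SHA512 lines omitted).
FILES_TABLE = """\
/storage/emulated/0/Download/.pending-1736036091-Elite.apk (deleted)
MD5 8d1d56039fdf3d45a68187c10227754c
SHA256 db9414860133a9a46313ec8e197c4bf855f56b063161002f27c4bb106b8b837f
/storage/emulated/0/Download/.pending-1736036091-Elite.apk
MD5 cb4c4ad2bb25fe01cd5ae84838209797
SHA256 84aa38f32e38c89db97fc9cddf93384a9852c7e36b1e519d747577734ee4c02a
files/dom-0.html
MD5 cecb649cb1fb79c3736936fcbef3bbf2
SHA256 09bda72e7c32a69e3268e0ebd8caa33684cbc954dd00c7d93a38830e348ef324
"""

# Assumed allow-list: traffic the Android image's Chrome and Google services
# generate on their own, regardless of the sample under test.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com", "youtube.com")
HASH_LABELS = ("MD5", "SHA1", "SHA256", "SHA512")
ROW = re.compile(r"^(\S+)\s+(\S+):(\d+)(?:\s+(\S+))?\s+(tcp|udp)$")
DELETED = " (deleted)"


def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def parse_network(text):
    """Turn 'CC ip:port [domain] proto' rows into dicts; domain is None when absent."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(row):
    if row["port"] == 53:
        return "dns"            # resolver lookup; the name shows up again on the connection row
    if row["port"] == 5353 and ip_address(row["ip"]).is_multicast:
        return "mdns"           # local service discovery, not attributable to the sample
    if row["domain"] is None:
        return "unresolved"     # TLS to a bare IP with no name logged: attribute by hand
    if is_platform(row["domain"]):
        return "platform"
    return "candidate"          # what is left is the delivery chain or C2


def parse_files(text):
    """Group each path line with the hash lines that follow it; keep the '(deleted)' flag."""
    entries = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        label, _, rest = line.partition(" ")
        if label in HASH_LABELS and entries:
            entries[-1][label.lower()] = rest
        else:
            deleted = line.endswith(DELETED)
            entries.append({"path": line[:-len(DELETED)] if deleted else line, "deleted": deleted})
    return entries


def triage(network_text, files_text):
    buckets = {}
    for r in parse_network(network_text):
        buckets.setdefault(classify(r), []).append(r)
    candidates = buckets.get("candidate", [])
    apks = [e for e in parse_files(files_text) if e["path"].endswith(".apk")]
    return {
        "chain_domains": list(dict.fromkeys(r["domain"] for r in candidates)),  # first-seen order
        "chain_endpoints": sorted({f'{r["ip"]}:{r["port"]}' for r in candidates}),
        "unresolved_ips": sorted({r["ip"] for r in buckets.get("unresolved", [])}),
        # Hunt on the file that survived; the "(deleted)" entry at the same path is an
        # earlier copy that no longer exists on the device.
        "apk_sha256": [e["sha256"] for e in apks if not e["deleted"]],
        "apk_files": apks,
    }


if __name__ == "__main__":
    for key, value in triage(NETWORK_TABLE, FILES_TABLE).items():
        print(f"{key}: {value}")
```

Rows with no domain (for example 216.239.36.223:443) are deliberately left in an "unresolved" bucket rather than dropped: a connection with no preceding DNS lookup in the capture may be a reused socket to Google infrastructure or may be something the sample opened by IP, and only a look at the traffic itself settles it. For the GitHub hosts, treat the domain as context and the SHA256 values as the blockable indicators.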