Analysis Overview
Threat Level: Known bad
The file https://bit.ly/3ild93L was found to be: Known bad.
Malicious Activity Summary
Wipelock
Wipelock Android payload
Wipelock family
Legitimate hosting services abused for malware hosting/C2
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Checks CPU information
Checks memory information
MITRE ATT&CK
Enterprise Matrix V15
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-29 00:14
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-29 00:14
Reported
2024-12-29 00:17
Platform
android-x86-arm-20240624-en
Max time kernel
116s
Max time network
131s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.android.chrome
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | bit.ly | udp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 1.1.1.1:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 172.217.16.227:443 | update.googleapis.com | tcp |
| GB | 142.250.200.46:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 172.217.169.4:443 | www.google.com | udp |
| GB | 172.217.169.4:443 | www.google.com | tcp |
Files
/storage/emulated/0/Download/.com.google.Chrome.o30QSe
| MD5 | f761405f69117e472b4ad2f09445afe2 |
| SHA1 | be410ab11bce4a1ba881e0932a5c440c5f3beb30 |
| SHA256 | 49fb1fb78476aea4f6300f7f67ecdb0e9f255c494afc793c55a0b74fc2ea1480 |
| SHA512 | 0955fd520de62bfd25220b114d4f58272bf9b38a27ac17fa53340e48da90f3f929236f8869fc25b1d8da6035a02cc3d45f743bf045face984fea7d9af5e7c19a |
/storage/emulated/0/Download/Unconfirmed 415228.crdownload
| MD5 | bba922ca26b73427526555fe8449f330 |
| SHA1 | 3b60ebfb4616bdf69adef721558450b7d7b967e6 |
| SHA256 | 997aacf217a668c13d3fe3c49e849c2c050042154b4fd409d5583a25c9282fe2 |
| SHA512 | 73a7d28d9fb03aa5c67ef3df15d4f43827e918fb0e88823746250ae0248b10060cab98e82f8b420e1219ca63aa97910aabfcc5240835725f7a665add0a4dcbfe |
files/dom-0.html
| MD5 | cecb649cb1fb79c3736936fcbef3bbf2 |
| SHA1 | 2c95183d7d2b0cd68d15b3c4115189351fc08720 |
| SHA256 | 09bda72e7c32a69e3268e0ebd8caa33684cbc954dd00c7d93a38830e348ef324 |
| SHA512 | b8aca3cf0ea838093bd29b70ead608597260b0e35886d491d17c304878f99510fd885d96a191080acb5b706a642253bd9cbe5065ff234472b048fcce282061de |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-29 00:14
Reported
2024-12-29 00:17
Platform
android-x64-20240624-en
Max time kernel
151s
Max time network
140s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.android.chrome
com.android.chrome
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| GB | 64.233.167.84:443 | accounts.google.com | tcp |
| US | 1.1.1.1:53 | bit.ly | udp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 1.1.1.1:53 | github.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 1.1.1.1:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 172.217.16.227:443 | update.googleapis.com | tcp |
| GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.238:443 | N/A | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 142.250.179.228:443 | N/A | tcp |
| GB | 142.250.179.228:443 | N/A | tcp |
| GB | 142.250.178.10:443 | N/A | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| BE | 108.177.15.84:443 | accounts.google.com | tcp |
| US | 1.1.1.1:53 | bit.ly | udp |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 1.1.1.1:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| GB | 216.58.212.202:443 | semanticlocation-pa.googleapis.com | tcp |
Files
/storage/emulated/0/Android/data/com.android.chrome/files/Download/.com.google.Chrome.BGXEIb
| MD5 | 194b038f6a60a1cd5c5907e5878ff189 |
| SHA1 | 7505c2befcce4156c44b77144b546fbe21a26c3b |
| SHA256 | d988730819819513874d0231546477f126d051e63f6246f4dd0a6423c33c96d1 |
| SHA512 | ed318f635d9557f24a094b6b6f899c5525a0c6d20b2a88f3eac57a399ae947bfefd9e39d2aec2cb93b43c1a2ef9ebdf614c89cd72332c0c6eeee599f0afb6c59 |
/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 574818.crdownload
| MD5 | 409c5bb280884ef577c67e8a95a39492 |
| SHA1 | a53da5c7a3edcab3ad5336bb2c8c570a6877bdda |
| SHA256 | 6144e477559646eb0abdcbfa21e10d16e656b0a983f8ce9b0a4e28e42aa3664e |
| SHA512 | eb0030f0768b1721e043abb632f2ea0936cf77b690dfeb2716975a6f39d3c9944ad41c6784a20e89197d53d75d8548b474b68ad2b3b1019313c26cb5f351a798 |
files/dom-0.html
| MD5 | cecb649cb1fb79c3736936fcbef3bbf2 |
| SHA1 | 2c95183d7d2b0cd68d15b3c4115189351fc08720 |
| SHA256 | 09bda72e7c32a69e3268e0ebd8caa33684cbc954dd00c7d93a38830e348ef324 |
| SHA512 | b8aca3cf0ea838093bd29b70ead608597260b0e35886d491d17c304878f99510fd885d96a191080acb5b706a642253bd9cbe5065ff234472b048fcce282061de |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-29 00:14
Reported
2024-12-29 00:17
Platform
android-x64-arm64-20240910-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Wipelock
Wipelock Android payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Wipelock family
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.android.chrome
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 142.250.187.238:443 | www.youtube.com | tcp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 216.239.36.223:443 | N/A | tcp |
| US | 1.1.1.1:53 | bit.ly | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | bit.ly | udp |
| US | 67.199.248.11:443 | bit.ly | tcp |
| US | 1.1.1.1:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 1.1.1.1:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| BE | 74.125.133.84:443 | accounts.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 216.58.213.3:443 | update.googleapis.com | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 216.58.204.67:443 | update.googleapis.com | tcp |
| US | 216.239.36.223:443 | N/A | tcp |
| GB | 142.250.187.225:443 | N/A | tcp |
| US | 216.239.36.223:443 | N/A | tcp |
| GB | 142.250.200.1:443 | N/A | tcp |
Files
/storage/emulated/0/Download/.pending-1736036091-Elite.apk (deleted)
| MD5 | 8d1d56039fdf3d45a68187c10227754c |
| SHA1 | 87a5afa4095bb68a95268f87429c4f8e68cc2ca5 |
| SHA256 | db9414860133a9a46313ec8e197c4bf855f56b063161002f27c4bb106b8b837f |
| SHA512 | 60270423383da12669f33d392566d17aaa07d517b7f317810a190204b744e30ec90cd8391fac7477d373d58b15a12b32bd4112cf61f55ec8828aac2759a42006 |
/storage/emulated/0/Download/.pending-1736036091-Elite.apk
| MD5 | cb4c4ad2bb25fe01cd5ae84838209797 |
| SHA1 | 2822d74c5bb73fc8a447e0d69f4df7fda6bf4f1b |
| SHA256 | 84aa38f32e38c89db97fc9cddf93384a9852c7e36b1e519d747577734ee4c02a |
| SHA512 | fadb1ad6e35683da0d71e952a2e68e6caaa01bcdb3c346b28d788268a2820414939c0b5640d4d5ab88a22ac143a047eed02571f8963105c97ba85677df8f5ae6 |
files/dom-0.html
| MD5 | cecb649cb1fb79c3736936fcbef3bbf2 |
| SHA1 | 2c95183d7d2b0cd68d15b3c4115189351fc08720 |
| SHA256 | 09bda72e7c32a69e3268e0ebd8caa33684cbc954dd00c7d93a38830e348ef324 |
| SHA512 | b8aca3cf0ea838093bd29b70ead608597260b0e35886d491d17c304878f99510fd885d96a191080acb5b706a642253bd9cbe5065ff234472b048fcce282061de |