General

  • Target

    G.apk

  • Size

    289.5MB

  • Sample

    250215-w9zvwaykgj

  • MD5

    405394c381ca2000e01428e79d03cecb

  • SHA1

    cb41f1d9e06c1b783378a43486c7d997a3635b68

  • SHA256

    7d69e0d82e74059115486fae5dd5ac6463c7fccd91dbbcaa9587117c7d201ddb

  • SHA512

    40266c79a3d2c010882cfc4b237c6d27989dc385fd23d8bafe89e4ff329a181fed4ba44dac91187ffd2698d51af44454917e901375aa0dc87624ec956f12f80d

  • SSDEEP

    6291456:BN08aneiYsmfO6eRtz+WmPn4auzQgHDXuDFHVfuc1Fyn6RQuj3jN31S:j08aneo2eTTI2NHDXuDjxPyn6zj3jN3M

Malware Config

Extracted

  • Family

    gafgyt

  • C2

    94.156.64.4:42516

Extracted

  • Family

    mirai

  • Botnet

    SORA

Extracted

  • Family

    mirai

  • Botnet

    MIRAI

Extracted

  • Family

    blacknet

  • Botnet

    HacKed

  • C2

    http://botnetera.pagekite.me/

  • Mutex

    BN[pjClIrDI-2470224]

Attributes
  • antivm

    true

  • elevate_uac

    true

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    35dcbc7eb742dd4f1edfbccf7826c724

  • startup

    false

  • usb_spread

    false

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    Jared

  • C2

    http://remote.itbros.gg:443/agent.ashx

Attributes
  • mesh_id

    0xF98928763778F2FD524C600EA95888BC3F29F77DFF8D3596377E426598FF4DE19BD6249A9742DB68836A6240938EA29C

  • server_id

    F627774F79155814736EE21CBB35A146E8F9B4171A581ECBAA39D28C58336B36DF159D5B5CECFBA751E840F6370F1353

  • wss

    wss://remote.itbros.gg:443/agent.ashx

Extracted

  • Family

    mirai

  • Botnet

    MIRAI

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    Niko's

  • C2

    http://remote.itbros.gg:443/agent.ashx

Attributes
  • mesh_id

    0xCC1E7C1166A8A0335717737CFDA2E64FACC79248C9C6D850A0B5A94759E7C9E13C9B9244E4A847257CCBBC0EAEC80B08

  • server_id

    F627774F79155814736EE21CBB35A146E8F9B4171A581ECBAA39D28C58336B36DF159D5B5CECFBA751E840F6370F1353

  • wss

    wss://remote.itbros.gg:443/agent.ashx

Extracted

  • Family

    xworm

  • C2

    involved-hurt.gl.at.ply.gg:35238

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    WindowsHealthSystem.exe

Extracted

  • Family

    redline

  • Botnet

    cheat

  • C2

    0.tcp.eu.ngrok.io:18950

Extracted

  • Family

    mirai

  • C2

    hoiiaz.iaz.coby

Extracted

  • Family

    redline

  • Botnet

    tg

  • C2

    163.5.112.53:51523

Extracted

  • Family

    stealc

  • Botnet

    exe1

  • C2

    http://185.216.70.109

Attributes
  • url_path

    /eb488f9cb9d466ca.php

Extracted

  • Family

    spynote

  • C2

    scambaiter11.ddns.net:1111

Extracted

  • Family

    mirai

  • Botnet

    SORA

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    Support

  • C2

    http://remote.itbros.gg:443/agent.ashx

Attributes
  • mesh_id

    0xA559DB7ED1F4A977B6E5BEAF559497BBAE6A52FEED32610632CDAC56FF3244D927EB36368EFACB4BDCD6874051F48C24

  • server_id

    F627774F79155814736EE21CBB35A146E8F9B4171A581ECBAA39D28C58336B36DF159D5B5CECFBA751E840F6370F1353

  • wss

    wss://remote.itbros.gg:443/agent.ashx

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    Gamers

  • C2

    http://remote.itbros.gg:443/agent.ashx

Attributes
  • mesh_id

    0xB8F4908099CB069735DD8FC593ACA3119A6C5ED0C507394C089A715B5FA5EFBA1D98364846083D0BE3247A5FC05E0C20

  • server_id

    F627774F79155814736EE21CBB35A146E8F9B4171A581ECBAA39D28C58336B36DF159D5B5CECFBA751E840F6370F1353

  • wss

    wss://remote.itbros.gg:443/agent.ashx

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    Zachs

  • C2

    http://remote.itbros.gg:443/agent.ashx

Attributes
  • mesh_id

    0xC7A33EDA0BFDF615D7BF495F6929ABF24E0F0CE5DA8B7506583EF4AC3DED6C1B9AA1099B8D3D68FAB50FF8A84A256ACA

  • server_id

    F627774F79155814736EE21CBB35A146E8F9B4171A581ECBAA39D28C58336B36DF159D5B5CECFBA751E840F6370F1353

  • wss

    wss://remote.itbros.gg:443/agent.ashx

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    Jason

  • C2

    http://remote.itbros.gg:443/agent.ashx

Attributes
  • mesh_id

    0xFA9FC6C822E4BBC30FB432B4AE3EEB30569280B896B231E257D5250BB3298DF74E7425CFD529ED8E5D2F7FEFF79072C2

  • server_id

    F627774F79155814736EE21CBB35A146E8F9B4171A581ECBAA39D28C58336B36DF159D5B5CECFBA751E840F6370F1353

  • wss

    wss://remote.itbros.gg:443/agent.ashx

Extracted

  • Family

    mirai

  • Botnet

    MIRAI

  • C2

    client.orxy.space

Extracted

  • Family

    meshagent

  • Version

    2

  • Botnet

    Justins

  • C2

    http://remote.itbros.gg:443/agent.ashx

Attributes
  • mesh_id

    0x9F5FED4173597ED282C8D36A09C4833E9267C075B1C1B6195734232678D54C8B23802F7341389FBB53F89405F173FC60

  • server_id

    F627774F79155814736EE21CBB35A146E8F9B4171A581ECBAA39D28C58336B36DF159D5B5CECFBA751E840F6370F1353

  • wss

    wss://remote.itbros.gg:443/agent.ashx

Extracted

  • Family

    mirai

  • Botnet

    MIRAI

Targets

    • Target

      3476006a8f64bfe72a8b04477f6005293b5854cfbc58bee2ea28e59b58f0e316.apk

    • Size

      76.1MB

    • MD5

      d4d73a10d80f4f09d54340088f352554

    • SHA1

      6ca0a0b90cc1e7df7a3a6fcdc419cb1684c5d22b

    • SHA256

      3476006a8f64bfe72a8b04477f6005293b5854cfbc58bee2ea28e59b58f0e316

    • SHA512

      6af85127eeb011213e97e8af7761445394cbbccc04d2dfb6d4c739cad7c9465c9c89c4d37432cb3fa423cfcea809a71a1eab0891b1a82bca92857145656b77ff

    • SSDEEP

      1572864:Lcga40E1c4sL0MmD+PwpJjTVveOwZIjZMxNgN9O7hZw3:ggqEe0rDamwZ6Z+gfQZ4

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Acquires the wake lock

    • Queries information about active data network

    • Reads information about phone network operator.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      77bd99fc14c25843d7ce183443119b5d7a1f524c00f5a9e2dcccc22f8dae6042.apk

    • Size

      2.6MB

    • MD5

      40981142bcde486676e5eea7bcdfadbb

    • SHA1

      b61860a7ef0ec87174b92c59c6b68265a32619c4

    • SHA256

      77bd99fc14c25843d7ce183443119b5d7a1f524c00f5a9e2dcccc22f8dae6042

    • SHA512

      584e8dbd93b9d89c29d3b7180f524a1d3077cad2fc10542db15f8a604290f475ddd2ddcbabbf5a406f048d224bcadd00348abfcce39f9885a569ef6e2a9ec090

    • SSDEEP

      49152:J/G52p3JiUhiZu/Rtzr52jvAOpPK4Nc5hFV3MM0b9kpYgs6V/Dce7q5px671:Rvp5piZmpCvBpPKr3r8MIWpYMV/6pS

    • Obtains sensitive information copied to the device clipboard

      Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    • Acquires the wake lock

    • Queries information about active data network

    • Queries the mobile country code (MCC)

    • Target

      a1de866d5f75b3f31becb07f4660e2a3cc29d242888be38fadb5a54657156745.zip

    • Size

      8.5MB

    • MD5

      9f4e25cdd7cf65b7714204ca91162e0f

    • SHA1

      6b824048947cbb6c99ab24fd62cd0eb603f30fd8

    • SHA256

      a1de866d5f75b3f31becb07f4660e2a3cc29d242888be38fadb5a54657156745

    • SHA512

      d07a6d10cbc9264a0623d31a478c2ef30e77ae13e3d021504e4e46d2a807a829a0e2d848447f5f4dab25a68c836c0c1c1cfc21365bbdc7b05167961e99bdaa6e

    • SSDEEP

      49152:P826LuO1F0uqpLVmMGyYQ3CwnJUiBqW0ucmDmzZzdGGYQTOzfUNYqK0cg9cDo:PbUP1DsV/GyCQxpmzZzBfTs0t9d

    • Makes use of the framework's Accessibility service

      Retrieves information displayed on the phone screen using AccessibilityService.

    • Acquires the wake lock

    • Makes use of the framework's foreground persistence service

      Application may abuse the framework's foreground service to continue running in the foreground.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).
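Triage check for the "Patched UPX-packed file" and "UPX packed file" signatures on the first target above. This is an added example, not part of the sandbox report and not code from the UPX project: it walks the ELF header to UPX's own l_info/p_info structs and the trailing PackHeader, lists which fields were zeroed, and writes a copy with the magics and sizes restored so stock `upx -d` can be tried again. Run it on the packed ELF itself (extract it from the archive first, not on the APK). The struct layouts, the PackHeader checksum (byte sum mod 251) and the rule that p_filesize and p_blocksize both hold the unpacked size are my reading of UPX's source and should be confirmed against your sample; build_sample() is constructed test data, not a real packed binary.

```python
"""Detect and undo the 'patched UPX' trick: zeroed l_info/p_info/PackHeader fields.

Layout assumed, from UPX's own structs (verify against your sample):
  l_info (12 B, right after ELF header + program headers):
      u32 l_checksum, char l_magic[4]="UPX!", u16 l_lsize, u8 l_version, u8 l_format
  p_info (12 B, follows): u32 p_progid, u32 p_filesize, u32 p_blocksize (= unpacked size)
  tail: 32-byte PackHeader ("UPX!", ..., u32 u_file_size at +24, u8 checksum at +31)
        followed by a 4-byte overlay offset.
"""
import struct

UPX_MAGIC = b"UPX!"
L_INFO, P_INFO = "I4sHBB", "III"


def upx_header_offset(data):
    """Return (offset of l_info, struct endian prefix) by walking the ELF header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"
    if data[4] == 2:  # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:             # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    return e_phoff + e_phentsize * e_phnum, end


def packheader_checksum(ph):
    """UPX PackHeader checksum as I understand it: bytes 4..30 summed, mod 251 (assumption)."""
    return sum(ph[4:31]) % 251


def inspect(data):
    """Parse the UPX structs and list every sign of header patching."""
    off, end = upx_header_offset(data)
    _, l_magic, _, l_version, l_format = struct.unpack_from(end + L_INFO, data, off)
    _, p_filesize, p_blocksize = struct.unpack_from(end + P_INFO, data, off + 12)
    ph = data[-36:-4]
    (u_file_size,) = struct.unpack_from(end + "I", ph, 24)
    (overlay,) = struct.unpack_from(end + "I", data, len(data) - 4)
    problems = []
    if l_magic != UPX_MAGIC:
        problems.append("l_info magic not 'UPX!'")
    if p_filesize == 0:
        problems.append("p_filesize zeroed")
    if p_blocksize == 0:
        problems.append("p_blocksize zeroed")
    if ph[:4] != UPX_MAGIC:
        problems.append("PackHeader magic not 'UPX!'")
    if packheader_checksum(ph) != ph[31]:
        problems.append("PackHeader checksum mismatch")
    return {"l_info_offset": off, "l_version": l_version, "l_format": l_format,
            "p_filesize": p_filesize, "p_blocksize": p_blocksize,
            "u_file_size": u_file_size, "overlay_offset": overlay, "problems": problems}


def repair(data, unpacked_size=None):
    """Restore both 'UPX!' magics and refill p_filesize/p_blocksize.
    unpacked_size overrides the tail's u_file_size (needed if that was zeroed too)."""
    info = inspect(data)
    off, end = info["l_info_offset"], "<" if data[5] == 1 else ">"
    size = unpacked_size or info["u_file_size"]
    if not size:
        raise ValueError("unpacked size unknown; pass unpacked_size explicitly")
    buf = bytearray(data)
    buf[off + 4:off + 8] = UPX_MAGIC
    struct.pack_into(end + "II", buf, off + 16, size, size)
    buf[-36:-32] = UPX_MAGIC
    return bytes(buf)


def build_sample(patched=False):
    """Constructed ELF64 skeleton carrying UPX's structs (test data, not a real packed file)."""
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0xB7, 1, 0x400000, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    phdrs = b"\0" * (2 * 56)
    l_info = struct.pack("<" + L_INFO, 0xDEADBEEF, UPX_MAGIC, 0x1234, 13, 23)
    p_info = struct.pack("<" + P_INFO, 0, 100000, 100000)
    blob = b"\xAA" * 48  # stand-in for compressed blocks and the decompressor stub
    ph = bytearray(struct.pack("<4sBBBBIIIIIBBBB", UPX_MAGIC, 13, 23, 2, 8,
                               0, 0, 100000, 40000, 100000, 0x49, 0, 0, 0))
    ph[31] = packheader_checksum(ph)
    data = ehdr + phdrs + l_info + p_info + blob + bytes(ph) + struct.pack("<I", 64 + 112 + 24)
    if patched:  # what the signature describes: both magics and the p_info sizes zeroed
        buf = bytearray(data)
        off = 64 + 112
        buf[off + 4:off + 8] = b"\0" * 4
        buf[off + 16:off + 24] = b"\0" * 8
        buf[-36:-32] = b"\0" * 4
        data = bytes(buf)
    return data


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read()
    print(inspect(image))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(repair(image))
```

Usage: `python upxfix.py packed.elf repaired.elf`, then `upx -d repaired.elf`. If the attacker also zeroed u_file_size in the tail, pass the unpacked size to repair() explicitly; a wrong value makes the stub fail at runtime but does not block static unpacking.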
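Static counterpart to the Android signatures listed for the targets above (Accessibility service, foreground persistence, battery-optimization bypass, wake lock, active data network query). This is an added example, not part of the report and not the sandbox's own rules: it reads a decoded AndroidManifest.xml (decode the binary manifest first, e.g. with `apktool d sample.apk`) and maps declared permissions and service declarations to those signature names, flagging an accessibility service that is declared without the BIND_ACCESSIBILITY_SERVICE permission the system requires to bind it. The mapping table, persistence_score() and SAMPLE_MANIFEST are my own constructions.

```python
"""Map a decoded AndroidManifest.xml to the sandbox's behavioural signature names."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SIG_A11Y = "Makes use of the framework's Accessibility service"
SIG_FGS = "Makes use of the framework's foreground persistence service"
SIG_BATTERY = "Requests disabling of battery optimizations"

# Permissions a caller must hold for the corresponding signature's API to work (my mapping).
PERMISSION_SIGNALS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": SIG_BATTERY,
    "android.permission.FOREGROUND_SERVICE": SIG_FGS,
    "android.permission.WAKE_LOCK": "Acquires the wake lock",
    "android.permission.ACCESS_NETWORK_STATE": "Queries information about active data network",
}


def audit_manifest(xml_text):
    """Return {signature name: [evidence strings]} for the manifest text."""
    root = ET.fromstring(xml_text)
    findings = {}
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    for perm, signal in PERMISSION_SIGNALS.items():
        if perm in perms:
            findings.setdefault(signal, []).append(perm)
    for svc in root.iter("service"):
        name = svc.get(ANDROID + "name")
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if A11Y_ACTION in actions:
            # Without the BIND permission Android refuses to bind the service,
            # so the declaration is inert; record it either way.
            bound = svc.get(ANDROID + "permission") == A11Y_BIND
            state = "bindable" if bound else "missing BIND_ACCESSIBILITY_SERVICE"
            findings.setdefault(SIG_A11Y, []).append(f"{name} ({state})")
        fgs_type = svc.get(ANDROID + "foregroundServiceType")
        if fgs_type:
            findings.setdefault(SIG_FGS, []).append(f"{name} foregroundServiceType={fgs_type}")
    return findings


def persistence_score(findings):
    """How many of the three 'stay alive' capabilities co-occur (0-3), my heuristic."""
    return sum(k in findings for k in (SIG_A11Y, SIG_FGS, SIG_BATTERY))


# Constructed manifest resembling what the three targets' signatures imply; not from the sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Update">
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Keep" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = audit_manifest(text)
    for sig, evidence in result.items():
        print(sig, "->", ", ".join(evidence))
    print("persistence score:", persistence_score(result))
```

The static view only says what the package is allowed to do; the sandbox's dynamic signatures above say what it actually did, so treat a high persistence score as a prioritisation hint, not a verdict.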

MITRE ATT&CK Mobile v15

Tasks