Malware News

Sample Name: 2j7sxYTjQh.apk

MD5: e9eb39d8880a1a04acc538bb717dc337

SHA1: 13944686c0d6eef8be486306fe8645e2f33c131f

SHA256: 5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4

Sample Malware URL: 

https://malshare.com/sample.php?action=detail&hash=e9eb39d8880a1a04acc538bb717dc337

Dynamic Behaviour Analysis 

1. Antivirus / Scanner detection for submitted sample

2. Detected SMSWorm

3. Multi AV Scanner detection for submitted file

4. Checks if app is currently debugged

5. Might try to detect if ADB is running

6. Reads the serial number of the device

7. Tries to detect Android x86

8. Tries to detect the analysis device (e.g. the Android emulator)

9. Uses the command line tool ping to scan for other devices in the same network

10. Accesses /proc

11. Accesses android OS build fields

12. Checks an internet connection is available

13. Checks if a SIM card is installed

14. Checks if phone is rooted (checks for Superuser.apk)

15. Checks if phone is rooted (checks for test-keys build tags)

16. Executes native commands

17. Found suspicious command strings (may be related to BOT commands)

18. Has functionality to send UDP packets

19. Has functionality to add an overlay to other apps

20. Has permission to execute code after phone reboot

21. Has permission to read contacts

22. Has permission to read the phones state (phone number, device IDs, active call ect.)

23. Has permission to send SMS in the background

24. Lists and deletes files in the same context

25. May access the Android keyguard (lock screen)

26. May query (preferred) Access Point Name (APN)

27. Might use exploit to break dedexer tools

28. Obfuscates method names

29. Opens an internet connection

30. Performs DNS lookups (Java API)

31. Queries list of running processes/tasks

32. Queries media storage location field

33. Queries phone contact information

34. Queries several sensitive phone informations

35. Queries the SIM provider name (SPN - Service Provider Name)

36. Queries the SIM provider numeric MCC+MNC (mobile country code + mobile network code)

37. Queries the list of paired Bluetooth devices

38. Queries the network operator name

39. Queries the network operator numeric MCC+MNC (mobile country code + mobile network code)

40. Queries the phones location (GPS)

41. Reads boot loader settings of the device

42. Requests potentially dangerous permissions

43. Requests root access

44. Scans for Bluetooth devices

45. Sends SMS using SmsManager

46. Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

47. Tries to detect QEMU emulator

48. Tries to detect Virtualbox

49. Uses reflection

Android Info

• Android Type APK

• Package Name com.halorozd.meditation

• Main Activity com.halorozd.meditation.MainActivity

• Internal Version 3

• Displayed Version 3.6

• Minimum SDK Version 23

• Target SDK Version 30

• Certificate Attributes

• Valid From 2016-09-23 11:57:06

• Valid To 3015-01-25 11:57:06

• Serial Number 333a0b9b

• Thumbprint d122d9adc3e5d5ff346b32c0413f5cf3a3cc4658

Permission

• android.permission.ACCESS_FINE_LOCATION 

• android.permission.SEND_SMS 

• android.permission.INTERNET 

• android.permission.ACCESS_COARSE_LOCATION 

• android.permission.READ_PHONE_STATE 

• android.permission.READ_CONTACTS 

• android.permission.RECEIVE_BOOT_COMPLETED 

• android.permission.VIBRATE 

• android.permission.ACCESS_NETWORK_STATE 

• com.google.android.finsky.permission.BIND_GET_INSTALL_REFERRER_SERVICE

Interesting Strings

https://awsdus.api.p3insight.de/isupload/upload_check_lumen.php

https://d1byvlfiet2h9q.cloudfront.net/InApp/resources/adInformationDialog3.html

https://d2to8y50b3n6dq.cloudfront.net/truststores/[PROJECTID]/cdnconfig.zip

https://d2to8y50b3n6dq.cloudfront.net/truststores/[PROJECTID]/truststore.zip

https://geoip.api.c0nnectthed0ts.com/geoip/

https://geoip.api.p3insight.de/geoip/

https://info.startappservice.com/InApp/resources/info_l.png

https://play.google.com

https://ul.api.c0nnectthed0ts.com/ul/v3/

https://www.com.startapp.com/policy/sdk-policy/

https://www.jio.com/api/jio-recharge-service/recharge/mobility/number/ 

https://android.googlesource.com/toolchain/llvm

https://android.googlesource.com/toolchain/clang

MITRE ATT&CK® Techniques- for Mobile 

Tactic Technique ID Technique Name 

Defense Evasion T1406 T1523 1. Obfuscated Files or Information 2. Evade Analysis Environment  

Discovery T1421 T1422 1. System Network Connections Discovery 2. System Network Configuration

 T1430 T1426 T1424 3. Location Tracking 4. System Information Discovery 5. Process Discovery 

Collection T1432 T1430 T1507  1. Access Contact List 2. Location Tracking 3. Network Information Discovery 

Command and Control T1573 T1219 1. Encrypted Channel 2. Remote Access Software 

Network Effects T1449 1.Exploit SS7 to Redirect Phone Calls/SMS 

Impact T1447 T1448 1.Delete Device Data 2. Carrier Billing Fraud 

Indicators of Compromise (IoCs): 

IOC  IOC Type  

5522a7cc358b4193eac53e620d3baa47f385a04bf3d15d1850076cce9456d5f4 SHA256   

hxxps://awsdus.api[.]p3insight[.]de/isupload/upload_check_lumen[.]php Interesting URL 

hxxps://geoip.api.p3insight[.]de/geoip/ Interesting URL 

hxxp://tiny[.]cc/COVID-VACCINE Interesting URL 

202.83.21[.]14 IP address 

216.58.212[.]170 IP address 

Safety Recommendations: 

1. Keep your antivirus software updated to detect and prevent malware infections. 

2. Keep your system and applications updated. 

3. Use strong passwords and enable two-factor authentication during logins. 

4. Verify the privileges and permissions requested by the app before granting access. 

5. People concerned about the exposure of their stolen credentials in the dark web can register at AmiBreached.com to ascertain their exposure. 

Contacted IP's