LetsDefend level 1 alert SOC122 - Android Banker Malware Detected event-id 55
Details
EventID: 55
Event Time: Feb. 7, 2021, 6:21 p.m.
Rule: SOC122 - Android Banker Malware Detected
Level: Security Analyst
Source Address 10.15.15.12
Source Hostname MarksPhone
Username Mark
Package Name com.uijluzvup.hsoextg
Device Action Blocked
playbook
Search Log
10.15.15.12に関係するアクセスを確認
| # | DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
|---|---|---|---|---|---|---|
| 18 | Oct, 19, 2020, 10:59 PM | Proxy | 10.15.15.12 | 14774 | 172.217.169.206 | 443 |
| 19 | Oct, 19, 2020, 11:03 PM | Firewall | 10.15.15.12 | 14774 | 172.217.169.206 | 443 |
| 22 | Oct, 19, 2020, 11:06 PM | Firewall | 10.15.15.12 | 12441 | 140.82.121.4 | 443 |
| 351 | Feb, 07, 2021, 01:21 PM | Proxy | 10.15.15.12 | 58425 | 13.95.16.245 | 443 |
| 376 | Mar, 07, 2021, 05:47 PM | Proxy | 10.15.15.12 | 46234 | 67.199.248.10 | 443 |
18
URL: https://play.google.com/store/apps
19
No Log
22
URL: https://github.com/googleprojectzero/domato
351
Request URL: https://www.teamviewer.com Request Method: GET Device Action: Allowed
376
Request URL: https://bit.ly/TAPSCAN
どれも直接的な関係は無さそうに思える。
Analyze APK
Koodous: https://koodous.com/apks?search=com.uijluzvup.hsoextg
2種類のapkを確認。
com.uijluzvup.hsoextg
2a629fe1790c01fe5a0a83b5c3a12c8a
Koodous: https://koodous.com/apks/47eddb0a004c4a24442c8e942c7057cccb66837658a5f215093127def6bbf7e4
VirusTotal:https://www.virustotal.com/gui/file/47eddb0a004c4a24442c8e942c7057cccb66837658a5f215093127def6bbf7e4
MetaDefender: https://metadefender.opswat.com/results/file/2a629fe1790c01fe5a0a83b5c3a12c8a/hash/overview
サンプルの取得や動作の確認はできなかったが、
Permissions android.permission.SEND_SMS android.permission.READ_EXTERNAL_STORAGE android.permission.READ_CONTACTS android.permission.WRITE_SMS android.permission.CALL_PHONE android.permission.RECEIVE_SMS android.permission.READ_PHONE_STATE android.permission.WRITE_EXTERNAL_STORAGE android.permission.READ_SMS ... https://www.virustotal.com/gui/file/47eddb0a004c4a24442c8e942c7057cccb66837658a5f215093127def6bbf7e4/details
おそらく、連絡先を読み取ったり、SMSや電話を勝手に利用できる。
d64760981f9af1f0213ab211e0f12108
Koodous: https://koodous.com/apks/33903114a1fe7e7783d7d1c6acef36a6200a928492b590f1afa2d83ee58b9dea
VirusTotal: https://www.virustotal.com/gui/file/33903114a1fe7e7783d7d1c6acef36a6200a928492b590f1afa2d83ee58b9dea
Answer: Malicious
Containment
Containment!
Add Artifacts
| Value | Type | Comment |
|---|---|---|
| 10.15.15.12 | IP Address | Detected Malicious APK on MarksPhone |
今回はTrue Positive.
End
