As always, IOCs at the end.
Characteristics:
Uses IRC and FTP to send data to the attacker.
Gets the victim's IP address via external services, using ip2location until it is able to connect to the external service.
Gets the list of installed applications.
Sends SMS using the device.
Requests several permissions:
android.permission.INTERNET
android.permission.READ_EXTERNAL_STORAGE
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.REBOOT
android.permission.CALL_PHONE
android.permission.READ_SMS
android.permission.READ_CONTACTS
android.permission.SEND_SMS
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.READ_CALL_LOG
android.permission.SYSTEM_ALERT_WINDOW
Includes Spanish strings in the code, suggesting the actor is from a Spanish-speaking country.
The IP from which the duckdns host serves the APK is in Spain.
Useful links:
Virustotal Graph: https://www.virustotal.com/graph/embed/g1f66b84527234df186946867ace02cc1d175d8dd4bd045cf948261dd16565c7d
Virustotal Collection: https://www.virustotal.com/gui/collection/4b368a9e4f689c2585fdf10248d7a117bfca4300bb6494d9c10ea5278400e0f1
This sample looks like a work in progress: there is functionality implemented that is not called during execution.
The channel, IDs and credentials used to send data via IRC or via FTP:
When connecting to the remote IRC server, the server answers from `irc.prodigybot[.]net`:
The random ID is generated by choosing a random number which is hardcoded:
It iterates in a loop to ensure that the BOT_IP is always the latest one:
There is functionality to get the list of applications installed on the device, but it is not called; the same goes for sending SMS and getting the contacts list.
The owner field points to possibly two different actors, SharK and G0ku, as seen in the code:
On the other hand, this duckdns dynDNS URL has been used in the past for other payloads and has hosted other unrelated malicious files:
Also, the serving IP address 95.60.57[.]103 is in Spain:
Similar samples were seen in the wild before the 12th of August 2022, which points to a work in progress. Previous samples contain similar functionality with slight differences; for example, data is stored in resources and the credentials stay the same. The resource owner might point to two actors.
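As an added example (not part of the original write-up), the following Python sweeps device connection logs for the indicators above: the duckdns C2 host, its resolving IP, the IRC default port 6667, and contact with an ip2location service. The log format and the sample lines are constructed for the example; the `ip2location.example` host name is a placeholder, not the real service endpoint.

```python
import re
from dataclasses import dataclass

# Indicators copied from the write-up, kept in their defanged form.
IOC_DOMAIN = "anunnakii.duckdns.org"
IOC_IP = "95.60.57[.]103"
IOC_IRC_PORT = 6667

# Constructed log format: "<timestamp> <device> <dns|tcp> <destination>[:port]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proto>dns|tcp) (?P<dst>[^:\s]+)(?::(?P<port>\d+))?$"
)

def refang(value: str) -> str:
    """Turn a defanged indicator such as '95.60.57[.]103' back into a matchable form."""
    return value.replace("[.]", ".")

@dataclass
class Hit:
    ts: str
    device: str
    reason: str
    line: str

def scan(lines):
    """Return one Hit per log line that matches an indicator or a behavioural heuristic."""
    known_c2 = {IOC_DOMAIN, refang(IOC_IP)}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the constructed format
        dst = m["dst"].lower()
        port = int(m["port"]) if m["port"] else None
        if dst in known_c2:
            reason = "known C2 indicator"
        elif "ip2location" in dst:
            reason = "external IP lookup service used by the bot"
        elif port == IOC_IRC_PORT:
            # Weak on its own (legitimate IRC exists); correlate with the hits above.
            reason = "IRC default port"
        else:
            continue
        hits.append(Hit(m["ts"], m["host"], reason, line.strip()))
    return hits

# Constructed sample telemetry, not real data.
SAMPLE_LOG = """2022-08-12T10:00:01Z device-01 dns anunnakii.duckdns.org
2022-08-12T10:00:02Z device-01 tcp 95.60.57.103:6667
2022-08-12T10:00:03Z device-01 tcp ip2location.example:443
2022-08-12T10:00:04Z device-02 dns www.example.com
2022-08-12T10:00:05Z device-02 tcp 93.184.216.34:443
2022-08-12T10:00:06Z device-03 tcp irc.example.net:6667"""

def affected_devices(lines):
    """Devices with at least one hit, sorted for stable reporting."""
    return sorted({h.device for h in scan(lines)})
```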
IOCs:
Sample SHA256: a0715a88e289763cac6ca6ce5b5b24575c6d966591c7949eb88d0024dcace2bc
IRC server: anunnakii.duckdns.org:6667
Owners: {"G0KU", "SharK"}
Resolving IP address of the dynDNS: 95.60.57[.]103
Other SHA256: