{ "Event": { "analysis": "1", "date": "2020-11-24", "extends_uuid": "", "info": "[Threat Intel] WAPDropper: An Android Malware Subscribing Victims to Premium Services and Targeting Telecomm Companies", "protected": false, "publish_timestamp": "1780039627", "published": true, "threat_level_id": "2", "timestamp": "1780039627", "uuid": "cbc7019f-c90e-48ef-94d6-d7cca59a6c03", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#5dfed4", "local": false, "name": "misp-galaxy:producer=\"Check Point\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#566f91", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Carrier Billing Fraud - T1448\"", "relationship_type": "" }, { "colour": "#9f9a68", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deliver Malicious App via Other Means - T1476\"", "relationship_type": "" }, { "colour": "#b2ee2e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Download New Code at Runtime - T1407\"", "relationship_type": "" }, { "colour": "#5760f4", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Suppress Application Icon - T1508\"", "relationship_type": "" }, { "colour": "#b418fc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1422\"", "relationship_type": "" }, { "colour": "#24a1e3", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1421\"", "relationship_type": "" }, { "colour": "#bbb53d", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\"", "relationship_type": "" }, { "colour": "#0da3ae", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1418\"", "relationship_type": "" }, { "colour": "#d39115", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1406\"", "relationship_type": "" }, { "colour": "#1cbd79", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1575\"", "relationship_type": "" }, { "colour": "#33360c", "local": false, "name": "misp-galaxy:target-information=\"Thailand\"", "relationship_type": "" }, { "colour": "#915448", "local": false, "name": "misp-galaxy:target-information=\"Malaysia\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:sector=\"Telecoms\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#110041", "local": false, "name": "rectifyq:sub-category=\"malware-analysis\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#dd2e44", "local": false, "name": "rectifyq:MY-relevancy=\"relevant\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#170059", "local": false, "name": "rectifyq:topic=\"mobile-attack\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1736669392", "to_ids": false, "type": "link", "uuid": "d5de300f-88a3-412b-897c-52a0d9a2e3f4", "value": "https://research.checkpoint.com/2020/enter-wapdropper-subscribe-users-to-premium-services-by-telecom-companies/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1736669392", "to_ids": false, "type": "text", "uuid": "a1c80916-ec42-4b33-bfb8-e6481d6ddf2a", "value": "Check Point researchers recently encountered WAPDropper, a new malware which downloads and executes an additional payload. In the current campaign, it drops a WAP premium dialer which subscribes its victims to premium services without their knowledge or consent." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1736669392", "to_ids": false, "type": "text", "uuid": "e551a8ea-5ed9-4f27-963a-77688bc54aee", "value": "Name: WAPDropper: An Android Malware Subscribing Victims to Premium Services and Targeting Telecomm Companies\nAuthor: AlienVault\nAdversary: \nTags: [\"WAPDropper\", \"Subscription Fraud\", \"Android Malware\", \"Premium Services Fraud\", \"Telecomm\"]\nTgtd countries: [\"Thailand\", \"Malaysia\"]\nMlwr families: [\"WAPDropper\", \"Trojan-Downloader.AndroidOS\"]\nAttack_ids: [\"T1448\", \"T1476\", \"T1407\", \"T1508\", \"T1422\", \"T1421\", \"T1426\", \"T1418\", \"T1406\", \"T1575\"]\nIndustries: [\"Telecommunications\"]" }, { "category": "Network activity", "comment": "Main C&C Server", "deleted": false, "disable_correlation": false, "timestamp": "1747505014", "to_ids": true, "type": "hostname", "uuid": "7c4a6d85-3588-4c80-8951-b7d338abef91", "value": "ks7br7.3q03on.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Rotating C&C", "deleted": false, "disable_correlation": false, "timestamp": "1747505014", "to_ids": true, "type": "hostname", "uuid": "602fbe18-082f-41ca-a47e-761e36b428b7", "value": "ip.cooktracking.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "Rotating C&C", "deleted": false, "disable_correlation": false, "timestamp": "1747505014", "to_ids": true, "type": "hostname", "uuid": "7d9094b4-4885-43df-b312-20c305a9a0e1", "value": "l.facebook1mob.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "IP", "deleted": false, "disable_correlation": false, "timestamp": "1780039625", "to_ids": true, "type": "ip-dst", "uuid": "28a7156f-48c9-486f-b8bf-d76bb026f733", "value": "34.233.155.78", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#92678d", "local": false, "name": "asn:asn=\"14618\"", "relationship_type": "" }, { "colour": "#e68e4d", "local": false, "name": "asn:as-owner=\"AMAZON-AES\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "IP Infrastructure", "deleted": false, "disable_correlation": false, "timestamp": "1780039627", "to_ids": true, "type": "ip-dst", "uuid": "c9cb552c-10f2-46d6-bb49-226fbc858e6a", "value": "52.54.159.156", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#92678d", "local": false, "name": "asn:asn=\"14618\"", "relationship_type": "" }, { "colour": "#e68e4d", "local": false, "name": "asn:as-owner=\"AMAZON-AES\"", "relationship_type": "" }, { "colour": "#d16c37", "local": false, "name": "asn:as-country=\"US\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:country=\"united states of america\"", "relationship_type": "" } ] }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1740277964", "to_ids": false, "type": "malware-type", "uuid": "ed69cdc3-496c-496d-9644-a528c1b6a60c", "value": "WAPDropper" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1747504726", "uuid": "0531953e-761c-4b73-8707-4475e31b1738", "Attribute": [ { "category": "Payload delivery", "comment": "WAPDropper", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1747504726", "to_ids": true, "type": "md5", "uuid": "c5318b7e-140b-48d0-b77b-7ec6f5a4439d", "value": "cb4e32705a64aca8329cab42e44047f5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "WAPDropper", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740280980", "to_ids": true, "type": "sha1", "uuid": "ce973735-671a-43f9-b29f-cf70d984409c", "value": "cb6c733ea3bb14621c9b3eb612526dd6767f3553", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "WAPDropper", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740280980", "to_ids": true, "type": "sha256", "uuid": "9fb025f8-5ca1-4b9b-8e66-5a2bcd3d91b5", "value": "2e5909411496a3b58b75fa55745138bfe2d73526b4ab00e7f06da2c5969c3661", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740280689", "to_ids": true, "type": "ssdeep", "uuid": "a483c390-05d2-4c4b-a736-c65198073e4e", "value": "3072:Kncxy9iCtJ4i2uxiWrwIi0s5avw1QABzCURVnGcBS1mu:Cn9BtJ45WUNSw1vzCURVgEu" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740280689", "to_ids": false, "type": "size-in-bytes", "uuid": "b4b42440-cc28-43a9-b9ab-bce140b26b6a", "value": "170060" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740280689", "to_ids": true, "type": "vhash", "uuid": "adc3beba-d800-4174-adeb-d13442cebd0b", "value": "7267e062195a9f78f0539238e8f1779f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740280689", "to_ids": true, "type": "filename", "uuid": "28150392-6774-43ce-9f53-717be7795925", "value": "cb4e32705a64aca8329cab42e44047f5.virus" }, { "category": "Other", "comment": "Checked: 23/02/2025\nLast-scan\t: 04/02/2022", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740280689", "to_ids": false, "type": "text", "uuid": "d9e66356-611e-4c70-b18d-7aa1f217211e", "value": "WAPDropper\r\nType Description: Android\n\nMicrosoft: Trojan:AndroidOS/Multiverze\nVT Total Detection:27/60" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1747504748", "uuid": "4414b9c5-3479-4f2d-8740-fcdae9745bfd", "Attribute": [ { "category": "Payload delivery", "comment": "WAPDropper", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1747504748", "to_ids": true, "type": "md5", "uuid": "319474d0-b87c-40a2-aacf-26da344e12f7", "value": "a7267059bf34b6df33c1d0e57ae7bda0", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "WAPDropper", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1740280981", "to_ids": true, "type": "sha1", "uuid": "9300f377-946b-4c04-8f54-43e579690c2f", "value": "2e5a7bba3149ea31c71c97632d780af64a5b6727", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "WAPDropper", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1740280981", "to_ids": true, "type": "sha256", "uuid": "2c240a60-81c3-4093-b09d-d4bf81717fdf", "value": "a7632c3fcbd93b7e4c275eabbf3ddf09adee1035b2917301d622433f61ef8e1d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1740280711", "to_ids": true, "type": "ssdeep", "uuid": "6b99406a-3599-41bd-a19f-d6476d9e0c6f", "value": "49152:PeBZf0vx/dH4gPic6RbItWQEdLEZVFfsj3TxSdw+K1X8fLh66:PePiVdHlPEFlFa9srTxU66" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1740280711", "to_ids": false, "type": "size-in-bytes", "uuid": "ea008f87-6fe9-4366-a3bd-4d17f91fc4cd", "value": "2850988" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1740280711", "to_ids": true, "type": "vhash", "uuid": "ac4ca66d-c232-419d-bc71-eefd88b2cb7b", "value": "ec010b30aa71285875ff05c86cc0fa78" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1740280711", "to_ids": true, "type": "filename", "uuid": "9b1d61df-b849-4544-8d56-b6eadda784d0", "value": "a7267059bf34b6df33c1d0e57ae7bda0.apk" }, { "category": "Other", "comment": "Checked: 23/02/2025\nLast-scan\t: 29/05/2022", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1740280711", "to_ids": false, "type": "text", "uuid": "3fd6b2a6-9a7d-40b4-9e33-a9d599c332ad", "value": "WAPDropper\r\nType Description: Android\n\nMicrosoft: Trojan:AndroidOS/Wapdropper.A!MTB\nVT Total Detection:32/62" } ] } ] } }