0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808

Resubmissions

08-01-2023 07:12

230108-h1hy4sgd3s 10

30-08-2022 07:07

220830-hxmswsddgq 8

Analysis

max time kernel
3986030s
max time network
166s
platform
android_x64
resource
android-x64-arm64-20220823-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20220823-enlocale:en-usos:android-11-x64system
submitted
30-08-2022 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808.apk
Size

3.6MB
MD5

4d291ffddce396d078d16f10c35d5e2e
SHA1

1d9727aaf55191c9876e7c4b376dc2a6dd027a06
SHA256

0892942b07717a4fdef6639d02c56ce6ddb8e599529d299facaeda1c0cb16808
SHA512

1157293368632554da526e7795b1761877333e9d8eba34ccb21a45305aa88d58781ab42e5a7dfcd279ed23cc6317c6edf0609a175927551919ef60994da02452
SSDEEP

98304:cN6uQZn8I4hoe+t+wgBxtxvAoJ+g2EtoAO2:cEcoft7kL1AdEtoA7

Score

8^/10

banker evasion ransomware

Malware Config

Signatures

Makes use of the framework's Accessibility service. 3 IoCs

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cwblsehgz.ochxfcflb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.cwblsehgz.ochxfcflb
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.cwblsehgz.ochxfcflb

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps). 1 IoCs

banker

description	ioc	Process
Framework service call	android.content.pm.IPackageManager.getInstalledApplications	com.cwblsehgz.ochxfcflb

Acquires the wake lock. 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.cwblsehgz.ochxfcflb

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk	4565	com.cwblsehgz.ochxfcflb
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk]	4565	com.cwblsehgz.ochxfcflb

Queries the unique device ID (IMEI, MEID, IMSI).
Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.cwblsehgz.ochxfcflb

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.cwblsehgz.ochxfcflb

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.cwblsehgz.ochxfcflb

com.cwblsehgz.ochxfcflb
1⤵
- Makes use of the framework's Accessibility service.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4565

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk

Filesize
1.3MB

MD5
ec1169d8d6412e6cd1146dbb40833dc1

SHA1
9376b58dbf56de90045611b176f92ef65578dc67

SHA256
6d0e90239201e97f3a1711a2bd32e02cb6d242e078d9484db5188e45f0b15ea7

SHA512
d307036b4aa93bcc4b7a6069413fab6bb18e5ddc7a8a951715fb8872b97e47ba0ff42af8ee5f455edb20945fae686165b8ed00f14475f490dc80d37ef891746a

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/shared_prefs/multidex.version.xml

Filesize
307B

MD5
6ee22d065e4e503a915abeb7bc0ce905

SHA1
56c987f58c4022d269dc7d4b8bbe371ded16d1ce

SHA256
6ca5f98edb16350a3c0c5ad8e98762646413ac6835f9659ae98f7008df5dd059

SHA512
83f8fd1ccf555f57654f631387790e08d6dd2970ef759eee486a91f752463c23c336261179f88e8a81572ad569c2d665f3eaf9849d0172807f17182e1e09dd31

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/shared_prefs/settings.xml

Filesize
136B

MD5
c1a63b5ae58b62543ee749e603103150

SHA1
481fc83cd43b64f7bb6871477cfa88c97af47e99

SHA256
f7054481fb168942e5307f9ccc1c648e5aa512613b435de5c5cf6a17cec8411a

SHA512
ef685a6d98698ccd4cfada380738c7f4a7027fa79bb095a3f6770aa4b5f37549adb0180aadc39acf5bb73aeed1ce1230253fba3a4f5bde40df4d1de7ff36d87d

Download Submit
/data/user/0/com.cwblsehgz.ochxfcflb/shared_prefs/settings.xml

Filesize
180B

MD5
78784b514642e5910222b3f6371906dd

SHA1
831b712f1b0209fa95d81a3e6fcaca26397e4042

SHA256
fea6430b6d746edbc7404ed205be9183a3f29cedf81bb102bf743d9f40fa129c

SHA512
c0483d9c49a1c90cf020b38de59ab1fa7fa235bf29c3b0fd5abc29d38f2cf09bc6eafeada4a0aa40087fc792f54b70401539ad533b622e5bc69ac41c2fae05fe

Download Submit
[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.cwblsehgz.ochxfcflb/khkjgU8hgy/dga6oI6gbIHjs4j/base.apk.yakhfds1.hkk]

Filesize
1.3MB

MD5
ec1169d8d6412e6cd1146dbb40833dc1

SHA1
9376b58dbf56de90045611b176f92ef65578dc67

SHA256
6d0e90239201e97f3a1711a2bd32e02cb6d242e078d9484db5188e45f0b15ea7

SHA512
d307036b4aa93bcc4b7a6069413fab6bb18e5ddc7a8a951715fb8872b97e47ba0ff42af8ee5f455edb20945fae686165b8ed00f14475f490dc80d37ef891746a

Download Submit