Malware Analysis Report

2024-09-09 16:38

Sample ID 230206-ncz6dadf55
Target 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8_unpacked.zip
SHA256 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8
Tags
banker evasion ransomware
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8

Threat Level: Likely malicious

The file 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8_unpacked.zip was found to be: Likely malicious.

Malicious Activity Summary

banker evasion ransomware

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Requests enabling of the accessibility settings.

Requests dangerous framework permissions

Acquires the wake lock.

Reads information about phone network operator.

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-02-06 11:15

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-06 11:15

Reported

2023-02-06 11:18

Platform

android-x86-arm-20220823-en

Max time kernel

641466s

Max time network

158s

Command Line

com.rduzmauwns.jieliysagr

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.getInstalledApplications N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.rduzmauwns.jieliysagr

com.rduzmauwns.jieliysagr:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 172.217.168.234:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 216.58.214.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:853 N/A tcp
US 1.1.1.1:853 N/A tcp
US 1.1.1.1:853 N/A tcp
NL 149.154.167.99:443 t.me tcp

Files

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.rduzmauwns.jieliysagr/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/metrics_guid

MD5 8b86508fdf8506833a83e294b6dac49c
SHA1 bcb3ef5837080f3b3abe0894db542ba1a60d042e
SHA256 10c659617aa1d738bd46db8ea494e8c7f5117ac9c410c7132e94f3e0c0555de6
SHA512 434a0e366f71e8098e8419b0326a30570afac0ed90b197e7a99f4599fbc3f07ea4804e26128818ba7930905fb91a7b686d36e4a118fbde16cd54f715bb884d7f

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/Web Data-journal

MD5 9b3f882d919fbac6ca8774607bc460e3
SHA1 89f15177ca3609626c7bc2cb1bbfb171ba5379ef
SHA256 268e536cab6a17f0abede0df5be8876fc9522fe45c1a0489567163e4aacff252
SHA512 a6c3aee240f6844f85078e83f012ff4f45d544702c2e132fc7d49ec3262983dce9e855f2ead5873ee0aded3bc4aece4e2ca7285da8c5ea6af5430dcdec385a2f

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-06 11:15

Reported

2023-02-06 11:18

Platform

android-x64-20220823-en

Max time kernel

645066s

Max time network

159s

Command Line

com.rduzmauwns.jieliysagr

Signatures

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.rduzmauwns.jieliysagr

com.rduzmauwns.jieliysagr:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.208.106:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 216.58.214.14:443 android.apis.google.com tcp
US 1.1.1.1:53 t.me udp
NL 149.154.167.99:443 t.me tcp

Files

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.rduzmauwns.jieliysagr/shared_prefs/WebViewChromiumPrefs.xml

MD5 6ef709b8536878951e87c29a1518fc2b
SHA1 24376c70b00152501b3d98df61fa7db435339172
SHA256 10b13d894f36d4391fcc31313a244d5f6cd89c8e8c03347282e281c4af13c0a6
SHA512 96547eff6779251a5c4941e812ec56ed273e9270265005723e1f2864688b04f3b852a90145fba4ea0ddf1e02b39d99e33d28f761b07a04d46e0e4257d8909ff9

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/metrics_guid

MD5 55e5e2117a740613f6b050101a505a87
SHA1 cd812e003b2e51727aa59596aace7a1a4587a1b3
SHA256 be371b4a6b540c81a1562a905279b1bde5683092705998b523c79417eb889c5b
SHA512 10fb5159a63cf2b9929af76c3ab1f5282f98c4d5e66b29f0c665f11e23ff88134d4153f29fd23ea3124ab964cd01b63273c7ac1df0ffe397d18ed4a49d28fc66

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/Web Data

MD5 b663831f8cc130493476d94f2d7a5330
SHA1 043a1956ab8e40821d67043f8a9110a8eb36fb93
SHA256 c109aa8bfc364d5fd0756f1c9d35ee3d6df31325061ac70d8469f28cfc882ab7
SHA512 e8ee923192cdf16318febdc23362f3eeaf5c914b923f80cd3a91a2e83e94bced54460d4ef1e54accc26a7d54b89e2e10c00097e60002cf6427298dc5f18fed16

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/Web Data-journal

MD5 767caf10abd2cd0b885795a5c8ec030e
SHA1 04addcc8bf7ee792ed3d605a3a0efff636d49568
SHA256 e63cda601da18d39d15cbf30a79b4161592c007356fe301f0703ff959e96d03e
SHA512 6a1ca5aa5621a367f9ff2257daf0698f84540bfcc7b9b801b43bff744b79452af695bcc17c222bf465f5b6b040845a078a31a8fdef18ef7a8277046cc50a6306

/data/user/0/com.rduzmauwns.jieliysagr/cache/org.chromium.android_webview/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.rduzmauwns.jieliysagr/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index

MD5 83f35afd9e16f5496e22c3e2e3ddeeeb
SHA1 23fbc8a940b7aae7572f537396b6aa3396293a55
SHA256 f1096e2e85edffac717e865bab00cf48ba0ffc34836a923a520de207637f9077
SHA512 8adb0cec3bec5854e4a9258231f6d53aa2f4a01fea38662772d9c97ca78218e6818cd761f2fbd7a5f832ede14e62f46c5910a6fb2f8ee880f76959df34aa6e0f

/data/user/0/com.rduzmauwns.jieliysagr/cache/WebView/Crashpad/settings.dat

MD5 cfedc4150d4ecfc186101a35bdc0adc6
SHA1 e97d6aa3ba185e3665a5ca45c100606a02b3a6dd
SHA256 b15209f79b348eef8deebee83adcc9153856f1c00dacdf30431f51f2d075d946
SHA512 d6bcf0d2ea53d32e32913e721cbebc88b2174d2475d2635e490f6ebb25e4f3249c20f0dfbbcbfe1f63c97edb8f1dd310919a8d4e0e3a86e8d1cad14ee8e170a2

/data/user/0/com.rduzmauwns.jieliysagr/app_webview/.com.google.Chrome.oXqFc6

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral3

Detonation Overview

Submitted

2023-02-06 11:15

Reported

2023-02-06 11:19

Platform

android-x64-arm64-20220823-en

Max time network

180s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
NL 142.250.179.206:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 N/A udp
NL 142.250.179.170:80 play.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
DE 142.250.185.170:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
NL 142.251.39.109:443 accounts.google.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
US 1.1.1.1:53 imzlcqxjpjqpdbh udp
US 1.1.1.1:53 nzaufiao udp
US 1.1.1.1:53 dqgcabx udp
US 1.1.1.1:53 growth-pa.googleapis.com udp
US 1.1.1.1:53 lh3-dz.googleusercontent.com udp
NL 216.58.214.1:443 lh3-dz.googleusercontent.com tcp
US 1.1.1.1:53 lh3.googleusercontent.com udp
GB 216.58.208.110:443 android.apis.google.com tcp
US 1.1.1.1:53 dqgcabx udp
US 1.1.1.1:53 imzlcqxjpjqpdbh udp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
NL 142.251.36.10:443 mdh-pa.googleapis.com tcp

Files

N/A