Malware Analysis Report

2024-10-19 12:08

Sample ID: 230310-haj4gsdf5t
Target: 831346106da21d6edd95d62d22065a705e1c8c3edd29a31fb4ca7431d50d5cb1
SHA256: 831346106da21d6edd95d62d22065a705e1c8c3edd29a31fb4ca7431d50d5cb1
Tags: ransomware banker evasion
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 831346106da21d6edd95d62d22065a705e1c8c3edd29a31fb4ca7431d50d5cb1

Threat Level: Likely malicious

The file 831346106da21d6edd95d62d22065a705e1c8c3edd29a31fb4ca7431d50d5cb1 was found to be: Likely malicious.

Malicious Activity Summary

ransomware banker evasion

Makes use of the framework's Accessibility service.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

Requests dangerous framework permissions

Requests enabling of the accessibility settings.

Loads dropped Dex/Jar

Acquires the wake lock.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-03-10 06:31

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-03-10 06:31
Reported: 2023-03-10 06:34
Platform: android-x64-20220823-en
Max time kernel: 3392835s
Max time network: 131s

Command Line

com.frontbynpxa

Signatures

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.frontbynpxa/cache/apjorsma | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.frontbynpxa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | 4-u.wtf | udp
US | 1.1.1.1:53 | fitnessstyle.xyz | udp
US | 1.1.1.1:53 | sportsstyle.club | udp
US | 1.1.1.1:53 | sportsstyle.club | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.174:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
NL | 172.217.168.237:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
NL | 142.250.179.202:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | kgsscehmqll | udp
US | 1.1.1.1:53 | gqjojvlzs | udp
US | 1.1.1.1:53 | bzeysvbtvszmid | udp
US | 1.1.1.1:53 | sportsstyle.club | udp
US | 1.1.1.1:53 | bzeysvbtvszmid | udp
US | 1.1.1.1:53 | sportsstyle.club | udp
US | 1.1.1.1:53 | sportsstyle.club | udp

Files

/data/user/0/com.frontbynpxa/cache/apjorsma

MD5 d4cd337c961cce8a496a5e6e020e54c7
SHA1 62d731ab9f40470e649a51b8d7e61af61f23cd8b
SHA256 ecc2807e8038a7bf3e899041ed0dcd4e3d970175a0418165db105368f40ecd1a
SHA512 531398aaa3661831b881697b2bcb7d9d384d7cebf66f9cd9e8843e931e2eb82914c55081ab3412ed1a434e61e1c7e86d7b53df024e896ffa72d3f47f8c6a4b24

/data/user/0/com.frontbynpxa/cache/oat/apjorsma.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.frontbynpxa/shared_prefs/main.xml

MD5 8ab9a0a95c3f5eb625f342819a50373e
SHA1 d9041766dc803620a1b8017f8359194931c0135c
SHA256 0a198288500263b12b6af4aee1854d1e22d500ecedda9b49ac6c5d9f96a7b4ad
SHA512 44550793c9882c357cae06e9cdf7869f1b897a3e49b0e7f8774e41a1a7e5da479898d7e2fdef2d3a3e80c2e16660c5b95858e53384f27e64446876b8013fd93a

Analysis: behavioral1

Detonation Overview

Submitted: 2023-03-10 06:31
Reported: 2023-03-10 06:34
Platform: android-x86-arm-20220823-en
Max time kernel: 3389231s
Max time network: 130s

Command Line

com.frontbynpxa

Signatures

Makes use of the framework's Accessibility service.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

banker
Description | Indicator | Process | Target
Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A

Acquires the wake lock.

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Loads dropped Dex/Jar

Description | Indicator | Process | Target
N/A | /data/user/0/com.frontbynpxa/cache/apjorsma | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.frontbynpxa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
NL | 142.250.179.174:443 | android.apis.google.com | tcp
NL | 142.250.179.174:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp
GB | 216.58.208.106:443 | infinitedata-pa.googleapis.com | tcp
US | 1.1.1.1:53 | 4-u.wtf | udp
US | 1.1.1.1:53 | fitnessstyle.xyz | udp
US | 1.1.1.1:53 | sportsstyle.club | udp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp
US | 1.1.1.1:853 | | tcp

Files

/data/user/0/com.frontbynpxa/cache/apjorsma

MD5 d4cd337c961cce8a496a5e6e020e54c7
SHA1 62d731ab9f40470e649a51b8d7e61af61f23cd8b
SHA256 ecc2807e8038a7bf3e899041ed0dcd4e3d970175a0418165db105368f40ecd1a
SHA512 531398aaa3661831b881697b2bcb7d9d384d7cebf66f9cd9e8843e931e2eb82914c55081ab3412ed1a434e61e1c7e86d7b53df024e896ffa72d3f47f8c6a4b24

/data/user/0/com.frontbynpxa/cache/apjorsma.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.frontbynpxa/cache/oat/apjorsma.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.frontbynpxa/shared_prefs/main.xml

MD5 37a292b3925d074524eec62fcd50a33b
SHA1 70d72fb8d51d8c915ea54c2a2964bc8bd04c7018
SHA256 193105f6e2d03efc4d71d7abdea642da1013381579bbce2e60e0f115695ccbf9
SHA512 2874bc8025efaf5ff8dc4fc2630ecc94ea529ed24f498368892c191ade8a20ae3884812f27c8b3085317bd67fbf6ddbd07e47e8c920d8bfe31ee3e2f16095205