xenomorph | 9ce2ad40f3998860ca1ab21d97ea7346bf9d26ff867fc69c4d005c477c67a899

Analysis

max time kernel
4136089s
max time network
34s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
07-05-2023 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ce2ad40f3998860ca1ab21d97ea7346bf9d26ff867fc69c4d005c477c67a899.apk
Size

2.2MB
MD5

8ce057ff57478e98c0e246355ccd27db
SHA1

1d3cc636883c72d45e8f336344bdea97ec8d91d1
SHA256

9ce2ad40f3998860ca1ab21d97ea7346bf9d26ff867fc69c4d005c477c67a899
SHA512

5fd1345c3d605859bc56cf4cf7088712b63d929a3d576e99a88406eaa3387e4a996361c3bcc78275650609ad967636b7042fa42c244b183da96a0e7cfff78a1f
SSDEEP

49152:grrgUCuMhTKb+/CZFLqtBOU3t95tnUAqkp3IQRRiEKfaFEjI:uTOKb+qXmBOuPUAqkpIQDGsEjI

Score

10^/10

xenomorph banker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

xenomorph

dedeperesere.xyz

vldeolan.com

cofi.hk

Extracted

Family

xenomorph

AES_key

Signatures

Xenomorph
Xenomorph is an Android banking trojan that is seemingly tied with AlienBot.
banker trojan infostealer xenomorph

Xenomorph v3 payload 2 IoCs

Processes:

resource	yara_rule
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json	family_xenomorph_v3
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json	family_xenomorph_v3

Makes use of the framework's Accessibility service. 3 IoCs

Processes:

com.great.calm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.great.calm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.great.calm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.great.calm

Acquires the wake lock. 1 IoCs

Processes:

com.great.calm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.great.calm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.great.calm

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.great.calm/app_DynamicOptDex/oat/x86/hDpdaxQ.odex --compiler-filter=quicken --class-loader-context=&com.great.calm

ioc	pid	process
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json	4178	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.great.calm/app_DynamicOptDex/oat/x86/hDpdaxQ.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json	4132	com.great.calm

Removes a system notification. 1 IoCs
evasion

Processes:

com.great.calm

description ioc process

Framework service call android.app.INotificationManager.cancelNotificationWithTag com.great.calm
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.great.calm

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.great.calm

description	ioc	process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.great.calm

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.great.calm

com.great.calm
1⤵
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4132

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.great.calm/app_DynamicOptDex/oat/x86/hDpdaxQ.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4178

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json
Filesize
934KB

MD5
637d3020a6e8d9aa114d51e7939fe6a0

SHA1
7e172dabca14040635c9118920942805ddfc964a

SHA256
cc3c058fd60da1fd0c3c8f0e58fecd355eef4ecc1d138fe8c6b9da8920cf9797

SHA512
e426c769af5af742f4b6f2f0f1dce4df0543d55fa8652759417c850943c750e90ea4033a7ce5ebd1063779238c4961a82840f3074b00f7d62e7bcf9978b91e2b

Download Submit
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json
Filesize
2.6MB

MD5
749ad09821c704469e50582298d5724e

SHA1
3eda0f7c169b309bcffa6c2d5c7d7480dfb8b52e

SHA256
ea1dfc385ac0862c0c0e8ed8214f7dc18df52a9bbaa2bc20cc1e70b63628c3a9

SHA512
6931a13b5f3816b5b99a40f7bb0fe455293f53be12e5323ff70cec2712674947dcec103479cd60c3a3177008bf1c6e83dd0a9c289c1ce50ab059eaa32a56c244

Download Submit
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json
Filesize
2.6MB

MD5
033e4993902fa453fc96b86248ea7ae7

SHA1
efb980435f0b7de14861fef21e4c09434b519c4d

SHA256
b28162d529728bf31f7dac4eadf40825a0ea1e5e6039e9b521d5906280c29196

SHA512
fe27307d7401dbc3881b3f7aec18b228ea48285d3f8fa8ffab51b29a51a8eba91d677ebf7bdd9b44ece60c9f87a36604272ff98ff8c25102cb162f49f61aaca3

Download Submit
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json.x86.flock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.great.calm/app_DynamicOptDex/oat/hDpdaxQ.json.cur.prof
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.great.calm/app_DynamicOptDex/oat/x86/hDpdaxQ.odex
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.great.calm/app_DynamicOptDex/oat/x86/hDpdaxQ.vdex
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.great.calm/app_webview/Cookies
Filesize
64KB

MD5
cb7543c4df600f2af58097cce0e334ba

SHA1
83cc92f38c27fdb4fa519b1ce2f37912f24af1f0

SHA256
64c022ae708f94ffde986e105d88f708884de325720bfb9925c4160a6d417233

SHA512
ad51cad0472327bd68aa2d791341cfafed58971752352537bb603ed18b15a3f9185e9150983a28ecd09606e8dcaef6d1c9d93213dd246ef7720f39842eb3d980

Download Submit
/data/user/0/com.great.calm/app_webview/Cookies-journal
Filesize
1KB

MD5
5027427a7e251321644b7cd7d4fa2528

SHA1
358d95b093a57f9c35490b24dbc2917207c2d791

SHA256
dcb64eda61fca183b23c44db748ef0275f972bba5f458238228facf99eb687ba

SHA512
f65bef81f30c422b2cf466062fee8b4f4a8c8259b3667fd4c6ba2c989d674c3406a43d97e7e26d96a9fe7b8ee9298c23f0709d865f8ce01270d7dd490b1d584f

Download Submit
/data/user/0/com.great.calm/app_webview/GPUCache/index
Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.great.calm/app_webview/GPUCache/index-dir/temp-index
Filesize
48B

MD5
86bc3811e43edbb8f1469d58d122def0

SHA1
65391d180aeed279149749368cd304ed34775a9f

SHA256
fc32238a1d1984e83e3ca7f2b1de016325be192be713b32cb552baf76a2943b2

SHA512
f45dbf1c908eb36904f00df419e70a2a6678286c3c3926e90db94daf6f0dc444cf5268b3f57a207ce70914518c899f67a69fb18f1f3071d7149ba852519eb798

Download Submit
/data/user/0/com.great.calm/app_webview/GPUCache/index-dir/temp-index
Filesize
48B

MD5
29aaf70ba0114ae9bdb977b392c049be

SHA1
3d4c2182be22972d210d38d77b471b5d5b636de6

SHA256
07c8082033fbf030bf7ed886ee02268a748e77e3caf3cf3d13ade236d0ded903

SHA512
b43ff979391720579e610082228506092397b97d5e1935056a20d031a5d638bc1a1e922e7b1714a5cbb71b01d941c876640da22eded644e2fc86c91a8194b036

Download Submit
/data/user/0/com.great.calm/app_webview/Web Data
Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.great.calm/app_webview/Web Data-journal
Filesize
1KB

MD5
f54a1c142c53f67779d900f89ef7ff9e

SHA1
1c507a1feb63b7b50219a03dae490e71bd325d3b

SHA256
0ee453f36e195403e52d5a06195a9e7e72339e6f229aa0948670377ab68eb213

SHA512
2d561aa4fd9bd0b7cca6915a972340097b061d7e96452f89f4c9f2b6af55f744d9c5d4f33d2885962c493184675c5b165237eeaa59581923e5629e57c8de5fed

Download Submit
/data/user/0/com.great.calm/app_webview/metrics_guid
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.great.calm/app_webview/metrics_guid
Filesize
36B

MD5
5d1e0a79c944f8596fbc5741d5fd6d70

SHA1
8dc0f756aa0e19b5dec3cd8fc9acc4bfcb590a75

SHA256
971a9c8bcc6f8a9aec2396b4eea4106781060ee28c67410dd88d7e2a3fd0cfa5

SHA512
72fe3ee8ccb36726b6a6c1fc7ec91fd457dd2e9f7f1ba74af2f3cf5748446f006eb1e069fcdca8b346db699376bc230c9431dfeace199dde383be0b353a0a55f

Download Submit
/data/user/0/com.great.calm/app_webview/variations_seed_new
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.great.calm/app_webview/variations_stamp
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.great.calm/app_webview/webview_data.lock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.great.calm/cache/org.chromium.android_webview/21a97041b40c53c6_0
Filesize
6KB

MD5
bdb11a994dd84145ffe0310c36a7e489

SHA1
10cc3759cc52162e9252bc88a6d785d47c5b8c21

SHA256
c59705deb955e0fa5daaf292354644b5baab2c45c13bf1d6b747825358e3e384

SHA512
94ed3db5f16a797c55e42b0b5f67aefb265bf55daacbd002583dad728c6499a2f451b18081c52f6e8c6a9d89a2991f8315556cb7a68de0fe6c68d6bf1d8688ba

Download Submit
/data/user/0/com.great.calm/cache/org.chromium.android_webview/5dcc6771ad552215_0
Filesize
6KB

MD5
f0c8643677717800ade8047b7dbe64fe

SHA1
22ca5348a2e3a2efd04e4afc1c9e227d3f2eff41

SHA256
0982288fa4950b025eeda82369b5ce668df1f47bd5d41a3f6353fd53cbbf14fe

SHA512
b7f211764d5407c2764344de80d95f5fb004310fb54d350cfe70a74f612ff1f4eef390e49358a72ec379d6f1e957375b60e6d141d88ddf59ec1f322cd398e8af

Download Submit
/data/user/0/com.great.calm/cache/org.chromium.android_webview/624f2bd216494a6f_0
Filesize
6KB

MD5
f6980187633f70f56bf6945a8e25510b

SHA1
31352f54abb6eda7a5a4c7ca62d2b9b8ac43ed00

SHA256
31a193c090b129676cb7d1330c5cba3279dac2d1c0cb1529e3960f27cb4b38c2

SHA512
70719724b21307d72ac0506f48ae9d982be99c12854974f7c793190c66a99a177543c62f7bb8a1c66b25fe21c6d9f4bf6d99334aba9a319b9604774add3ef04d

Download Submit
/data/user/0/com.great.calm/cache/org.chromium.android_webview/a0c2ffc2995089d9_0
Filesize
6KB

MD5
a4d5694a7805551b16032ecceccc2b89

SHA1
25a8c6688a66037e7802affca18a6f326d834fef

SHA256
8668b4a7f42e6681f2048c1ede35ecd0dd71860470ec625e27bec4d085657395

SHA512
93d2d68c4970f8b305f3e4b107d6593547e83ebbc61fa04be35c2b60f1dc76371b8b2ddb39cc958c50f3d8087f1f17911ccdf3cb49ead6dcefb95b52ba09fd18

Download Submit
/data/user/0/com.great.calm/cache/org.chromium.android_webview/ba6620262a558c11_0
Filesize
6KB

MD5
335643c8154659d152224f764d7723ee

SHA1
26294b7887a5dd12c2f7e37320a6c796fef0f6bf

SHA256
57d052a0e15f2c7f8adeead14d6aa967e87bfc60dba371c5b7a3cf049cf1db2d

SHA512
22c8d5133d247b62d419931ef043868474674ad606052a0784bf9bd24089d539f62872ce021ee9105649506a275c6c205131adc7ae8b7e9d20362d306a765695

Download Submit
/data/user/0/com.great.calm/cache/org.chromium.android_webview/c74c995875787a06_0
Filesize
189KB

MD5
ec83d4b543480e57adb630ae9806f626

SHA1
847316c3f9156fd5be6db694f8c3e48c4268c1b9

SHA256
fd634a2e69ae7e4f6677a92b22cc785c78b3ca87023c4452381376631f00a83e

SHA512
1d1294aa6629f87fa9a02bb3b534fb9f103de9115544efae16222aaec98d18931e36504cff0c6cb0653cde36a62a816d4f7aef89f010052707ef141db451f589

Download Submit
/data/user/0/com.great.calm/cache/org.chromium.android_webview/index
Filesize
20B

MD5
93027d42b314432c4216e6cfca48b384

SHA1
43448dd8102979c3926828182579691945eedd4e

SHA256
3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c

SHA512
a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

Download Submit
/data/user/0/com.great.calm/cache/org.chromium.android_webview/index-dir/temp-index
Filesize
48B

MD5
81603ccf237253db9ea315e4771be27c

SHA1
4d19db522bca7647c40ff376a0fd1a5836c35697

SHA256
14c2e4561fd0b06ae7f78f79a03bd0c79da3e19e7ec83680eb7ee544e8c13702

SHA512
0a5d3611679a2f8a6a24ca9397581bd9af3c7b8abe40a9220898653230a0c81f70fee242ad1e9c684d3f80ced7b2a2579a2b3f99d90e0bb621a26b30bfcdd186

Download Submit
/data/user/0/com.great.calm/shared_prefs/WebViewChromiumPrefs.xml
Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit