fakecalls | 7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8 | Triage

Resubmissions

26/05/2023, 05:13

230526-fwmqdsdh49 10

17/05/2023, 09:59

230517-lz81paef44 10

16/05/2023, 11:19

230516-nfb8qahe6t 8

16/05/2023, 11:19

230516-nev97sae35 7

16/05/2023, 11:17

230516-nd61baae27 7

16/05/2023, 09:19

230516-k9564saf5v 8

Sharing

General

Target

7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8
Size

10.7MB
Sample

230526-fwmqdsdh49
MD5

703b22fcea432d2c681cebbc150394f1
SHA1

f561e628ae17d7a547ca55b0be72ebaf1ed88af3
SHA256

7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8
SHA512

aecedd324311c3e95a93ad4129eddc4e46974db635e71bec406256be91bac7a1cb2817ea6b6e410a58d669cd32af4605ec393e5273d62ff078fa6bc9cd1fea1c
SSDEEP

196608:ZynCaYQLCbkUYUMjNgR39mR70CyCopc24BFix/Q+hT1/XQqrj:G5YQCYeW90C8D4DiFZhmqrj

Score

10^/10

fakecalls android banker evasion infostealer ransomware rat trojan

Malware Config

Extracted

Family

fakecalls

C2

http://o20.orange-app.today/

Targets

- Target
  
  7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8
- Size
  
  10.7MB
- MD5
  
  703b22fcea432d2c681cebbc150394f1
- SHA1
  
  f561e628ae17d7a547ca55b0be72ebaf1ed88af3
- SHA256
  
  7f4670ae852ec26f890129a4a3d3e95c079f2f289e16f1aa089c86ea7077b3d8
- SHA512
  
  aecedd324311c3e95a93ad4129eddc4e46974db635e71bec406256be91bac7a1cb2817ea6b6e410a58d669cd32af4605ec393e5273d62ff078fa6bc9cd1fea1c
- SSDEEP
  
  196608:ZynCaYQLCbkUYUMjNgR39mR70CyCopc24BFix/Q+hT1/XQqrj:G5YQCYeW90C8D4DiFZhmqrj
Score

10^/10

fakecalls banker infostealer rat trojan
- FakeCalls
  FakeCalls is an Android banking trojan first seen in April 2022.
  rat trojan infostealer banker fakecalls
- FakeCalls payload
behavioral1 behavioral2 behavioral3
- Target
  
  introduction.html
- Size
  
  9.9MB
- MD5
  
  c49b09791a37654a3ffd38e27a11ee98
- SHA1
  
  447bf2765a8c24daafb09ffa1229a1180e77c230
- SHA256
  
  a65994b7ce0a8dfa02eb5d0b918cc6361212dbad901f27425620d814088aa657
- SHA512
  
  73805ddd4e19d4d39e1449e2b2f95cbcefc805a24c41ef7ed1fb0d20370c17c17731338029d6505dc8b93ea3051e000e044103e880c607249d2cfce8a94f1a2c
- SSDEEP
  
  196608:VOBv2iwEXoOjdHnopTKz1sjCbWWQsgtBHZ/pGBX+Y+IbL4k:VEvTwEX5dQjCbXgtZGIdIbJ
Score

9^/10

evasion ransomware
- Renames multiple (130) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Renames multiple (148) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Makes use of the framework's Accessibility service.
- Acquires the wake lock.
- Checks known Qemu files.
  Checks for known Qemu files that exist on Android virtual device images.
- Checks known Qemu pipes.
  Checks for known pipes used by the Android emulator to communicate with the host.
- Enumerates running processes
  Discovers information about currently running processes on the system
- Reads information about phone network operator.
- Removes a system notification.
  evasion
- Uses Crypto APIs (Might try to encrypt user data).
  ransomware
behavioral4 behavioral5 behavioral6
- Target
  
  ring.html
- Size
  
  799KB
- MD5
  
  7e8306dcce35fc73a040bd66114e12bb
- SHA1
  
  94fa85ebb971e8fa5fdae099bb62472686122664
- SHA256
  
  706e662046e2bcd67d37779e87212286cff47164bbe7e8c4dacb3d6e6e5fe9b1
- SHA512
  
  f844ecf01e075cb29aa029b685894b2c29194f659c9b7d4a8c8f041182b57c4e0c6d5276c455bbe6a4c5c89081c49a6e2748f93f329faa32d4f62bab87df12c7
- SSDEEP
  
  12288:gA3szfEz8GqdmcR+0vjUAZuIURbFd2L6xnnjILH6Asw8gAtkDbMKHv:OfHsL0vIgOFd2+xnjILj8geOMKHv
Score

6^/10

evasion
- Requests disabling of battery optimizations (often used to enable hiding in the background).
  evasion
behavioral7 behavioral8 behavioral9

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

behavioral3

fakecallsbankerinfostealerrattrojan

behavioral4

behavioral5

evasionransomware

behavioral6

evasionransomware

behavioral7

behavioral8

behavioral9