Resubmissions

03-10-2023 04:57

231003-flel2agd3x 10

02-10-2023 04:19

231002-exzwnsgh69 10

10-03-2023 06:31

230310-haj4gsdf5t 8

15-06-2022 10:31

220615-mkec7sdehq 8

General

  • Target

    831346106da21d6edd95d62d22065a705e1c8c3edd29a31fb4ca7431d50d5cb1

  • Size

    123KB

  • Sample

    231002-exzwnsgh69

  • MD5

    b08c833107b4fc22289386fe47dd997f

  • SHA1

    fe6673b28888d22b1d3181e26b5e708d96d3f602

  • SHA256

    831346106da21d6edd95d62d22065a705e1c8c3edd29a31fb4ca7431d50d5cb1

  • SHA512

    9b26a007c1c3a107c41992f14df40f094880c045a0586cd67a3fca091fc9937ec513a40733b74950b7c4bdfaffd3a8142be3333f4981e5ff07898d5a1b1bc52f

  • SSDEEP

    3072:ZXWaaDA/UsmY9KFdlvg08HHf1yhEZeXGA4FYP8R4V7/I6EPCLps:ZXP/5P6Y1NlepPnV7/pEKLm

Malware Config

Extracted

Family

coper

C2

https://4-u.wtf/

https://fitnessstyle.xyz/

https://sportsstyle.club/

AES_key

Targets

    • Target

      831346106da21d6edd95d62d22065a705e1c8c3edd29a31fb4ca7431d50d5cb1

    • Size

      123KB

    • MD5

      b08c833107b4fc22289386fe47dd997f

    • SHA1

      fe6673b28888d22b1d3181e26b5e708d96d3f602

    • SHA256

      831346106da21d6edd95d62d22065a705e1c8c3edd29a31fb4ca7431d50d5cb1

    • SHA512

      9b26a007c1c3a107c41992f14df40f094880c045a0586cd67a3fca091fc9937ec513a40733b74950b7c4bdfaffd3a8142be3333f4981e5ff07898d5a1b1bc52f

    • SSDEEP

      3072:ZXWaaDA/UsmY9KFdlvg08HHf1yhEZeXGA4FYP8R4V7/I6EPCLps:ZXP/5P6Y1NlepPnV7/pEKLm

    • Coper

      Coper is an Android banking Trojan with a multi-stage infection mechanism first seen in July 2021.

    • Coper payload

    • Makes use of the framework's Accessibility service.

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).

    • Removes its main activity from the application launcher

    • Acquires the wake lock.

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

    • Requests enabling of the accessibility settings.

    • Reads information about phone network operator.

    • Requests disabling of battery optimizations (often used to enable hiding in the background).

    • Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK Matrix

Tasks