
Analysis

  • max time kernel
    2197963s
  • max time network
    154s
  • platform
    android_x64
  • resource
    android-x64-arm64-20231215-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20231215-en, locale:en-us, os:android-11-x64, system
  • submitted
    19/12/2023, 13:26 UTC

General

  • Target

    32add2fcb6364cc8b3c2343b3940f98d.apk

  • Size

    999KB

  • MD5

    32add2fcb6364cc8b3c2343b3940f98d

  • SHA1

    b01ff05841555d1a9724011b0dd62eb3cbea14af

  • SHA256

    9e945ebd56d1ec80f1ea98cd16ff40ece788e4c51f11152a17943051ba5a2ffd

  • SHA512

    c0c2bbaa9b9f7f043a5125f3fdeb38c7514c72d885d02f2490debeacbdb4479ba13cf69fec5ddaf8c51e99032b0713fa893f642fbf49abadb9fe857d9a39fe6b

  • SSDEEP

    24576:Wa2uW+MI4hJQJpkUf1WKi/8+eAX/QlKloxsL9ddS5YrIvn:CuWfbhJQj/f1KU+Y4loxgS5Y8/

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests enabling of the accessibility settings. 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

Processes

  • com.xocvwnowpqn.vbswxt
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4596

Network

  • US
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.187.232
  • US
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • US
    DNS
    car.ru
    Remote address:
    1.1.1.1:53
    Request
    car.ru
    IN A
    Response
    car.ru
    IN A
    176.99.4.65
  • RU
    POST
    https://car.ru/o1o/a16.php
    Remote address:
    176.99.4.65:443
    Request
    POST /o1o/a16.php HTTP/1.1
    Content-Length: 0
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: car.ru
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 403 Forbidden
    Server: nginx
    Date: Tue, 19 Dec 2023 16:56:48 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Content-Encoding: gzip
  • US
    DNS
    t.me
    Remote address:
    1.1.1.1:53
    Request
    t.me
    IN A
    Response
    t.me
    IN A
    149.154.167.99
  • NL
    GET
    https://t.me/yalinbaba
    Remote address:
    149.154.167.99:443
    Request
    GET /yalinbaba HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 19 Dec 2023 16:56:48 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 3643
    Connection: keep-alive
    Set-Cookie: stel_ssid=7c9ee546b6e56c2306_4638200176835398035; expires=Wed, 20 Dec 2023 16:56:48 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Content-Encoding: gzip
    Strict-Transport-Security: max-age=35768000
  • NL
    GET
    https://t.me/yalinbaba
    Remote address:
    149.154.167.99:443
    Request
    GET /yalinbaba HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 11; Pixel 2 Build/RSR1.210722.013)
    Host: t.me
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Tue, 19 Dec 2023 16:56:48 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 3643
    Connection: keep-alive
    Set-Cookie: stel_ssid=1dd638c3739866a8f8_16907685465136154281; expires=Wed, 20 Dec 2023 16:56:48 GMT; path=/; samesite=None; secure; HttpOnly
    Pragma: no-cache
    Cache-control: no-store
    X-Frame-Options: ALLOW-FROM https://web.telegram.org
    Content-Security-Policy: frame-ancestors https://web.telegram.org
    Content-Encoding: gzip
    Strict-Transport-Security: max-age=35768000
  • 142.250.178.10:443
    tls, https
    1.3kB
    40 B
    1
    1
  • 142.250.178.10:443
    tls, https
    530 B
    40 B
    1
    1
  • 142.250.187.232:443
    ssl.google-analytics.com
    tls
    1.3kB
    5.9kB
    8
    9
  • 142.250.179.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.179.238:443
    tls, https
    695 B
    40 B
    1
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    3.9kB
    7.8kB
    18
    18
  • 176.99.4.65:443
    https://car.ru/o1o/a16.php
    tls, http
    1.7kB
    5.4kB
    14
    9

    HTTP Request

    POST https://car.ru/o1o/a16.php

    HTTP Response

    403
  • 149.154.167.99:443
    https://t.me/yalinbaba
    tls, http
    2.0kB
    15.7kB
    19
    20

    HTTP Request

    GET https://t.me/yalinbaba

    HTTP Response

    200

    HTTP Request

    GET https://t.me/yalinbaba

    HTTP Response

    200
  • 142.250.200.4:443
    520 B
    10
  • 142.250.200.4:443
    520 B
    10
  • 142.250.200.4:443
    www.google.com
    tls
    11.4kB
    10.8kB
    29
    37
  • 176.99.4.65:443
    car.ru
    tls
    1.6kB
    5.5kB
    12
    9
  • 149.154.167.99:443
    t.me
    tls
    4.3kB
    51.1kB
    31
    53
  • 176.99.4.65:443
    car.ru
    tls
    1.3kB
    917 B
    9
    8
  • 176.99.4.65:443
    car.ru
    tls
    1.3kB
    917 B
    9
    8
  • 176.99.4.65:443
    car.ru
    tls
    1.3kB
    917 B
    9
    8
  • 176.99.4.65:443
    car.ru
    tls
    1.2kB
    782 B
    7
    6
  • 224.0.0.251:5353
    3.7kB
    11
  • 142.250.200.10:443
    https
    51 B
    50 B
    1
    1
  • 142.250.200.46:443
    https
    51 B
    50 B
    1
    1
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.187.232

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

  • 1.1.1.1:53
    car.ru
    dns
    52 B
    68 B
    1
    1

    DNS Request

    car.ru

    DNS Response

    176.99.4.65

  • 1.1.1.1:53
    t.me
    dns
    50 B
    66 B
    1
    1

    DNS Request

    t.me

    DNS Response

    149.154.167.99

MITRE ATT&CK Matrix

Downloads

  • /data/user/0/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar

    Filesize

    185KB

    MD5

    91838b3b4c7d4ad37cb91ae57a0766a2

    SHA1

    49374763ee0931e93d6d1917e7f4c0fa4cc10f8b

    SHA256

    4289b4fee1d94b55410a6d88a4a253533d36f5c29d639f44a3bc59100bf6d91e

    SHA512

    234907ae67bf52114e5dc33640d6755f2cb05aa6cb93f20e4d056a0e091a4c414d43eb72c20af80bb1e3f39a1af67d2be6e2d0ee54a9eb5715d5b627f5f6383c

  • /data/user/0/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar

    Filesize

    370KB

    MD5

    e407c09bba6612a7ec9de47b0888a3c1

    SHA1

    b10704316e55e70e6ec9ed752f9a519939897080

    SHA256

    e8e0ccc403bbdd14f33bb919af6dafbfb141ec5d8cf074b5301c287360f198c3

    SHA512

    8bcbc0f298574412058caaf746c3fc27d1d8db74bd24d34063d5056635216fa56871c2e7d8cc0c22a278e8e7431b99e9e00308f8ad5738079f690bab5767efe7
