xenomorph | 9ce2ad40f3998860ca1ab21d97ea7346bf9d26ff867fc69c4d005c477c67a899

Analysis

max time kernel
151s
max time network
141s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
29-01-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

com.great.calm.apk
Size

2.2MB
MD5

8ce057ff57478e98c0e246355ccd27db
SHA1

1d3cc636883c72d45e8f336344bdea97ec8d91d1
SHA256

9ce2ad40f3998860ca1ab21d97ea7346bf9d26ff867fc69c4d005c477c67a899
SHA512

5fd1345c3d605859bc56cf4cf7088712b63d929a3d576e99a88406eaa3387e4a996361c3bcc78275650609ad967636b7042fa42c244b183da96a0e7cfff78a1f
SSDEEP

49152:grrgUCuMhTKb+/CZFLqtBOU3t95tnUAqkp3IQRRiEKfaFEjI:uTOKb+qXmBOuPUAqkpIQDGsEjI

Score

10^/10

xenomorph banker evasion infostealer stealth trojan

Malware Config

Extracted

Family

xenomorph

dedeperesere.xyz

vldeolan.com

cofi.hk

Extracted

Family

xenomorph

AES_key

Signatures

Xenomorph
Xenomorph is an Android banking trojan that is seemingly tied with AlienBot.
banker trojan infostealer xenomorph

Xenomorph v3 payload 1 IoCs

Processes:

resource	yara_rule
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json	family_xenomorph_v3

Makes use of the framework's Accessibility service 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

Processes:

com.great.calm

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.great.calm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.great.calm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.great.calm

Removes its main activity from the application launcher 2 IoCs
stealth trojan

Processes:

com.great.calm

pid process

4508 com.great.calm
4508 com.great.calm
Loads dropped Dex/Jar 1 IoCs
Runs executable file dropped to the device during analysis.

Processes:

com.great.calm

ioc pid process

/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json 4508 com.great.calm
Acquires the wake lock 1 IoCs

Processes:

com.great.calm

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.great.calm
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
evasion

Processes:

com.great.calm

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.great.calm
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.great.calm

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.great.calm

pid	process
4508	com.great.calm
4508	com.great.calm

ioc	pid	process
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json	4508	com.great.calm

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.great.calm

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.great.calm

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.great.calm

com.great.calm
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.great.calm/app_DynamicOptDex/hDpdaxQ.json
Filesize
934KB

MD5
637d3020a6e8d9aa114d51e7939fe6a0

SHA1
7e172dabca14040635c9118920942805ddfc964a

SHA256
cc3c058fd60da1fd0c3c8f0e58fecd355eef4ecc1d138fe8c6b9da8920cf9797

SHA512
e426c769af5af742f4b6f2f0f1dce4df0543d55fa8652759417c850943c750e90ea4033a7ce5ebd1063779238c4961a82840f3074b00f7d62e7bcf9978b91e2b

Download Submit
/data/data/com.great.calm/app_DynamicOptDex/hDpdaxQ.json
Filesize
934KB

MD5
13c26e4a46edc658f323eb5979a67123

SHA1
c0f7ee80aa681547772272eab1e0fa2c74b78096

SHA256
e70c20e42897de68174d9906dc3baeb73f3849689730735c7bcaa31a2a575847

SHA512
1743ad6e0397b948920b663421bc878bc9de26f844cb2ddc823ba6e324a8cbafaf3561b2a1ff870c3382f7a0df4ae1b9af250fa8c8ef7cf8346f2e8f2e49f7b8

Download Submit
/data/data/com.great.calm/app_DynamicOptDex/oat/hDpdaxQ.json.cur.prof
Filesize
2KB

MD5
6339e0be90770cf567636cc3a7fdb08b

SHA1
23f59e7cbb88dee7bcae39ca7c09173052fcfb2f

SHA256
8a69731d03d6c69c907ebae3e30ab6ffeddfb92014c4373c27e995e214ba70ab

SHA512
47fec329da6a2d85a0d3baec19a9adeb40282d68eb08fa40ead941d4912afc993ec40c2df58ba5263a846a092aa16e5af89085d6cd1606cd08e4efd730273de8

Download Submit
/data/user/0/com.great.calm/app_DynamicOptDex/hDpdaxQ.json
Filesize
2.6MB

MD5
033e4993902fa453fc96b86248ea7ae7

SHA1
efb980435f0b7de14861fef21e4c09434b519c4d

SHA256
b28162d529728bf31f7dac4eadf40825a0ea1e5e6039e9b521d5906280c29196

SHA512
fe27307d7401dbc3881b3f7aec18b228ea48285d3f8fa8ffab51b29a51a8eba91d677ebf7bdd9b44ece60c9f87a36604272ff98ff8c25102cb162f49f61aaca3

Download Submit