Malware Analysis Report

2025-01-19 05:34

Sample ID 240306-mbw7nagf9s
Target b72d2fc730fd7eaf0b922624adcfa91f
SHA256 4b20bf30e3f1a2acca6d5f1afdf4775eab72da7e1c9ba58d551b91fac4fd3aa6
Tags: evasion stealth trojan
Score: 8/10

Analysis Overview

Score: 8/10

SHA256: 4b20bf30e3f1a2acca6d5f1afdf4775eab72da7e1c9ba58d551b91fac4fd3aa6

Threat Level: Likely malicious

The file b72d2fc730fd7eaf0b922624adcfa91f was found to be: Likely malicious.

Malicious Activity Summary

evasion stealth trojan

Removes its main activity from the application launcher

Requests dangerous framework permissions

Acquires the wake lock

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-06 10:18

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-06 10:18

Reported: 2024-03-06 10:20

Platform: android-x86-arm-20240221-en

Max time kernel: 145s

Max time network: 152s

Command Line

com.tencent.system

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Processes

com.tencent.system

chmod 777 /data/data/com.tencent.system/files/xtech_app

chmod 777 /data/data/com.tencent.system/files/daemon

com.tencent.system:process1

com.tencent.system:checkroot

su -c id

com.tencent.system:checkroot

su -c id

com.tencent.system:checkroot

su -c id

com.tencent.system:checkroot

su -c id

com.tencent.system:checkroot

su -c id

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
CN | 124.117.238.231:19989 | | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp
CN | 124.117.238.231:19989 | | tcp

Files

/data/data/com.tencent.system/files/busybox

MD5 38051de1af7c11f138c3014fc5b4bbbf
SHA1 3975ff218a207c0dc603d7847ae19d277426ee61
SHA256 ce9ac842dda26190135c0e0b193772aafdd8f9c160055bed8f5853496a20a7fb
SHA512 f8ffac05ead41e939b064b2df5f24f8f5e5ed27064a6a743e0a8b021f8d1cb2b402f715cecfc987f6c923002a23303701470af031a99dc43376f23f0ec030f4a

/data/data/com.tencent.system/files/daemon

MD5 552e94069a5730b29e719e47a12d5403
SHA1 16d27fb95dc75bd1ac08dee18b68cfce9375b90c
SHA256 04164d2327a06ab507200cc3f8be9f4ad4fa93557c17606525eb046d0dd2c89e
SHA512 0020f6d31b056f4790ef818123d700a63e2389d1bf4593f717c4ffbab5d3d00f3f28b3fdb014072807c08b52b9f77e0b07479be3cf399cae221480ef47a2f5f4

/data/data/com.tencent.system/files/xtech

MD5 dab02e406ca86a984267e6466a27e5a1
SHA1 137eb11ec78e34cd2c530d54bd406d44a679d29b
SHA256 5ec1c3dd8638a3f41500b859854c89641658237bdd93cd9b51e3fd0fad2e4cb7
SHA512 0c10df727d14cf1d6ec16123a170f9271a8886abe259b0566385d30e4c0f0a38daf9e7f62a52365b2001e4ca9e0876fe965a9be7d5f751bf126419521a108d2d

/data/data/com.tencent.system/files/xtech_app

MD5 9c2bca7aed931c7be95210b22de655c5
SHA1 f543579faeb05c5141659a2f2ac8825107d8cc18
SHA256 4dad9f19a430bc6a9a02a1fa55132b39fdd91899c3b493407ff9104bd250919b
SHA512 bbf418aba9a97f8ffa0d4c2d96cb854add1dc33d1c32a7de38e67a16551d166295fc906c2eb0b56ddf023f1a36b35a970fef54d11c7b9def218f029b523777ff