Malware Analysis Report

2025-01-19 05:35

Sample ID 240311-pt1znsah6y
Target c09bc12ca7b36f922f0e5c5af136a78c
SHA256 d63a834a3187fae69e34c5a85fe147046a1252624b339591fea12f96b4d8d60f
Tags
evasion stealth trojan discovery
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

d63a834a3187fae69e34c5a85fe147046a1252624b339591fea12f96b4d8d60f

Threat Level: Likely malicious

The file c09bc12ca7b36f922f0e5c5af136a78c was found to be: Likely malicious.

Malicious Activity Summary

evasion stealth trojan discovery

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 12:38

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 12:38

Reported

2024-03-11 12:40

Platform

android-x86-arm-20240221-en

Max time kernel

137s

Max time network

140s

Command Line

com.lima.bjmfd.wsmfmedwuya

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar | N/A | N/A
N/A | /data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.lima.bjmfd.wsmfmedwuya

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/oat/x86/fields.odex --compiler-filter=quicken --class-loader-context=&

com.lima.bjmfd.wsmfmedwuya:RemoteProcess

getprop ro.miui.ui.version.name

com.lima.bjmfd.wsmfmedwuya:guard

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | api.adsnative123.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 172.217.169.10:443 | | tcp

Files

/data/data/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar

MD5 07f164db880c1b6691b5c54862e9a3c4
SHA1 6dd9102eff0b0134fb9bbafd0122bfae719565fd
SHA256 2e6db810857d45da5ea6f084812401401f0f7a2bd6e7c3a7a96c7d46995551fe
SHA512 46bec2510d5ed27d54248f32556d2b7969d0e2557f17fe2f1f6f18177e2dbfc42598cfe555d44b38a2bc2480212aec036f4a4df392ca39dafe09a830b03f93f9

/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar

MD5 35926f0158766813027fbfe1ab5b1125
SHA1 8f166af95ff940dc45b933462ee7ffdf30dd5d06
SHA256 47a1ed442aa97ce2a6c313cbd64547cd506b809593745707d3fc9585f6a6c3f4
SHA512 b0fb1d19eedb27b3efda5354ac947db9ec89901d0f5c5b9a64325f2d74f4e11f5330f984bb9a9e5ad1c2d3abcd62e1516d94e7778d273ed5df51993dc9573ba3

/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar

MD5 c5a85e582687f87ae272d29669f86ac2
SHA1 6a43b5324e2da8211ccaa66827b299d37eb9fa2f
SHA256 352258d4187366e7254fbd5aa8c80e8f89e31b41fe9e903ca5dac027ca3d04ec
SHA512 d1183315453b6dcf1265694d8dcf45bbc2aa3d131dfa904a1ddf7b9f8d818d63a3d42d365f5f671c4c500c16ba98abb1131cb475299cc3805bec055d8a02f506

/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal

MD5 ee0a39457d15b0a4e9df2db193d26e91
SHA1 89afa4b81452abc971c4fe1c1a23e0c9a13afec7
SHA256 234ccee16bd3dd1960c234b61b5dc296dc67ef06f38c938d42d4e3c80b7af9dd
SHA512 b7a41b9be2fd2ee350a8877ff75ce293b97cf66ff1bc92c318fea9f9f903531260577ef68ae0c78a5c253b0519e08c278e082aeda25ef1d80d6e78a11ce8d327

/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-wal

MD5 1e671d8c9a4b599ddabf3e614229a704
SHA1 820fb914f80b867d57046cee743441ea64827d81
SHA256 9a1962fe865b903039478b1950ae8e822036ade3d266fe4d3c4e2616bd70943a
SHA512 f29683eb587e4fe6e70c220ee1e3965724f02b1077c32ee124bb36d93730826ccce969e613d7e58e47db07c1c2ee6a37a8a9fc983026bf9bd79e1489ebe7708c

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 12:38

Reported

2024-03-11 12:40

Platform

android-x64-20240221-en

Max time kernel

153s

Max time network

147s

Command Line

com.lima.bjmfd.wsmfmedwuya

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.lima.bjmfd.wsmfmedwuya

com.lima.bjmfd.wsmfmedwuya:RemoteProcess

com.lima.bjmfd.wsmfmedwuya:guard

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.adsnative123.com | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 172.217.169.78:443 | | tcp
GB | 142.250.200.34:443 | | tcp
GB | 216.58.213.10:443 | | tcp

Files

/data/data/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar

MD5 07f164db880c1b6691b5c54862e9a3c4
SHA1 6dd9102eff0b0134fb9bbafd0122bfae719565fd
SHA256 2e6db810857d45da5ea6f084812401401f0f7a2bd6e7c3a7a96c7d46995551fe
SHA512 46bec2510d5ed27d54248f32556d2b7969d0e2557f17fe2f1f6f18177e2dbfc42598cfe555d44b38a2bc2480212aec036f4a4df392ca39dafe09a830b03f93f9

/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar

MD5 35926f0158766813027fbfe1ab5b1125
SHA1 8f166af95ff940dc45b933462ee7ffdf30dd5d06
SHA256 47a1ed442aa97ce2a6c313cbd64547cd506b809593745707d3fc9585f6a6c3f4
SHA512 b0fb1d19eedb27b3efda5354ac947db9ec89901d0f5c5b9a64325f2d74f4e11f5330f984bb9a9e5ad1c2d3abcd62e1516d94e7778d273ed5df51993dc9573ba3

/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal

MD5 d0d0ba26ac021e6368c1f39600f1d908
SHA1 01373966a4e94f140c02732f997f5ba0ce4cd954
SHA256 849661603b1097144a9688b750f1db1e4b7145b468d7ba200a298183ca81e22d
SHA512 037bd58e63eb994694e0b1e08ed2af391f0134be3ae718323cc0b59f5c1e3a22856ecb4cf66b1b4a9c1fc315a9242f8f05cf540e74942ccc875e89770573307b

/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya

MD5 163b0e3f017becbc89b9d7f330b78f09
SHA1 1ef9cd8ac8655190468d0ccece0a4738634ab0f9
SHA256 cf01452c3b494692386f6c5faac340eb3eb894bd416391002d56645aa8a9ea36
SHA512 6a85a30d16fa58a4fbbb05d469778ee69ca79deaa74316ccb5be3ee07fdf78dde22e95db3edb1b88b18478e8747047445f85baaf9556b9a1e55d9a02a80baffd

/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal

MD5 a4633ce94205a4f2d7ca649311fdbfb0
SHA1 09138d8049aa4e2ee33581dbba9a88a6a8bf9909
SHA256 bd213ec5c652c5d1afd0fbe70d0e014b1d51adf3570ecc814fda650266eea8ac
SHA512 290467cb44883ce28bb693048d4c770bfb9f52e51def7b39fac8df811fa061ea86bc3460ecac9018d3f7542cf8d29a4947dfeb1f85b2519b58b01538b08a91c6

/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal

MD5 3184e8d74a73318e248999c14d52fcca
SHA1 a8f33646f96ea99e787303343d2377ce01c90439
SHA256 eb29bf80eae393a2441631ce9fea87d102f41b2e01a69401fb9af875ba3c9e97
SHA512 e5462b5573b1d32c2deab881e428a0cd32269f37aa152d65e09f264586e01b5550ef000a0f9b9e2bd678f76401c3e1a621f042529042327189c5fd212081c1a5

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7

/data/data/com.lima.bjmfd.wsmfmedwuya/app_tfile/oat/fields.jar.cur.prof

MD5 55a4a53784369c527cafb31ca5fa625d
SHA1 8e7dbf092ab840d6365b76faa57d04e9272174e9
SHA256 20872e83b6189b0545fb4b2a317c8adecc0a57474d04fd03e6e35eb52fc2d36f
SHA512 16cf958a4016a0e3eab6f4feb153a3517b9295f13497dc0a04a753c7af3959452197d63495d488800b5ee6afe7a85ba69cb035ae804259b665953ce872b24b48

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-11 12:38

Reported

2024-03-11 12:40

Platform

android-x64-arm64-20240221-en

Max time kernel

149s

Max time network

145s

Command Line

com.lima.bjmfd.wsmfmedwuya

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar | N/A | N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.lima.bjmfd.wsmfmedwuya

com.lima.bjmfd.wsmfmedwuya:RemoteProcess

com.lima.bjmfd.wsmfmedwuya:guard

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | udp
GB | 142.250.200.14:443 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | api.adsnative123.com | udp
GB | 142.250.200.4:443 | | tcp
GB | 142.250.200.4:443 | | tcp

Files

/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar

MD5 07f164db880c1b6691b5c54862e9a3c4
SHA1 6dd9102eff0b0134fb9bbafd0122bfae719565fd
SHA256 2e6db810857d45da5ea6f084812401401f0f7a2bd6e7c3a7a96c7d46995551fe
SHA512 46bec2510d5ed27d54248f32556d2b7969d0e2557f17fe2f1f6f18177e2dbfc42598cfe555d44b38a2bc2480212aec036f4a4df392ca39dafe09a830b03f93f9

/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar

MD5 35926f0158766813027fbfe1ab5b1125
SHA1 8f166af95ff940dc45b933462ee7ffdf30dd5d06
SHA256 47a1ed442aa97ce2a6c313cbd64547cd506b809593745707d3fc9585f6a6c3f4
SHA512 b0fb1d19eedb27b3efda5354ac947db9ec89901d0f5c5b9a64325f2d74f4e11f5330f984bb9a9e5ad1c2d3abcd62e1516d94e7778d273ed5df51993dc9573ba3

/data/user/0/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal

MD5 50bb6eb6d7ff818049c7d9535e6524ca
SHA1 99e918ef106bdb50373d98e7f3ee002cf1865506
SHA256 c48025d42ca028520c8becffc6e5d4700ba1a706f9861a3113b20bcea0c58e53
SHA512 8917c866ce85b4f603b3978e9c6396794cb6e3ea90e60cc412aa9d18f16b1aa7661d6160f774a607d02743a102157bbbf67e1518d9314a25f81477de27883d71

/data/user/0/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya

MD5 f41f531c07d4141546a531ff9caffdcd
SHA1 9dcac5aed06972d0ff6bd4cc1f1cdff85b36d3f5
SHA256 bb8dee5b5c3779f175abbd142722eb0022b98d374783aa80145b34614a4de646
SHA512 e0c8d1a820cb4c098e45776e8b50ea8c83944ef2e3f005cb0acbfc07688974d370f78100ae022f62564fc4c12acfdc43b710c18ca1c30f4f575bc08b9b12d2d4

/data/user/0/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal

MD5 a036b665b3ed155ff1e9446cadf483ec
SHA1 f00cf88b84ab3aa7eeca80ee558db47aea4f2a18
SHA256 3c78da761ae75a2d725803b9b08fcc606ec7da8d68e5c5e797d1f599e2d6c1e1
SHA512 725d025beae798e9d64a9092b3977ffd44ee9e0f04720fe08b2052193bf51b5d7c2ced6f57424da6c3603dae3e2fcba82f6109b31f35a9efe4bf358ea55d06da

/data/user/0/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal

MD5 337490f91f7289ff503230a52aa64a30
SHA1 e6ebd753bde248bfe52aca812baa44874cb53044
SHA256 c7fbaa18a9685d16e0c8680ebfd24bd70f9c45b68973c99c6b7db72a3495b820
SHA512 54fd2772053c1bca81a00aef5e780cc94a82af1adc5b94691a15ac9bf09f84f3ff9b92ee2328905c351166fd2b9d60aebe6e627c2e1e886bcf286a16b2320f3f

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7