Malware Analysis Report

2025-01-19 05:36

Sample ID 240311-stryjseb5w
Target c0ee0cabb5ba83bcb20d81f37f58a46f
SHA256 51ce9f6802a2283a972c71759c960de637ff0ca261f548103a974de522fbc8bb
Tags: discovery evasion stealth trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 51ce9f6802a2283a972c71759c960de637ff0ca261f548103a974de522fbc8bb

Threat Level: Likely malicious

The file c0ee0cabb5ba83bcb20d81f37f58a46f was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion stealth trojan

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-11 15:25

Signatures

Declares services with permission to bind to the system

| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-11 15:25
Reported: 2024-03-11 15:28
Platform: android-x86-arm-20240221-en
Max time kernel: 138s
Max time network: 140s

Command Line

com.okasa.hhcwhiay.conmjmpe

Signatures

N/A

Processes

com.okasa.hhcwhiay.conmjmpe

com.okasa.hhcwhiay.conmjmpe:RemoteProcess

com.okasa.hhcwhiay.conmjmpe:guard

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | | tcp |

Files

/data/data/com.okasa.hhcwhiay.conmjmpe/app_tfile/fields.jar

MD5 cceb8db3b057d24673d49eda229e9892
SHA1 b18f6353b2156410249079a3b7b86ef3a530e8ee
SHA256 e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97
SHA512 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-11 15:25
Reported: 2024-03-11 15:28
Platform: android-x64-20240221-en
Max time kernel: 149s
Max time network: 147s

Command Line

com.okasa.hhcwhiay.conmjmpe

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Loads dropped Dex/Jar

Tags: evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.okasa.hhcwhiay.conmjmpe/app_tfile/fields.jar | N/A | N/A |

Reads information about phone network operator.

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.okasa.hhcwhiay.conmjmpe

com.okasa.hhcwhiay.conmjmpe:RemoteProcess

com.okasa.hhcwhiay.conmjmpe:guard

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 216.58.212.202:443 | | tcp |
| GB | 216.58.204.66:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |

Files

/data/data/com.okasa.hhcwhiay.conmjmpe/app_tfile/fields.jar

MD5 cceb8db3b057d24673d49eda229e9892
SHA1 b18f6353b2156410249079a3b7b86ef3a530e8ee
SHA256 e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97
SHA512 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57

/data/user/0/com.okasa.hhcwhiay.conmjmpe/app_tfile/fields.jar

MD5 73b11c4c10150bbd4f29ad012dc11dde
SHA1 65c83ad32c29f9811c32eda75d7fcdc92ef42dda
SHA256 52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da
SHA512 3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01

/data/data/com.okasa.hhcwhiay.conmjmpe/databases/tbcom.okasa.hhcwhiay.conmjmpe-journal

MD5 776a4c296414cfe8b6e3b3e6192c9cdb
SHA1 d4a2917619e66acb62eaa6c58b9a19f5b6a21f6b
SHA256 fe5d4011a1f35a5b464b17fb62853bc4e67c9d0ab67ac05982c1731ee2bf0a82
SHA512 fb5aa4ea95c321b64eef2902f93815c1226f86939e2244d31c2845eb42e9044fb8c4026e05d03f0c2710acbf40d01acfa63eb13bb7b2197492de301e380ab5c5

/data/data/com.okasa.hhcwhiay.conmjmpe/databases/tbcom.okasa.hhcwhiay.conmjmpe

MD5 80dce168e54723437188699ee51f63be
SHA1 7a4eb57503738cddb032515616af86af0f5fdc3a
SHA256 2ea7dc2a5750d212a972ab598c8cd912e291161de3c21f4d6d85eaed76056bea
SHA512 ac50c0b1a1e6c270e403433185709c59638d7897694670db9055a326d7f3bf1b7fd4f36a35e34b695c3228e69e08d0e20a5af27476906f979292cd1ce22491f5

/data/data/com.okasa.hhcwhiay.conmjmpe/databases/tbcom.okasa.hhcwhiay.conmjmpe-journal

MD5 921afa2febbefc98eb0f712a8f9ec8cc
SHA1 c4464191ca7a62d139125e67f5b09c9d161ccc24
SHA256 827151c743b51a272e8b0e81a3fe20937f3fc3ab4ca70ef897dfbb89de7485e7
SHA512 6d27990956ae8b1184fdbbb02785e2f7459b633724104b55834460b2a1d505ab1415660a5dfc92350f70cf0cde8e422349cdff763d824e3f10dd7a45c42adc18

/data/data/com.okasa.hhcwhiay.conmjmpe/databases/tbcom.okasa.hhcwhiay.conmjmpe-journal

MD5 074e8c225755bfb3f48f446a2b8e5e12
SHA1 e831da4cff7a81d55ada3d9d75685e77d8c92777
SHA256 bebe7387cb6260b6c9bceab3803cbbc643271e17c4546ebac458d2793a1a6179
SHA512 53dc3e645771b3f8297781370a5e708613b57fd450b869243db9d1804384d82a230c38939eafdc37a8c99046b1b71140214c3d5f4d902f0cb35e12f963dc30f1

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7

/data/data/com.okasa.hhcwhiay.conmjmpe/app_tfile/oat/fields.jar.cur.prof

MD5 f004b80cd3e6f9e72361a7d6a46d8f95
SHA1 7c0715671079be672d2e92245c082367c99f6ff3
SHA256 95a7971d163fec7cb1deeb50716f74ebbb2adb0f3cf27e17282927af40598014
SHA512 71a1dc2ab6f15605d0477fbde6a1785f19ed262a70a36b6cbe71c877680dff9a93191ca35617534be8c7cf933591335cc79f4277ca469396fb906f7bfad114bf

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-11 15:25
Reported: 2024-03-11 15:28
Platform: android-x64-arm64-20240221-en
Max time kernel: 148s
Max time network: 158s

Command Line

com.okasa.hhcwhiay.conmjmpe

Signatures

Removes its main activity from the application launcher

Tags: stealth trojan evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Loads dropped Dex/Jar

Tags: evasion

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.okasa.hhcwhiay.conmjmpe/app_tfile/fields.jar | N/A | N/A |

Reads information about phone network operator.

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |

Processes

com.okasa.hhcwhiay.conmjmpe

com.okasa.hhcwhiay.conmjmpe:RemoteProcess

com.okasa.hhcwhiay.conmjmpe:guard

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.213.10:443 | | udp |
| GB | 142.250.200.46:443 | | udp |
| GB | 172.217.169.74:443 | | tcp |
| GB | 172.217.169.74:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 142.250.187.226:443 | | tcp |

Files

/data/user/0/com.okasa.hhcwhiay.conmjmpe/app_tfile/fields.jar

MD5 cceb8db3b057d24673d49eda229e9892
SHA1 b18f6353b2156410249079a3b7b86ef3a530e8ee
SHA256 e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97
SHA512 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57

/data/user/0/com.okasa.hhcwhiay.conmjmpe/app_tfile/fields.jar

MD5 73b11c4c10150bbd4f29ad012dc11dde
SHA1 65c83ad32c29f9811c32eda75d7fcdc92ef42dda
SHA256 52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da
SHA512 3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01

/data/user/0/com.okasa.hhcwhiay.conmjmpe/databases/tbcom.okasa.hhcwhiay.conmjmpe-journal

MD5 47673597024b3e9e75274de558b24aa8
SHA1 bb50d12bc0db04b39264fe6f53cd8211af332511
SHA256 3b6d7130bb4a827a475c478bdf190e724440aab156a6ad24b919c71863c0481d
SHA512 46938835553d8f961ca2973f30279e94dd908c8ae0e1affe0f55a1d5c4437e4318768481215a2532dd6105d15992ce87572f768683f13864e27f28e80c7ae09e

/data/user/0/com.okasa.hhcwhiay.conmjmpe/databases/tbcom.okasa.hhcwhiay.conmjmpe

MD5 f41f531c07d4141546a531ff9caffdcd
SHA1 9dcac5aed06972d0ff6bd4cc1f1cdff85b36d3f5
SHA256 bb8dee5b5c3779f175abbd142722eb0022b98d374783aa80145b34614a4de646
SHA512 e0c8d1a820cb4c098e45776e8b50ea8c83944ef2e3f005cb0acbfc07688974d370f78100ae022f62564fc4c12acfdc43b710c18ca1c30f4f575bc08b9b12d2d4

/data/user/0/com.okasa.hhcwhiay.conmjmpe/databases/tbcom.okasa.hhcwhiay.conmjmpe-journal

MD5 725184a9dd69c81e5b4957d199d15ddb
SHA1 4ed6e75cd26add292be833a18b2189008b4a15e8
SHA256 33d60c99f29408697a3ab845083498d96a6f26eb3a2fb20fbb8338f74e0d6ca0
SHA512 17d0b7fe3389a14a96c45ddb371305ae60c43514e9b70beef28ae25378133cab7b8600d67c3d4152514954cbe556a32097dc15a658988cb2f003586becaf32b8