Malware Analysis Report

2025-01-19 05:35

Sample ID 240312-dgzejaed5z
Target c248c63c7832ca58587b1453b5a46d20
SHA256 7c6000a4724f1c7c0b2d577e4c94f0cb494b7e65d901d1b7de66f9e1dd368929
Tags
discovery evasion stealth trojan
score
8/10

Analysis Overview

score
8/10

SHA256

7c6000a4724f1c7c0b2d577e4c94f0cb494b7e65d901d1b7de66f9e1dd368929

Threat Level: Likely malicious

The file c248c63c7832ca58587b1453b5a46d20 was found to be: Likely malicious.

Malicious Activity Summary

discovery evasion stealth trojan

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-12 02:59

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-12 02:59

Reported

2024-03-12 03:02

Platform

android-x64-20240221-en

Max time kernel

149s

Max time network

149s

Command Line

com.osaka.qwmqqfq.ctipfreq

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.osaka.qwmqqfq.ctipfreq

com.osaka.qwmqqfq.ctipfreq:RemoteProcess

com.osaka.qwmqqfq.ctipfreq:guard

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.adsnative123.com udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 api.adsnative123.com udp
GB 216.58.213.4:443 tcp
GB 216.58.213.4:443 tcp
GB 142.250.178.14:443 tcp
GB 216.58.212.226:443 tcp

Files

/data/data/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar

/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar

/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal

/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq

/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal

/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal

/storage/emulated/0/Download/sdsid

/data/data/com.osaka.qwmqqfq.ctipfreq/app_tfile/oat/fields.jar.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-12 02:59

Reported

2024-03-12 03:02

Platform

android-x64-arm64-20240221-en

Max time kernel

154s

Max time network

132s

Command Line

com.osaka.qwmqqfq.ctipfreq

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.osaka.qwmqqfq.ctipfreq

com.osaka.qwmqqfq.ctipfreq:RemoteProcess

com.osaka.qwmqqfq.ctipfreq:guard

Network

Country Destination Domain Proto
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.179.234:443 udp
GB 172.217.169.46:443 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.adsnative123.com udp
GB 216.58.212.228:443 tcp
GB 216.58.212.228:443 tcp

Files

/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar

/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar

/data/user/0/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal

/data/user/0/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq

/data/user/0/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal

/data/user/0/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal

/storage/emulated/0/Download/sdsid

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-12 02:59

Reported

2024-03-12 03:02

Platform

android-x86-arm-20240221-en

Max time kernel

147s

Max time network

130s

Command Line

com.osaka.qwmqqfq.ctipfreq

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar N/A N/A
N/A /data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.osaka.qwmqqfq.ctipfreq

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/oat/x86/fields.odex --compiler-filter=quicken --class-loader-context=&

com.osaka.qwmqqfq.ctipfreq:RemoteProcess

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 api.adsnative123.com udp
GB 142.250.178.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp

Files

/data/data/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar

/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar

/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar

/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal

/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq

/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-wal

/storage/emulated/0/Download/sdsid

/data/data/com.osaka.qwmqqfq.ctipfreq/app_tfile/oat/fields.jar.cur.prof
