Analysis Overview
SHA256
85efe6a53fdfb4ba34ae29579a162e6aeca17f0d96fd5883a3a8815041419fb1
Threat Level: Likely malicious
The file 85efe6a53fdfb4ba34ae29579a162e6aeca17f0d96fd5883a3a8815041419fb1.bin was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Makes use of the framework's Accessibility service
Loads dropped Dex/Jar
Requests that battery optimizations be disabled (often used so the app can keep running unnoticed in the background).
Declares services with permission to bind to the system
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-13 22:02
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-13 22:02
Reported
2024-03-13 22:11
Platform
android-x86-arm-20240221-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-13 22:02
Reported
2024-03-13 22:11
Platform
android-x64-20240221-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-13 22:02
Reported
2024-03-13 22:11
Platform
android-x64-arm64-20240221-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.10:443 | | udp |
| GB | 142.250.200.14:443 | | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-13 22:02
Reported
2024-03-13 22:13
Platform
android-x86-arm-20240221-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json | N/A | N/A |
| N/A | /data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json | N/A | N/A |
Requests that battery optimizations be disabled (often used so the app can keep running unnoticed in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
com.scaleup.chatai
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.scaleup.chatai/app_DynamicOptDex/oat/x86/WMEzllatHtIKVBY.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.200.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp |
| US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp |
Files
/data/data/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json
| MD5 | 6174aeb9f36dc2ad9fb03f34b0e2fe3a |
| SHA1 | e51a9413fad936339f9c3b23fc03b8d20110e4bb |
| SHA256 | dfba12529c2bce21b5898fdff7210d215b02286099deab06384b045912a748fc |
| SHA512 | 4b59c4466484884e709216304ef23b9ec7d31be66ea00b6c0630a33c807ab9c9ae2f801cb1fbf05adfbc04305cf6a3a0e2aeeea377f1983a7bbf6bf90db80e72 |
/data/data/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json
| MD5 | e6fb3e9186be5fba940062186afaeae0 |
| SHA1 | f271e4e2f5767cdf16e8e643aea51553ad1e2ca1 |
| SHA256 | e8fc8490e6a2d501f5429852a4fb7a727341852aec9665fe6a2f6d74ce6915d0 |
| SHA512 | 84abec0f0ade9440d3eccd2a06a1997851d5bcafeebe679f602f7dd5351d3cc58b5662806bc93bbd772c2c9767f2c3297421b8b99f2d092296ad35c18bd50abe |
/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json
| MD5 | 5b1db642b22f13c2ca97ae340e250338 |
| SHA1 | 89766d40419188961b43faa5a9691507eac43449 |
| SHA256 | b22eccdcc560a96a7d5914a5c5b840b709cb1de694949da1b2d2afd1f1ddd2b6 |
| SHA512 | 5c777e8ec8f0b3811e21bfc2b6b68506d07e6639fe74985ff4ab2022409795d36cbfc04f4b10a2435188354e24c8caecc2edc6423202133a3fb48a0d542b6d7f |
/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json
| MD5 | d4d582bc8525ee41d1f8a2fa33d8a9d0 |
| SHA1 | f6b1462c5ccb3b6e271499bc713e07ffa0361ad4 |
| SHA256 | 4271e330d3e9c6ebee44e6d5a6a4c3b4d11892a190d4befabb4c109be82981ed |
| SHA512 | 0bcf0cbedc07edcf7829b754aad35f3369dfa0b4b69d110ec8c00e8016df66ed6c421e7bb56ebe92720b177faa2a6caa8cf97cf1ebfcdf6c3cee603375daa493 |
/data/data/com.scaleup.chatai/app_DynamicOptDex/oat/WMEzllatHtIKVBY.json.cur.prof
| MD5 | 0f151e5d3f72db9645069a14c715e5b0 |
| SHA1 | f6cb68df0aa2f858e632088ebf21de1c70d1da73 |
| SHA256 | 45917a5e2604314915d340e2ade2322ab8b95cdd68b3ed8074c05ed0dc52b7f7 |
| SHA512 | cd020e5943070dc93a5f423d5bdd3195153cfdbbadec298ee589c37e7684fb5be6e016948bf222c261989f39c336f716e0c700405cc7e7a088b0b8a2a889f481 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-13 22:02
Reported
2024-03-13 22:13
Platform
android-33-x64-arm64-20240229-en
Max time kernel
14s
Max time network
155s
Command Line
Signatures
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json | N/A | N/A |
Processes
com.scaleup.chatai
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.4:443 | | udp |
| GB | 142.250.200.4:443 | | tcp |
| BE | 108.177.15.188:5228 | | tcp |
| GB | 142.250.200.4:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.179.228:443 | | udp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 216.58.212.206:443 | | udp |
| GB | 216.58.212.206:443 | | tcp |
| GB | 216.58.212.227:443 | | tcp |
| GB | 216.58.212.206:443 | | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| US | 1.1.1.1:53 | gmscompliance-pa.googleapis.com | udp |
| GB | 216.58.213.10:443 | gmscompliance-pa.googleapis.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.200.4:443 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| GB | 172.217.169.3:443 | | tcp |
| GB | 172.217.169.3:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 172.217.169.3:443 | | udp |
| US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp |
| US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp |
Files
/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json
| MD5 | 6174aeb9f36dc2ad9fb03f34b0e2fe3a |
| SHA1 | e51a9413fad936339f9c3b23fc03b8d20110e4bb |
| SHA256 | dfba12529c2bce21b5898fdff7210d215b02286099deab06384b045912a748fc |
| SHA512 | 4b59c4466484884e709216304ef23b9ec7d31be66ea00b6c0630a33c807ab9c9ae2f801cb1fbf05adfbc04305cf6a3a0e2aeeea377f1983a7bbf6bf90db80e72 |
/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json
| MD5 | e6fb3e9186be5fba940062186afaeae0 |
| SHA1 | f271e4e2f5767cdf16e8e643aea51553ad1e2ca1 |
| SHA256 | e8fc8490e6a2d501f5429852a4fb7a727341852aec9665fe6a2f6d74ce6915d0 |
| SHA512 | 84abec0f0ade9440d3eccd2a06a1997851d5bcafeebe679f602f7dd5351d3cc58b5662806bc93bbd772c2c9767f2c3297421b8b99f2d092296ad35c18bd50abe |
/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json
| MD5 | 5b1db642b22f13c2ca97ae340e250338 |
| SHA1 | 89766d40419188961b43faa5a9691507eac43449 |
| SHA256 | b22eccdcc560a96a7d5914a5c5b840b709cb1de694949da1b2d2afd1f1ddd2b6 |
| SHA512 | 5c777e8ec8f0b3811e21bfc2b6b68506d07e6639fe74985ff4ab2022409795d36cbfc04f4b10a2435188354e24c8caecc2edc6423202133a3fb48a0d542b6d7f |