Malware Analysis Report

2025-01-19 05:34

Sample ID 240313-1x9lrsce65
Target 85efe6a53fdfb4ba34ae29579a162e6aeca17f0d96fd5883a3a8815041419fb1.bin
SHA256 85efe6a53fdfb4ba34ae29579a162e6aeca17f0d96fd5883a3a8815041419fb1
Tags
collection evasion stealth trojan
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 85efe6a53fdfb4ba34ae29579a162e6aeca17f0d96fd5883a3a8815041419fb1.bin was found to be: Likely malicious.

Malicious Activity Summary

collection evasion stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 22:02

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-13 22:02

Reported

2024-03-13 22:11

Platform

android-x86-arm-20240221-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-13 22:02

Reported

2024-03-13 22:11

Platform

android-x64-20240221-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-13 22:02

Reported

2024-03-13 22:11

Platform

android-x64-arm64-20240221-en

Max time network

4s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
GB | 142.250.200.10:443 | (none) | udp
GB | 142.250.200.14:443 | (none) | udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 22:02

Reported

2024-03-13 22:13

Platform

android-x86-arm-20240221-en

Max time kernel

148s

Max time network

150s

Command Line

com.scaleup.chatai

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
(eight rows reported, all fields N/A)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json | N/A | N/A
N/A | /data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

com.scaleup.chatai

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.scaleup.chatai/app_DynamicOptDex/oat/x86/WMEzllatHtIKVBY.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | (none) | udp
GB | 142.250.200.14:443 | (none) | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp

Files

/data/data/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json

MD5 6174aeb9f36dc2ad9fb03f34b0e2fe3a
SHA1 e51a9413fad936339f9c3b23fc03b8d20110e4bb
SHA256 dfba12529c2bce21b5898fdff7210d215b02286099deab06384b045912a748fc
SHA512 4b59c4466484884e709216304ef23b9ec7d31be66ea00b6c0630a33c807ab9c9ae2f801cb1fbf05adfbc04305cf6a3a0e2aeeea377f1983a7bbf6bf90db80e72

/data/data/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json

MD5 e6fb3e9186be5fba940062186afaeae0
SHA1 f271e4e2f5767cdf16e8e643aea51553ad1e2ca1
SHA256 e8fc8490e6a2d501f5429852a4fb7a727341852aec9665fe6a2f6d74ce6915d0
SHA512 84abec0f0ade9440d3eccd2a06a1997851d5bcafeebe679f602f7dd5351d3cc58b5662806bc93bbd772c2c9767f2c3297421b8b99f2d092296ad35c18bd50abe

/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json

MD5 5b1db642b22f13c2ca97ae340e250338
SHA1 89766d40419188961b43faa5a9691507eac43449
SHA256 b22eccdcc560a96a7d5914a5c5b840b709cb1de694949da1b2d2afd1f1ddd2b6
SHA512 5c777e8ec8f0b3811e21bfc2b6b68506d07e6639fe74985ff4ab2022409795d36cbfc04f4b10a2435188354e24c8caecc2edc6423202133a3fb48a0d542b6d7f

/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json

MD5 d4d582bc8525ee41d1f8a2fa33d8a9d0
SHA1 f6b1462c5ccb3b6e271499bc713e07ffa0361ad4
SHA256 4271e330d3e9c6ebee44e6d5a6a4c3b4d11892a190d4befabb4c109be82981ed
SHA512 0bcf0cbedc07edcf7829b754aad35f3369dfa0b4b69d110ec8c00e8016df66ed6c421e7bb56ebe92720b177faa2a6caa8cf97cf1ebfcdf6c3cee603375daa493

/data/data/com.scaleup.chatai/app_DynamicOptDex/oat/WMEzllatHtIKVBY.json.cur.prof

MD5 0f151e5d3f72db9645069a14c715e5b0
SHA1 f6cb68df0aa2f858e632088ebf21de1c70d1da73
SHA256 45917a5e2604314915d340e2ade2322ab8b95cdd68b3ed8074c05ed0dc52b7f7
SHA512 cd020e5943070dc93a5f423d5bdd3195153cfdbbadec298ee589c37e7684fb5be6e016948bf222c261989f39c336f716e0c700405cc7e7a088b0b8a2a889f481

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 22:02

Reported

2024-03-13 22:13

Platform

android-33-x64-arm64-20240229-en

Max time kernel

14s

Max time network

155s

Command Line

com.scaleup.chatai

Signatures

Makes use of the framework's Accessibility service

collection evasion
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json | N/A | N/A

Processes

com.scaleup.chatai

Network

Country | Destination | Domain | Proto
GB | 142.250.200.4:443 | (none) | udp
GB | 142.250.200.4:443 | (none) | tcp
BE | 108.177.15.188:5228 | (none) | tcp
GB | 142.250.200.4:443 | (none) | tcp
N/A | 224.0.0.251:5353 | (none) | udp
GB | 142.250.179.228:443 | (none) | udp
GB | 142.250.179.228:443 | (none) | tcp
GB | 142.250.179.228:443 | (none) | tcp
GB | 142.250.179.228:443 | (none) | tcp
GB | 216.58.212.206:443 | (none) | udp
GB | 216.58.212.206:443 | (none) | tcp
GB | 216.58.212.227:443 | (none) | tcp
GB | 216.58.212.206:443 | (none) | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 1.1.1.1:53 | gmscompliance-pa.googleapis.com | udp
GB | 216.58.213.10:443 | gmscompliance-pa.googleapis.com | tcp
GB | 142.250.200.46:443 | (none) | tcp
GB | 142.250.200.4:443 | (none) | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 162.159.61.3:443 | (none) | tcp
US | 162.159.61.3:443 | (none) | tcp
US | 162.159.61.3:443 | (none) | tcp
GB | 172.217.169.3:443 | (none) | tcp
GB | 172.217.169.3:443 | (none) | tcp
US | 162.159.61.3:443 | (none) | udp
GB | 172.217.169.3:443 | (none) | udp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp

Files

/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json

MD5 6174aeb9f36dc2ad9fb03f34b0e2fe3a
SHA1 e51a9413fad936339f9c3b23fc03b8d20110e4bb
SHA256 dfba12529c2bce21b5898fdff7210d215b02286099deab06384b045912a748fc
SHA512 4b59c4466484884e709216304ef23b9ec7d31be66ea00b6c0630a33c807ab9c9ae2f801cb1fbf05adfbc04305cf6a3a0e2aeeea377f1983a7bbf6bf90db80e72

/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json

MD5 e6fb3e9186be5fba940062186afaeae0
SHA1 f271e4e2f5767cdf16e8e643aea51553ad1e2ca1
SHA256 e8fc8490e6a2d501f5429852a4fb7a727341852aec9665fe6a2f6d74ce6915d0
SHA512 84abec0f0ade9440d3eccd2a06a1997851d5bcafeebe679f602f7dd5351d3cc58b5662806bc93bbd772c2c9767f2c3297421b8b99f2d092296ad35c18bd50abe

/data/user/0/com.scaleup.chatai/app_DynamicOptDex/WMEzllatHtIKVBY.json

MD5 5b1db642b22f13c2ca97ae340e250338
SHA1 89766d40419188961b43faa5a9691507eac43449
SHA256 b22eccdcc560a96a7d5914a5c5b840b709cb1de694949da1b2d2afd1f1ddd2b6
SHA512 5c777e8ec8f0b3811e21bfc2b6b68506d07e6639fe74985ff4ab2022409795d36cbfc04f4b10a2435188354e24c8caecc2edc6423202133a3fb48a0d542b6d7f