Malware Analysis Report

2025-01-19 05:34

Sample ID: 240314-bpfw2sfa7x
Target: c75185f9bb13f7e05ea5d1f93522dde2
SHA256: 65c8fc97a2855d1c7484cf2ca29352d7347ef92cfd1bdf7a3d6279a12752b4ca
Tags: discovery, evasion, stealth, trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: 65c8fc97a2855d1c7484cf2ca29352d7347ef92cfd1bdf7a3d6279a12752b4ca
Threat Level: Likely malicious

The file c75185f9bb13f7e05ea5d1f93522dde2 (the submitted sample, SHA256 above) was found to be: Likely malicious.

Malicious Activity Summary

Tags: discovery, evasion, stealth, trojan

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-14 01:18

Signatures

Requests dangerous framework permissions

Indicator                                 | Description
android.permission.SYSTEM_ALERT_WINDOW    | Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_EXTERNAL_STORAGE | Allows an application to write to external storage.
android.permission.READ_PHONE_STATE       | Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.GET_ACCOUNTS           | Allows access to the list of accounts in the Accounts Service.

The Process and Target columns are N/A for every row: this signature records the manifest declarations only, and the static pass does not show whether a permission was granted or exercised at run time. Of the four, the write to /storage/emulated/0/Download/sdsid seen in the behavioral runs is the one action in this report consistent with a declared permission (WRITE_EXTERNAL_STORAGE).

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-14 01:18
Reported: 2024-03-14 01:21
Platform: android-x86-arm-20240221-en
Max time kernel: 7s
Max time network: 135s

Command Line

com.browsers.version

Signatures

N/A (no behavioral signatures fired in this run; the process was live for only 7s of kernel time, against 154s in behavioral2 and behavioral3, so the launcher-hiding, jar-loading and crypto behaviour recorded there was not observed on this platform)

Processes

com.browsers.version

Network

Country | Destination          | Domain                      | Proto
US      | 1.1.1.1:53           | www.google.com              | udp
US      | 1.1.1.1:53           | www.google.com              | udp
GB      | 142.250.200.4:443    | www.google.com              | tcp
US      | 1.1.1.1:53           | safebrowsing.googleapis.com | udp
GB      | 172.217.169.74:443   | safebrowsing.googleapis.com | tcp
US      | 1.1.1.1:53           | update.googleapis.com       | udp
GB      | 142.250.179.227:443  | update.googleapis.com       | tcp
US      | 1.1.1.1:53           | fcksujdrp                   | udp
US      | 1.1.1.1:53           | ejsnaesbnwlzqu              | udp
US      | 1.1.1.1:53           | fcrzbfiq                    | udp
GB      | 142.250.179.238:443  | -                           | tcp
US      | 1.1.1.1:53           | android.apis.google.com     | udp
GB      | 172.217.16.238:443   | android.apis.google.com     | tcp

("-" means the sandbox recorded no domain for that connection.) Every resolved name in this run is Google infrastructure. The three lookups for random lowercase names (fcksujdrp, ejsnaesbnwlzqu, fcrzbfiq) are characteristic of Chromium's startup check for DNS hijacking, which resolves three random hostnames and expects NXDOMAIN; they are not sample-specific infrastructure.

Files

/data/data/com.browsers.version/app_tfile/fields.jar

MD5 a73395915062ab8bf0c8d9482fb546b2
SHA1 48ec3c39f5aff863f09e53bd0dafba414c5bd8b9
SHA256 e372d30419c46ab8a4eed0602c7cf289cba4922847d12c04627320096e79a2f5
SHA512 1a3feac83f916d5577ebccdddcc43c069b38bfdc364aeddcef4969cf2a187030cce75261eb129fc1dcef75b2b41baeada12838fc96fee164cfc02aa9d043dafd

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-14 01:18
Reported: 2024-03-14 01:21
Platform: android-x64-20240221-en
Max time kernel: 154s
Max time network: 152s

Command Line

com.browsers.version

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
No indicator, process or target recorded for this signature. Disabling the launcher component hides the icon only; the package remains installed and still appears in pm list packages and dumpsys package output on the device.

Loads dropped Dex/Jar

Tags: evasion
Indicator: /data/user/0/com.browsers.version/app_tfile/fields.jar (no process or target recorded)

Reads information about phone network operator.

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Indicator: framework API call javax.crypto.Cipher.doFinal (no process or target recorded)
A Cipher.doFinal call is the only crypto evidence in the report; it does not show which data was processed, so "encrypt user data" is the signature's generic reading, not an observed action.

Processes

com.browsers.version

Network

Country | Destination          | Domain                      | Proto
N/A     | 224.0.0.251:5353     | -                           | udp
US      | 1.1.1.1:53           | www.google.com              | udp
US      | 1.1.1.1:53           | ssl.google-analytics.com    | udp
US      | 1.1.1.1:53           | accounts.google.com         | udp
US      | 1.1.1.1:53           | accounts.google.com         | udp
BE      | 74.125.71.84:443     | accounts.google.com         | tcp
US      | 1.1.1.1:53           | www.google.com              | udp
GB      | 216.58.204.68:443    | www.google.com              | tcp
GB      | 216.58.204.68:443    | www.google.com              | tcp
US      | 1.1.1.1:53           | safebrowsing.googleapis.com | udp
GB      | 172.217.169.42:443   | safebrowsing.googleapis.com | tcp
US      | 1.1.1.1:53           | clients1.google.com         | udp
GB      | 142.250.187.238:443  | clients1.google.com         | tcp
GB      | 172.217.169.74:443   | -                           | tcp
GB      | 172.217.169.74:443   | -                           | tcp
US      | 1.1.1.1:53           | update.googleapis.com       | udp
US      | 1.1.1.1:53           | iqbrgdzyz                   | udp
US      | 1.1.1.1:53           | teabhsoz                    | udp
US      | 1.1.1.1:53           | ylqgqiedbfjlcif             | udp
US      | 1.1.1.1:53           | api.adsnative123.com        | udp
GB      | 142.250.178.8:443    | ssl.google-analytics.com    | tcp
GB      | 142.250.187.206:443  | -                           | tcp
US      | 1.1.1.1:53           | android.apis.google.com     | udp
GB      | 142.250.187.206:443  | android.apis.google.com     | tcp
GB      | 216.58.204.66:443    | -                           | tcp
GB      | 142.250.180.14:443   | -                           | tcp
GB      | 142.250.187.196:443  | -                           | tcp
GB      | 142.250.187.196:443  | -                           | tcp

("-" means the sandbox recorded no domain for that connection; 224.0.0.251:5353 is mDNS.) Apart from mDNS and Google infrastructure (safe browsing, update.googleapis.com, clients1.google.com, accounts.google.com, ssl.google-analytics.com), the only external name resolved is api.adsnative123.com, and the report shows a DNS query for it but no TCP connection to it, so it is the one network indicator here worth carrying forward. The random names iqbrgdzyz, teabhsoz and ylqgqiedbfjlcif are Chromium's three-hostname DNS-hijack probe, as in behavioral1. The bare-IP TCP rows are all in Google ranges and, where the same IP also appears with a domain (142.250.187.206 with android.apis.google.com), can be attributed from that row.

Files

Note: /data/data/com.browsers.version is a symlink to /data/user/0/com.browsers.version, so the first two entries below are the same fields.jar path recorded twice with different contents (SHA256 7129e1c3... and 8ce0c19f...), and both differ from the e372d304... copy from behavioral1; the dropped jar is written more than once during execution. The three tbcom.browsers.version-journal entries are successive states of the SQLite rollback journal for the tbcom.browsers.version database. /storage/emulated/0/Download/sdsid carries the same hash in behavioral2 and behavioral3, so its content is static.

/data/data/com.browsers.version/app_tfile/fields.jar

MD5 f9dcd2055286977fdcc69c5a553e1e07
SHA1 c63060bfb53e300e18d144d662404079192320b1
SHA256 7129e1c337c57a3f14bb8ac1508d1bafdbcf7d3b58258ff9d897ba731a9b9a84
SHA512 a635a7221dc43abea9663fb0982c44b6aba20f93c31e75fc9acb94ac2216e194aed13f0024354f6b5984ca5df220e4cd6e3f0ad2cda3ea5145a2b1e09f3e7dda

/data/user/0/com.browsers.version/app_tfile/fields.jar

MD5 a5c2edba25a231329548b4cc5aaf421a
SHA1 5e2b4210c0c0d927b850ad3a71dae1127cdb6ec4
SHA256 8ce0c19fdecbfd0a2cd64655b2ad2c864b5f15c6d0aedf3f8c4d8c55608778b5
SHA512 23ed76637486d7211a8ccbcf771c7b200f497b497538211b9507c4b24d93c595fc53ac9d289e052792710c7bbc842646283560e62db631bec580d1d218a68a2b

/data/data/com.browsers.version/databases/tbcom.browsers.version-journal

MD5 7cd1b2bc162f53f95218c650df2bdffc
SHA1 9466ecb822bce7e1723ba1d7fca63e31fdcc6399
SHA256 96d696dc9ae37623cce6d92ff751a75a5a83e2907cb70f9284a5a776ec570f35
SHA512 551ca7eb3ee6d479d8cbb33773642560ed9dd2d5f1e9f5ff2ec243cdb3480ea14de189a6eedf49c8ee9388679a20334f3606f3938446d8a9e351281f6f5ab8cb

/data/data/com.browsers.version/databases/tbcom.browsers.version

MD5 163b0e3f017becbc89b9d7f330b78f09
SHA1 1ef9cd8ac8655190468d0ccece0a4738634ab0f9
SHA256 cf01452c3b494692386f6c5faac340eb3eb894bd416391002d56645aa8a9ea36
SHA512 6a85a30d16fa58a4fbbb05d469778ee69ca79deaa74316ccb5be3ee07fdf78dde22e95db3edb1b88b18478e8747047445f85baaf9556b9a1e55d9a02a80baffd

/data/data/com.browsers.version/databases/tbcom.browsers.version-journal

MD5 2e56f29c75773208315da565f20c6935
SHA1 cc9e73dc8044c247df11734585f9b9c75d70a9ad
SHA256 0a2152aa0b0bac3f2ef0e8ca1e5e1755f57161e8b94c08513adeee08cdc730bc
SHA512 e0c5d7f9d6bd2e76afab363110acd0163f2e3e1a53c3bcbe852755b96f5927970d1a942f6d2ad69ae3de7108c14c9d936ecc123dcef7fd91466dddaf91955efe

/data/data/com.browsers.version/databases/tbcom.browsers.version-journal

MD5 81db056d7515dfa2dd5d6cef5852c04b
SHA1 80abd258864ca58300b57df06982311d8a8207b3
SHA256 3ee8d2ef652839a182bf0e45389de8e61dd9cc11684d8af2a65f072b9a8bfbc7
SHA512 6b27412f70620ae14e5b0c6379ff804d494ddc248dbd1cd93d4584ee93d5d2e8b8ece5a32eacfb6070283dde6d194678a67b9905c44a9b25456657314726f58f

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-14 01:18
Reported: 2024-03-14 01:21
Platform: android-x64-arm64-20240221-en
Max time kernel: 154s
Max time network: 132s

Command Line

com.browsers.version

Signatures

The same signatures and indicators as in behavioral2:

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
No indicator, process or target recorded.

Loads dropped Dex/Jar

Tags: evasion
Indicator: /data/user/0/com.browsers.version/app_tfile/fields.jar (no process or target recorded)

Reads information about phone network operator.

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Indicator: framework API call javax.crypto.Cipher.doFinal (no process or target recorded)
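The launcher-hiding signature (here and in behavioral2) has no indicator attached, so the on-device check is to read the package's disabled components. The following is an editor-written example, not sandbox output: it parses the disabledComponents and enabledComponents blocks that adb shell dumpsys package <pkg> prints. DUMPSYS is a constructed, abbreviated excerpt in that layout; the component names .MainActivity and .SyncService and the userId are hypothetical, and only the package name com.browsers.version comes from the report.

```python
"""Check whether a package's launcher activity has been disabled, the
on-device counterpart of the "Removes its main activity from the
application launcher" signature.

Editor-written example, not output of the sandbox. DUMPSYS is a
constructed, abbreviated excerpt in the layout of
`adb shell dumpsys package com.browsers.version`; the component names
and userId in it are hypothetical.
"""

# Constructed excerpt (hypothetical component names). A real dump is much
# longer; only the disabledComponents/enabledComponents blocks matter here.
DUMPSYS = """\
Packages:
  Package [com.browsers.version] (1a2b3c4):
    userId=10123
    User 0: installed=true hidden=false
      disabledComponents:
        com.browsers.version/.MainActivity
      enabledComponents:
        com.browsers.version/.SyncService
"""


def component_blocks(dump):
    """Return {'disabledComponents': [...], 'enabledComponents': [...]}.

    Each block is the run of lines indented deeper than its header, which
    is how dumpsys prints the per-user component state.
    """
    blocks = {"disabledComponents": [], "enabledComponents": []}
    current, header_indent = None, 0
    for line in dump.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        name = stripped[:-1] if stripped.endswith(":") else None
        if name in blocks:
            current, header_indent = name, indent
            continue
        if current is not None and stripped and indent > header_indent:
            blocks[current].append(stripped)
        else:
            current = None
    return blocks


def launcher_hidden(dump, package, launcher_activity):
    """True if package/launcher_activity is listed under disabledComponents.

    launcher_activity is the short component form as dumpsys prints it,
    e.g. ".MainActivity".
    """
    return f"{package}/{launcher_activity}" in component_blocks(dump)["disabledComponents"]


if __name__ == "__main__":
    print(component_blocks(DUMPSYS))
    print("launcher hidden:", launcher_hidden(DUMPSYS, "com.browsers.version", ".MainActivity"))
```

To use it against a live device, capture adb shell dumpsys package com.browsers.version into a file and pass its text in place of DUMPSYS; the launcher activity name itself comes from the sample's manifest, which this report does not include.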

Processes

com.browsers.version

Network

Country | Destination          | Domain                      | Proto
N/A     | 224.0.0.251:5353     | -                           | udp
GB      | 142.250.178.14:443   | -                           | udp
GB      | 142.250.200.46:443   | -                           | tcp
US      | 1.1.1.1:53           | android.apis.google.com     | udp
GB      | 142.250.200.46:443   | android.apis.google.com     | tcp
GB      | 142.250.200.46:443   | android.apis.google.com     | tcp
US      | 1.1.1.1:53           | www.google.com              | udp
US      | 1.1.1.1:53           | ssl.google-analytics.com    | udp
GB      | 216.58.212.232:443   | ssl.google-analytics.com    | tcp
US      | 1.1.1.1:53           | www.google.com              | udp
US      | 1.1.1.1:53           | accounts.google.com         | udp
US      | 1.1.1.1:53           | accounts.google.com         | udp
US      | 1.1.1.1:53           | www.google.com              | udp
US      | 1.1.1.1:53           | safebrowsing.googleapis.com | udp
GB      | 172.217.169.74:443   | safebrowsing.googleapis.com | tcp
US      | 1.1.1.1:53           | accounts.google.com         | udp
US      | 1.1.1.1:53           | www.google.com              | udp
BE      | 64.233.166.84:443    | accounts.google.com         | tcp
GB      | 216.58.204.68:443    | www.google.com              | tcp
US      | 1.1.1.1:53           | clients1.google.com         | udp
GB      | 142.250.180.14:443   | clients1.google.com         | tcp
US      | 1.1.1.1:53           | update.googleapis.com       | udp
GB      | 142.250.200.35:443   | update.googleapis.com       | tcp
US      | 1.1.1.1:53           | kyjtkjalephuzq              | udp
US      | 1.1.1.1:53           | quuvgsuqtbbs                | udp
US      | 1.1.1.1:53           | ulgxyoku                    | udp
US      | 1.1.1.1:53           | api.adsnative123.com        | udp
GB      | 142.250.200.36:443   | -                           | tcp
GB      | 142.250.200.36:443   | -                           | tcp
GB      | 142.250.178.14:443   | -                           | tcp
GB      | 142.250.187.226:443  | -                           | tcp
US      | 1.1.1.1:53           | update.googleapis.com       | udp

("-" means the sandbox recorded no domain for that connection.) The picture matches behavioral2: api.adsnative123.com is again resolved but never connected to, the three random names (kyjtkjalephuzq, quuvgsuqtbbs, ulgxyoku) are Chromium's DNS-hijack probe, and the remaining traffic is Google infrastructure. The udp row to 142.250.178.14:443 is UDP on port 443, i.e. a QUIC attempt; the same IP is then reached over TCP. 142.250.200.46 appears first without a domain and later with android.apis.google.com, so it can be attributed; 142.250.200.36, 142.250.178.14 and 142.250.187.226 have no attributing row in this run.
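The Network tables of the three runs mix one externally useful name with Chromium/WebView background traffic, probe lookups and bare IPs. The following editor-written example, not sandbox output, shows the triage a practitioner would apply to such a table: it parses rows in the report's own layout (three or four whitespace-separated fields), classes each destination, records whether a candidate domain was ever followed by a TCP connection, and attributes bare IPs from rows where the same IP carried a domain. ROWS is the behavioral3 table copied from the report. BACKGROUND_SUFFIXES is an assumption about which suffixes belong to the embedded Chromium/WebView stack rather than to the sample; the random-hostname rule reflects Chromium's startup DNS-hijack probe, which resolves three random hostnames of 7 to 15 lowercase letters.

```python
"""Triage a sandbox Network table: background noise vs candidate IOCs.

Editor-written example, not output of the sandbox. ROWS is the
behavioral3 Network table copied from the report. BACKGROUND_SUFFIXES
is an assumption about what counts as WebView/Chromium background traffic.
"""
import re
from collections import defaultdict

# Copied from the report: country, destination, [domain], proto.
# Three fields mean the sandbox recorded no domain for that connection.
ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.178.14:443 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 172.217.169.74:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 www.google.com udp
BE 64.233.166.84:443 accounts.google.com tcp
GB 216.58.204.68:443 www.google.com tcp
US 1.1.1.1:53 clients1.google.com udp
GB 142.250.180.14:443 clients1.google.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 142.250.200.35:443 update.googleapis.com tcp
US 1.1.1.1:53 kyjtkjalephuzq udp
US 1.1.1.1:53 quuvgsuqtbbs udp
US 1.1.1.1:53 ulgxyoku udp
US 1.1.1.1:53 api.adsnative123.com udp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.178.14:443 tcp
GB 142.250.187.226:443 tcp
US 1.1.1.1:53 update.googleapis.com udp
"""

# Assumption: these suffixes are the app's Chromium/WebView background traffic.
BACKGROUND_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")
# Chromium resolves three random 7-15 letter hostnames at startup to detect
# NXDOMAIN hijacking; such names are expected noise, not C2.
RANDOM_PROBE = re.compile(r"^[a-z]{7,15}$")


def parse_rows(text):
    """Yield (host, port, domain, proto) per row; domain is '' when absent."""
    for line in text.splitlines():
        f = line.split()
        if len(f) not in (3, 4):
            continue
        host, port = f[1].rsplit(":", 1)
        yield host, int(port), (f[2] if len(f) == 4 else ""), f[-1]


def classify(host, domain):
    if host == "224.0.0.251":
        return "mdns"
    if not domain:
        return "unattributed"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "background"
    if RANDOM_PROBE.match(domain):
        return "chromium-probe"
    return "candidate-ioc"


def triage(text):
    """Return (categories, candidates, bare_ips).

    categories: {category: set of domains, or hosts for domain-less rows}
    candidates: {domain: True if some TCP connection carried that domain}
    bare_ips: IPs that never appear with a domain anywhere in the table
    """
    categories, tcp_domains, attributed, bare = defaultdict(set), set(), set(), set()
    for host, _port, domain, proto in parse_rows(text):
        cat = classify(host, domain)
        categories[cat].add(domain or host)
        if domain:
            attributed.add(host)
            if proto == "tcp":
                tcp_domains.add(domain)
        elif cat == "unattributed":
            bare.add(host)
    candidates = {d: d in tcp_domains for d in categories["candidate-ioc"]}
    return dict(categories), candidates, sorted(bare - attributed)


if __name__ == "__main__":
    cats, cands, bare = triage(ROWS)
    for name in sorted(cats):
        print(f"{name:15} {sorted(cats[name])}")
    print("candidate IOCs (DNS followed by TCP?):", cands, "bare IPs:", bare)
```

On the behavioral3 rows the only candidate is api.adsnative123.com, with no TCP follow-up; the bare IPs that survive attribution are the three 142.250.x addresses that never appear with a domain in that run. The same function can be fed the behavioral1 or behavioral2 table unchanged.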

Files

Note: the two fields.jar entries below carry the same pair of hashes as the two in behavioral2 (7129e1c3... and 8ce0c19f...), so the dropped jar's contents are reproducible across the two x64 runs, whereas the short behavioral1 run produced a different file (e372d304...).

/data/user/0/com.browsers.version/app_tfile/fields.jar

MD5 f9dcd2055286977fdcc69c5a553e1e07
SHA1 c63060bfb53e300e18d144d662404079192320b1
SHA256 7129e1c337c57a3f14bb8ac1508d1bafdbcf7d3b58258ff9d897ba731a9b9a84
SHA512 a635a7221dc43abea9663fb0982c44b6aba20f93c31e75fc9acb94ac2216e194aed13f0024354f6b5984ca5df220e4cd6e3f0ad2cda3ea5145a2b1e09f3e7dda

/data/user/0/com.browsers.version/app_tfile/fields.jar

MD5 a5c2edba25a231329548b4cc5aaf421a
SHA1 5e2b4210c0c0d927b850ad3a71dae1127cdb6ec4
SHA256 8ce0c19fdecbfd0a2cd64655b2ad2c864b5f15c6d0aedf3f8c4d8c55608778b5
SHA512 23ed76637486d7211a8ccbcf771c7b200f497b497538211b9507c4b24d93c595fc53ac9d289e052792710c7bbc842646283560e62db631bec580d1d218a68a2b

/data/user/0/com.browsers.version/databases/tbcom.browsers.version-journal

MD5 b764bd77104d9c05170af0ddd2d9ccc0
SHA1 7d6328d2a019a5b38a19c8aa66626f994b093557
SHA256 14e4cdbaf83681c2d1c92b8d721007157ba3b9574307caf91d6cbe77d55a4d28
SHA512 a0106947c370903cf82e79c53f5a1f2936f7f985cdee8a80d96a7c14b8425195f1311ee15668c8ab9e3aabe20999565c2e27f6ced89c82d16e938bc9e126397e

/data/user/0/com.browsers.version/databases/tbcom.browsers.version

MD5 f41f531c07d4141546a531ff9caffdcd
SHA1 9dcac5aed06972d0ff6bd4cc1f1cdff85b36d3f5
SHA256 bb8dee5b5c3779f175abbd142722eb0022b98d374783aa80145b34614a4de646
SHA512 e0c8d1a820cb4c098e45776e8b50ea8c83944ef2e3f005cb0acbfc07688974d370f78100ae022f62564fc4c12acfdc43b710c18ca1c30f4f575bc08b9b12d2d4

/data/user/0/com.browsers.version/databases/tbcom.browsers.version-journal

MD5 0ee1335bdcc1da0345b86b06753b2348
SHA1 4baa2dcb7944b483df503b739b167f9e9c1f58e8
SHA256 f34e39dc673c078458dcf287aaeb61e43827bf62978cc981051f229122cbecad
SHA512 d32e480b2c5ec64c704828c7f3ff3caeeb20f784a1df358d728850e8f9f0f844936d8f19c1e32a43ea53954102a92e1e54c13eb0753be14bf4718af0ef9a2fdb

/data/user/0/com.browsers.version/databases/tbcom.browsers.version-journal

MD5 277084dca3aff1273cd495cb2cc7f825
SHA1 ce8b9a513e1557ba6eb280c64daf6330d68e7627
SHA256 cb9fddacb85bf6b631f62bd21a73b8bf225a9c5aedfc62dad777cf51c6d11c53
SHA512 6d738415e12290432abec4b08d3fc4b22c0a2b5b9caa939affcfcf849be0f7834f4bd53fc9d80bd3aa657af6d1f88358f2f6709c7e8733a0df8589be915717ef

/storage/emulated/0/Download/sdsid

MD5 b8c37e33defde51cf91e1e03e51657da
SHA1 dd01903921ea24941c26a48f2cec24e0bb0e8cc7
SHA256 fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71
SHA512 e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7
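The three Files sections record the same paths under two prefixes and with changing hashes, which is easy to misread as several distinct drops. The following editor-written example, not sandbox output, reconciles them: it normalises /data/data/<pkg> to /data/user/0/<pkg> (the former is a symlink to the latter on Android), then reports which paths were written with more than one content in a single run, which artefacts were byte-identical across runs, and which hashes recur. FILES holds the path and SHA256 of every record in the behavioral1, behavioral2 and behavioral3 Files sections, copied from the report.

```python
"""Reconcile the Files sections of the report's three behavioral runs.

Editor-written example, not output of the sandbox. FILES is the path and
SHA256 of every file record in behavioral1, behavioral2 and behavioral3,
copied from the report.
"""
from collections import defaultdict

PKG = "com.browsers.version"
JAR = "/app_tfile/fields.jar"
DB = "/databases/tb" + PKG
SDSID = "/storage/emulated/0/Download/sdsid"

FILES = {
    "behavioral1": [
        ("/data/data/" + PKG + JAR, "e372d30419c46ab8a4eed0602c7cf289cba4922847d12c04627320096e79a2f5"),
    ],
    "behavioral2": [
        ("/data/data/" + PKG + JAR, "7129e1c337c57a3f14bb8ac1508d1bafdbcf7d3b58258ff9d897ba731a9b9a84"),
        ("/data/user/0/" + PKG + JAR, "8ce0c19fdecbfd0a2cd64655b2ad2c864b5f15c6d0aedf3f8c4d8c55608778b5"),
        ("/data/data/" + PKG + DB + "-journal", "96d696dc9ae37623cce6d92ff751a75a5a83e2907cb70f9284a5a776ec570f35"),
        ("/data/data/" + PKG + DB, "cf01452c3b494692386f6c5faac340eb3eb894bd416391002d56645aa8a9ea36"),
        ("/data/data/" + PKG + DB + "-journal", "0a2152aa0b0bac3f2ef0e8ca1e5e1755f57161e8b94c08513adeee08cdc730bc"),
        ("/data/data/" + PKG + DB + "-journal", "3ee8d2ef652839a182bf0e45389de8e61dd9cc11684d8af2a65f072b9a8bfbc7"),
        (SDSID, "fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71"),
    ],
    "behavioral3": [
        ("/data/user/0/" + PKG + JAR, "7129e1c337c57a3f14bb8ac1508d1bafdbcf7d3b58258ff9d897ba731a9b9a84"),
        ("/data/user/0/" + PKG + JAR, "8ce0c19fdecbfd0a2cd64655b2ad2c864b5f15c6d0aedf3f8c4d8c55608778b5"),
        ("/data/user/0/" + PKG + DB + "-journal", "14e4cdbaf83681c2d1c92b8d721007157ba3b9574307caf91d6cbe77d55a4d28"),
        ("/data/user/0/" + PKG + DB, "bb8dee5b5c3779f175abbd142722eb0022b98d374783aa80145b34614a4de646"),
        ("/data/user/0/" + PKG + DB + "-journal", "f34e39dc673c078458dcf287aaeb61e43827bf62978cc981051f229122cbecad"),
        ("/data/user/0/" + PKG + DB + "-journal", "cb9fddacb85bf6b631f62bd21a73b8bf225a9c5aedfc62dad777cf51c6d11c53"),
        (SDSID, "fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71"),
    ],
}


def normalize(path):
    """/data/data/<pkg> is a symlink to /data/user/0/<pkg> on Android."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def hash_sets(files):
    """{normalized path: {run: set of distinct SHA256 recorded in that run}}"""
    out = defaultdict(lambda: defaultdict(set))
    for run, records in files.items():
        for path, sha256 in records:
            out[normalize(path)][run].add(sha256)
    return out


def multi_write(files):
    """Paths recorded with more than one distinct content inside one run."""
    return sorted(p for p, runs in hash_sets(files).items()
                  if any(len(s) > 1 for s in runs.values()))


def stable(files):
    """Paths seen in 2+ runs whose content set is identical in every run."""
    return sorted(p for p, runs in hash_sets(files).items()
                  if len(runs) > 1 and len({frozenset(s) for s in runs.values()}) == 1)


def shared_hashes(files):
    """Hashes that recur in two or more runs (the same artefact dropped again)."""
    seen = defaultdict(set)
    for run, records in files.items():
        for _path, sha256 in records:
            seen[sha256].add(run)
    return {h for h, runs in seen.items() if len(runs) > 1}


if __name__ == "__main__":
    print("written more than once in a run:", multi_write(FILES))
    print("identical across runs:", stable(FILES))
    print("hashes recurring across runs:", sorted(shared_hashes(FILES)))
```

For this report the output says: fields.jar and the SQLite -journal are the paths rewritten within a run; sdsid is the only artefact identical across runs; and three hashes recur, the two fields.jar contents shared by behavioral2 and behavioral3 plus sdsid. The behavioral1 fields.jar matches nothing else, which is the one case that would need the file itself to explain.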