c17d5c8b8b68e6e574688e93b9c80e4cdcb15162614f465be0baecec0f261974

Resubmissions

22-04-2024 07:29

240422-jbclgaha6t 8

18-04-2024 07:14

240418-h263bsed84 8

Analysis

max time kernel
299s
max time network
304s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
22-04-2024 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c17d5c8b8b68e6e574688e93b9c80e4cdcb15162614f465be0baecec0f261974.apk
Size

4.2MB
MD5

00aa9900205771b8c9e7927153b77cf2
SHA1

b43094c27584f5e0fc5feaa5c621e56d7c2f3ccb
SHA256

c17d5c8b8b68e6e574688e93b9c80e4cdcb15162614f465be0baecec0f261974
SHA512

a19d2e339b25bea61b158bbd13f632793aeb4c3f20776793dd0bee15c4bd9283644d7915d55b46b6adf5803ca30651392dc6ccb40f843bdf0c72208fb70890d1
SSDEEP

98304:FZxlRoI9e3PxUjrBbuF1voH30PITIgN/S6zYx/EmZMRye0vLOYrlQEjLE:Huke3Px0u/QH70OYdEmGye0jLc

Score

8^/10

banker collection discovery evasion persistence stealth trojan

Malware Config

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

T1418.001
Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

T1628.001

Processes:

wgkx.wuar.jbkl

pid process

4179 wgkx.wuar.jbkl
Checks CPU information 2 TTPs 1 IoCs
Checks CPU information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

wgkx.wuar.jbkl

description ioc process

File opened for read /proc/cpuinfo wgkx.wuar.jbkl
Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

T1633.001

Processes:

wgkx.wuar.jbkl

ioc process

/dev/socket/qemud wgkx.wuar.jbkl
/dev/qemu_pipe wgkx.wuar.jbkl

pid	process
4179	wgkx.wuar.jbkl

description	ioc	process
File opened for read	/proc/cpuinfo	wgkx.wuar.jbkl

ioc	process
/dev/socket/qemud	wgkx.wuar.jbkl
/dev/qemu_pipe	wgkx.wuar.jbkl

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

wgkx.wuar.jbkl/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/wgkx.wuar.jbkl/app_dex/classes.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/wgkx.wuar.jbkl/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/wgkx.wuar.jbkl/app_dex/classes.dex	4179	wgkx.wuar.jbkl
/data/user/0/wgkx.wuar.jbkl/app_dex/classes.dex	4271	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/wgkx.wuar.jbkl/app_dex/classes.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/wgkx.wuar.jbkl/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/wgkx.wuar.jbkl/app_dex/classes.dex	4179	wgkx.wuar.jbkl

Queries account information for other applications stored on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect account information stored on the device.
collection

T1409

Processes:

wgkx.wuar.jbkl

description ioc process

Framework service call android.accounts.IAccountManager.getAccounts wgkx.wuar.jbkl
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

T1636.003

Processes:

wgkx.wuar.jbkl

description ioc process

URI accessed for read content://com.android.contacts/contacts wgkx.wuar.jbkl
Reads the content of photos stored on the user's device. 1 TTPs 1 IoCs
collection

T1533

Processes:

wgkx.wuar.jbkl

description ioc process

URI accessed for read content://media/external/images/media wgkx.wuar.jbkl
Reads the content of the MMS message. 1 TTPs 1 IoCs
collection

T1636.004

Processes:

wgkx.wuar.jbkl

description ioc process

URI accessed for read content://mms/ wgkx.wuar.jbkl
Reads the content of the SMS messages. 1 TTPs 1 IoCs
collection

T1636.004

Processes:

wgkx.wuar.jbkl

description ioc process

URI accessed for read content://sms/ wgkx.wuar.jbkl
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

wgkx.wuar.jbkl

description ioc process

Framework service call android.app.IActivityManager.registerReceiver wgkx.wuar.jbkl
Acquires the wake lock 1 IoCs

Processes:

wgkx.wuar.jbkl

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock wgkx.wuar.jbkl
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

wgkx.wuar.jbkl

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo wgkx.wuar.jbkl
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
evasion

T1628.002

Processes:

wgkx.wuar.jbkl

description ioc process

Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS wgkx.wuar.jbkl
Checks the presence of a debugger
evasion

description	ioc	process
Framework service call	android.accounts.IAccountManager.getAccounts	wgkx.wuar.jbkl

description	ioc	process
URI accessed for read	content://com.android.contacts/contacts	wgkx.wuar.jbkl

description	ioc	process
URI accessed for read	content://media/external/images/media	wgkx.wuar.jbkl

description	ioc	process
URI accessed for read	content://mms/	wgkx.wuar.jbkl

description	ioc	process
URI accessed for read	content://sms/	wgkx.wuar.jbkl

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	wgkx.wuar.jbkl

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	wgkx.wuar.jbkl

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	wgkx.wuar.jbkl

description	ioc	process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	wgkx.wuar.jbkl

wgkx.wuar.jbkl
1⤵
- Removes its main activity from the application launcher
- Checks CPU information
- Checks known Qemu pipes.
- Loads dropped Dex/Jar
- Queries account information for other applications stored on the device
- Reads the contacts stored on the device.
- Reads the content of photos stored on the user's device.
- Reads the content of the MMS message.
- Reads the content of the SMS messages.
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
- Requests disabling of battery optimizations (often used to enable hiding in the background).
PID:4179

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/wgkx.wuar.jbkl/app_dex/classes.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/wgkx.wuar.jbkl/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4271

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/wgkx.wuar.jbkl/app_dex/classes.dex
Filesize
6.6MB

MD5
a434e967a9b2cb476844050a37efaae1

SHA1
e3c72a1e0e848787dacb5844ee53a6e84de5fc4e

SHA256
a8b55f4f939040651a2ae22dc971433262ce37eb61487ec9fe5535e9fc5722b0

SHA512
549c2e07acbad0719a720fad187646fde54c4711953a6d0e70bd1c7d967d816d5aecd8d3c7098c0f987bcab23d0374e98438d6e4090260a70f7d2d8e284559b2

Download Submit
/data/data/wgkx.wuar.jbkl/databases/com.google.android.datatransport.events
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/wgkx.wuar.jbkl/databases/com.google.android.datatransport.events-journal
Filesize
512B

MD5
306beef293562976c6f6174e16e5f476

SHA1
8b3ba7521fe27ef5f65679b28e92d097eaff7958

SHA256
48d163cd034abc81d88ab982fb24cf5d73677e6821c4ea66a3ea42091352039f

SHA512
ad3604b7a5ff26a11343749946ad84ad820617d3384f70887073517ffd9267154e663d1ff3a1278cc6aeee175846c7a78f96c157c653a8b11772f11b1ca1e0f2

Download Submit
/data/data/wgkx.wuar.jbkl/databases/com.google.android.datatransport.events-shm
Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/wgkx.wuar.jbkl/databases/com.google.android.datatransport.events-wal
Filesize
68KB

MD5
07e8f8d8b3b82c63ed65a48ccb8e6c05

SHA1
cb4a68a92212aa9183bcee502f8836f3a8f78e26

SHA256
f371149d3f18dfa23d4180ad2feca8428c1b01e4ec960cd1ca5e582421ba2480

SHA512
121acdacc6b14d918e28eb551eacd78171c959f560a1ea6123235b10987c48386188fcf1c49af9946f37b9c6f29f7d5725d752fbf1cd61b0f0d53bd04f5b8813

Download Submit
/data/data/wgkx.wuar.jbkl/databases/mqttAndroidService.db-journal
Filesize
512B

MD5
d33682d333f47843f2c24818e0661c49

SHA1
342e52474acc784fc22d5c3f2218745bc752e396

SHA256
01ed8cb12f97c181e17bbaa9134d00bf3efc3d07b4bee7f9b38c4595ead8e37c

SHA512
252c2de48a9357d4ecc1054fc90106c78ebdb22fb65e8196987118cb8a1f7c77ab65799db0b2b9f7693115fb0f8bce889ebf83d2d48efbf9345b0edb2fed13b4

Download Submit
/data/data/wgkx.wuar.jbkl/databases/mqttAndroidService.db-wal
Filesize
32KB

MD5
65800e3dc697aa121d2d70edeb073b02

SHA1
50c57e4a3479ebee67bc41f25ce15c2c86d18649

SHA256
55c07e4ec5f15bacbef209ebc33591647870c25ad3bfa0355aa1144772b1d1b5

SHA512
bc5472109335b835a0a53e851957efa36f19c43030001906ba546f88ab0f98dfd7dcae53c819171d15817cafeeff573018923854802d5986d2523f005c516195

Download Submit
/data/data/wgkx.wuar.jbkl/files/PersistedInstallation2850292976851815077tmp
Filesize
570B

MD5
fb57d3ae417282e21d14e94927f5eb9c

SHA1
9bd42c7c941250e08752d97cff77e30e727e3ae1

SHA256
b91b84669396f12c9c00505644e0324ee0c7e46107262f07f8d4de8006dfe988

SHA512
2632aed621631e23b22fc5520df56f6b2ebf43c5126be0237e56fdab0d32aeefcd6b8404ed5cfea9632e3b345cfbfcf43d06da1223f3f075c8c7e8504849021d

Download Submit
/data/data/wgkx.wuar.jbkl/files/PersistedInstallation6372990652264455248tmp
Filesize
90B

MD5
794ab0a49a10cd7808f7342632285d71

SHA1
c376197c675fe0c0c393f25c18fc2cf6d623efef

SHA256
63bb1ee41db76ec71120432b833d2b364c21589de9cf259ea5c980b5b4c06c44

SHA512
4dc6f83700924060d71e7178bff16d18e08d87646310e4368b69205fcd68796c1948c8f644c8ec538fa67740d93c9ccfd4357840f6af1080d6ad81547656f2a2

Download Submit
/data/data/wgkx.wuar.jbkl/files/mmkv/mmkv.default
Filesize
4KB

MD5
620f0b67a91f7f74151bc5be745b7110

SHA1
1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d

SHA256
ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7

SHA512
2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

Download Submit
/data/data/wgkx.wuar.jbkl/no_backup/androidx.work.workdb-journal
Filesize
512B

MD5
b375123c0298872ef76d348765241db4

SHA1
f9a2a705c18f07fe1e32a1bf238f2e5e47970c61

SHA256
024e4805cfcacca00e137b5887a0ee055fa5e9fe467e51841b43539804e812de

SHA512
2daac015263d2ace74f7625b8e360b42f63110481b8c9325c8d65a793192b18b78f4adc65f876edf2dc840360d25e4cec03edf7a00d08f9b8c7f97472fadb0a7

Download Submit
/data/data/wgkx.wuar.jbkl/no_backup/androidx.work.workdb-wal
Filesize
16KB

MD5
939a1b2b3e6c6e2dab9868a4a4b80d55

SHA1
4dd0454ceb562b23c984dc2ecb268ea904aea068

SHA256
033cbc5ec566a7e4e381abe739934c33761749c32821c60448f6fe7d05bca509

SHA512
11ffbdcfb6b106806e80dd1cc29a9b02e27042010f9d79b6e321119e00d297ce40de61fc41fe15753208b6ca8933db3c4be663ed1dc8b239de4f8cb4618e2e0c

Download Submit
/data/data/wgkx.wuar.jbkl/no_backup/androidx.work.workdb-wal
Filesize
108KB

MD5
d8e181626a7be9768cf8686197a718ce

SHA1
d51f4a48bcd0f6b33356bac4d57186cdaf1d8934

SHA256
a07b2a70e993c7dabba5899cdc92c1250653e15d431767b078a9598758a25a0c

SHA512
dc3d2c2ae68d2551b970d76364f30465985c3f0670c571acee6591aa34d5f3135e05fb1cb995617434b192c2904cc998e05ed80eb834be48aa61c51a159109e5

Download Submit
/data/data/wgkx.wuar.jbkl/no_backup/androidx.work.workdb-wal
Filesize
229KB

MD5
26535482c55e0372d3d17af5877f4c1e

SHA1
4484b25bdfcb9b8599561030e3c5a99c2891d590

SHA256
4cfd79de7dc2f055d10fdedc06696ccf17facef6d97014f3eb4350beca617abe

SHA512
e64a3b3aaf3e393bd09f1012e2e8e9820278d36f6bcba3229db8b3808853f2d2c7aced78c20e04df4de002fb6d2cfce1b4694fbef883a664061cab83b3677d79

Download Submit