Malware Analysis Report

2024-09-09 14:35

Sample ID 240501-1xpxcsha9y
Target a68281c33408fd04d6ff24bbaa2df6935ada43d1d6e73189a8194ba3fbd527b5.bin
SHA256 a68281c33408fd04d6ff24bbaa2df6935ada43d1d6e73189a8194ba3fbd527b5
Tags: hook collection credential_access discovery evasion impact infostealer persistence rat stealth trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: a68281c33408fd04d6ff24bbaa2df6935ada43d1d6e73189a8194ba3fbd527b5
Threat Level: Known bad

The file a68281c33408fd04d6ff24bbaa2df6935ada43d1d6e73189a8194ba3fbd527b5.bin was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion impact infostealer persistence rat stealth trojan

Hook (family signature; Hook is an Android banking trojan with remote-access capabilities)

Makes use of the framework's Accessibility service

Removes its main activity from the application launcher

Registers a broadcast receiver at runtime (usually for listening for system events)

Obtains sensitive information copied to the device clipboard

Checks memory information

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Checks CPU information

Queries information about running processes on the device

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator.

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-01 22:01

Signatures

Process and Target were N/A for every row of the static analysis and are omitted below; each line is indicator: description.

Declares broadcast receivers with permission to handle system events

android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_PHONE_NUMBERS: Allows read access to the device's phone number(s).
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.ACCESS_BACKGROUND_LOCATION: Allows an app to access location in the background.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.

Taken together this is the manifest profile of an overlay/accessibility banking trojan: SYSTEM_ALERT_WINDOW supports phishing overlays drawn over banking apps, a bound accessibility service supports reading screen content and injecting input, READ_SMS/RECEIVE_SMS support OTP interception, a notification listener reaches OTP pushes, and a device-admin receiver makes removal harder. SYSTEM_ALERT_WINDOW and the BIND_* services are granted through Settings rather than the runtime permission dialog, so the app must talk the user into enabling them; the IAccessibilityServiceConnection calls in the behavioral runs below show the accessibility service was active during detonation.
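The static findings above are what an analyst checks first in a decoded AndroidManifest.xml. The following Python script is an added example, not sandbox output and not code from the sample: it parses a manifest, lists the requested permissions, finds services and receivers that declare the BIND_* system permissions, lists launcher activities (so the runtime "removed from launcher" behaviour can later be checked against them) and reports a capability profile. The embedded manifest is constructed to mirror this report's static1 findings; the package name is the report's, while the component class names (.MainActivity, .AccService, .NotifService, .AdminReceiver) are placeholders.

```python
"""Triage an AndroidManifest.xml for the overlay/accessibility banker profile.
Added example; the manifest below is constructed to mirror the static1 findings."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Rules: each maps a manifest fact to the capability it gives the app.
BOUND_SERVICE_RULES = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility: read screen content, inject taps/text",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notifications: read and dismiss notifications (OTP pushes)",
}
BOUND_RECEIVER_RULES = {
    "android.permission.BIND_DEVICE_ADMIN": "device admin: resist uninstall, lock/wipe device",
}
PERMISSION_RULES = {
    "overlay: draw windows over other apps (phishing overlays)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms: read/intercept/send SMS (OTP theft)": {"android.permission.READ_SMS",
                                                 "android.permission.RECEIVE_SMS",
                                                 "android.permission.SEND_SMS"},
    "contacts/call log harvesting": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "location tracking": {"android.permission.ACCESS_BACKGROUND_LOCATION",
                          "android.permission.ACCESS_COARSE_LOCATION"},
}


def assess_manifest(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    caps = []
    for svc in root.iter("service"):            # services bound by the system
        cap = BOUND_SERVICE_RULES.get(svc.get(A + "permission"))
        if cap:
            caps.append(cap)
    for rcv in root.iter("receiver"):           # device-admin receiver
        cap = BOUND_RECEIVER_RULES.get(rcv.get(A + "permission"))
        if cap:
            caps.append(cap)
    for cap, needed in PERMISSION_RULES.items():
        if perms & needed:
            caps.append(cap)
    # Launcher activities: if the app later "removes its main activity from the
    # launcher", these are the components that will show up as disabled.
    launcher = []
    for act in root.iter("activity"):
        for f in act.iter("intent-filter"):
            actions = {a.get(A + "name") for a in f.iter("action")}
            cats = {c.get(A + "name") for c in f.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launcher.append(act.get(A + "name"))
    has = lambda prefix: any(c.startswith(prefix) for c in caps)
    profile = "banking-trojan-like" if has("accessibility") and has("overlay") and has("sms") else "review"
    return {"package": root.get("package"), "permissions": sorted(p for p in perms if p),
            "capabilities": caps, "launcher_activities": launcher, "profile": profile}


# Constructed manifest mirroring the static1 findings; component names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.wirigacetoze.yuwazu">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    result = assess_manifest(SAMPLE_MANIFEST)
    print(result["package"], "->", result["profile"])
    for cap in result["capabilities"]:
        print("  ", cap)
    print("  launcher activities:", result["launcher_activities"])
```

On a real APK, run it on the manifest produced by `apktool d` (the binary manifest inside the APK must be decoded first); the profile is a triage hint, not a verdict, and the BIND_* rules only fire when the permission is set on the component, which is how the system enforces who may bind to it.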

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-01 22:01
Reported: 2024-05-01 22:09
Platform: android-x64-arm64-20240221-en
Max time kernel: 150s
Max time network: 160s

Command Line

com.wirigacetoze.yuwazu

Signatures

Process and Target were N/A for every row in this run and are omitted below.

Hook (family signature; Hook is an Android banking trojan with remote-access capabilities)
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
These are the calls an enabled accessibility service makes to locate on-screen views by id or label, i.e. to read what the user sees and to pick targets for injected input. Their presence means the service was granted and active during the run.

Removes its main activity from the application launcher
Tags: stealth trojan evasion
(no indicator recorded; this is normally done by disabling the launcher activity component through PackageManager.setComponentEnabledSetting, which makes the app icon disappear after first launch)

Checks CPU information
Tags: evasion discovery
File opened for read: /proc/cpuinfo
(a common emulator check; whatever it looked for, the behaviour was the same on all three sandbox platforms, so it did not abort)

Checks memory information
Tags: evasion discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries information about running processes on the device
Tags: discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices)
Tags: discovery
(no indicator recorded)

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.
Tags: discovery
(no indicator recorded)

Requests disabling of battery optimizations (often used to enable hiding in the background).
Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal
A Cipher.doFinal call on its own does not indicate ransomware; for a stealer it is at least as likely to be C2 traffic or string encryption, and the Files list for this run shows only the app's own working files, no encrypted user data.

Processes

com.wirigacetoze.yuwazu

Network

Country  Destination           Domain                     Proto
GB       216.58.201.110:443    -                          tcp   (x2)
N/A      224.0.0.251:5353      -                          udp
GB       142.250.200.14:443    -                          udp
US       1.1.1.1:53            android.apis.google.com    udp
GB       142.250.180.14:443    android.apis.google.com    tcp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       142.250.180.8:443     ssl.google-analytics.com   tcp
RU       176.100.42.11:3434    -                          tcp   (x3)
GB       142.250.200.14:443    -                          tcp   (x2)
RU       176.100.42.11:3434    -                          tcp
GB       172.217.16.228:443    -                          tcp
US       1.1.1.1:53            www.google.com             udp
GB       142.250.187.228:443   www.google.com             tcp
RU       176.100.42.11:3434    -                          tcp   (x17)

Legend: "-" means no domain was recorded for the flow; (xN) collapses N consecutive identical rows (the report lists every connection separately; 21 connections to 176.100.42.11:3434 in this run).

Apart from DNS, mDNS and Google infrastructure reached over 443, the only destination is 176.100.42.11:3434, contacted repeatedly over plain TCP on a non-standard port in all three runs. The sandbox does not label it, but on this evidence it is the likely C2 and the indicator to block and hunt for.

Files

Each entry below appears to record one observed version of a file: a path listed more than once had different content at different points in the run (the three PKYxWX.json entries carry three different hashes), so pivot on all of them. The .json extension is a disguise; this is the file the "Loads dropped Dex/Jar" signature refers to, and the .cur.prof entry under oat/ is the runtime's profile for it.

/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 758f2306a80b4f1fb18ebb52abf5694d
SHA1 dc006c95d0ccb09c1c6ec9da72ce32ec8299f7fa
SHA256 9067c8538c67eaee28346cec3e222f39ed32bb9e08e7b22d12962516f61a9222
SHA512 fcf5f1c5fae54337ea32c95b544358bb6cc380e02ac37e12331d94c1f483744216dd81e1cd80c63f0fb2f36b3c6361e35e510474f8fd8e55438639e7ba051267

/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 df058f1ae6a32a19f50a213fa8774804
SHA1 ee6ee53975b57756fd86bb6bffe83ae8d581e252
SHA256 3a18c67faf537283e187310614d6acef46c4392f7a33520da3419dfb1633b8a2
SHA512 afd9502c7f29e3ce97b4888aabd33d24443dcbf38b87c03a27c634fdce74c700d10b4c5788db4eb27ab2808e4f6fee862ad2f5b50277adde96575a2168b8e3cc

/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 625f582689b89479997507f9805e6f4a
SHA1 0f98b131a7ab157d319c4cbc0443cb3726993706
SHA256 7ee6e8208623447487d48a3a0d476826e470718baf81cbac74eef2f4d50499ff
SHA512 3d1d36de17e37d5861d9a83de01b0b3b9509c41b3f1cf1954b404e149a65cc37fd209a458140e7877795c9448d61d050051b615d461bdb53d32a57b6fc322211

/data/user/0/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-journal

MD5 9e132310f390d2885daa2c038db745c5
SHA1 17da5aa9fce595ccbc76550be8c2a025c7071f47
SHA256 406466da10b1c7cc13fd62095c37d1fff88ca3d1367a89969e3dbcb4b4c928f4
SHA512 e8a51c76c13dbfa4f523ac8fa6ded3336c9a5ecc9fc8f2c086fb09e07964977154ce3ed89cb4eecf053aa74ff73244fa0b1e2ed1036a9b3eca60a1d56e969997

/data/user/0/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 83a98156fb930f1c3654bd16d6139406
SHA1 0fd712516e84d4a5aa96f280097114057b906124
SHA256 c5b472ab190237615b41258405f8d2e92e8614e0539575c824ef344a2a9a3cb1
SHA512 5c734fe4c04758b2b912ed1f9c53b5bee656ccba754be51311b63e6ddf202eb4d0ebbed5bbfc3b64dc23cffcc28487cb4ac838419ba8be23f1fda862dec17458

/data/user/0/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 03d98ee08d908748307ac5686b5bb9cc
SHA1 cc691de8b4f7128456dd02cbd14b5cc9a39fd0ad
SHA256 30eab360be0079cce172cc9315c13274f1dbb78bdffb685616c5c8ce6e020ff9
SHA512 e243eb342aaababeb21b881f59d43c95a91babd893bfc467356bdbc76d0db41aa7b2597e03527d199cb7ff823aa65812bdbccf82de545484ee6719f2a38bfd61

/data/user/0/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 31339cd6734f183bebc84aa6643128fd
SHA1 98729a589b101bda460eeb2d8d0f6462c8815b86
SHA256 6bffe9f8fcbb188d816d97fee594b281b5b2fb2e8bee1cc803ee8dc5843fc51d
SHA512 d99241bdbfeab48c46e33ed1de4e35183f45bd3815d427e0844c8484afb00c47accd9fe7f41ef599d928a358da14b5b40a3252489b8e2eeb0c6fb40f63795578

/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/PKYxWX.json.cur.prof

MD5 6216b7c8db106d2b80dcfc0486138573
SHA1 30d09be3817b67308395e7078670c4bf4bf34c82
SHA256 503fd34c1acf9ac6edb1df909a59c564ddfbcd931900ba846921c732f44366d6
SHA512 9ef5a68e4af1d5bde2759cdd04a425bf540223d0b0411e2cdd3d6fbf14fe2c5300cc0228d910151601d5b3d8527fcc3977a7a6f4df2897abdf6480b4d4270276

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-01 22:01
Reported: 2024-05-01 22:09
Platform: android-x86-arm-20240221-en
Max time kernel: 148s
Max time network: 157s

Command Line

com.wirigacetoze.yuwazu

Signatures

Process and Target were N/A for every row in this run and are omitted below.

Hook (family signature; Hook is an Android banking trojan with remote-access capabilities)
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText

Removes its main activity from the application launcher
Tags: stealth trojan evasion
(no indicator recorded)

Checks CPU information
Tags: evasion discovery
File opened for read: /proc/cpuinfo

Checks memory information
Tags: evasion discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json (two load events recorded)

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Queries information about running processes on the device
Tags: discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.
Tags: discovery
(no indicator recorded)

Requests disabling of battery optimizations (often used to enable hiding in the background).
Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Framework API call: javax.crypto.Cipher.doFinal

Processes

com.wirigacetoze.yuwazu

dex2oat, started by the ART runtime when the app loaded the dropped file. Note --dex-file=/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json: the file named .json is a DEX, and the .odex/.vdex outputs under app_DynamicOptDex/oat/ are its compiled form. The trailing --class-loader-context=& is ART's own encoding for a class-loader context it does not describe, typically seen when a DEX is loaded through an app-created class loader; the line is complete as shown, not truncated.

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/x86/PKYxWX.odex --compiler-filter=quicken --class-loader-context=&
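The dex2oat line above is the decisive evidence for the "Loads dropped Dex/Jar" signature: the runtime was asked to compile app_DynamicOptDex/PKYxWX.json, so the file is a DEX whatever its name says. The check below is an added example, not sandbox output or code from the sample: it classifies files by content (DEX magic, or a ZIP/JAR carrying classes*.dex entries) rather than by extension and flags loadable code hiding under a non-code name, with its SHA256 for pivoting. The sample tree is constructed in memory (a DEX header behind the report's .json name, a JAR behind .txt, a real JSON file and an SQLite header); scan_app_dir() runs the same check over a directory pulled from a device.

```python
"""Find Dalvik code hiding behind a non-code file name (e.g. a 'JSON' file that
dex2oat was asked to compile). Added example; the sample tree is constructed here."""
import hashlib
import io
import os
import re
import zipfile

# Real format markers: a DEX file starts with "dex\n" + three-digit version + NUL
# (e.g. "dex\n035\0"); JAR/APK files are ZIP archives and start with "PK\x03\x04".
DEX_MAGIC = re.compile(rb"\Adex\n\d{3}\x00")
ZIP_MAGIC = b"PK\x03\x04"

CODE_TYPES = {"dex", "jar"}
CODE_EXTS = {".dex", ".jar", ".apk", ".zip"}


def classify(data: bytes) -> str:
    """Return what the bytes really are, ignoring the file name."""
    if DEX_MAGIC.match(data):
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip-corrupt"
        # A class loader can only use a ZIP/JAR that carries classes*.dex entries.
        return "jar" if any(n.endswith(".dex") for n in names) else "zip"
    return "other"


def find_masqueraded_code(files: dict) -> list:
    """files: {path: bytes}. Returns (path, real_type, sha256) for each file whose
    content is loadable code but whose extension does not say so."""
    findings = []
    for path, data in files.items():
        kind = classify(data)
        ext = os.path.splitext(path)[1].lower()
        if kind in CODE_TYPES and ext not in CODE_EXTS:
            findings.append((path, kind, hashlib.sha256(data).hexdigest()))
    return findings


def scan_app_dir(root: str) -> list:
    """Run the check over a directory tree, e.g. /data/data/<pkg> pulled with adb."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[full] = fh.read()
    return find_masqueraded_code(files)


def _fake_jar() -> bytes:
    """Constructed: a ZIP with a classes.dex entry, as an app-loadable JAR would have."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 24)
    return buf.getvalue()


# Constructed sample tree. The first path copies the report's dropped-file name; the
# bytes are only a DEX header, enough for the magic check, not a real payload.
SAMPLE_FILES = {
    "app_DynamicOptDex/PKYxWX.json": b"dex\n035\x00" + b"\x00" * 24,
    "cache/update.txt": _fake_jar(),
    "shared_prefs/config.json": b'{"ver": 1}',
    "no_backup/androidx.work.workdb": b"SQLite format 3\x00",
}

if __name__ == "__main__":
    for path, kind, digest in find_masqueraded_code(SAMPLE_FILES):
        print(f"{path}: {kind} sha256={digest}")
```

The magic check is deliberately content-only: a dropped payload that is later deleted or rewritten (as the three hashes for PKYxWX.json in the Files lists suggest) is still caught if it is on disk at scan time, and an `app_DynamicOptDex`-style directory name is a hint, not a requirement.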

Network

Country  Destination           Domain                               Proto
N/A      224.0.0.251:5353      -                                    udp
US       1.1.1.1:53            semanticlocation-pa.googleapis.com   udp
RU       176.100.42.11:3434    -                                    tcp
GB       216.58.201.110:443    -                                    tcp
US       1.1.1.1:53            android.apis.google.com              udp
GB       172.217.16.238:443    android.apis.google.com              tcp
GB       172.217.169.10:443    semanticlocation-pa.googleapis.com   tcp
RU       176.100.42.11:3434    -                                    tcp   (x3)
GB       142.250.179.238:443   -                                    tcp   (x2)
RU       176.100.42.11:3434    -                                    tcp   (x16)

Legend: "-" means no domain was recorded for the flow; (xN) collapses N consecutive identical rows (20 connections to 176.100.42.11:3434 in this run).

Files

On Android /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so the two path forms below refer to the same directory; entries are listed once per observed content, as in the behavioral3 run.

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 758f2306a80b4f1fb18ebb52abf5694d
SHA1 dc006c95d0ccb09c1c6ec9da72ce32ec8299f7fa
SHA256 9067c8538c67eaee28346cec3e222f39ed32bb9e08e7b22d12962516f61a9222
SHA512 fcf5f1c5fae54337ea32c95b544358bb6cc380e02ac37e12331d94c1f483744216dd81e1cd80c63f0fb2f36b3c6361e35e510474f8fd8e55438639e7ba051267

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 df058f1ae6a32a19f50a213fa8774804
SHA1 ee6ee53975b57756fd86bb6bffe83ae8d581e252
SHA256 3a18c67faf537283e187310614d6acef46c4392f7a33520da3419dfb1633b8a2
SHA512 afd9502c7f29e3ce97b4888aabd33d24443dcbf38b87c03a27c634fdce74c700d10b4c5788db4eb27ab2808e4f6fee862ad2f5b50277adde96575a2168b8e3cc

/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 625f582689b89479997507f9805e6f4a
SHA1 0f98b131a7ab157d319c4cbc0443cb3726993706
SHA256 7ee6e8208623447487d48a3a0d476826e470718baf81cbac74eef2f4d50499ff
SHA512 3d1d36de17e37d5861d9a83de01b0b3b9509c41b3f1cf1954b404e149a65cc37fd209a458140e7877795c9448d61d050051b615d461bdb53d32a57b6fc322211

/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 9e3001c0619a77686a820114ffcfccbe
SHA1 111e731a90cd75fc479f3dd87578b161c4f3c907
SHA256 61ce0d98306e47962a2f39b1978325c5a4cff2a8c32ba3ede38f5a5cd337cdcb
SHA512 b99775c55138edda24a6c020c702e3778a97ca7c0f10aa02f6149b61a4d13835a1e66fa22c0f59e4f5d56edc44b933aaf9cadc0130e40cbfe62fd562f54b4d8b

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-journal

MD5 015e409b030344d0ef628a395ec213cb
SHA1 e341b03e348d71a797b4ef3f961855cbe7324195
SHA256 f6de34403afd328fab7bacd23a83680e6ff1c1a5b21e8bb74ff851bd5da3fb5c
SHA512 9fa4adbc1f41832d9164ed17413b76b373811ecd70b61fb785218a67ab23e087b4b638ace09d00ffdf1083c594755a1e1abddd4c304b2e606d0d19e352d0bb9b

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 fd3c7773e7ae2294535f1f8a4c73f655
SHA1 6b636d02bbd43f612c28b609a43d83abba51a980
SHA256 8100ae2ab8293e8f5532e2915c52ba1633a56ac882f7e5e0512f202c40fe6e3c
SHA512 a3947e447d8907aa891d2856a69b0b8aa80bf334daa8bc97bf94bb2b3f80471a07ba52a5ea319f20fd8ed63f6b482cd9c4c4fb3d7136d1b07bf97c651a61dd9c

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 3c373450216f246204b9d1caccff5edd
SHA1 ffaefe7d451041b66523855fd618369dcf482d7a
SHA256 f3175927401205274adc4c264602a94027e4fda21b187ad7d7de2b7c858ee95c
SHA512 ea3b719348ac1ef798fc82985bbd16027221bb24a9adc0cd57c87978e30abbd2c6aedcaa2509fa442117cddfb3a150c2a9db22573355fa147304f4a555146f22

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 8badf0f8da69ba1c1e331a34c51279ed
SHA1 d2f06a63d7f85698a7c85c291fb2a57007d93f73
SHA256 85e7ae7f3b6d2864954b2c7b7677f310d70561c7e829e2a2fb7c18118ffa331f
SHA512 b4895613814b0abcfdd1e9ec1520abe0f91bec448f0eaf61c86bdf54f031ea42072a7d5a8f1435403370424950143ef0521be20264071212a10d70782158e354

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/PKYxWX.json.cur.prof

MD5 3b73623405f1c625a4207d88f58af6c6
SHA1 eb4f77560fcfaa5f18df4d9085c9dca981310a13
SHA256 ea234bc91291f7185fab2570d8903de85412fe57108eb67bb2a50202382be45f
SHA512 734690daf48e622ddd875e74bcf6cd0f59900a5188aec2c9d73e8ac2748560a7957f0bdde698d77a6bd8400737f919897f4553acd56f76c43328dba90738bd6e

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/PKYxWX.json.cur.prof

MD5 4fd10885c809d5f36f2590091b1f4f2c
SHA1 0362a912eb4648e833c063c48b15091d98520cc5
SHA256 3be512999725667ef77dddc77af1f0b9d310d53978cd60415cd01974fe6f4f98
SHA512 28f6039b08cf8e5a1d3c2613b3e7f48f28ba206e29d063282b4c3d2122510e4d1535ed131be3a0c6b720b03d40f93cdf78ae7ca05546933010f66fc6f82facaa

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/PKYxWX.json.cur.prof

MD5 a368127851aaf1d82d54d4dac6a80f54
SHA1 994ab74456b76086ddc788c84bc4864444cb71c3
SHA256 966a0cb50f1aa059524ea06fd31cd3be7c379ce54ee0757bc558358062cbb8de
SHA512 82265c02897aaaf545245741842ed1689244b84eb3242b20eb92b3b6e665f47198dc7851b7e2baf2d3a6d380dfb7a23579e0fdb923776613bff77af1784c627b

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-01 22:01
Reported: 2024-05-01 22:09
Platform: android-x64-20240221-en
Max time kernel: 152s
Max time network: 161s

Command Line

com.wirigacetoze.yuwazu

Signatures

Process and Target were N/A for every row in this run and are omitted below.

Hook (family signature; Hook is an Android banking trojan with remote-access capabilities)
Tags: rat trojan infostealer hook

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText

Checks CPU information
Tags: evasion discovery
File opened for read: /proc/cpuinfo

Checks memory information
Tags: evasion discovery
File opened for read: /proc/meminfo

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

Makes use of the framework's foreground persistence service
Tags: evasion persistence
Framework service call: android.app.IActivityManager.setServiceForeground

Obtains sensitive information copied to the device clipboard
Tags: collection credential_access impact
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries information about running processes on the device
Tags: discovery
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the mobile country code (MCC)
Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Queries the phone number (MSISDN for GSM devices)
Tags: discovery
(no indicator recorded)

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Reads information about phone network operator.
Tags: discovery
(no indicator recorded)

Processes

com.wirigacetoze.yuwazu

Network

Country  Destination           Domain                     Proto
N/A      224.0.0.251:5353      -                          udp
US       1.1.1.1:53            ssl.google-analytics.com   udp
GB       172.217.16.232:443    ssl.google-analytics.com   tcp
RU       176.100.42.11:3434    -                          tcp
GB       142.250.187.195:443   -                          tcp
GB       142.250.180.14:443    -                          tcp
US       1.1.1.1:53            android.apis.google.com    udp
GB       216.58.201.110:443    android.apis.google.com    tcp
RU       176.100.42.11:3434    -                          tcp   (x4)
GB       142.250.200.36:443    -                          tcp   (x2)
RU       176.100.42.11:3434    -                          tcp   (x4)
GB       142.250.187.238:443   -                          tcp
GB       172.217.169.34:443    -                          tcp
RU       176.100.42.11:3434    -                          tcp   (x10)

Legend: "-" means no domain was recorded for the flow; (xN) collapses N consecutive identical rows (19 connections to 176.100.42.11:3434 in this run).
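Across the three runs the network tables differ only in which Google front-ends answered; the constant is 176.100.42.11:3434. The script below is an added example, not sandbox output: it parses rows in the report's "Country Destination Domain Proto" layout, discards multicast and private destinations, and scores each remaining destination on whether the sandbox tied it to a DNS name, whether the port is one the platform itself uses, and how many times it was contacted. The sample table is a constructed subset of the behavioral2 rows above; the port list and the three scoring reasons are this example's own heuristics.

```python
"""Rank sandbox network rows to surface the likely C2. Added example; the sample
table is a constructed subset of the behavioral2 rows from the report."""
import re
from collections import Counter
from ipaddress import ip_address

# One row of the report's table: country, ip:port, optional domain, proto.
ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)"
                 r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?\s+(?P<proto>tcp|udp)$")

# Ports that platform plumbing uses in a sandbox run (DNS, mDNS, HTTP, HTTPS/QUIC).
INFRA_PORTS = {53, 5353, 80, 443}


def parse_rows(table: str) -> list:
    rows = []
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if m:  # the header line and anything garbled simply do not match
            rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                         "domain": m["domain"], "proto": m["proto"]})
    return rows


def rank_destinations(table: str) -> list:
    """Return destinations sorted from most to least suspicious."""
    rows = parse_rows(table)
    named = {r["ip"] for r in rows if r["domain"]}  # IPs the sandbox tied to a DNS name
    counts = Counter((r["ip"], r["port"], r["proto"]) for r in rows)
    cc = {(r["ip"], r["port"], r["proto"]): r["cc"] for r in rows}
    ranked = []
    for (ip, port, proto), n in counts.items():
        addr = ip_address(ip)
        if addr.is_multicast or addr.is_private or addr.is_loopback:
            continue  # mDNS and emulator plumbing are not C2 candidates
        reasons = []
        if ip not in named:
            reasons.append("no DNS name recorded")
        if port not in INFRA_PORTS:
            reasons.append(f"non-standard port {port}")
        if n >= 3:
            reasons.append(f"contacted {n} times")
        ranked.append({"dest": f"{ip}:{port}", "proto": proto, "country": cc[(ip, port, proto)],
                       "count": n, "score": len(reasons), "reasons": reasons})
    ranked.sort(key=lambda d: (-d["score"], -d["count"], d["dest"]))
    return ranked


def likely_c2(table: str) -> list:
    """Shortlist: destinations with no DNS name and a port outside platform use."""
    return [d["dest"] for d in rank_destinations(table)
            if "no DNS name recorded" in d["reasons"]
            and any(r.startswith("non-standard port") for r in d["reasons"])]


# Constructed subset of the behavioral2 table (same row layout as the report).
SAMPLE_TABLE = """
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
RU 176.100.42.11:3434 tcp
GB 142.250.187.195:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
RU 176.100.42.11:3434 tcp
RU 176.100.42.11:3434 tcp
GB 142.250.200.36:443 tcp
RU 176.100.42.11:3434 tcp
RU 176.100.42.11:3434 tcp
"""

if __name__ == "__main__":
    for d in rank_destinations(SAMPLE_TABLE):
        print(d["score"], d["dest"], d["proto"], d["count"], "; ".join(d["reasons"]))
    print("likely C2:", likely_c2(SAMPLE_TABLE))
```

Unnamed 443 destinations (Google front-ends reached after an earlier lookup the table does not show) score low rather than zero, which is the right place for them: worth a glance, not a block rule. Run the same function over all three tables and the shortlist is identical, which is the consistency check to do before publishing an indicator.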

Files (paths as in the behavioral1 run; /data/data/<pkg> and /data/user/0/<pkg> are the same directory, and each entry is one observed content of the file)

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 758f2306a80b4f1fb18ebb52abf5694d
SHA1 dc006c95d0ccb09c1c6ec9da72ce32ec8299f7fa
SHA256 9067c8538c67eaee28346cec3e222f39ed32bb9e08e7b22d12962516f61a9222
SHA512 fcf5f1c5fae54337ea32c95b544358bb6cc380e02ac37e12331d94c1f483744216dd81e1cd80c63f0fb2f36b3c6361e35e510474f8fd8e55438639e7ba051267

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 df058f1ae6a32a19f50a213fa8774804
SHA1 ee6ee53975b57756fd86bb6bffe83ae8d581e252
SHA256 3a18c67faf537283e187310614d6acef46c4392f7a33520da3419dfb1633b8a2
SHA512 afd9502c7f29e3ce97b4888aabd33d24443dcbf38b87c03a27c634fdce74c700d10b4c5788db4eb27ab2808e4f6fee862ad2f5b50277adde96575a2168b8e3cc

/data/user/0/com.wirigacetoze.yuwazu/app_DynamicOptDex/PKYxWX.json

MD5 625f582689b89479997507f9805e6f4a
SHA1 0f98b131a7ab157d319c4cbc0443cb3726993706
SHA256 7ee6e8208623447487d48a3a0d476826e470718baf81cbac74eef2f4d50499ff
SHA512 3d1d36de17e37d5861d9a83de01b0b3b9509c41b3f1cf1954b404e149a65cc37fd209a458140e7877795c9448d61d050051b615d461bdb53d32a57b6fc322211

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-journal

MD5 d1c21a267d34c9ad17390958e8966ecb
SHA1 4bf51abbf5daf52f87fa975aa6440dbd28712736
SHA256 0735c24de5176c364e5faf937db5f0e53c3004002b68bf1bd06e3a75e0a2ba3a
SHA512 a428475e533cd1e71dca9f8520bf5687f3f09de0c402bd8339a1a04d6ea6cc3b52db1d2292147cb12bdded4e780990093e60124ad2b78f48b1230f667c6588b3

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 003841766de43f3aac895e964ffe645a
SHA1 5f7b51ac6d41034073a6a0268e2a5038390f54b8
SHA256 60fb0fa3e53b342fbf7dc37e8a8bf9c250da6fd11c0e920d4f7662bb5ae48e8e
SHA512 38d4cbb1e07866011119cf625e718b982e6a48ddfcee839d198e91762da0215f8ff5f39826a800dffb5f494337973c25e91a195fc15cbb11cbbd673365916d60

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 a5e43a0c98e9be1eb4da0476678931f0
SHA1 119e65050a4ea23fd1bc38264a09710a5e61d706
SHA256 c0fb1f9d933f0af66527790c5787fcd20ab6b03fd52af84ea57b840215085e67
SHA512 a17306a1342884a2674accfce3253374ed41a335e56477609337936374259f979bc375569a20cb38303d1c2805edcf0704869e0b6fb07d632490f916a9802ce7

/data/data/com.wirigacetoze.yuwazu/no_backup/androidx.work.workdb-wal

MD5 21e31dc66b3dde4b559c09200690ffa0
SHA1 6f4845a1d37ee1f59442db73e3a4ab05a1ebbb2c
SHA256 cbd2cebc61c6d759ddf8bc53b5ab254f0e3f08a7c17a9809f3fac4c9a43fec8a
SHA512 a03f31221b47d65fdcf3b51c26f626e89b3e47b54c19888fed674eb3dac93d469477b84eee8e9fdff90993358cb62320f224d1bc3f72031778c728c06065a242

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/PKYxWX.json.cur.prof

MD5 d821bd5a137f490369e699aef99f1610
SHA1 8cb272b5f8af329be8735266737c1ab64822837e
SHA256 3f12eec2424528e5967834709b20b68923d93ee17e47166ca65faa5378878441
SHA512 d4ed922eb463ad95a1b5b0fc3acefbbba4f1d6e61df4599d708db4d2fcb9a8b4053999fa49152ffce68d41fef461719a1990f0443bcee964a1dfc95076440f4d

/data/data/com.wirigacetoze.yuwazu/app_DynamicOptDex/oat/PKYxWX.json.cur.prof

MD5 ee17efbcd6f3325a3d42ac12c6c3cf40
SHA1 82ec13eadac827ff19fad290bc13759c4aacf77d
SHA256 8b91d52978cf187dd7de671fb6278c3e7d6dbe581abca0972dc51823c5d8b4ee
SHA512 810b6c9020a02a9788949e11c661c4b7bf6351b74c73d21f44538fa3d3977136e777be4d418b33a8f6dad07e351cb8c142601bd86bfcfba4e46f8913cddb470b