Malware Analysis Report

2024-07-28 11:58

Sample ID: 240612-tvtn7svfrn
Target: a7399af80f9fc7c1f5dc871bf5276fa2ffef43f0ad3bed0b1c31e23231895f84.bin
SHA256: a7399af80f9fc7c1f5dc871bf5276fa2ffef43f0ad3bed0b1c31e23231895f84
Tags: collection, credential_access, evasion, persistence
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: a7399af80f9fc7c1f5dc871bf5276fa2ffef43f0ad3bed0b1c31e23231895f84

Threat Level: Shows suspicious behavior

The file a7399af80f9fc7c1f5dc871bf5276fa2ffef43f0ad3bed0b1c31e23231895f84.bin was assessed as: Shows suspicious behavior.

Malicious Activity Summary

Tags: collection, credential_access, evasion, persistence

Makes use of the framework's Accessibility service

Acquires the wake lock

Makes use of the framework's foreground persistence service

Requests enabling of the accessibility settings

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 16:23

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 16:23

Reported

2024-06-12 16:26

Platform

android-x64-20240611.1-en

Max time kernel

166s

Max time network

148s

Command Line

com.ru.runner

Signatures

Makes use of the framework's Accessibility service

Tags: collection, evasion, credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.ru.runner

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.179.226:443 | | tcp

Files

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 ced7e74db59a983df5d5bf22b716f99e
SHA1 4c5d13ed949fd7194f5677fd1e6eebd7c7d52fef
SHA256 20c7bb2b045ad36e90fe474ac9dfb6d5a0f0f3e66ed02cc307ad3267ac19166e
SHA512 7376c87a925cfc11ced033a74983237344df6c2df2697bbf9da0ba082b873058c591e16a540f74891439899905bf39a3256de91056d9c32f612a895dcada022e

/data/data/com.ru.runner/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 55c965c3362e655692265a6491c38ddc
SHA1 4a417264d5c62146b876433e55b64b6495423643
SHA256 7e35c1382dc3c106e2c03754c98d12dac90f9a92db4472e36b2d181e3383a47c
SHA512 bddb8ef48fe14b10a527c304fe3c677081c994e7d8bd7eb2238a773eedbfb1c549d9e3749da400f1e4d476399a81bee6507993072bdf00f038f1a3c884145a27

/data/data/com.ru.runner/files/profileInstalled

MD5 b7d4c2cd37c3bd54edd62d8920784671
SHA1 2f69d65578f11efc52550f4721aa7c8df0c706b6
SHA256 f4bc7a5bcd167922616f6f2d41975ca2845d9c4bfb4d7dea025c554f4cd59076
SHA512 1f542bf783e70a247df0d06e0c93da141c4e89709d56096d1b63d9a7bca6c733a14b48312841c8e173aac478e438255d8c1017477e123e73e11a3322908ab777

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 cabb9bf90026c19768a0825c9f30482d
SHA1 f8451b0ae3946f1f2894aa38357be663e78771c6
SHA256 58bac2fea837bc2fcf9f867c1adae6cfea8dc9b0ffdae44e2b7ef7a1b7da0c09
SHA512 aee39cf62c5cf8cf96df56da3b3ac902a7c3eea3527b8f354c2205be67e043ff967f6630dcb8b36369ab270bfddd36e1b4488656b9278738a9a45402992b8fe5

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 16:23

Reported

2024-06-12 16:26

Platform

android-x64-arm64-20240611.1-en

Max time kernel

165s

Max time network

132s

Command Line

com.ru.runner

Signatures

Makes use of the framework's Accessibility service

Tags: collection, evasion, credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Processes

com.ru.runner

Network

Country | Destination | Domain | Proto
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 ced7e74db59a983df5d5bf22b716f99e
SHA1 4c5d13ed949fd7194f5677fd1e6eebd7c7d52fef
SHA256 20c7bb2b045ad36e90fe474ac9dfb6d5a0f0f3e66ed02cc307ad3267ac19166e
SHA512 7376c87a925cfc11ced033a74983237344df6c2df2697bbf9da0ba082b873058c591e16a540f74891439899905bf39a3256de91056d9c32f612a895dcada022e

/data/data/com.ru.runner/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e45c754096caf344d563738b5290aa62
SHA1 a665aa0bcc5ec1c2e3f0c8fb019fc8df26e389c9
SHA256 57a683c99bc9a4825111eeeff893cf73edf50e00ebfeb3d08d26f1f5577247f4
SHA512 f6308d8b602ee84f18a7e92c000c36fd17a3c44141924d794a6d15589133d0fd0bc44f6a210ea4d610a40dc1f692101e2a32c6c33f2604d64156f2751a74a4bd

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 68eac6cfbf3b5908a9fd32319d025707
SHA1 ff3f894e167ab4db128afae1b809b334dc3341bf
SHA256 08e3f4ee8a70ec2a3d5318eda8b2f3ca80399de801cdadc5730df2b59decba44
SHA512 44b291cd96a71f998a628351befb83702f0244d1a74495625d777d90f4a3638c62b15b8d041dd3a22618d1c5ca8e935a1c408307942c4c4e8776fdaa6a86bfaf

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 16:23

Reported

2024-06-12 16:26

Platform

android-x86-arm-20240611.1-en

Max time kernel

166s

Max time network

141s

Command Line

com.ru.runner

Signatures

Makes use of the framework's Accessibility service

Tags: collection, evasion, credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

Tags: evasion, persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.ru.runner

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
JP | 5.104.83.73:4000 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp

Files

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 ced7e74db59a983df5d5bf22b716f99e
SHA1 4c5d13ed949fd7194f5677fd1e6eebd7c7d52fef
SHA256 20c7bb2b045ad36e90fe474ac9dfb6d5a0f0f3e66ed02cc307ad3267ac19166e
SHA512 7376c87a925cfc11ced033a74983237344df6c2df2697bbf9da0ba082b873058c591e16a540f74891439899905bf39a3256de91056d9c32f612a895dcada022e

/data/data/com.ru.runner/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 6be89eefc2ed279c38c4c6aecd09bc72
SHA1 46089dc32dae2cfb53a75e907dc5e4c0725aae7e
SHA256 1c91460143c26937d8c799df7fe3e73093028238113e49322ebd9ddd4758a43f
SHA512 dd8574728f90bd58ac7ef4e52b274c2a04ff520f275d544c7a6c37616103573f6d538e88d3a34d41d5a8f2af34070c5820507fe1e231171db39824f8c4bb68e5

/data/data/com.ru.runner/files/profileInstalled

MD5 26fe70c33d5fd6e3b68dddc031ad779d
SHA1 21ee2d5e0acc993bafaac31f4cfec0b57849ba64
SHA256 61e360f8a9c7be9f57eaacf8ff836d357d1ef2d69ff803953a08cca996199a20
SHA512 099aa2e21495acc57490716c7c006d1376a2cdb8e6f7befb93ef609973d3751ae9bc176bbce1689ab3c09e9d02021518abe859f4b975b76b63807b5652435460

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 359b586caf024bdee486f7a459b4984d
SHA1 7867b32df6065eca0c88084c4aea26f4736fb529
SHA256 b2aec30f4c093ffc2418ae70bc7c82bd0bc098396f241d07b01d0f52f03bbbb4
SHA512 569e350c2be2f5b9c335b68a53794b83088b4ee788e813f4ae1b19c5ff8ae51c8e0acf1dec98c7072bf065166893213eae21156c26bd63cda35cdac8a2c76a7f