Malware Analysis Report

2024-09-09 16:16

Sample ID  240612-wr6kpsvbke
Target     106a1c053ec9b02d0669a9f8ea2a8b73114e6bc5ff4a7ba11c3b6dabee573cd7.bin
SHA256     106a1c053ec9b02d0669a9f8ea2a8b73114e6bc5ff4a7ba11c3b6dabee573cd7
Tags       collection credential_access evasion
Score      7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score   7/10

SHA256  106a1c053ec9b02d0669a9f8ea2a8b73114e6bc5ff4a7ba11c3b6dabee573cd7

Threat Level: Shows suspicious behavior

The file 106a1c053ec9b02d0669a9f8ea2a8b73114e6bc5ff4a7ba11c3b6dabee573cd7.bin was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access evasion

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported  2024-06-12 18:10

Signatures

Declares services with permission to bind to the system

Indicator    android.permission.BIND_ACCESSIBILITY_SERVICE
Description  Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Process      N/A
Target       N/A

Requests dangerous framework permissions

Indicator (Process and Target are N/A for every row)  Description
android.permission.READ_PHONE_STATE     Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_SMS             Allows an application to read SMS messages.
android.permission.RECEIVE_SMS          Allows an application to receive SMS messages.
android.permission.CALL_PHONE           Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_PHONE_NUMBERS   Allows read access to the device's phone number(s).
android.permission.READ_CALL_LOG        Allows an application to read the user's call log.
android.permission.READ_CONTACTS        Allows an application to read the user's contacts data.
android.permission.GET_ACCOUNTS         Allows access to the list of accounts in the Accounts Service.

Analysis: behavioral3

Detonation Overview

Submitted         2024-06-12 18:10
Reported          2024-06-12 18:13
Platform          android-x64-arm64-20240611.1-en
Max time kernel   152s
Max time network  133s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access

Description             Indicator                                                                                             Process  Target
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  N/A      N/A
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText            N/A      N/A

Processes

org.zzzz.aaa

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
SE       5.42.74.70:8080       -                         tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       142.250.187.200:443   ssl.google-analytics.com  tcp
GB       142.250.187.206:443   -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       216.58.212.238:443    android.apis.google.com   tcp
GB       216.58.201.100:443    -                         tcp
GB       216.58.201.100:443    -                         tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral1

Detonation Overview

Submitted         2024-06-12 18:10
Reported          2024-06-12 18:13
Platform          android-x86-arm-20240611.1-en
Max time kernel   153s
Max time network  136s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access

Description             Indicator                                                                                             Process  Target
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  N/A      N/A
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText            N/A      N/A

Processes

org.zzzz.aaa

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
SE       5.42.74.70:8080       -                         tcp
GB       216.58.212.238:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.187.206:443   android.apis.google.com   tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral2

Detonation Overview

Submitted         2024-06-12 18:10
Reported          2024-06-12 18:13
Platform          android-x64-20240611.1-en
Max time kernel   153s
Max time network  160s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access

Description             Indicator                                                                                             Process  Target
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  N/A      N/A
Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText            N/A      N/A

Processes

org.zzzz.aaa

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.204.72:443     ssl.google-analytics.com  tcp
SE       5.42.74.70:8080       -                         tcp
GB       172.217.16.234:443    -                         tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.179.238:443   android.apis.google.com   tcp
GB       142.250.179.228:443   -                         tcp
GB       142.250.179.228:443   -                         tcp
GB       216.58.204.78:443     -                         tcp
GB       142.250.178.14:443    -                         tcp
GB       142.250.187.226:443   -                         tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
