Malware Analysis Report

2024-09-09 16:33

Sample ID 240612-x7anmsxblc
Target a52e657422b5742850eed02bddbafd1c2e8dba3b1dba2593f13044cdd24d401d.bin
SHA256 a52e657422b5742850eed02bddbafd1c2e8dba3b1dba2593f13044cdd24d401d
Tags: collection credential_access evasion
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: a52e657422b5742850eed02bddbafd1c2e8dba3b1dba2593f13044cdd24d401d

Threat Level: Shows suspicious behavior

The file a52e657422b5742850eed02bddbafd1c2e8dba3b1dba2593f13044cdd24d401d.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

collection credential_access evasion

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Declares services with permission to bind to the system

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-06-12 19:29

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 19:29
Reported: 2024-06-12 19:32
Platform: android-x86-arm-20240611.1-en
Max time kernel: 160s
Max time network: 131s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
RU 5.42.66.38:8080 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 19:29
Reported: 2024-06-12 19:32
Platform: android-x64-20240611.1-en
Max time kernel: 156s
Max time network: 151s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
RU 5.42.66.38:8080 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 216.58.204.78:443 tcp
GB 142.250.178.14:443 tcp
GB 142.250.187.226:443 tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/data/org.zzzz.aaa/files/profileInstalled

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-12 19:29
Reported: 2024-06-12 19:32
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 156s
Max time network: 132s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Processes

org.zzzz.aaa

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
RU 5.42.66.38:8080 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof
