Malware Analysis Report

2024-09-09 16:38

Sample ID 240612-xszn8aweph
Target 974033aa204a786efb5c3ad11ab7a18b8de6e86fc68dd9b2afbf2c40198ec0ab.bin
SHA256 974033aa204a786efb5c3ad11ab7a18b8de6e86fc68dd9b2afbf2c40198ec0ab
Tags
collection credential_access evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

974033aa204a786efb5c3ad11ab7a18b8de6e86fc68dd9b2afbf2c40198ec0ab

Threat Level: Shows suspicious behavior

The file 974033aa204a786efb5c3ad11ab7a18b8de6e86fc68dd9b2afbf2c40198ec0ab.bin shows suspicious behavior. Statically it declares a service protected by android.permission.BIND_ACCESSIBILITY_SERVICE and requests SMS, call-log, contacts and telephony permissions. In each of the three behavioral detonations the running app (org.zzzz.aaa) queries the accessibility framework for UI nodes and connects to 46.226.160.19:8080 (RU) by direct IP with no associated domain; this is the only non-Google destination observed and the indicator to pivot on. The files written are ART runtime profile artifacts (primary.prof and the androidx profileinstaller marker files), not dropped payloads.

Malicious Activity Summary

collection credential_access evasion

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-12 19:07

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
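The two static signatures above are a manifest check. The script below reproduces them over a decoded AndroidManifest.xml: it lists the runtime ("dangerous") permissions requested, finds every <service> protected by a system-only bind permission, and flags the accessibility-plus-SMS combination that matters for credential theft. This is an added example, not sandbox code. SAMPLE_MANIFEST is constructed to declare the same permissions the static1 analysis lists plus an accessibility service; the service class name .A11yService is a placeholder.

```python
"""Static triage of a decoded AndroidManifest.xml (e.g. from apktool).

Added example; it is not part of the sandbox report. SAMPLE_MANIFEST is
constructed to mirror the static1 signatures; .A11yService is a placeholder.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions that commonly co-occur in Android
# bankers and stealers, with why each one matters to a triage analyst.
DANGEROUS = {
    "android.permission.READ_PHONE_STATE": "device and network state",
    "android.permission.READ_SMS": "read SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.CALL_PHONE": "place calls without the dialer UI",
    "android.permission.READ_PHONE_NUMBERS": "read the device phone number(s)",
    "android.permission.READ_CALL_LOG": "read the call log",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.GET_ACCOUNTS": "enumerate accounts on the device",
}

# Signature-level permissions only the system can hold. A <service> that
# requires one binds itself to a privileged framework API; with
# BIND_ACCESSIBILITY_SERVICE it can read and act on any app's UI.
SYSTEM_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
    "android.permission.BIND_DEVICE_ADMIN",
}

# Constructed manifest: same permissions as static1 plus an a11y service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.zzzz.aaa">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="app">
        <service android:name=".A11yService"
                 android:exported="true"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the static findings a sandbox would raise for this manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    dangerous = sorted(p for p in requested if p in DANGEROUS)

    # Services guarded by a system-only permission (the "bind to system" signature).
    bind_services = []
    for svc in root.iter("service"):
        perm = svc.get(A + "permission")
        if perm in SYSTEM_BIND:
            bind_services.append((svc.get(A + "name"), perm))

    findings = []
    if bind_services:
        findings.append("Declares services with permission to bind to the system")
    if dangerous:
        findings.append("Requests dangerous framework permissions")
    # UI access plus SMS access is the overlay / OTP-theft combination.
    has_a11y = any(p == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                   for _, p in bind_services)
    sms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    if has_a11y and requested & sms:
        findings.append("Accessibility service combined with SMS access")

    return {"package": root.get("package"), "dangerous": dangerous,
            "bind_services": bind_services, "findings": findings}


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for f in report["findings"]:
        print("*", f)
    for p in report["dangerous"]:
        print("   ", p, ":", DANGEROUS[p])
```

Run it against the manifest apktool extracts from the APK instead of SAMPLE_MANIFEST to get the same three findings; INTERNET is deliberately not in DANGEROUS because it is a normal-level permission almost every app holds.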

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 19:07

Reported

2024-06-12 19:10

Platform

android-x86-arm-20240611.1-en

Max time kernel

131s

Max time network

139s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
GB | 142.250.178.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
RU | 46.226.160.19:8080 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 d63d58965296acfe683bec8b6f478168
SHA1 d18feddd10f7837e3b6d1a0540f8db96f8116592
SHA256 54d463f55a7a8e836c33c84f4c807877dae3de2e803fcaab8ae00914e2e05ed6
SHA512 e35e93b186cb215e9b735422197e8905d9d44eb26b71fc2dd7f2de3517e354e4c364762105e179eff30f89c1ccfe58bd6a2f5760864583b9aeb656f4a6022747

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 c7e60af582ec9361c24aa2dae27cb845
SHA1 cfd3168218c38e0d503d9ba17323a8469633f90e
SHA256 24a432be912ea1d85eaef7d863ef96dd9ea62e3d0334ce748941051ffdcc0928
SHA512 0b9ac994e9c019c9b009d78545b89c7a13cd2567da91c3eeeacb41b771371e08ea245b569b46e5d3d3088c6290e3c89ee1b30c6ee93ee6b00e60d22f3959b6cc

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 69ceac646fd96983e3d4b424340e18ed
SHA1 607fcc28ea12719722684fe289881145e2568641
SHA256 c8dd0c3af4fcee5b2e584a1d66dc2662571e54cefd213b864e32257415b0a8e6
SHA512 35edf322b98bfef7f1c93d4728598af7158af90b267d177df8ec9f04df4697922359b7b9bf1218da7b8b24a730c8389764b41945f20724d499a66ee9f67ff0d3

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 90c979cd94ad7666982ee7cffad3ee29
SHA1 d289836f825f8b03be9fba03236bd342e774a70c
SHA256 c7d1979c869d712462751812680678e5cc467d7ea3e54852a817cdf29e8d13c2
SHA512 4fcc81da4625830fd5275dbb1f32fb135e01c06926b7fec7d91c1cf4eb48385f3a0136aa414708560f5ccac9576cd64e4f27e03dcb9e12b28e14844d8614a5f6

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 19:07

Reported

2024-06-12 19:10

Platform

android-x64-20240611.1-en

Max time kernel

132s

Max time network

151s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
RU | 46.226.160.19:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 172.217.169.68:443 | | tcp
GB | 172.217.169.68:443 | | tcp
GB | 142.250.200.46:443 | | tcp
GB | 216.58.212.238:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 d63d58965296acfe683bec8b6f478168
SHA1 d18feddd10f7837e3b6d1a0540f8db96f8116592
SHA256 54d463f55a7a8e836c33c84f4c807877dae3de2e803fcaab8ae00914e2e05ed6
SHA512 e35e93b186cb215e9b735422197e8905d9d44eb26b71fc2dd7f2de3517e354e4c364762105e179eff30f89c1ccfe58bd6a2f5760864583b9aeb656f4a6022747

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 2351f5120256d2164297b013b5cfe940
SHA1 1d7c2db29c74fb1d71cc4747c5b5c12200b49cc6
SHA256 ca948611fabee202951faa49e5a90864882d678b218844f4aa71ef2dfe108b26
SHA512 311d3cddd38529a35e001153d6d1bc9dc7d7eb2820b3f599e3e0dedcfd9f7f1edc9dc95f748d94777abac9bb68a351d691fd86e8122645ab6cfdef8ace5c71e5

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 4a4abab57a9acf6297bb28df45ee36f4
SHA1 f5f4425ed10d601c012f9e29f4096754c0c3e627
SHA256 4e99928c67fd58519eabe0fc5e71ca2aa4f4adfd3a5c2254ebcacd4292103a39
SHA512 6a56b498a304cdc410019019ceeb663a11709803f9b5292646ffa7aebb02e58f3b817c241ef3c86bdb11da5f4c308e1d4db248507ca5cc34efd1189247218503

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 084e0edace3b6933fd5b706723b90e19
SHA1 113c0b66859ca8275f206a9eeec5e22fd18ae624
SHA256 5f64365268507aa0ba14e96395f4ce225421181277f9311fa9c825890f1bb18a
SHA512 dab2dd0d5dd481b51695c7ce3000c85e2411029fe46f9c55174a04701d86735e8b76ab84a638d4f87ebb8ac4aead7fcb47539031f06358b20304d19f8839ef37

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-12 19:07

Reported

2024-06-12 19:10

Platform

android-x64-arm64-20240611.1-en

Max time kernel

131s

Max time network

132s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
RU | 46.226.160.19:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.4:443 | | tcp
GB | 142.250.178.4:443 | | tcp
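The three Network tables (behavioral1, behavioral2 and behavioral3) are noisy with Google endpoints that change from run to run. The script below is an added example, not sandbox code, that triages them the way an analyst would: it parses each table, keeps only TCP endpoints the sandbox could not tie to a domain, drops multicast and private addresses, and ranks what is left by how many runs it appears in and whether it uses a non-web port. RUNS holds the rows copied from this report; the ranking heuristic is this example's own.

```python
"""Cross-run network triage over the three behavioral detonations.

Added example, not part of the sandbox report. RUNS is copied from the
report's Network tables (Country Destination Domain Proto; Domain is
absent where the sandbox recorded none). The ranking heuristic is ours.
"""
import ipaddress

RUNS = {
    "behavioral1": """
GB 142.250.178.10:443 tcp
N/A 224.0.0.251:5353 udp
RU 46.226.160.19:8080 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
RU 46.226.160.19:8080 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 172.217.169.68:443 tcp
GB 172.217.169.68:443 tcp
GB 142.250.200.46:443 tcp
GB 216.58.212.238:443 tcp
GB 142.250.200.2:443 tcp
""",
    "behavioral3": """
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
RU 46.226.160.19:8080 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp
""",
}

WEB_PORTS = {80, 443}


def parse_rows(table):
    """Parse one sandbox Network table; the Domain column may be missing."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError("unexpected row: %r" % line)
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def direct_ip_tcp(rows):
    """TCP endpoints this run reached without any domain association."""
    resolved = {r["ip"] for r in rows if r["domain"]}
    found = {}
    for r in rows:
        if r["proto"] != "tcp" or r["domain"] or r["ip"] in resolved:
            continue
        addr = ipaddress.ip_address(r["ip"])
        if addr.is_multicast or addr.is_private or addr.is_loopback:
            continue
        found[(r["ip"], r["port"])] = r["country"]
    return found


def rank_candidates(runs):
    """Rank direct-IP TCP endpoints: most runs first, non-web port first."""
    seen = {}
    for table in runs.values():
        for key, country in direct_ip_tcp(parse_rows(table)).items():
            entry = seen.setdefault(key, {"ip": key[0], "port": key[1],
                                          "country": country, "runs_seen": 0})
            entry["runs_seen"] += 1
    cands = list(seen.values())
    for c in cands:
        c["nonstandard_port"] = c["port"] not in WEB_PORTS
        c["in_all_runs"] = c["runs_seen"] == len(runs)
    cands.sort(key=lambda c: (-c["runs_seen"], not c["nonstandard_port"], c["ip"]))
    return cands


if __name__ == "__main__":
    for c in rank_candidates(RUNS):
        flag = "<-- pivot" if c["in_all_runs"] and c["nonstandard_port"] else ""
        print("%-16s %5d %-3s runs=%d %s" % (c["ip"], c["port"], c["country"],
                                             c["runs_seen"], flag))
```

Only one endpoint survives in every run and sits on a non-web port: 46.226.160.19:8080. The Google addresses reached by bare IP are TLS connections the sandbox simply did not pair with a DNS answer, and they rotate between runs, so the run-count filter is what separates the two classes.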

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 d63d58965296acfe683bec8b6f478168
SHA1 d18feddd10f7837e3b6d1a0540f8db96f8116592
SHA256 54d463f55a7a8e836c33c84f4c807877dae3de2e803fcaab8ae00914e2e05ed6
SHA512 e35e93b186cb215e9b735422197e8905d9d44eb26b71fc2dd7f2de3517e354e4c364762105e179eff30f89c1ccfe58bd6a2f5760864583b9aeb656f4a6022747

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 fd3df302d740708dbf39292120dc0b17
SHA1 9b316affff74f3cf30bcb5f654f8d51499c6a7c5
SHA256 82def913b797e55fd2ca48667ac5a77f5b78d2dfd66ad9896901a3c57a77035b
SHA512 267181e625ec2e3775d7ff915f510ad4876d7d83f769718b2b610d4a408f8afa9e67358f8adf006c8fc033ffc33b4f4e04b3c8def5754ddf3e1a52e12131d266

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 a44911d7dc1b927c5cc8848b98aa85c8
SHA1 d32bf18823f1cbb3fd11a099ad7510fbceb76a79
SHA256 33133494199f6d72f523a63119674f43f9c14730d0de47aa4cfbc359ab6c5e31
SHA512 6e8fa9c0cb2a920abecd7eb513451ec6ee8535c1fe82e75cbe4dded40a508165b8bded2caa1cde0990322eaf2aa4b979d9320a9ce7428ce567a242555be97b04