Malware Analysis Report

2024-09-09 13:00

Sample ID 240613-21rqssxhpn
Target f732d87a3001a1a8f774b630f639ee90bef7e0d6e79f44033f376b630a5ef493.bin
SHA256 f732d87a3001a1a8f774b630f639ee90bef7e0d6e79f44033f376b630a5ef493
Tags collection credential_access evasion
Score 7/10

Analysis Overview

Score 7/10

SHA256

f732d87a3001a1a8f774b630f639ee90bef7e0d6e79f44033f376b630a5ef493

Threat Level: Shows suspicious behavior

The file f732d87a3001a1a8f774b630f639ee90bef7e0d6e79f44033f376b630a5ef493.bin was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access evasion

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Declares services with permission to bind to the system

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:03

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 23:03

Reported

2024-06-13 23:06

Platform

android-x64-arm64-20240611.1-en

Max time kernel

158s

Max time network

132s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
RU | 77.221.140.154:8080 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 ccf7100c15d31b55e8a304cffd725055
SHA1 0cc70a14bf1dcdc4cf2fad5119cb138f3d78caab
SHA256 ec72bea1fb1da7218ce21af3f1f7759495e5d249c37ae3697ca8e2f80b8ce5c1
SHA512 6263bd3062b711a66abc3d1249af2ae8f128a4e858c7d742ace5437241876110d1c502b0dadbe4aaa0b7e5aac9e89be474d52db88738993b1917362cf2a23073

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 9a2e47210a0b4f48d413209ba20e7a7a
SHA1 363069a3429c3d63947424ae93104b204a1e7ac6
SHA256 07e7e147e050c1f5b3b8df8e3713a8835fc7220be4dd6635a1a07c3bbeb47a00
SHA512 d566e7367434e8359250c93059e215fea561c1b678e7c7dbec0be5d9b5b5b0be252e54807aa8372f2cd8e5a92c98fbe0a91afba73149b4057a9af0410a587f3e

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 e4ca222bddae98279de1ff65cee063b9
SHA1 010b2b620877249572ecbc8799d16d4a35f5f687
SHA256 bed84c2dbee0487c74bffe5921dc0bd6ae735e4173bc69103be5f237a7f22830
SHA512 180ad772d0d3b3838a3a9dc8a690682e872dea833c4cf51831e36632318df76cdc70cb8ed7fdf0b1fd112d6bb27476ebad5386f67aa87d28a0571c4cc1773e31

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:03

Reported

2024-06-13 23:06

Platform

android-x86-arm-20240611.1-en

Max time kernel

159s

Max time network

131s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
GB | 172.217.169.74:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
RU | 77.221.140.154:8080 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 ccf7100c15d31b55e8a304cffd725055
SHA1 0cc70a14bf1dcdc4cf2fad5119cb138f3d78caab
SHA256 ec72bea1fb1da7218ce21af3f1f7759495e5d249c37ae3697ca8e2f80b8ce5c1
SHA512 6263bd3062b711a66abc3d1249af2ae8f128a4e858c7d742ace5437241876110d1c502b0dadbe4aaa0b7e5aac9e89be474d52db88738993b1917362cf2a23073

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 5cdf36eeafa23b5bb051582c710c874a
SHA1 b0d822bab6abc62fb32db5853a9e21868c45a5f1
SHA256 50201966384f2e2e9a61eaea47a6bf828d2b97ef6f486c6daf033d72df459c00
SHA512 a8790a084ad5fb1946da7f1c38a22297ecd2fb1ba8c738f06889028e0231be6cfe3c51ffa70248edb4a258e590fd0e39f831c3f3d0921be7beb19be47e3dcd1e

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 4a095382aa66b0655cfc22a5a12a1752
SHA1 bb93e341e471634b0f8d3795310eacd75a0aa477
SHA256 9bb7de5d53dfe66564fcd1276e6844e111ecc8c6a0f20399aa98cc06477c206a
SHA512 f8566c988985f801592394c53e9f1ab22672b0dded8751a001fef4511aeee7c5bc0308b5bc713708b750ad64763d6620932138a431a8892479b6d348a37a3ee1

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 684dc9ee8d21fee135292bad03a9f94f
SHA1 82523ec4518396c90cf16697391e44deb503dfb0
SHA256 2f03d5989385cddc0a996a2d7084944ff70cc5d69da6b6118132fb5f29758a9c
SHA512 1cb522e6152db3f282c97b6de95223f848b3105026ba5169c81a9a29381bafa94247cc6cb056225c006a5ad2881b8968e1849610713504ea570af946d1b615d4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:03

Reported

2024-06-13 23:06

Platform

android-x64-20240611.1-en

Max time kernel

158s

Max time network

151s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
RU | 77.221.140.154:8080 | | tcp
GB | 172.217.16.234:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.187.226:443 | | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 ccf7100c15d31b55e8a304cffd725055
SHA1 0cc70a14bf1dcdc4cf2fad5119cb138f3d78caab
SHA256 ec72bea1fb1da7218ce21af3f1f7759495e5d249c37ae3697ca8e2f80b8ce5c1
SHA512 6263bd3062b711a66abc3d1249af2ae8f128a4e858c7d742ace5437241876110d1c502b0dadbe4aaa0b7e5aac9e89be474d52db88738993b1917362cf2a23073

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3f0b1814cd2659fec1e732eff5e43f31
SHA1 c50737494cec52ad2b9295b8dcaf0386d5364ba9
SHA256 8c934e2af78f358a1423b3567a1224cd743f1c52df18c13b73853c03d626a879
SHA512 6e769444a210a1591b6ef2d7dc6546df9299affdc4eebf312184d1ad714f99e313609ca769aa5b525be4423019c907869b2466a0fffd39a57ff5a77f0b045284

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 e9385fe36e8fbeb8e3e80b42f950951b
SHA1 eab140dbe5bf0a9d4ea1d3b34257bfb24bfa1bfa
SHA256 434b025a9524c98211bf4af8c45e0e6bf06f37ecf753dd08a282188b76ab3707
SHA512 317bc1e8cac53f0e4ce05553ec3bb6dbc0c1841e4b44b645a38977a687e22049997bf5d60e778c3b0d3b9b2ce4fa1ddd879b98e2464620f53257c73ee088546e

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 d461e4a18a92b166a67f74a00ddaf520
SHA1 b6b26ebcb23574b14f27dc29172d6a2c45c396ae
SHA256 7ffe19e57658c105d84254ced7f1f446228adc6ce47fc8efdb210fc48728540f
SHA512 ee202f6cd41cde3a42bcdf7d7df5eac49752ff46b3e72cdf00cdae04556da03b1b561f872ded223fa250e287e655acff29ccd62cb765b4bce5e0a3cb350fbc03