Malware Analysis Report

2024-09-09 12:45

Sample ID 240613-271x2syckk
Target 5e8021a72a74124cf95e5417594d2c813c701a82e1ad92bc7200c0b6e4473ed6.bin
SHA256 5e8021a72a74124cf95e5417594d2c813c701a82e1ad92bc7200c0b6e4473ed6
Tags
collection credential_access evasion
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

5e8021a72a74124cf95e5417594d2c813c701a82e1ad92bc7200c0b6e4473ed6

Threat Level: Shows suspicious behavior

The file 5e8021a72a74124cf95e5417594d2c813c701a82e1ad92bc7200c0b6e4473ed6.bin was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access evasion

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:14

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
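
Both static signatures above come straight from the APK's AndroidManifest.xml and can be reproduced without a sandbox once the manifest has been decoded (for example with apktool). The script below is an added example, not part of this report or its sandbox: it runs over a constructed manifest fragment that mirrors this sample's findings (only the package name org.zzzz.aaa is taken from the report; the service names and the permission subset are hypothetical), checks for services guarded by BIND_ACCESSIBILITY_SERVICE or registered with the accessibility intent action, and intersects the requested permissions with the eight this report flags as dangerous.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The eight permissions this report lists under "Requests dangerous framework permissions".
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
}

# A service guarded by this permission can only be bound by the system; that is the
# "Declares services with permission to bind to the system" finding.
SYSTEM_BIND_PERMISSIONS = {"android.permission.BIND_ACCESSIBILITY_SERVICE"}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed, hypothetical decoded manifest; service names and the permission
# subset are illustrative, only the package name comes from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.zzzz.aaa">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the static findings a sandbox would raise for this manifest."""
    root = ET.fromstring(xml_text)
    requested = {android_attr(e, "name") for e in root.iter("uses-permission")}

    system_bound = []   # (service name, guarding permission)
    accessibility = []  # services registered as accessibility services
    for svc in root.iter("service"):
        name = android_attr(svc, "name")
        perm = android_attr(svc, "permission")
        if perm in SYSTEM_BIND_PERMISSIONS:
            system_bound.append((name, perm))
        actions = {android_attr(a, "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            accessibility.append(name)

    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS_PERMISSIONS),
        "system_bound_services": system_bound,
        "accessibility_services": accessibility,
    }


def accessibility_abuse_risk(findings):
    """Heuristic: an accessibility service combined with SMS/contacts/phone
    permissions is the pairing behind this report's collection and
    credential_access tags."""
    return bool(findings["accessibility_services"]) and bool(findings["dangerous"])


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for key, value in result.items():
        print("%s: %s" % (key, value))
    print("accessibility abuse risk:", accessibility_abuse_risk(result))
```

On a real sample, feed the script the AndroidManifest.xml from the apktool output directory; the same checks apply unchanged, and any service that is system-bound but lacks the accessibility intent action is worth a second look, since the binding permission alone does not tell you which system component the service expects to talk to.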

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:14

Reported

2024-06-13 23:17

Platform

android-x86-arm-20240611.1-en

Max time kernel

163s

Max time network

140s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
RU | 46.226.160.19:8080 | - | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp

Files

All entries in this section are ART runtime profile artifacts: primary.prof under /data/misc/profiles is written by the runtime's profile collection, and the two files under files/ are written by the androidx.profileinstaller library. They appear for any app built with current AndroidX tooling and are not an indicator on their own.

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 30e8f9f0d065da376c5f929b00d66d99
SHA1 30e1cf6db1af33a5179c7c2bd00ee5f3e1176433
SHA256 6f1a126d9dc2045a00e1b20c233ca64d1d86bea7c005f01392d9cd8ad9aa53ce
SHA512 d5c0489bb984bc30ff90fc2455d2cb39b7c202d9f2c615ab2acc8198225b3339e117310f417a5830a363087b63b1c84515a7148ff94b0e5136bd61014ed3ee52

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 da6af4bc2c7ffaa68b56f2bd7cd0c3b8
SHA1 b7e7eab07ba42f766b0cbf42c4b4eed5689bad93
SHA256 09159f695d6fcf9a98db06c8b2bb5721f3653fd0f2da25b1844f5f226098b61d
SHA512 09b7e87d46964818bf1a658193a9265620810e65163622d2dcaa668a40b4769a784015d3db1850a816b5de2bf0e8679f517c7bd290b7efb5bc5baa3344bcc134

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 58daf6de9569fa76e9d07817c9629362
SHA1 edb87de1efba79670095cbb174c2227bb67487be
SHA256 fc0909477ec710a0f75e67ccdc560f448b02bfdfee1863422083a45f18e17cce
SHA512 6a1e87973d025c8df9b24902e0c176fe3dd449d1501bbc7e1a4b553bbaa64281dce3aa7f75591b0b9a69cc5dae55a076dc5cdc75d93eca742831a59968d67593

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 ba386cefe1037aec5539aeed04b25e9a
SHA1 f6b75e3fd088065c2f0c993bde05a646dd8a1b1b
SHA256 dd76c8ded9e96c01a6a8851a7a79399a9fd4580495bc1ec5a1d7cc73eabe65e7
SHA512 cda2ab106bf98f9bda240dd3d2f7e2e3987390d11b276483e6a1cecb9a183ef7c7ef5497fec8d427e7d03c51ba5691d4ebc426fc401e259ae70925a7e7e1f2a6

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:14

Reported

2024-06-13 23:17

Platform

android-x64-20240611.1-en

Max time kernel

163s

Max time network

151s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
RU | 46.226.160.19:8080 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.10:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 172.217.169.68:443 | - | tcp
GB | 172.217.169.68:443 | - | tcp
GB | 142.250.200.46:443 | - | tcp
GB | 216.58.212.238:443 | - | tcp
GB | 142.250.200.2:443 | - | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 30e8f9f0d065da376c5f929b00d66d99
SHA1 30e1cf6db1af33a5179c7c2bd00ee5f3e1176433
SHA256 6f1a126d9dc2045a00e1b20c233ca64d1d86bea7c005f01392d9cd8ad9aa53ce
SHA512 d5c0489bb984bc30ff90fc2455d2cb39b7c202d9f2c615ab2acc8198225b3339e117310f417a5830a363087b63b1c84515a7148ff94b0e5136bd61014ed3ee52

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 d302751aa59572dcda14ebdf3ef2a9c7
SHA1 370becec9575d573b04129dcd80a58a6d532b2d5
SHA256 871ecc80aecda646b2f7790bc15fdefdb50e5cfe745b69318b19e379a5be58d2
SHA512 bbada194f65e41fb4dd9dd670f6c3a70218554a6ee2a1d1284f8669b8455a3f89122a1f0f63fef2f4486c7356d1071d39110811091b84cea3f4b149585f77285

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 a84896b32d56c8a1514ed62c58930aa7
SHA1 561264f35db0ee09f05acc819b9859194487d523
SHA256 bca1f09a73d8a14aeccd0df518f87c1e202ba9f239bfb2b0e493f92e4611f2cc
SHA512 ea37af03edf3c802165257d2855999c24826fe47063fb42bba9d801a2b6718ad9bfcc0b4440d8b7a81ed27da0af9f27a2ccc5ba8f870cc5f662166a1978f3114

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 e4b7b12d877a730f22e9becbcf826333
SHA1 8d379f5766be1ff1c530602869339e48de71837b
SHA256 72729c51dc67be769450eeb615eac165ae6c9e695c53b32765b0552e59acf80b
SHA512 d976bcd5668d10da7e4296e4ac1a2640c9fba93de9b5728ffcb7ccbe24cd77b902ec9e467eff5b76b694e464955494d81fe3bd3bb898cb3747f9ca61f6e60fc1

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 23:14

Reported

2024-06-13 23:17

Platform

android-x64-arm64-20240611.1-en

Max time kernel

165s

Max time network

132s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.10:443 | - | tcp
RU | 46.226.160.19:8080 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
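
Reading the three Network tables (behavioral1, behavioral2 and behavioral3) side by side, the only destination contacted in every run with no resolved name is 46.226.160.19:8080; the unresolved Google addresses change from run to run, as CDN load balancing would produce. The script below is an added example, not part of this report or its sandbox, that encodes that comparison over rows transcribed from the three tables. It assumes the Domain column is filled whenever the sandbox matched a DNS answer to the connection, so an empty column means no lookup for that address was observed. A destination it flags is a pivot for further analysis, not a confirmed command-and-control address.

```python
import ipaddress
from collections import defaultdict

# Rows transcribed from the Network tables of behavioral1..3 in this report:
# (run, country, destination, domain, proto). domain is None where the report
# shows no name next to the destination.
CONNECTIONS = [
    ("behavioral1", "N/A", "224.0.0.251:5353", None, "udp"),
    ("behavioral1", "RU", "46.226.160.19:8080", None, "tcp"),
    ("behavioral1", "GB", "142.250.187.206:443", None, "tcp"),
    ("behavioral1", "US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("behavioral1", "GB", "142.250.179.238:443", "android.apis.google.com", "tcp"),
    ("behavioral2", "N/A", "224.0.0.251:5353", None, "udp"),
    ("behavioral2", "RU", "46.226.160.19:8080", None, "tcp"),
    ("behavioral2", "US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
    ("behavioral2", "GB", "142.250.180.8:443", "ssl.google-analytics.com", "tcp"),
    ("behavioral2", "GB", "142.250.200.10:443", None, "tcp"),
    ("behavioral2", "US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("behavioral2", "GB", "216.58.204.78:443", "android.apis.google.com", "tcp"),
    ("behavioral2", "GB", "172.217.169.68:443", None, "tcp"),
    ("behavioral2", "GB", "172.217.169.68:443", None, "tcp"),
    ("behavioral2", "GB", "142.250.200.46:443", None, "tcp"),
    ("behavioral2", "GB", "216.58.212.238:443", None, "tcp"),
    ("behavioral2", "GB", "142.250.200.2:443", None, "tcp"),
    ("behavioral3", "N/A", "224.0.0.251:5353", None, "udp"),
    ("behavioral3", "GB", "142.250.178.10:443", None, "tcp"),
    ("behavioral3", "RU", "46.226.160.19:8080", None, "tcp"),
    ("behavioral3", "US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
    ("behavioral3", "GB", "172.217.16.238:443", None, "tcp"),
    ("behavioral3", "US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("behavioral3", "GB", "142.250.179.238:443", "android.apis.google.com", "tcp"),
    ("behavioral3", "GB", "216.58.201.100:443", None, "tcp"),
    ("behavioral3", "GB", "216.58.201.100:443", None, "tcp"),
]


def is_infrastructure(destination, proto):
    """Drop mDNS/multicast chatter and the sandbox's DNS resolver traffic."""
    ip, port = destination.rsplit(":", 1)
    if ipaddress.ip_address(ip).is_multicast:
        return True
    return proto == "udp" and port == "53"


def unresolved_destinations(connections):
    """Destinations never seen with a resolved name, with the runs that reached them."""
    runs_by_dest = defaultdict(set)
    resolved = set()
    meta = {}
    for run, country, dest, domain, proto in connections:
        if is_infrastructure(dest, proto):
            continue
        if domain:
            resolved.add(dest)
            continue
        runs_by_dest[dest].add(run)
        meta[dest] = (country, proto)
    return {
        dest: {"runs": sorted(runs), "country": meta[dest][0], "proto": meta[dest][1]}
        for dest, runs in runs_by_dest.items()
        if dest not in resolved
    }


def hardcoded_candidates(connections):
    """Unresolved destinations reached in every detonation. An address that is
    never looked up yet contacted in each run fits an address embedded in the
    sample rather than one handed out by a CDN or load balancer."""
    all_runs = {row[0] for row in connections}
    unresolved = unresolved_destinations(connections)
    return sorted(dest for dest, info in unresolved.items() if set(info["runs"]) == all_runs)


if __name__ == "__main__":
    for dest, info in sorted(unresolved_destinations(CONNECTIONS).items()):
        print("%-22s runs=%d %s %s" % (dest, len(info["runs"]), info["country"], info["proto"]))
    print("stable unresolved destinations:", hardcoded_candidates(CONNECTIONS))
```

The run-count comparison is what separates signal from noise here: every run has several unresolved 142.250.x.x / 172.217.x.x / 216.58.x.x connections, but each of those appears in one run only, while the single non-443 destination recurs in all three.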

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 30e8f9f0d065da376c5f929b00d66d99
SHA1 30e1cf6db1af33a5179c7c2bd00ee5f3e1176433
SHA256 6f1a126d9dc2045a00e1b20c233ca64d1d86bea7c005f01392d9cd8ad9aa53ce
SHA512 d5c0489bb984bc30ff90fc2455d2cb39b7c202d9f2c615ab2acc8198225b3339e117310f417a5830a363087b63b1c84515a7148ff94b0e5136bd61014ed3ee52

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 23d987f506cc8ef98f8ccd84dad40dfe
SHA1 f2851eb92ad8b8ff7f9e4cddbeb7bd70786793ea
SHA256 3ff45d37129b1f18e04dfd9085d48816703dc462d88c0c0a30ff49872cf3a984
SHA512 8c93407a2cd31eac1a0fb5e1af008d28858a04413a7fe2a4dc684d463cb65e4a7d3d031a50af797fa87d19fd21cbe99ba48cab184e4ebca78cd14e95367cec18

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 ebbce72790ffd338e8fc8e7da024ace8
SHA1 2fafdc6eb75f097f2e3706903a6214d0d831fce9
SHA256 5bfc9ed9663217a9779d5ada9ff2410c77b70ad55bf424931b5d9303840a4fa7
SHA512 21816f7f4c95398b9583377f80445fcb4ffcec28633c9cd125f0223d6a46f85737071528741677a16cc6ad8580009135c639df1f12983dbf5d123265d5945a05