Malware Analysis Report

2024-09-09 13:32

Sample ID 240614-2nh8wssgrm
Target 80f4b2a7dff768ce67ca462260e1157d267aacbd397f90421373458952e06aca.bin
SHA256 80f4b2a7dff768ce67ca462260e1157d267aacbd397f90421373458952e06aca
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

80f4b2a7dff768ce67ca462260e1157d267aacbd397f90421373458952e06aca

Threat Level: Known bad

The file 80f4b2a7dff768ce67ca462260e1157d267aacbd397f90421373458952e06aca.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Hook

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Loads dropped Dex/Jar

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests enabling of the accessibility settings.

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Acquires the wake lock

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-14 22:43

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
--- | --- | --- | ---
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
--- | --- | --- | ---
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
--- | --- | --- | ---
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 22:43

Reported

2024-06-14 22:46

Platform

android-x86-arm-20240611.1-en

Max time kernel

176s

Max time network

182s

Command Line

gafagajags.agakavs.aagajav

Signatures

Hook

rat trojan infostealer hook

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin | N/A | N/A
N/A | /data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin | N/A | N/A
N/A | /data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
--- | --- | --- | ---
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

gafagajags.agakavs.aagajav

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/oat/x86/LgFBxOP5.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 216.58.204.67:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.201.106:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

/data/data/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin

MD5 8ee0a9df9185bb950ea8279c16f209a1
SHA1 3cf04ef77560667068fa85cfc6f65595f83a8de8
SHA256 edf35361402a6a75a442942474c71f5868aa7eaa61f6cefe742792a0dc36ced5
SHA512 14e1de04dec24dbf8aea4166b1fc5aaf6d6b0db2d9a518edf4920e4fc61f30256bca2c5a074fd9d606f0192d445398b5a4e4363d7f1fa0089edfa83efa370dee

/data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin

MD5 d8e7dc9dba1d9bd3a010a8b986b43c0c
SHA1 408fef0b84cd840aa8b0769ed8c450fc749f15b6
SHA256 b42464c3103675fb7aa60654733fb77c0250aa183aadf5f341fb61e568eed099
SHA512 d9162b6a135da96df3c3d29a5d0d353f65d20001ea4ac9ca10326b933e3a0abc5661e1075633fdb50b944daf3d5f3d1cc39f63c1c1d6efe46af66aa6d72389d6

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-journal

MD5 1995cf4124de37daffcf99f6852cc94b
SHA1 30fa55cadc489cebbf93d1423898e4899960555c
SHA256 3d5a2e2b922432a4fb74ff40a8f8573bbeca10160f704c24b9d711e4e8f9c83d
SHA512 98a0bfae5b7a41037cab6b40ed4324e59c7cb1007cfaeda7a9a60b846f7795a077193ed4674887ce4e283e4e1a987b741de703c371317523231d2d8fdeda40cc

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 4b537dab85fc9e707e33453c786d9221
SHA1 c12e8d72bc28d9781d03ab342ba3866aaf0b5eb2
SHA256 2c487f7df385db231a4505b01400a8aa6fa912596ca224e1de947d2c16825d85
SHA512 1e1c6d0adaa75c9a435dee9879dba60262281eca95dd358d90ea2bb6d0306263b0514380641758fb5d7db53f3cdf3245ce4221b3e7f913191b6400ffda1ea800

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 f388729c9bf60688f436cf8820ec56f4
SHA1 d59b6968fc32a544c1827a7f21efad88047c1b4c
SHA256 9c841e0c416379801b7fb3154e11386133c09d8ff6afdd1f31042cb8d61a4f30
SHA512 54908a0460b7c373a309d1b963a937d932b5281bccf2e50a66dc1546aec00a3841f3082ab79bbfb5e3cffe6e5bfff4541c50c548ed453d49cc5b9035d2354494

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 bba56a0b2f32f50307632d43c7fe0fc8
SHA1 ca789a1f2f4d22827147e6ed0daa3be64c7c7dfd
SHA256 ab142f418dc5c70598b4ff6b682a70be453621c93a1b95771856c12b6653d2b4
SHA512 0a1c3daca5909dd663963e9bbc59ed402928382a672b6e696fcd12e80231db41b28c12da8e1ea24ccda175e469ab3d338500911d8c9dae7bce16736776ee4f09

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 22:43

Reported

2024-06-14 22:46

Platform

android-x64-20240611.1-en

Max time kernel

20s

Max time network

181s

Command Line

gafagajags.agakavs.aagajav

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin | N/A | N/A
N/A | /data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

gafagajags.agakavs.aagajav

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 142.250.179.234:443 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.179.226:443 tcp
GB 216.58.204.67:443 tcp
GB 216.58.204.67:443 tcp
GB 142.250.200.46:443 android.apis.google.com tcp
BE 173.194.76.188:5228 tcp
GB 172.217.169.42:443 tcp
GB 172.217.169.42:443 tcp
GB 142.250.179.228:443 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
US 1.1.1.1:53 g.tenor.com udp
GB 142.250.179.234:443 g.tenor.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.36:443 www.google.com tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 mdh-pa.googleapis.com udp
US 1.1.1.1:53 safebrowsing.googleapis.com udp
GB 142.250.187.234:443 safebrowsing.googleapis.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 1.1.1.1:53 growth-pa.googleapis.com udp
GB 172.217.169.74:443 growth-pa.googleapis.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.133.84:443 accounts.google.com tcp
NL 91.92.251.201:3434 91.92.251.201 tcp (191 consecutive identical rows collapsed)
NL 91.92.251.201:3434 tcp (4 consecutive identical rows collapsed)
US 1.1.1.1:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 i.ytimg.com udp
GB 142.250.200.54:443 i.ytimg.com udp
GB 142.250.200.54:443 i.ytimg.com tcp
US 1.1.1.1:53 www.google.com udp
GB 216.58.212.228:443 www.google.com udp
GB 216.58.212.228:443 www.google.com tcp

Files

/data/data/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin

MD5 8ee0a9df9185bb950ea8279c16f209a1
SHA1 3cf04ef77560667068fa85cfc6f65595f83a8de8
SHA256 edf35361402a6a75a442942474c71f5868aa7eaa61f6cefe742792a0dc36ced5
SHA512 14e1de04dec24dbf8aea4166b1fc5aaf6d6b0db2d9a518edf4920e4fc61f30256bca2c5a074fd9d606f0192d445398b5a4e4363d7f1fa0089edfa83efa370dee

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-journal

MD5 08ecea6179556b62851b5ee09cd70eff
SHA1 dca238af8654940337b7329d67b3d859dbc35db6
SHA256 2209d874aaab7410510396a53836d3ed94adeea09bdac4e8e0205e21b0538565
SHA512 d78cdbe456cf13809ad549883b57eed94ef71e1b304efce84c20e5ae392fc85f60bba097ec8904bca3f8ed1f2ed89060a65512c714bc7455e19525d505974e01

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 081ce64740015207fd9cf4254e4b3a75
SHA1 3adbea9ef73693059ddcd3573e11948c102ec45a
SHA256 23e550dd197e9a7a7d862fcf597955a4156df7a48bab2761ecab8df1927557ee
SHA512 2ddbd35139d1e918515d081fdf6860fa2e4e94f0b416d2bf3efbac8ab7cd10235e44ab14825980bb99d2204f2805e7b3c80fe40bbf647ce13be7bf61536a19d1

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 dd3dabc1252c265b4ccee2ae4094fd7e
SHA1 abd9c0fd113f6c1d941dae9971f083f8e4cc5a8a
SHA256 fa978a87458da669cb474ed2fea1a2417c74df3a95cf44e73b38893f5350abfc
SHA512 cb6313a283d187c3d8aea72006aac366941d02b4c6512eaccfbe7565998fd0f1339c58fc681fc7c739be4a5d6bac88b52a0b1b1acb7ab1353c017e94f2823f65

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 988445f378f9afda0a5d09c7d5aa601a
SHA1 8d59cfecda7165124674d28a75514561d928948a
SHA256 fe5d1263ca3e8e757bd149e1c500477877806cf6d6a6c1c07c07324c72bc8fea
SHA512 e4ae82fa3d67e650de33ffcdcb1a7102d45e0e6bfecfb98fabb4da0cb282ef8c3a0eb875369cee1ef6a8bb35109ecad0f2c21a1c85c60332652ec8227b8c9f71

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 22:43

Reported

2024-06-14 22:46

Platform

android-x64-arm64-20240611.1-en

Max time kernel

178s

Max time network

186s

Command Line

gafagajags.agakavs.aagajav

Signatures

Hook

rat trojan infostealer hook

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | /data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin | N/A | N/A
N/A | /data/user/0/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
--- | --- | --- | ---
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
--- | --- | --- | ---
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
--- | --- | --- | ---
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

gafagajags.agakavs.aagajav

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
NL 91.92.251.201:3434 91.92.251.201 tcp
GB 142.250.178.4:443 tcp
GB 142.250.178.4:443 tcp

Files

/data/data/gafagajags.agakavs.aagajav/app_apkprotector_dex/LgFBxOP5.bin

MD5 8ee0a9df9185bb950ea8279c16f209a1
SHA1 3cf04ef77560667068fa85cfc6f65595f83a8de8
SHA256 edf35361402a6a75a442942474c71f5868aa7eaa61f6cefe742792a0dc36ced5
SHA512 14e1de04dec24dbf8aea4166b1fc5aaf6d6b0db2d9a518edf4920e4fc61f30256bca2c5a074fd9d606f0192d445398b5a4e4363d7f1fa0089edfa83efa370dee

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-journal

MD5 adcb6d367f55cdf359f9877c2d3f9d8e
SHA1 1883917a7a99c0d9263da1b311f1edd26cd50ea7
SHA256 cee49a78245e16ddb5db3c79f1985e43e28a392401ccaf7151cdda67e56441bd
SHA512 1f151cf0bea6e6531043835efbb08fd09d45980f0dac390572743a6cb963540bf00d96da5faca90d52f4832afb78d17298a4d0d3421c1a3e817411ac50579ccc

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 0bc06c75f9429d8ed1ad5510c29d0c6b
SHA1 0047e3d5b92a1c070ac55cefaa7d1d99a6b2d8f2
SHA256 5ffa5969eeca1340d8906b3ca15dd778427c046a0cee4859e68b8d2a3d077727
SHA512 465ed504a1cddda15145873919ad42b84b824b88b30554b9d0f9df93aa00b78a8f3843c97f2f4560052ceb5bad6bdf2f7ad69d7426c7f97a0ca6e2bed3021464

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 c22d345e8b56c0916f96b75c2a34e8ee
SHA1 4da963c99b95d3d76fbec73c734d129f851f0943
SHA256 2e2b9dcd151daf3445fc5303df37cad4dcdc7e880977b15bea7c8a200cda6c1b
SHA512 b4f6986cd30f47371c5704e9cf3ca4205541ec94c551a3a26ebb9e13631f34cdd01d5ef8da05438dcb4a88a7338ab788e3f8f32b1b3857e8e2dc4d0aac4149d5

/data/data/gafagajags.agakavs.aagajav/no_backup/androidx.work.workdb-wal

MD5 5df21c41be9eeffa61fe20b3acefebfb
SHA1 738322954863ff8d29267119b1ab63240ec99ea9
SHA256 98e02a4873c79728bcffcf358f152961bd248f07fcdfa5ecd83b68ad7dbe5e05
SHA512 19aa25843eb61ae110c2c71b390ae124570dcb4c05d7379215e070c15c3b0ac547a1606703eef60c9756b21cef0b02355a972da768be83bfbae78e1424f271ee