Analysis Overview
SHA256
8f215662c9c337e16b1e831c7c9ce67af756cece227e9fd10076e776a4b1b603
Threat Level: Shows suspicious behavior
The file 8f215662c9c337e16b1e831c7c9ce67af756cece227e9fd10076e776a4b1b603.bin was found to be: Shows suspicious behavior.
Malicious Activity Summary
Makes use of the framework's Accessibility service
Loads dropped Dex/Jar
Obtains sensitive information copied to the device clipboard
Queries the mobile country code (MCC)
Declares services with permission to bind to the system
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks CPU information
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-14 00:51
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 00:51
Reported
2024-06-14 00:55
Platform
android-x64-20240611.1-en
Max time kernel
50s
Max time network
153s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.perl.gqm/[email protected] | N/A | N/A |
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.perl.gqm
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | site.ok-success.com | udp |
| US | 1.1.1.1:53 | down.sinhan-bank.com | udp |
| US | 172.67.134.184:443 | down.sinhan-bank.com | tcp |
| US | 1.1.1.1:53 | ctef503oop.freemall-kr.top | udp |
| US | 104.21.49.242:443 | ctef503oop.freemall-kr.top | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 172.217.169.46:443 | tcp | |
| GB | 172.217.16.226:443 | tcp | |
| GB | 142.250.178.14:443 | tcp | |
| GB | 142.250.178.4:443 | tcp | |
| GB | 142.250.178.4:443 | tcp |
Files
/data/data/com.perl.gqm/app_outdex/libdexprotector.5135.so
| MD5 | 8aba148186257a51ed99d39762886ea4 |
| SHA1 | 8d355231499bca8b0bb9f791ff68a18d084b4943 |
| SHA256 | 13c5c92b9be3a499a0d67577c8c2de0b42d2bbfc89fb62425d8c84ce25012c2a |
| SHA512 | 3424fa627db7b06db8453f5fa7a7fc96639e8258ca3ebd8610c74252e9d6d2841604183a7b2e5498fe59e00f1ddb34f3d7066fc6f20640b5416b6b90b802a9cc |
/data/user/0/com.perl.gqm/[email protected]
| MD5 | 7c80da100acf95df2c9629e515898a6b |
| SHA1 | 28c7d9a00126bc12a0760f9cc6270abea6866d73 |
| SHA256 | ed26ed598d0393b52cb68fd71e26f7eb5fba998f72c1c30eae4622bb0752692f |
| SHA512 | b2eb8340ae3dd3ddbe2a5cf3de6b735a33bb15b51b728f01643fed02375c8962f37fcbd4827fd578cb73678847cc47c45290d763281be5caeded67fa8923c6a2 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-14 00:51
Reported
2024-06-14 00:55
Platform
android-x64-arm64-20240611.1-en
Max time kernel
25s
Max time network
132s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /data/user/0/com.perl.gqm/[email protected] | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.perl.gqm
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.200.10:443 | tcp | |
| GB | 142.250.200.10:443 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | site.ok-success.com | udp |
| US | 1.1.1.1:53 | down.sinhan-bank.com | udp |
| US | 104.21.6.104:443 | down.sinhan-bank.com | tcp |
| US | 1.1.1.1:53 | ctef503oop.freemall-kr.top | udp |
| US | 104.21.49.242:443 | ctef503oop.freemall-kr.top | tcp |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| GB | 142.250.179.228:443 | tcp | |
| GB | 142.250.179.228:443 | tcp |
Files
/system_ext/framework/androidx.window.sidecar.jar
| MD5 | bdf3529e80318eb14e53a5bf3720c10d |
| SHA1 | 25c9ace4b1af6e80ebb2572345972c56505969ba |
| SHA256 | bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b |
| SHA512 | 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b |
/data/user/0/com.perl.gqm/app_outdex/libdexprotector.4440.so
| MD5 | 8aba148186257a51ed99d39762886ea4 |
| SHA1 | 8d355231499bca8b0bb9f791ff68a18d084b4943 |
| SHA256 | 13c5c92b9be3a499a0d67577c8c2de0b42d2bbfc89fb62425d8c84ce25012c2a |
| SHA512 | 3424fa627db7b06db8453f5fa7a7fc96639e8258ca3ebd8610c74252e9d6d2841604183a7b2e5498fe59e00f1ddb34f3d7066fc6f20640b5416b6b90b802a9cc |
/data/user/0/com.perl.gqm/[email protected]
| MD5 | 7c80da100acf95df2c9629e515898a6b |
| SHA1 | 28c7d9a00126bc12a0760f9cc6270abea6866d73 |
| SHA256 | ed26ed598d0393b52cb68fd71e26f7eb5fba998f72c1c30eae4622bb0752692f |
| SHA512 | b2eb8340ae3dd3ddbe2a5cf3de6b735a33bb15b51b728f01643fed02375c8962f37fcbd4827fd578cb73678847cc47c45290d763281be5caeded67fa8923c6a2 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 00:51
Reported
2024-06-14 00:55
Platform
android-x86-arm-20240611.1-en
Max time kernel
24s
Max time network
131s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | Anonymous-DexFile@0xf36fe000-0xf36fe12c | N/A | N/A |
Makes use of the framework's Accessibility service
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.perl.gqm
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | site.ok-success.com | udp |
| US | 1.1.1.1:53 | down.sinhan-bank.com | udp |
| US | 104.21.6.104:443 | down.sinhan-bank.com | tcp |
| US | 1.1.1.1:53 | ctef503oop.freemall-kr.top | udp |
| US | 104.21.49.242:443 | ctef503oop.freemall-kr.top | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.perl.gqm/app_outdex/libdexprotector.4259.so
| MD5 | f23f0980c22b7eb88d9bb6a9056b3cbc |
| SHA1 | 5e8afd5aebfbc0345bc9c1751a4771431377430e |
| SHA256 | f73b58f3545d8f94e8d9436f3747c657f9c0522c9e85ad831dac2b54acfa4ab8 |
| SHA512 | 438a639030dd09ceb3d1c42e5e6a2ab8cc192d1366ef1474b3344e11206d3215b2b0e3888527697da3eb53e5667a7f8aaa98bf881fa20e9613db0785fc4dbca0 |
Anonymous-DexFile@0xf36fe000-0xf36fe12c
| MD5 | 7c80da100acf95df2c9629e515898a6b |
| SHA1 | 28c7d9a00126bc12a0760f9cc6270abea6866d73 |
| SHA256 | ed26ed598d0393b52cb68fd71e26f7eb5fba998f72c1c30eae4622bb0752692f |
| SHA512 | b2eb8340ae3dd3ddbe2a5cf3de6b735a33bb15b51b728f01643fed02375c8962f37fcbd4827fd578cb73678847cc47c45290d763281be5caeded67fa8923c6a2 |