Malware Analysis Report

2024-09-09 16:00

Sample ID 240615-aqcekswdlr
Target 3a84ca08bce61750bcbac1d1d899d96da3ab150d1d03982c0ea84f55a2c819d2.bin
SHA256 3a84ca08bce61750bcbac1d1d899d96da3ab150d1d03982c0ea84f55a2c819d2
Tags: collection credential_access evasion
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

3a84ca08bce61750bcbac1d1d899d96da3ab150d1d03982c0ea84f55a2c819d2

Threat Level: Shows suspicious behavior

The file 3a84ca08bce61750bcbac1d1d899d96da3ab150d1d03982c0ea84f55a2c819d2.bin shows suspicious behavior (score 7/10): it is an Android package (org.zzzz.aaa) that registers an accessibility service and requests SMS, call, contact and account permissions, and at runtime it uses the accessibility API to read the on-screen UI tree.

Malicious Activity Summary

collection credential_access evasion

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 00:24

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
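The two static signatures above (a service guarded by BIND_ACCESSIBILITY_SERVICE, and a set of dangerous runtime permissions) are cheap to reproduce from a decoded manifest. The script below is an added example, not part of the sandbox's own signature engine: it parses an AndroidManifest.xml (for instance the one `apktool d sample.apk` writes), lists the requested permissions that fall in Android's "dangerous" protection level, finds services that demand a system-only bind permission, and flags the accessibility-plus-SMS combination that the report's collection/credential_access tags point at. The embedded manifest is a constructed sample for the package name in the report, not the manifest extracted from this APK, and the permission sets are an assumed analyst shortlist rather than the complete Android list.

```python
"""Static triage of an AndroidManifest.xml for the two static1 findings:
dangerous runtime permissions and services that demand a system-only bind
permission such as BIND_ACCESSIBILITY_SERVICE.

Added example: the embedded manifest is constructed, not taken from the
analysed sample, and the permission shortlists are an analyst's assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# The eight permissions the report lists plus a few more from Android's
# protection-level "dangerous" set that bankers and stalkerware usually request.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Bind permissions only the system holds. A <service> guarded by one of these is
# not protecting itself from other apps; it is registering as a privileged
# framework component (accessibility service, device admin, notification listener).
SYSTEM_BIND_PERMISSIONS = {
    A11Y_BIND,
    "android.permission.BIND_DEVICE_ADMIN",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

# Constructed sample manifest (illustrative only).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="org.zzzz.aaa">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="app">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService" android:exported="false"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the static findings for one manifest as a dict."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    dangerous = sorted(requested & DANGEROUS_PERMISSIONS)

    bound = []
    for svc in root.iter("service"):
        perm = svc.get(PERMISSION)
        if perm not in SYSTEM_BIND_PERMISSIONS:
            continue
        # An accessibility service is only picked up by the framework if it
        # also advertises the AccessibilityService intent action.
        registered = True
        if perm == A11Y_BIND:
            actions = {a.get(NAME) for a in svc.iter("action")}
            registered = A11Y_ACTION in actions
        bound.append({"service": svc.get(NAME), "permission": perm,
                      "registered": registered})

    # UI scraping via accessibility next to SMS access (OTP interception) is
    # the pairing behind the report's collection / credential_access tags.
    has_a11y = any(b["permission"] == A11Y_BIND for b in bound)
    has_sms = bool(requested & {"android.permission.READ_SMS",
                                "android.permission.RECEIVE_SMS"})
    return {
        "package": root.get("package"),
        "dangerous_permissions": dangerous,
        "system_bind_services": bound,
        "accessibility_plus_sms": has_a11y and has_sms,
    }


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage_manifest(text), indent=2))
```

Run it with no arguments to see the findings for the constructed manifest, or pass the path of a decoded AndroidManifest.xml. The `registered` flag matters in practice: a service that carries BIND_ACCESSIBILITY_SERVICE but no matching intent action never gets bound, so it should not by itself drive a verdict.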

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 00:24

Reported

2024-06-15 00:27

Platform

android-x86-arm-20240611.1-en

Max time kernel

136s

Max time network

140s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access

The indicators below are the binder calls on android.accessibilityservice.IAccessibilityServiceConnection that the framework issues when an accessibility service walks the view hierarchy of the foreground window, for example through AccessibilityNodeInfo.findAccessibilityNodeInfosByText(). Seeing them from org.zzzz.aaa means the app's own accessibility service is active and searching the on-screen UI tree by text and by node id, which is the behaviour behind the collection and credential_access tags.

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
GB | 142.250.178.10:443 | - | tcp
N/A | 224.0.0.251:5353 | - | udp
RU | 109.120.134.161:8080 | - | tcp
GB | 216.58.212.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp

Files

Every file written during this run is an ART profiling artifact: primary.prof under /data/misc/profiles is the runtime's method profile, and the two markers under files/ are written by the androidx ProfileInstaller library. Nothing else was written to disk in the 136 s window.

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 350c811c04f8a17d65d24ff8dc9ddab6
SHA1 68b473c16db5d0976ed2f9db106abb3edb3bd254
SHA256 c1fdbaf61209609b6b5d1ac43d9a02512747c5632f2fb773915b920d60c9d131
SHA512 34a844abdd348387454dca002b46951400ce83872ad242cf659e34546ed63e106ffebee318f39a572f7b9208fced8bbf6eb46985ba769d6699b54bc8d747ef17

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e3e92561168cacc91135a1fae20ff219
SHA1 5e7fe6604a9e548cf39595148c570fc2bdaf0726
SHA256 8ea714b5a9ed2a019d84e03417ff17ba340881b84d6467b0437924e37d712338
SHA512 737cecc94d1cfbc3a3d205dc64fd2d4bafe875be97c73f58a9974d6e5f7ac91ff35916cf54a0d859e5fac37572fc5eb376c9a6a0680289d5317952a082c7df69

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 931eda86af5ee95a365bcc39e1be658f
SHA1 1fd074781faf126601ba4a76a373d508092b6577
SHA256 d30c3278f4277cabeff3bca98e3c37c468193af6a9a95d91de880047eefd971e
SHA512 ee4a9506351d243be6135e7af9b76a4885e4f3f1008c0e0defa535d6b79462e619910f1533c0d4bdb8fd753e3ba0ba5609af0539cdfeb55d91dd310eb89c876c

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 e876d9288f963e005535e6808698dc09
SHA1 9bf9a251ab53acbd5143bf33bc39e9964bd162d3
SHA256 4379e51b01572c3a2e4091ed5e29acac06355226514dfea85a259b7d4cbd9693
SHA512 ced8befe9bfddcd51e2610de9ff32924aeffff3c71d74b0b18868ad282ef8b403ab109795e74362788f549783e9741f19b9c4c99b008062fd2470d3a072ace2d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 00:24

Reported

2024-06-15 00:27

Platform

android-x64-20240611.1-en

Max time kernel

136s

Max time network

154s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
RU | 109.120.134.161:8080 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.234:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
GB | 172.217.169.46:443 | - | tcp
GB | 142.250.178.4:443 | - | tcp
GB | 142.250.178.4:443 | - | tcp
GB | 172.217.16.226:443 | - | tcp
GB | 142.250.178.14:443 | - | tcp

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 350c811c04f8a17d65d24ff8dc9ddab6
SHA1 68b473c16db5d0976ed2f9db106abb3edb3bd254
SHA256 c1fdbaf61209609b6b5d1ac43d9a02512747c5632f2fb773915b920d60c9d131
SHA512 34a844abdd348387454dca002b46951400ce83872ad242cf659e34546ed63e106ffebee318f39a572f7b9208fced8bbf6eb46985ba769d6699b54bc8d747ef17

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3b9efe99bd6f7bd0f1bc95a2c35ac10e
SHA1 42064411c64030fd96d04a560025d3aa11e6f59e
SHA256 b6b72d27d28015de4c5fa50e75866e303f05df790910203cd5df8cbefce23610
SHA512 7f19abd60e98c7a48e08a9db0e643db3b56e9913e1f23091527201dad461ebffde7f38bebd7e166f3489da8ff056bc4ee9bdc33c5e58ad0f3d027707fefb0ceb

/data/data/org.zzzz.aaa/files/profileInstalled

MD5 6aff557a82a347ab35160afad246cba4
SHA1 5a1e4e83915f30b24c10f74f0ecb20e2ed3dd10d
SHA256 f522eb72000da8e7b02b87f1352692ef7552c78e1693dd4adaf0b65fd343f1ab
SHA512 ce604c1847fa380ed443b0c4e1341dba8a9eda2da06755002a3fd22a6361ca96f41e3bc1c076203ef3a28b44d6855917f54631b740ac696d85c1816b7b02b3f5

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 c4f01481ff6245ec3661ac2bf22134fe
SHA1 4a68618a41cf05924be8f0c4f2b1ee9b6562bca2
SHA256 6238ddb4262463d1e200808061446fdb4aa96c3f1032203791e9d96d18186d8b
SHA512 9b74df34a6f410a56009a3417eceb16c26de8cefec8dc33965c14a5c6d731bd3f1f56c7c48023fced03c3cd9635cd0fadaf178e265a914af36561de0f810881a

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 00:24

Reported

2024-06-15 00:27

Platform

android-x64-arm64-20240611.1-en

Max time kernel

136s

Max time network

132s

Command Line

org.zzzz.aaa

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Processes

org.zzzz.aaa

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.178.10:443 | - | tcp
GB | 142.250.178.10:443 | - | tcp
RU | 109.120.134.161:8080 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 172.217.16.238:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 216.58.201.100:443 | - | tcp
GB | 216.58.201.100:443 | - | tcp
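The Network tables of all three behavioral runs are dominated by emulator noise (mDNS, the sandbox resolver, Google API and analytics endpoints). The script below is an added example, not part of the report or the sandbox, that merges the rows transcribed from the three tables, labels each destination by how easily the table itself explains it, and ranks by how many runs contacted it. The platform-domain suffix list and the category rules are an assumed analyst heuristic. It does not declare anything a C2 server; it only orders what to look at first, and the unresolved TLS endpoints still need a check against Google's published IP ranges before they can be dismissed.

```python
"""Prioritise destinations across the three behavioral runs' Network tables.

Added example, not part of the report. Rows are transcribed from the three
tables; domain is "" where the table shows none. The suffix list and the
category rules are an analyst's assumption, not sandbox output.
"""
from collections import defaultdict
from ipaddress import ip_address

RUNS = {
    "behavioral1": [
        ("GB", "142.250.178.10:443", "", "tcp"),
        ("N/A", "224.0.0.251:5353", "", "udp"),
        ("RU", "109.120.134.161:8080", "", "tcp"),
        ("GB", "216.58.212.238:443", "", "tcp"),
        ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
        ("GB", "142.250.200.46:443", "android.apis.google.com", "tcp"),
    ],
    "behavioral2": [
        ("N/A", "224.0.0.251:5353", "", "udp"),
        ("RU", "109.120.134.161:8080", "", "tcp"),
        ("US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
        ("GB", "142.250.200.8:443", "ssl.google-analytics.com", "tcp"),
        ("GB", "172.217.16.234:443", "", "tcp"),
        ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
        ("GB", "216.58.204.78:443", "android.apis.google.com", "tcp"),
        ("GB", "172.217.169.46:443", "", "tcp"),
        ("GB", "142.250.178.4:443", "", "tcp"),
        ("GB", "142.250.178.4:443", "", "tcp"),
        ("GB", "172.217.16.226:443", "", "tcp"),
        ("GB", "142.250.178.14:443", "", "tcp"),
    ],
    "behavioral3": [
        ("N/A", "224.0.0.251:5353", "", "udp"),
        ("GB", "142.250.178.10:443", "", "tcp"),
        ("GB", "142.250.178.10:443", "", "tcp"),
        ("RU", "109.120.134.161:8080", "", "tcp"),
        ("US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
        ("GB", "142.250.200.40:443", "ssl.google-analytics.com", "tcp"),
        ("GB", "172.217.16.238:443", "", "tcp"),
        ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
        ("GB", "142.250.187.206:443", "android.apis.google.com", "tcp"),
        ("GB", "216.58.201.100:443", "", "tcp"),
        ("GB", "216.58.201.100:443", "", "tcp"),
    ],
}

# Domains an Android emulator contacts on its own (assumed list).
PLATFORM_SUFFIXES = (".google.com", ".google-analytics.com")

# Lower number = look at it first.
PRIORITY = {"review": 0, "unresolved": 1, "noise": 2}


def classify(country, dest, domain, proto):
    """Label one table row. Returns (category, reason)."""
    host, port = dest.rsplit(":", 1)
    port = int(port)
    if ip_address(host).is_multicast:
        return "noise", "multicast (mDNS on 5353)"
    if port == 53:
        return "noise", "DNS to the sandbox resolver"
    if domain.endswith(PLATFORM_SUFFIXES):
        return "noise", "resolved to a platform domain (%s)" % domain
    if port not in (80, 443):
        return "review", "unresolved host on non-web port %d (%s)" % (port, country)
    # TLS to an IP the table never resolves: pinned C2 or more platform
    # traffic; needs an IP-range lookup before it is dismissed.
    return "unresolved", "TLS to unresolved IP (%s)" % country


def rank_destinations(runs):
    """Merge all runs; sort by category, then by how many runs hit the destination."""
    hits = defaultdict(set)
    labels = {}
    for run, rows in runs.items():
        for row in rows:
            dest = row[1]
            hits[dest].add(run)
            labels[dest] = classify(*row)
    ranked = [{"dest": d, "category": c, "reason": r, "runs": len(hits[d])}
              for d, (c, r) in labels.items()]
    ranked.sort(key=lambda x: (PRIORITY[x["category"]], -x["runs"], x["dest"]))
    return ranked


if __name__ == "__main__":
    for item in rank_destinations(RUNS):
        print("%-10s %d/3  %-22s %s" % (item["category"], item["runs"],
                                         item["dest"], item["reason"]))
```

On the report's data the only "review" entry is 109.120.134.161:8080: an unresolved host on a non-web port, contacted in all three runs, with no domain in any table. Consistency across runs is the useful signal here; a destination that only one run touches is more likely to be platform noise or a transient CDN edge.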

Files

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 350c811c04f8a17d65d24ff8dc9ddab6
SHA1 68b473c16db5d0976ed2f9db106abb3edb3bd254
SHA256 c1fdbaf61209609b6b5d1ac43d9a02512747c5632f2fb773915b920d60c9d131
SHA512 34a844abdd348387454dca002b46951400ce83872ad242cf659e34546ed63e106ffebee318f39a572f7b9208fced8bbf6eb46985ba769d6699b54bc8d747ef17

/data/data/org.zzzz.aaa/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 36cc73d77475820cc86004bf6667f2b3
SHA1 afbb93e3c57bce78485c6a2479b7c9829fbb2a5b
SHA256 60ff3745cc5c9d4ce4c699607bbc559b9ee4ec4c796cd9bfd71e938234d91174
SHA512 c69121b2da253d232babed6727cb52a34fa62c75c8cc74ac7b7549fd40f4909b96645c60c129fc13fd971d6687b9785ae5305bec2dd667f7e2ee770ac4630a84

/data/misc/profiles/cur/0/org.zzzz.aaa/primary.prof

MD5 7bbf7901e3f06431bc44d34c73c1d26b
SHA1 d2fdfab95204c888b88658b3d55c38461fe7ddf0
SHA256 a3e7309edaf6bed981fb8015f5d7bfe0c5ef6c5ac51619872ffea30f5f56e2f4
SHA512 2aaca9a1e2569bb2898c9eac1f2a6e15fea00e235c7420525f0700d3fc5d687a051d70cd9ab8ceb6ee467d9e733c05153d165617face849915ddd4a9d9737ef3