Malware Analysis Report

2024-09-09 16:00

Sample ID 240615-ba8zaaxbrl
Target 06b9badf985e9821ce5114988cfcbe93a45fea188176df56dbd6e5621b047e0a.bin
SHA256 06b9badf985e9821ce5114988cfcbe93a45fea188176df56dbd6e5621b047e0a
Tags collection credential_access evasion persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 7/10

SHA256 06b9badf985e9821ce5114988cfcbe93a45fea188176df56dbd6e5621b047e0a

Threat Level: Shows suspicious behavior

The file 06b9badf985e9821ce5114988cfcbe93a45fea188176df56dbd6e5621b047e0a.bin shows suspicious behavior.

Malicious Activity Summary

collection credential_access evasion persistence

Makes use of the framework's Accessibility service

Requests enabling of the accessibility settings.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Makes use of the framework's foreground persistence service

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-15 00:57

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 00:57

Reported

2024-06-15 01:00

Platform

android-x86-arm-20240611.1-en

Max time kernel

139s

Max time network

131s

Command Line

com.ru.runner

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.ru.runner

Network

Country  Destination           Domain                    Proto
GB       172.217.169.74:443                              tcp
N/A      224.0.0.251:5353                                udp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
GB       142.250.187.238:443                             tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.187.206:443   android.apis.google.com   tcp
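The static1 permission table and the behavioral1 network table above are the two parts of this report a responder acts on first. The script below is an added example, not part of the report or of the sandbox that produced it: it re-reads those two tables as data and answers two questions, which destination behaves like a beacon (repeated hits on a bare IP, unexpected port, no DNS name attached) and whether the declared permissions and observed framework calls line up into the overlay plus accessibility-service pattern. Indicator strings and network rows are copied from the report; the port allow-list, the hit threshold and the condition labels are this example's own assumptions.

```python
"""Triage helper for the sandbox report above (added example; not the report's
or the sandbox's own code).  Rows and indicator strings are copied from the
report; EXPECTED_PORTS, min_hits and the condition labels are assumptions."""
from collections import Counter

# behavioral1 network table, copied from the report: (country, destination, domain, proto)
BEHAVIORAL1_NETWORK = [
    ("GB", "172.217.169.74:443", "", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("JP", "5.104.83.73:4000", "", "tcp"),
    ("JP", "5.104.83.73:4000", "", "tcp"),
    ("JP", "5.104.83.73:4000", "", "tcp"),
    ("JP", "5.104.83.73:4000", "", "tcp"),
    ("JP", "5.104.83.73:4000", "", "tcp"),
    ("JP", "5.104.83.73:4000", "", "tcp"),
    ("GB", "142.250.187.238:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.187.206:443", "android.apis.google.com", "tcp"),
]

# Indicators copied from the static1 and behavioral1 signature tables.
DECLARED_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
}
NODE_LOOKUP = ("android.accessibilityservice.IAccessibilityServiceConnection"
               ".findAccessibilityNodeInfoByAccessibilityId")
FRAMEWORK_CALLS = {
    NODE_LOOKUP,
    "android.os.IPowerManager.acquireWakeLock",
    "android.app.IActivityManager.setServiceForeground",
    "android.app.IActivityManager.registerReceiver",
}
INTENT_ACTIONS = {"android.settings.ACCESSIBILITY_SETTINGS"}

# Assumption: ports the sandbox image's own DNS / TLS / mDNS chatter uses.
# A bare IP hit repeatedly on any other port is what should be surfaced.
EXPECTED_PORTS = {53, 443, 5353}


def split_dest(dest):
    """'host:port' -> (host, int port); rpartition keeps IPv6 literals intact."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def beacon_candidates(rows, min_hits=3):
    """Destinations hit at least min_hits times on an unexpected port with no
    DNS name attached, as [(destination, hits)], most frequent first."""
    hits = Counter()
    for _country, dest, domain, proto in rows:
        _host, port = split_dest(dest)
        if domain or port in EXPECTED_PORTS:
            continue  # resolved name or routine port: not a beacon candidate
        hits[(dest, proto)] += 1
    return [(dest, n) for (dest, _proto), n in hits.most_common() if n >= min_hits]


def accessibility_abuse_pattern(perms, calls, intents):
    """Correlate single indicators into the overlay + accessibility pattern.
    Returns the conditions that matched, so the analyst sees what fired."""
    matched = []
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in perms and NODE_LOOKUP in calls:
        matched.append("accessibility service declared and reads the UI node tree at runtime")
    if "android.settings.ACCESSIBILITY_SETTINGS" in intents:
        matched.append("sends the user to the accessibility settings page")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        matched.append("can draw overlays above other apps")
    if ("android.app.IActivityManager.setServiceForeground" in calls
            and "android.os.IPowerManager.acquireWakeLock" in calls):
        matched.append("stays resident via foreground service and wake lock")
    return matched


def triage(rows, perms, calls, intents):
    """One-shot summary: beacon IOCs plus the behavioural conditions that matched."""
    beacons = beacon_candidates(rows)
    return {
        "beacon_iocs": [split_dest(d) for d, _ in beacons],
        "beacon_hits": dict(beacons),
        "matched": accessibility_abuse_pattern(perms, calls, intents),
    }


if __name__ == "__main__":
    result = triage(BEHAVIORAL1_NETWORK, DECLARED_PERMISSIONS, FRAMEWORK_CALLS, INTENT_ACTIONS)
    for host, port in result["beacon_iocs"]:
        print(f"beacon candidate: {host} port {port} ({result['beacon_hits'][f'{host}:{port}']} hits)")
    for line in result["matched"]:
        print("matched:", line)
```

The same `beacon_candidates` call can be fed the behavioral2 and behavioral3 tables; the 5.104.83.73:4000 destination recurs in all three runs and never carries a DNS name, which is the property the heuristic keys on. The Google-owned 443 destinations and the 1.1.1.1 resolver traffic drop out on the port rule alone, so the allow-list does not need a list of known-good IP ranges.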

Files

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 ced7e74db59a983df5d5bf22b716f99e
SHA1 4c5d13ed949fd7194f5677fd1e6eebd7c7d52fef
SHA256 20c7bb2b045ad36e90fe474ac9dfb6d5a0f0f3e66ed02cc307ad3267ac19166e
SHA512 7376c87a925cfc11ced033a74983237344df6c2df2697bbf9da0ba082b873058c591e16a540f74891439899905bf39a3256de91056d9c32f612a895dcada022e

/data/data/com.ru.runner/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 4eacd18f518fee33aec5694102e6540a
SHA1 b05b4f0e1ab2c04111fbd1f771f0b2e12ae68d68
SHA256 d332717e686e8474832845f7624b82b1bb3f144155b40228927c47dc0b3b489f
SHA512 e7da07cedaa869364a34f779e627973cde99638693a212152f8ba074d3e6702224979b20ef8993a6f7d4693c5b05b749ac7d1def273546f6744365af9cc219d8

/data/data/com.ru.runner/files/profileInstalled

MD5 a4ddf7509a0166b422d32671bc11cc15
SHA1 0a7c972960ffb28c4f2ee6149a4819907bcb7328
SHA256 749faaf38beab1dde144045d2ff4dbe963b3f762beda232af869495598072055
SHA512 b320d759ea4a1fccf92df4f1c4dc9f89e1d0a71f03e302fe0515478961fb154dda691f67a84463cd44a6ab5f6290d995f8d056ef130187c97584e343ee1ae2d0

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 359b586caf024bdee486f7a459b4984d
SHA1 7867b32df6065eca0c88084c4aea26f4736fb529
SHA256 b2aec30f4c093ffc2418ae70bc7c82bd0bc098396f241d07b01d0f52f03bbbb4
SHA512 569e350c2be2f5b9c335b68a53794b83088b4ee788e813f4ae1b19c5ff8ae51c8e0acf1dec98c7072bf065166893213eae21156c26bd63cda35cdac8a2c76a7f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 00:57

Reported

2024-06-15 01:00

Platform

android-x64-20240611.1-en

Max time kernel

138s

Max time network

149s

Command Line

com.ru.runner

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.ru.runner

Network

Country  Destination           Domain                    Proto
N/A      224.0.0.251:5353                                udp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.212.200:443    ssl.google-analytics.com  tcp
GB       172.217.16.234:443                              tcp
US       1.1.1.1:53            android.apis.google.com   udp
GB       142.250.200.46:443    android.apis.google.com   tcp
GB       142.250.178.14:443                              tcp
GB       142.250.187.226:443                             tcp
GB       142.250.179.228:443                             tcp
GB       142.250.179.228:443                             tcp
GB       216.58.204.78:443                               tcp

Files

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 ced7e74db59a983df5d5bf22b716f99e
SHA1 4c5d13ed949fd7194f5677fd1e6eebd7c7d52fef
SHA256 20c7bb2b045ad36e90fe474ac9dfb6d5a0f0f3e66ed02cc307ad3267ac19166e
SHA512 7376c87a925cfc11ced033a74983237344df6c2df2697bbf9da0ba082b873058c591e16a540f74891439899905bf39a3256de91056d9c32f612a895dcada022e

/data/data/com.ru.runner/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 0e5b14879e4ac50b163a7cc419e32666
SHA1 3ab9280e4031d4ddb8d8ecf65cfe9f989b3a819b
SHA256 08656936801a5e32dd8e2b7e148101610d92a6042f5fe2a9b8615bee23efb85d
SHA512 111242fd98eb2c4f3bcdc1e16158cc4ea8c22b61039a04590fa2a8eb30d0f67684fcec34055f4f583d714f92d8167a5d7e788f8073f0deb5f90e4c5b648e90b7

/data/data/com.ru.runner/files/profileInstalled

MD5 27bf392bbd004de736948d1985ea77cf
SHA1 80f7fa994933f838fc19b9ba286c706214ac90e7
SHA256 e70740f92bbb45f7561d9bea7a9f8be42241f39b66af08f38c29d35bac9d842c
SHA512 5778db56d45c17605016e698c868eccd97b9a548853163c429e6a4c7adb86003a6b5b40941b2047f2979274a8a9cf203c448a442140bc6d04a3f605adc23c9a5

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 cabb9bf90026c19768a0825c9f30482d
SHA1 f8451b0ae3946f1f2894aa38357be663e78771c6
SHA256 58bac2fea837bc2fcf9f867c1adae6cfea8dc9b0ffdae44e2b7ef7a1b7da0c09
SHA512 aee39cf62c5cf8cf96df56da3b3ac902a7c3eea3527b8f354c2205be67e043ff967f6630dcb8b36369ab270bfddd36e1b4488656b9278738a9a45402992b8fe5

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 00:57

Reported

2024-06-15 01:00

Platform

android-x64-arm64-20240611.1-en

Max time kernel

137s

Max time network

133s

Command Line

com.ru.runner

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Processes

com.ru.runner

Network

Country  Destination           Domain                    Proto
GB       142.250.187.206:443                             tcp
GB       142.250.187.206:443                             tcp
N/A      224.0.0.251:5353                                udp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
JP       5.104.83.73:4000                                tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       216.58.204.72:443     ssl.google-analytics.com  tcp
GB       142.250.179.228:443                             tcp
GB       142.250.179.228:443                             tcp

Files

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 ced7e74db59a983df5d5bf22b716f99e
SHA1 4c5d13ed949fd7194f5677fd1e6eebd7c7d52fef
SHA256 20c7bb2b045ad36e90fe474ac9dfb6d5a0f0f3e66ed02cc307ad3267ac19166e
SHA512 7376c87a925cfc11ced033a74983237344df6c2df2697bbf9da0ba082b873058c591e16a540f74891439899905bf39a3256de91056d9c32f612a895dcada022e

/data/data/com.ru.runner/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 8928c29220d5ef90e7608ff9e428ce77
SHA1 a72d860d8b40d6218eb107899f5b617cf6f0118a
SHA256 6e229c681fdb2f136b883c6df4ff683662f9fc13ad8daee3de78989fd7b111b9
SHA512 85373f390433c2bb35d4452186738aeaf354b758ef1304dde17cca7917c4324821196d17b7136aa7ac5626133977fa5c4b3b1c504b402937f55bf9628954453c

/data/misc/profiles/cur/0/com.ru.runner/primary.prof

MD5 68eac6cfbf3b5908a9fd32319d025707
SHA1 ff3f894e167ab4db128afae1b809b334dc3341bf
SHA256 08e3f4ee8a70ec2a3d5318eda8b2f3ca80399de801cdadc5730df2b59decba44
SHA512 44b291cd96a71f998a628351befb83702f0244d1a74495625d777d90f4a3638c62b15b8d041dd3a22618d1c5ca8e935a1c408307942c4c4e8776fdaa6a86bfaf