Malware Analysis Report

2025-01-19 07:59

Sample ID 240616-zxf4saxgrh
Target Advanced+Xperia+Z+Launcher+v2.0.4.apk
SHA256 06325b83aec99f4f5f0aace6b8b7333cf81f2a732c1c118f3d351fdcefbe9756
Tags
banker discovery evasion impact persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

06325b83aec99f4f5f0aace6b8b7333cf81f2a732c1c118f3d351fdcefbe9756

Threat Level: Shows suspicious behavior

The file Advanced+Xperia+Z+Launcher+v2.0.4.apk was found to show suspicious behavior.

Malicious Activity Summary

banker discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 21:05

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 21:05

Reported

2024-06-16 21:07

Platform

android-33-x64-arm64-20240611.1-en

Max time kernel

41s

Max time network

64s

Command Line

com.ra3al.launcher

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.ra3al.launcher

Network


Files

/data/user/0/com.ra3al.launcher/files/statistics.xml.gz.tmp

MD5 c2e1add1613396fa889f19d937cc62ba
SHA1 28b46c007c9c1599dc130ff543f9d240cb7f500e
SHA256 a6dbfbb6376019556785921ed0206d79d53872d6021998834d38cd8bb7246cda
SHA512 f288ccb8dc846f9f661ee235b85d19ec03fd5c0f5fa7a8d83803d5e98903f8b46a43e0db990d49f2c35c581553fe74da56f76f71d9b9de1d6d44f7ba5d25ae91

/data/user/0/com.ra3al.launcher/files/desktop.xml.gz.tmp

MD5 4697e8a67ccf9ab9de9d24a33b6ab3b5
SHA1 b879fdbc90d68348ece4d3c06bc814203b333020
SHA256 395e08f1a8b30b595e1e57841c99898adf3ff845cc1ce675fe733d6e69a24062
SHA512 a7b99b099e0066eb00dfd0ba06f02ac01071a9ac8512b1f46fe882f261fe4353b754c3bc694bfc81fe28be7ae6cfcde140ebfbc7847c776cad5c3f2797e2866d

/data/user/0/com.ra3al.launcher/files/stage.xml.gz.tmp

MD5 0e50a4dfdf1305f33a4436fcb50d9438
SHA1 69c89647b1ed83119e2091aa318d552d2b47bdac
SHA256 02bc89417d32ae8d95375aed5cdd67c594203398b9ba4c4255b0cfc2d18f92d3
SHA512 df719963f3b18bde2db261af05951785aae972a3389506e529544dc804fa38b9af74f11eb37f153811ac78d7294b4edf44464fac370cc21169fa616935324ed8

/data/user/0/com.ra3al.launcher/files/apptray.xml.gz.tmp

MD5 44014f4a05403aa8748b9f06a7d04db4
SHA1 ab17b9d4601e42da324706e41e9f967cf6394678
SHA256 298c21c0c65e455ef436feb157699cd340b3c2680dbe78fdb2b9eed98afe47f7
SHA512 1e2d2fff09fd365f8fa5841d9424b7af9cd996b77f93efae88f06c99bdaa60c9b58c701c6e51f143ea7cad221c1f6263bc368f98701379bd8f74b7782c5c8a7b

/data/user/0/com.ra3al.launcher/files/gaClientId

MD5 755efe757997be521c8a4da710e5ae8a
SHA1 a10f5e9542a0ce9f466eea8da70a6a95cb2a51a6
SHA256 16f4b2e6d8fdcaf8a10a42bdeaad057b609619d7850eb8df411c1417e7133983
SHA512 24800099b7573f1ce101da4bd22498e39d821641f1122d4f6acb2e890f1416dbfe34440e6e11b5e9552a3e73db689d7bb8a38277cdafc2ef1df5ab137b0ad61c