Malware Analysis Report

2024-10-19 11:58

Sample ID 240704-1xj14stena
Target 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.bin
SHA256 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca
Tags
collection credential_access discovery evasion persistence stealth trojan
score
8/10

Table of Contents: Analysis Overview; MITRE ATT&CK (Mobile Matrix V15); Analysis: static1 (Detonation Overview, Signatures); Analysis: behavioral1, behavioral2, behavioral3 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Threat Level: Likely malicious (score 8/10; sample SHA256 as in the header above)

Malicious Activity Summary

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests enabling of the accessibility settings.

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Queries the unique device ID (IMEI, MEID, IMSI)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK (Mobile Matrix V15)

No technique mappings are listed for this sample in the report as captured.

Analysis: static1

Detonation Overview

Reported

2024-07-04 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system: the permission is declared as the android:permission of a DeviceAdminReceiver so that only the system can deliver admin broadcasts to it. Its presence means the app implements a device-administrator component; once the user activates it, the app can enforce device policies and cannot be uninstalled until the admin is deactivated. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system: the permission is declared on an AccessibilityService so that only the system can bind to it. Its presence means the app implements an accessibility service which, once the user enables it under Settings > Accessibility, can read on-screen content of other apps and inject UI actions; the behavioral runs below show exactly those calls (findAccessibilityNodeInfosByViewId, performGlobalAction). android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Indicator: Description (Process and Target are N/A for every row; grouped by capability)

SMS and telephony
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.RECEIVE_WAP_PUSH: Allows an application to receive WAP push messages.
android.permission.SMS_FINANCIAL_TRANSACTIONS: Allows financial apps to read filtered SMS messages.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_PHONE_NUMBERS: Allows read access to the device's phone number(s).
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ANSWER_PHONE_CALLS: Allows the app to answer an incoming phone call.
android.permission.PROCESS_OUTGOING_CALLS: Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.WRITE_CALL_LOG: Allows an application to write and read the user's call log data.
android.permission.USE_SIP: Allows an application to use the SIP service.

Contacts, calendar and accounts
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.READ_CALENDAR: Allows an application to read the user's calendar data.
android.permission.WRITE_CALENDAR: Allows an application to write the user's calendar data.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.

Location and sensors
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.ACCESS_BACKGROUND_LOCATION: Allows an app to access location in the background.
android.permission.ACTIVITY_RECOGNITION: Allows an application to recognize physical activity.
android.permission.BODY_SENSORS: Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate.

Media, camera and storage
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.READ_MEDIA_IMAGES: Allows an application to read image files from external storage.
android.permission.READ_MEDIA_VIDEO: Allows an application to read video files from external storage.
android.permission.READ_MEDIA_AUDIO: Allows an application to read audio files from external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.MANAGE_EXTERNAL_STORAGE: Allows an application broad access to external storage under scoped storage.

Bluetooth
android.permission.BLUETOOTH_SCAN: Required to be able to discover and pair nearby Bluetooth devices.
android.permission.BLUETOOTH_CONNECT: Required to be able to connect to paired Bluetooth devices.

Overlay, settings, notifications and package control
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
android.permission.PACKAGE_USAGE_STATS: Allows an application to collect component usage statistics.
android.permission.POST_NOTIFICATIONS: Allows an app to post notifications.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
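
The permission set above is the static profile to triage first: a bindable accessibility service, a device-admin receiver, and the SMS, call, overlay and package-install permissions together are the usual banker/spyware combination. The script below is an added example for this report, not sandbox tooling; it pulls exactly those markers out of a decoded AndroidManifest.xml and scores them. It assumes the binary manifest has already been decoded to text (apktool or androguard do this). The manifest embedded in it is constructed for the example: the package name is this sample's, the component names are invented, and the permissions are a subset of the list above.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
component pattern seen in the static1 analysis above.

Added example for this report, not sandbox tooling.  Assumes the binary
manifest has already been decoded to text (apktool or androguard).
SAMPLE_MANIFEST is constructed: real package name, made-up component names,
and a subset of the permissions the report lists."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission families that together describe a banker / spyware capability set.
HIGH_RISK = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS", "android.permission.RECEIVE_WAP_PUSH"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS",
              "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.READ_CALL_LOG"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "install": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "identity": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
                 "android.permission.GET_ACCOUNTS"},
}

# A component whose android:permission is one of these is the marker that the
# app implements that privileged component type (only the system may bind, so
# the permission is declared on the component rather than requested).
COMPONENT_MARKERS = {
    "service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "receiver": "android.permission.BIND_DEVICE_ADMIN",
}

# Constructed sample manifest (component names are invented for the example).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="zbsq.xzohy.fjcs">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return requested permissions, the risky families they fall into, the
    privileged components declared, human-readable flags and a crude score."""
    root = ET.fromstring(xml_text)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms.update(_attr(e, "name") for e in root.iter(tag))
    perms.discard(None)

    components = {}
    app = root.find("application")
    for tag, marker in COMPONENT_MARKERS.items():
        for el in (app.iter(tag) if app is not None else ()):
            if _attr(el, "permission") == marker:
                components.setdefault(marker, []).append(_attr(el, "name"))

    families = {name: sorted(perms & members)
                for name, members in HIGH_RISK.items() if perms & members}

    a11y = "android.permission.BIND_ACCESSIBILITY_SERVICE" in components
    flags = []
    if a11y and "overlay" in families:
        flags.append("accessibility service + overlay: can draw over and drive other apps")
    if a11y and "sms" in families:
        flags.append("accessibility service + SMS: OTP interception possible")
    if "android.permission.BIND_DEVICE_ADMIN" in components:
        flags.append("device admin receiver: resists uninstallation once activated")
    if "install" in families:
        flags.append("can prompt installation of further packages (dropper)")

    return {"permissions": sorted(perms), "families": families,
            "components": components, "flags": flags,
            "score": len(families) + len(flags)}


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for flag in result["flags"]:
        print("[!]", flag)
    print("score", result["score"], "families", sorted(result["families"]))
```

Run it against the decoded manifest of the real sample and the families dictionary becomes the checklist for the dynamic runs: every family that appears should have a matching behavioral signature, and the ones that do not (calendar, Bluetooth, body sensors) are worth a closer look in the dropped plugins, which is where the code that uses them will be.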

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 22:01

Reported

2024-07-04 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

17s

Max time network

131s

Command Line

zbsq.xzohy.fjcs

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A Anonymous-DexFile@0xd5f87000-0xd5fb1e34 N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex N/A N/A
N/A Anonymous-DexFile@0xd4c02000-0xd4c2ae20 N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

zbsq.xzohy.fjcs

The child process below is the runtime compiler being run on the dropped plugin: --dex-file points at files/Factory/Plugins/bikc.dex and --oat-location at the sibling oat/x86/bikc.odex, which is the runtime compiling a file-backed secondary dex on first load (--compiler-filter=quicken). This confirms bikc.dex was actually loaded through a class loader and not merely written to disk. The captured command line ends abruptly at --class-loader-context=.

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/oat/x86/bikc.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 netfosite123.freeddns.org udp
MD 45.84.0.182:5060 netfosite123.freeddns.org tcp
US 1.1.1.1:53 geomobileservices-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.213.10:443 geomobileservices-pa.googleapis.com tcp
GB 142.250.180.14:443 tcp
GB 172.217.169.34:443 tcp
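
Most rows in this table are Google service endpoints contacted by the emulator image itself; the row worth pivoting on is the TCP connection to 45.84.0.182:5060 resolved from netfosite123.freeddns.org, and the same host shows up in all three runs. The parser below is an added example, not part of the sandbox: it reads the rows exactly as printed above, drops multicast and resolver traffic, suppresses resolved Google domains, and flags dynamic-DNS hosts and non-web ports. The suffix lists are short illustrative ones (an assumption of the example, extend them from your own threat intel), and 5060/tcp is flagged only as a port outside 80/443; the report establishes nothing about what actually listens there.

```python
"""Pull pivot-worthy indicators out of a sandbox network table.

Added example for this report, not sandbox tooling.  NETWORK_TABLE is copied
from the behavioral1 Network section above; the suffix lists are illustrative
and deliberately short."""
import ipaddress
from collections import OrderedDict

# Rows as printed in the report: country, ip:port, optional domain, protocol.
NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 netfosite123.freeddns.org udp
MD 45.84.0.182:5060 netfosite123.freeddns.org tcp
US 1.1.1.1:53 geomobileservices-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 216.58.213.10:443 geomobileservices-pa.googleapis.com tcp
GB 142.250.180.14:443 tcp
GB 172.217.169.34:443 tcp
"""

# Illustrative lists (assumption of this example, not from the report).
PLATFORM_NOISE = (".googleapis.com", ".google.com", ".google-analytics.com")
DYNAMIC_DNS = (".freeddns.org", ".duckdns.org", ".ddns.net", ".no-ip.org", ".dynu.com")
WEB_PORTS = (80, 443)


def parse_rows(text):
    """Turn the printed table into dicts; the domain column may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def extract_iocs(rows):
    """Return (findings, unresolved_ips).  findings are connections to a
    dynamic-DNS host or a non-web port; unresolved_ips are public addresses the
    table never ties to a name, left for passive-DNS pivoting."""
    # Map IPs to names using connection rows only: on a 1.1.1.1:53 row the
    # domain column is the query, not a name for the resolver.
    ip_to_domain = {}
    for r in rows:
        if r["port"] != 53 and r["domain"]:
            ip_to_domain.setdefault(r["ip"], r["domain"])

    findings, unresolved = OrderedDict(), set()
    for r in rows:
        addr = ipaddress.ip_address(r["ip"])
        if addr.is_multicast or addr.is_private or addr.is_loopback:
            continue  # mDNS and local traffic
        if r["port"] == 53:
            continue  # resolver traffic; the name reappears on the connection row
        domain = r["domain"] or ip_to_domain.get(r["ip"])
        if domain is None:
            unresolved.add(r["ip"])
            continue
        if domain.endswith(PLATFORM_NOISE):
            continue
        reasons = []
        if domain.endswith(DYNAMIC_DNS):
            reasons.append("dynamic DNS domain")
        if r["port"] not in WEB_PORTS:
            reasons.append("non-standard port %d/%s" % (r["port"], r["proto"]))
        if reasons:
            findings.setdefault((r["ip"], r["port"]),
                                dict(r, domain=domain, reasons=reasons))
    return list(findings.values()), sorted(unresolved)


if __name__ == "__main__":
    iocs, unresolved = extract_iocs(parse_rows(NETWORK_TABLE))
    for ioc in iocs:
        print("%s:%d (%s, %s): %s" % (ioc["ip"], ioc["port"], ioc["domain"],
                                      ioc["country"], "; ".join(ioc["reasons"])))
    print("unresolved:", ", ".join(unresolved))
```

The unresolved 443/tcp addresses are almost certainly more of the same Google traffic, but the script refuses to guess from the IP alone; resolve them through passive DNS before discarding them.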

Files

Anonymous-DexFile@0xd5f87000-0xd5fb1e34

MD5 4d2015ff34118e8b472d77e9775adc70
SHA1 dc6ac441cf0c6f0d88521f67630893aad2be7378
SHA256 a27f78c65cd9fff3d35f6384348f3dc9b7b04349916605529bf123526d5e795c
SHA512 429b581c1a62f257a6a44a54835d1dcbfb5db7e05571968407f8566081dfba8da048972d9fe1b7ff8702d974683e2d40863de83ce5d7e215748025d1a81e11a4

/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex

MD5 493e26343912179aa7244002b3decee7
SHA1 4546f95b5b6ef134792a4b0a80e3887586fa9837
SHA256 cdacd1fb59aacab59dfa26517a6b13779fdfe3127a6a811adc4dcff5baec0b62
SHA512 78962e3f42c496e98ac633155df2de2e2a0fa1f91f1a028e4137b35eb76017a0cadee41fc6fb184efe05ce830c2c0708894b6d49a43c34c3672e3c21c85f694f

Anonymous-DexFile@0xd4c02000-0xd4c2ae20

MD5 28f5b27fc4e99ed8e65833e6f764fd8a
SHA1 d33641927253c0b824010cdd8fbd88f92b3734ee
SHA256 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
SHA512 e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

/data/data/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex

MD5 2c36e9be721b0883f5bc1f71b3f2d918
SHA1 1c4d662470eae7f0af3364f1563b78472183e7a0
SHA256 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
SHA512 fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8
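
The Plugins directory above holds the dropped second-stage code, and the Anonymous-DexFile entries are dex images the runtime loaded straight from memory (that is the location string ART gives to in-memory dex, the InMemoryDexClassLoader path). Before opening any of them in a decompiler it is worth confirming the blob is an intact DEX and recording its hash against this table; a memory dump that fails the checks is truncated or still encrypted, not a decompiler bug. The validator below is an added example, not sandbox output: it checks the magic, the adler32 checksum, the SHA-1 signature and the fixed header fields the DEX format defines for integrity. The blob it builds for itself is a constructed header-only DEX with no classes, structurally valid but not loadable.

```python
"""Validate a recovered DEX file (dropped plugin or memory dump) before
analysing it, and compute the hash to match against the report's file table.

Added example for this report, not sandbox code.  build_header_only_dex()
produces a constructed, header-only DEX for demonstration; it is not
loadable, it only has a consistent header."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
KNOWN_VERSIONS = {b"035", b"037", b"038", b"039"}
# The twenty uint32 fields that follow magic (8), checksum (4) and signature (20).
FIELD_NAMES = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def validate_dex(data):
    """Parse the header and verify its integrity fields.  Returns a dict with
    ok, errors, sha256, version, checksum_ok, signature_ok and every header field."""
    report = {"ok": False, "errors": [], "sha256": hashlib.sha256(data).hexdigest()}
    if len(data) < DEX_HEADER_SIZE:
        report["errors"].append("shorter than the 0x70-byte header")
        return report

    magic = data[:8]
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    fields = dict(zip(FIELD_NAMES, struct.unpack_from("<20I", data, 32)))
    report.update(fields)
    report["version"] = magic[4:7].decode("ascii", "replace")

    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        report["errors"].append("bad magic %r" % magic)
    elif magic[4:7] not in KNOWN_VERSIONS:
        report["errors"].append("unknown dex version %s" % report["version"])

    # adler32 covers everything after the checksum field; SHA-1 covers
    # everything after the signature field.
    report["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    report["signature_ok"] = signature == hashlib.sha1(data[32:]).digest()
    if not report["checksum_ok"]:
        report["errors"].append("adler32 checksum mismatch (truncated, patched or still packed)")
    if not report["signature_ok"]:
        report["errors"].append("sha1 signature mismatch")
    if fields["file_size"] != len(data):
        report["errors"].append("file_size %d != actual %d" % (fields["file_size"], len(data)))
    if fields["header_size"] != DEX_HEADER_SIZE:
        report["errors"].append("header_size 0x%x != 0x70" % fields["header_size"])
    if fields["endian_tag"] != ENDIAN_CONSTANT:
        report["errors"].append("endian_tag 0x%x != 0x12345678" % fields["endian_tag"])

    report["ok"] = not report["errors"]
    return report


def build_header_only_dex(version=b"035"):
    """Constructed sample: a 0x70-byte DEX consisting of a consistent header
    and nothing else (no map, no classes)."""
    body = struct.pack("<20I", DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    good = build_header_only_dex()
    tampered = bytearray(good)
    tampered[0x40] ^= 0xFF  # flip a byte inside type_ids_size
    for label, blob in (("constructed", good), ("tampered", bytes(tampered))):
        r = validate_dex(blob)
        print(label, "ok" if r["ok"] else "FAIL", r["sha256"][:16], r["errors"])
```

To use it on the real artefacts, read each file under files/Factory/Plugins/ (or the memory regions the sandbox names Anonymous-DexFile@start-end) and compare the returned sha256 with the hashes in this section; a matching hash with checksum_ok and signature_ok set is the blob to decompile.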

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 22:01

Reported

2024-07-04 22:07

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

183s

Command Line

zbsq.xzohy.fjcs

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/zbsq.xzohy.fjcs/Anonymous-DexFile@… (in-memory dex; address range mangled by extraction) N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/Anonymous-DexFile@… (in-memory dex; address range mangled by extraction) N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

zbsq.xzohy.fjcs

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 netfosite123.freeddns.org udp
MD 45.84.0.182:5060 netfosite123.freeddns.org tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
GB 172.217.16.238:443 tcp
GB 216.58.212.234:443 tcp
GB 216.58.201.98:443 tcp

Files

/data/user/0/zbsq.xzohy.fjcs/Anonymous-DexFile@… (in-memory dex; address range mangled by extraction; hashes identical to the first Anonymous-DexFile in behavioral1)

MD5 4d2015ff34118e8b472d77e9775adc70
SHA1 dc6ac441cf0c6f0d88521f67630893aad2be7378
SHA256 a27f78c65cd9fff3d35f6384348f3dc9b7b04349916605529bf123526d5e795c
SHA512 429b581c1a62f257a6a44a54835d1dcbfb5db7e05571968407f8566081dfba8da048972d9fe1b7ff8702d974683e2d40863de83ce5d7e215748025d1a81e11a4

/data/data/zbsq.xzohy.fjcs/oat/x86_64/… (file name containing an '@' mangled by extraction; an oat/x86_64 compilation artifact)

MD5 f190f7e272e6a791ed7a8ed4041878eb
SHA1 9273e365ac0fc69a6c61de13572201748e36a6f5
SHA256 22f4925287602e154beae474de070fadfe7ba3f68da3c0434965bcc092f3486e
SHA512 8f397a449db86404c6bc7316e321a1c60bc212d9c52593da31634edb200b4ede65a6865a45b6f9a529700789d1782d787a5348415f2002a7534444fd81cd459a

/data/user/0/zbsq.xzohy.fjcs/Anonymous-DexFile@… (in-memory dex; address range mangled by extraction; hashes identical to the second Anonymous-DexFile in behavioral1)

MD5 28f5b27fc4e99ed8e65833e6f764fd8a
SHA1 d33641927253c0b824010cdd8fbd88f92b3734ee
SHA256 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
SHA512 e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

/data/data/zbsq.xzohy.fjcs/oat/x86_64/… (file name containing an '@' mangled by extraction; an oat/x86_64 compilation artifact)

MD5 940fc1b09ad0ebc94f5cde0cc68054e1
SHA1 d74549efc7d2af9213f5b4bb0553089a114d0a7c
SHA256 bd453400f8303d3e05adddbcf3d8334fe7707d24503b6fc6273b0013397ff64d
SHA512 6520cb4fc554555ad4489095b3339b99b6192768c6bdc7eee0188e21e06731631138c3bff2145433db15af09db005096166bb38c2705367a695a25a65a87e7cb

/data/data/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex

MD5 2c36e9be721b0883f5bc1f71b3f2d918
SHA1 1c4d662470eae7f0af3364f1563b78472183e7a0
SHA256 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
SHA512 fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

/data/data/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex

MD5 19b705d3574791cfcc095173c8cabc8d
SHA1 05ab01d27521b77b02597b03265c9b859a1e3988
SHA256 4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804
SHA512 099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2

/data/data/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex

MD5 4883ac1657fa237da009253bc9a28b02
SHA1 fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113
SHA256 8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262
SHA512 183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1

/data/data/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex

MD5 c988c8ad5214967f7e8928bdbbfb70b0
SHA1 af58e3a4f99f27ba483b2d076e7be41181bf6f34
SHA256 a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74
SHA512 1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9

/data/data/zbsq.xzohy.fjcs/files/Factory/Plugins/oat/bikc.dex.cur.prof

MD5 a2e8e10d4ae0f2adea12323f9816b58e
SHA1 52a739ffbebc545681d399a86d66881b1ec3a543
SHA256 949b9370668651f888df695502df109f8207bcb81bb9b2a06229871c63639548
SHA512 0f84b22749bc5356bf6001f16da0c459964b84d7cc44a089ea09bb717b08e10fb5406d98901a658c993c334a08a8f1bc6cfc2704f22ad71df602b1daa3d21cfa

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 22:01

Reported

2024-07-04 22:07

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

180s

Command Line

zbsq.xzohy.fjcs

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/zbsq.xzohy.fjcs/Anonymous-DexFile@… (in-memory dex; address range mangled by extraction) N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/Anonymous-DexFile@… (in-memory dex; address range mangled by extraction) N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Processes

zbsq.xzohy.fjcs

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 netfosite123.freeddns.org udp
MD 45.84.0.182:5060 netfosite123.freeddns.org tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp

Files

/data/user/0/zbsq.xzohy.fjcs/Anonymous-DexFile@… (in-memory dex; address range mangled by extraction; hashes identical to the first Anonymous-DexFile in behavioral1)

MD5 4d2015ff34118e8b472d77e9775adc70
SHA1 dc6ac441cf0c6f0d88521f67630893aad2be7378
SHA256 a27f78c65cd9fff3d35f6384348f3dc9b7b04349916605529bf123526d5e795c
SHA512 429b581c1a62f257a6a44a54835d1dcbfb5db7e05571968407f8566081dfba8da048972d9fe1b7ff8702d974683e2d40863de83ce5d7e215748025d1a81e11a4

/data/user/0/zbsq.xzohy.fjcs/oat/x86_64/… (file name containing an '@' mangled by extraction; an oat/x86_64 compilation artifact)

MD5 bc9f7be08bf3fb2e0cf537e0068ec051
SHA1 7f1e4bb74fb272f408d6333a1f52b8d53de21d64
SHA256 674157c7c143466d57878927f87c40a80a1508508fa3a6ebc3f7e7015f7fd61e
SHA512 4cbacd1b8dba13c6040d017d793fc797f32baa9d16a1501aa32cb6436169ec287583f8c8567df13f60c13c57b009aef172b3495c9bd93b56d5414c8a80b27a41

/data/user/0/zbsq.xzohy.fjcs/Anonymous-DexFile@… (in-memory dex; address range mangled by extraction; hashes identical to the second Anonymous-DexFile in behavioral1)

MD5 28f5b27fc4e99ed8e65833e6f764fd8a
SHA1 d33641927253c0b824010cdd8fbd88f92b3734ee
SHA256 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
SHA512 e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

/data/user/0/zbsq.xzohy.fjcs/oat/x86_64/… (file name containing an '@' mangled by extraction; an oat/x86_64 compilation artifact)

MD5 a9120ce031104b6312a1bcf353eeda0e
SHA1 b942f10e16a0ba44d41989ae08e54398c1857530
SHA256 c1e9f045fe4949a542a808bf305ead5d5a791b7dbc7fc452da9ea768ed4fb91f
SHA512 a017f4dcb08b65178640ca40cecff1309f8e43742b219e3264e3792a5bed4b91bf919986961a470ac59b70c2c015af71a1dc8d0171f79256aaeecd072af62e10

/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex

MD5 2c36e9be721b0883f5bc1f71b3f2d918
SHA1 1c4d662470eae7f0af3364f1563b78472183e7a0
SHA256 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
SHA512 fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex

MD5 19b705d3574791cfcc095173c8cabc8d
SHA1 05ab01d27521b77b02597b03265c9b859a1e3988
SHA256 4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804
SHA512 099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2

/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex

MD5 4883ac1657fa237da009253bc9a28b02
SHA1 fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113
SHA256 8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262
SHA512 183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1

/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex

MD5 c988c8ad5214967f7e8928bdbbfb70b0
SHA1 af58e3a4f99f27ba483b2d076e7be41181bf6f34
SHA256 a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74
SHA512 1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9

/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/oat/bikc.dex.cur.prof

MD5 8c7c157e7b3b3f9872f92581f580d97b
SHA1 0e6d10eaaff04f75966cbca24ef9031d3c864b1e
SHA256 809340217af353efa4f73a6c5a9d3c7d3c4dfbcd412143eec61c70f56f5b05bb
SHA512 e93d2adda53fea5818fc13130a6d312a669f89cd895cc653749df8230222e68f3a030706544ac56d0a4fba9a46258926a048c507dc23e208795ea58c1d001128