Malware Analysis Report

2024-10-19 11:58

Sample ID 240704-1z5etstgkd
Target f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.bin
SHA256 f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22
Tags
collection credential_access discovery evasion persistence stealth trojan
score
8/10


Analysis Overview

Threat Level: Likely malicious

The file f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.bin was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests enabling of the accessibility settings.

Acquires the wake lock

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Sends BOOT_COMPLETED broadcast intent.

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 22:06

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows financial apps to read filtered sms messages. android.permission.SMS_FINANCIAL_TRANSACTIONS N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Required to be able to discover and pair nearby Bluetooth devices. android.permission.BLUETOOTH_SCAN N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. android.permission.BODY_SENSORS N/A N/A
Allows an application to use SIP service. android.permission.USE_SIP N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to recognize physical activity. android.permission.ACTIVITY_RECOGNITION N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 22:06

Reported

2024-07-04 22:19

Platform

android-x86-arm-20240624-en

Max time kernel

49s

Max time network

119s

Command Line

buya.tgfrj.fhzv

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A Anonymous-DexFile@0xc902f000-0xc9059e30 N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex N/A N/A
N/A Anonymous-DexFile@0xc7e09000-0xc7e31e20 N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Requests enabling of the accessibility settings.

Description Indicator Process Target
Intent action android.settings.ACCESSIBILITY_SETTINGS N/A N/A

Sends BOOT_COMPLETED broadcast intent.

persistence
Description Indicator Process Target
Intent action android.intent.action.BOOT_COMPLETED N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

buya.tgfrj.fhzv

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/oat/x86/pueq.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 netfosite123.freeddns.org udp
MD 45.84.0.182:5060 netfosite123.freeddns.org tcp
US 1.1.1.1:53 geomobileservices-pa.googleapis.com udp
GB 142.250.178.10:443 geomobileservices-pa.googleapis.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.178.10:443 geomobileservices-pa.googleapis.com tcp

Files

Anonymous-DexFile@0xc902f000-0xc9059e30


/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex


Anonymous-DexFile@0xc7e09000-0xc7e31e20


/data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex


/data/data/buya.tgfrj.fhzv/files/Factory/Plugins/oat/pueq.dex.cur.prof


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 22:06

Reported

2024-07-04 22:19

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

182s

Command Line

buya.tgfrj.fhzv

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/buya.tgfrj.fhzv/[email protected] N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/[email protected] N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

buya.tgfrj.fhzv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 netfosite123.freeddns.org udp
MD 45.84.0.182:5060 netfosite123.freeddns.org tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 216.58.212.206:443 tcp
GB 142.250.200.2:443 tcp

Files

/data/user/0/buya.tgfrj.fhzv/[email protected]


/data/data/buya.tgfrj.fhzv/oat/x86_64/[email protected]


/data/user/0/buya.tgfrj.fhzv/[email protected]


/data/data/buya.tgfrj.fhzv/oat/x86_64/[email protected]


/data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex


/data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex


/data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex


/data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex


/data/data/buya.tgfrj.fhzv/files/Factory/Plugins/oat/pueq.dex.cur.prof


Analysis: behavioral3

Detonation Overview

Submitted

2024-07-04 22:06

Reported

2024-07-04 22:16

Platform

android-x64-arm64-20240624-en

Max time network

5s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A