Malware Analysis Report

2024-10-19 11:58

Sample ID 240707-1wvffsyfpq
Target 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.bin
SHA256 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e
Tags
collection credential_access discovery evasion persistence stealth trojan
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e

Threat Level: Likely malicious

The file 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.bin was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion persistence stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-07 22:00

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to write the user's calendar data. android.permission.WRITE_CALENDAR N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to receive WAP push messages. android.permission.RECEIVE_WAP_PUSH N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application broad access to external storage under scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to access data from sensors that the user uses to measure what is happening inside their body, such as heart rate. android.permission.BODY_SENSORS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Required to be able to discover and pair nearby Bluetooth devices. android.permission.BLUETOOTH_SCAN N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows financial apps to read filtered SMS messages. android.permission.SMS_FINANCIAL_TRANSACTIONS N/A N/A
Allows an application to use SIP service. android.permission.USE_SIP N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to recognize physical activity. android.permission.ACTIVITY_RECOGNITION N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-07 22:00

Reported

2024-07-07 22:03

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

185s

Command Line

hybz.kjsgu.otrn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/hybz.kjsgu.otrn/[email protected] N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/[email protected] N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

hybz.kjsgu.otrn

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
PS 213.6.103.122:1150 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

/data/user/0/hybz.kjsgu.otrn/[email protected]

MD5 6a053aec2b97522ec06101606f903979
SHA1 f1011740bca7f6f0d7fa5a2effd3db37d2d62333
SHA256 b84deb0f238bfcf3fd5c9f97695f90d31251baa0fe745a3a9884f4d34e244127
SHA512 45bb5a19b040f69451ff597f2d0b093a1497ba5bf83e8b982ed33826561e01b7b309922f09a1ea1e76691a7310e361bca8eec18e38f2628f84cb4c8215641984

/data/user/0/hybz.kjsgu.otrn/oat/x86_64/[email protected]

MD5 3884104b0435dfd9cca95e364b80a383
SHA1 3b863386e4e5ccf70639b76964fc2117ab06de6f
SHA256 5ade1752f5e29ece22215a6351ed0c8c511e42ccd76a77b57a42f86e1f41da04
SHA512 7c58e305697de37739d65fb62cc88176ce908a315f057d139148df9259a78fa132e4349f9cd35d30cff7084fb4d4e24934369d695fc02c40096a0c24a3616a28

/data/user/0/hybz.kjsgu.otrn/[email protected]

MD5 28f5b27fc4e99ed8e65833e6f764fd8a
SHA1 d33641927253c0b824010cdd8fbd88f92b3734ee
SHA256 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
SHA512 e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

/data/user/0/hybz.kjsgu.otrn/oat/x86_64/[email protected]

MD5 7f8778cf69420c6cd4582a74972325be
SHA1 1c9162e0a533dda4c6bfb048c7949071402c606b
SHA256 cb556fc9d55a2854b7d491cf5df7e960f9b91ef18fccffecf3cbbfee7877ed1f
SHA512 097cb3f4fcb75168054adb8be9e4bbd3d16264db80d8958fe156cd0924307a97da437392048ca379b7b77588b4b57fe65bdda795740b07675e6189f07b1004d2

/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex

MD5 2c36e9be721b0883f5bc1f71b3f2d918
SHA1 1c4d662470eae7f0af3364f1563b78472183e7a0
SHA256 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
SHA512 fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex

MD5 19b705d3574791cfcc095173c8cabc8d
SHA1 05ab01d27521b77b02597b03265c9b859a1e3988
SHA256 4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804
SHA512 099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2

/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex

MD5 4883ac1657fa237da009253bc9a28b02
SHA1 fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113
SHA256 8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262
SHA512 183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1

/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex

MD5 c988c8ad5214967f7e8928bdbbfb70b0
SHA1 af58e3a4f99f27ba483b2d076e7be41181bf6f34
SHA256 a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74
SHA512 1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9

/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/xekl.dex.cur.prof

MD5 899f62750f50a04394296937a9e6d7d7
SHA1 ac674c933c1fb12e41f3b9753aa7e8648c249903
SHA256 bf1e31fbb6055a588c72db497f579e84b8dfae5c4feb6c5bb10e73beccf307c5
SHA512 a87b871ec4d0837060e509f37f4dc2429f4875e1b6f82d59521fbb0b81f50e67f1558096c738e0ee256fad1a541094b6aa9dfdc3f18a898501f9e7469c8fbf13

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-07 22:00

Reported

2024-07-07 22:03

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

185s

Command Line

hybz.kjsgu.otrn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A Anonymous-DexFile@0xc9157000-0xc9181e40 N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex N/A N/A
N/A Anonymous-DexFile@0xc7b99000-0xc7bc1e20 N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

hybz.kjsgu.otrn

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/xekl.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex --output-vdex-fd=43 --oat-fd=52 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex --output-vdex-fd=52 --oat-fd=53 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/classes4.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
PS 213.6.103.122:1150 tcp
US 1.1.1.1:53 geomobileservices-pa.googleapis.com udp
GB 142.250.180.10:443 geomobileservices-pa.googleapis.com tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
GB 142.250.178.10:443 geomobileservices-pa.googleapis.com tcp

Files

Anonymous-DexFile@0xc9157000-0xc9181e40

MD5 6a053aec2b97522ec06101606f903979
SHA1 f1011740bca7f6f0d7fa5a2effd3db37d2d62333
SHA256 b84deb0f238bfcf3fd5c9f97695f90d31251baa0fe745a3a9884f4d34e244127
SHA512 45bb5a19b040f69451ff597f2d0b093a1497ba5bf83e8b982ed33826561e01b7b309922f09a1ea1e76691a7310e361bca8eec18e38f2628f84cb4c8215641984

/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex

MD5 928aface4d79d1ea949eff61bd9dee58
SHA1 c36bfd8a82164b0ae0a5c475102bdc707738d21c
SHA256 c876c2f873d63f4c74be04057ddcda3309d4f0aa4395f7c7003527fc677f6ecf
SHA512 6a82dd200c48a4184167987fb2dce51e732d05f9e3e4ed43dd3fbd1f3ea4b9a35c3e12ec1412fa2411c2683b51d62cc9421405b0dba92fd49d867a65676d7feb

Anonymous-DexFile@0xc7b99000-0xc7bc1e20

MD5 28f5b27fc4e99ed8e65833e6f764fd8a
SHA1 d33641927253c0b824010cdd8fbd88f92b3734ee
SHA256 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
SHA512 e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex

MD5 2c36e9be721b0883f5bc1f71b3f2d918
SHA1 1c4d662470eae7f0af3364f1563b78472183e7a0
SHA256 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
SHA512 fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex

MD5 19b705d3574791cfcc095173c8cabc8d
SHA1 05ab01d27521b77b02597b03265c9b859a1e3988
SHA256 4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804
SHA512 099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2

/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex

MD5 fa33671436c87fdea53c796ba2a6beac
SHA1 b9c82e91047e6fe625b8264b4462ba6d51d5d43d
SHA256 5e82809e5012014b56ac83fd5a5d4518a5ab14f3dcb1a3844748d03bbaa4967f
SHA512 a3ea95757766b1599b79a1fd2ff006ebcc67e9e5c43a16c838efca258c638e868e481361cc04af6f36870aac95b0cd09f02ddbc7643f8c7449172add3edd928a

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex

MD5 4883ac1657fa237da009253bc9a28b02
SHA1 fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113
SHA256 8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262
SHA512 183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex

MD5 c988c8ad5214967f7e8928bdbbfb70b0
SHA1 af58e3a4f99f27ba483b2d076e7be41181bf6f34
SHA256 a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74
SHA512 1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9

/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex

MD5 e42382ea2d47d71bab246b374c6ee4bb
SHA1 a787a00abe09928e780f2a67c86c97aadfdd4569
SHA256 9332b539df650c023c42997d24a7618d75757dc053d4605b26f87dd92ab8907f
SHA512 17781a63b2c8616e14d303e3573d7248672b53cba848cd9e1d0a5990bf1d17a150f395f76a42b7ed3bd3465f6adc197eba50d33d03ff03202a5aaef66a2c0d89

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/oat/xekl.dex.cur.prof

MD5 29d01d37b31ad2d5ba04ff133d817f47
SHA1 20465f5f8c9df8a877a20961c889d70968ca0dfd
SHA256 a0edea549456e46888f3612dd62e4503ab9a69a0c94ac23f9dc68c3c8db5cea4
SHA512 ce45448791a7458a6356617a401e986cbe0cca3bf80199187b14c9701d0e5c51bb8bf5a308259bbf5b1e891553bb79acb7079b120506325554adf68483d9312a

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-07 22:00

Reported

2024-07-07 22:03

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

185s

Command Line

hybz.kjsgu.otrn

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/hybz.kjsgu.otrn/[email protected] N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/[email protected] N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

hybz.kjsgu.otrn

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
PS 213.6.103.122:1150 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.169.10:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
GB 172.217.16.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.200.34:443 tcp
GB 216.58.204.78:443 tcp

Files

/data/user/0/hybz.kjsgu.otrn/[email protected]

MD5 6a053aec2b97522ec06101606f903979
SHA1 f1011740bca7f6f0d7fa5a2effd3db37d2d62333
SHA256 b84deb0f238bfcf3fd5c9f97695f90d31251baa0fe745a3a9884f4d34e244127
SHA512 45bb5a19b040f69451ff597f2d0b093a1497ba5bf83e8b982ed33826561e01b7b309922f09a1ea1e76691a7310e361bca8eec18e38f2628f84cb4c8215641984

/data/data/hybz.kjsgu.otrn/oat/x86_64/[email protected]

MD5 a179ea9212b9a1603ccb4442f7a8b684
SHA1 a3be77a7dc3a8ab8da15333067e02ccca2645a86
SHA256 e613ff4b2cc72fbdb9b38f9b11b98e79ef6580895ffadc20528ac9d21115ad60
SHA512 7aef0c5162da522852c3a3910adbd2022e970074631ada02ceebd0a1cab02205b926b022a11afe178faf4612427323aa00b0e02943f14bdd5843ea063c155444

/data/user/0/hybz.kjsgu.otrn/[email protected]

MD5 28f5b27fc4e99ed8e65833e6f764fd8a
SHA1 d33641927253c0b824010cdd8fbd88f92b3734ee
SHA256 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
SHA512 e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

/data/data/hybz.kjsgu.otrn/oat/x86_64/[email protected]

MD5 685525c4ea81de1cc92a87cc340a5578
SHA1 40cc3be0f18e7114156521ef32e5dbeaef4226c1
SHA256 429261cc8cfa98fc7a49433e228f0af1d29e2f4d259d5124324db975fedb56ac
SHA512 9132e0e4209ac00dca63474dd4b9c8b69a2d8d8b3c3fb584be33a36e04e515567119d2fac1605fda1ce43d172f6ab69148a298b7c31f975dbe396e3ea851b523

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex

MD5 2c36e9be721b0883f5bc1f71b3f2d918
SHA1 1c4d662470eae7f0af3364f1563b78472183e7a0
SHA256 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
SHA512 fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex

MD5 19b705d3574791cfcc095173c8cabc8d
SHA1 05ab01d27521b77b02597b03265c9b859a1e3988
SHA256 4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804
SHA512 099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex

MD5 4883ac1657fa237da009253bc9a28b02
SHA1 fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113
SHA256 8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262
SHA512 183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex

MD5 c988c8ad5214967f7e8928bdbbfb70b0
SHA1 af58e3a4f99f27ba483b2d076e7be41181bf6f34
SHA256 a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74
SHA512 1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9

/data/data/hybz.kjsgu.otrn/files/Factory/Plugins/oat/xekl.dex.cur.prof

MD5 fcc3238086dcac752dd477523c9274bb
SHA1 e6939fa8616d1fcb86dc52c46942df60747b4a7f
SHA256 74354823114d577de4db84d2323ce8983d4522681341a3d325ef8d60a22d433f
SHA512 5d96f253a82ab762829ec48e6a2ffb606dd88bcc1df4ffb2e89a3150f60531297c544688ae7afa37e1de965d1e6b0b2aabc2909667b543d9a56288872bcc1507