Malware Analysis Report

2025-01-19 05:20

Sample ID 240815-1w72jsxcmc
Target 9e9d4835b3de71cd335c35a61ec298eb8a47e0af5f73f4a08ddd532cfc411ed6.bin
SHA256 9e9d4835b3de71cd335c35a61ec298eb8a47e0af5f73f4a08ddd532cfc411ed6
Tags
collection credential_access discovery evasion persistence stealth trojan
score
8/10


Analysis Overview

Threat Level: Likely malicious (score 8/10)

Malicious Activity Summary

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries information about active data network

Requests enabling of the accessibility settings.

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Acquires the wake lock

Analysis: static1

Detonation Overview

Reported

2024-08-15 22:01

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
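
The declarations above are what a manifest-level triage can check before detonation. What follows is an added example, not part of this report or of the sample: it parses an AndroidManifest.xml and flags the same things static1 lists, namely services guarded by BIND_ACCESSIBILITY_SERVICE, receivers guarded by BIND_DEVICE_ADMIN, the dangerous permissions in the table, and the launcher entry point. The manifest embedded in it is constructed to mirror these findings for com.turenak.ch (the page does not publish the real manifest); the class names .MainActivity, .AccService and .AdminReceiver, the cluster names and the scoring thresholds are this example's own assumptions. The combination it scores highest (accessibility service plus overlay plus SMS read/receive plus device admin) is the capability set commonly seen in Android banking trojans.

```python
"""Static triage of an AndroidManifest.xml for the declarations listed under static1.
Added example, not part of the report. SAMPLE_MANIFEST is CONSTRUCTED to mirror the
static1 findings for com.turenak.ch; its component class names are invented."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
_P = "android.permission."

# Permissions flagged under "Requests dangerous framework permissions" (static1).
REPORTED_DANGEROUS = frozenset(_P + n for n in (
    "SYSTEM_ALERT_WINDOW", "MANAGE_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "READ_EXTERNAL_STORAGE", "PACKAGE_USAGE_STATS", "READ_PHONE_NUMBERS", "READ_CALL_LOG",
    "WRITE_CONTACTS", "GET_ACCOUNTS", "CAMERA", "ACCESS_COARSE_LOCATION",
    "ACCESS_FINE_LOCATION", "CALL_PHONE", "SEND_SMS", "RECORD_AUDIO", "READ_CONTACTS",
    "READ_PHONE_STATE", "RECEIVE_SMS", "READ_SMS"))

# Capability clusters (this example's own grouping); one fires only when every
# permission in it is requested.
CLUSTERS = {
    "sms_interception": {_P + "RECEIVE_SMS", _P + "READ_SMS"},
    "overlay_phishing": {_P + "SYSTEM_ALERT_WINDOW"},
    "outbound_fraud": {_P + "SEND_SMS", _P + "CALL_PHONE"},
    "contact_harvest": {_P + "READ_CONTACTS", _P + "GET_ACCOUNTS"},
}


def aattr(name):
    """Key ElementTree uses for an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


def fqcn(package, name):
    return package + name if name.startswith(".") else name  # ".Foo" -> "pkg.Foo"


def triage_manifest(manifest_xml):
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    requested = {e.get(aattr("name")) for e in root.iter("uses-permission")}

    # Components guarded by a system-only bind permission: the manifest-level trace of
    # the two "Declares ... with permission to bind" signatures.
    a11y = [fqcn(package, s.get(aattr("name"))) for s in app.iter("service")
            if s.get(aattr("permission")) == _P + "BIND_ACCESSIBILITY_SERVICE"]
    admin = [fqcn(package, r.get(aattr("name"))) for r in app.iter("receiver")
             if r.get(aattr("permission")) == _P + "BIND_DEVICE_ADMIN"]

    # Launcher entry points. "Removes its main activity from the application launcher"
    # is a runtime action (the component is disabled after first start), so a declared
    # launcher activity here is expected rather than a contradiction of that signature.
    launcher = []
    for act in app.iter("activity"):
        for filt in act.iter("intent-filter"):
            actions = {a.get(aattr("name")) for a in filt.iter("action")}
            cats = {c.get(aattr("name")) for c in filt.iter("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                launcher.append(fqcn(package, act.get(aattr("name"))))

    capabilities = sorted(n for n, needed in CLUSTERS.items() if needed <= requested)
    if a11y:
        capabilities.append("accessibility_service")
    if admin:
        capabilities.append("device_admin")
    score = len(capabilities)  # one point per capability; four or more is the banker profile
    verdict = "likely_malicious" if score >= 4 else ("review" if score >= 2 else "low")
    return {"package": package,
            "dangerous_permissions": sorted(requested & REPORTED_DANGEROUS),
            "other_permissions": sorted(requested - REPORTED_DANGEROUS),
            "accessibility_services": a11y, "device_admin_receivers": admin,
            "launcher_activities": launcher, "capabilities": capabilities,
            "score": score, "verdict": verdict}


SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.turenak.ch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""
```

Run triage_manifest on a decoded manifest (the AndroidManifest.xml that apktool writes) instead of SAMPLE_MANIFEST. Note what a manifest check cannot see: the launcher-icon removal, the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS and ACCESSIBILITY_SETTINGS intents and the IAccessibilityServiceConnection calls are runtime behaviour, which is why the three behavioral runs below, not static1, carry those signatures.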

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-15 22:01

Reported

2024-08-15 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

180s

Max time network

131s

Command Line

com.turenak.ch

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Processes

com.turenak.ch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | isbrs.com | udp

Files

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-journal

MD5 87b2dd266b4ef30d1faeb48cd1ed6185
SHA1 242ef0dd25b20b28f27a924bd30825128e96c23b
SHA256 cd2f84d581ae541f3e258d8c9b098645322750e9ad4c51080b92dd79a5cb3f8c
SHA512 54047a9e392a8da48c08604d04a910920324d38954dae2e420e07c9229b7c180e81099d8799cc0a0f8d9152c091df860d899e55bc08ca0508310f68bcb94ce54

/data/data/com.turenak.ch/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-wal

MD5 1b63fbb300df6d9cbcaa4c7dd3697ba1
SHA1 3dcc6d3b4dc5ca558b4b518c0721139e493fd4b7
SHA256 fc10954762a91424721cfc4858e074cbf91084668705cdfceebc977802979332
SHA512 a6442ad5396b4019633f0fec671ac4fdf8234b0c53e016e91fa06202dc96546246d7ff615e4b8c98a427db97f1d2ad54cc578d9d0aef7877e37807048bf797b2

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-wal

MD5 f1e45c609cd6b57dc41c61ce5dd69234
SHA1 8b1e0d0a00131945e4340d9d2c0824d4e4e44211
SHA256 f0c46f34b4835fcd9238b7f1d737b3ff1ca2fd1e83edaf86ee4e64f1c4638614
SHA512 0fc5d465ec5bb5aaafea8d619657a684119b551e92e3a8c010bde43d8375e1d797e15b2128af7c4e19dcf58e5c8c68cde8b14def068de4a3a090cbaee1347c2a

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-15 22:01

Reported

2024-08-15 22:07

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

150s

Command Line

com.turenak.ch

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Processes

com.turenak.ch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 142.250.187.228:443 | - | tcp
GB | 216.58.213.14:443 | - | tcp
GB | 142.250.178.2:443 | - | tcp
US | 1.1.1.1:53 | isbrs.com | udp

Files

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-journal

MD5 72fe7f1f0af9e66655a02aad1ed7507c
SHA1 9fbc1bb5fcdf392b6108dc0eb2f83336a728ad8e
SHA256 1b1d01c3524cb8d466e6534001e3a3d7b212fc47121be628c5aabe2c19121616
SHA512 a3f827ee326163d91d0323110cb7602405eb1f7039aebbf37761f0e3ae1682cd912c8ae70affad98c640de182394e62f458b118168388dcc9d1620eb8791bc59

/data/data/com.turenak.ch/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-wal

MD5 72ff4061e77d5fe334ff8ae1ef1e77b8
SHA1 ecdac2bb2afc920624c52f7f76f370273167f2c3
SHA256 6ff08915dcfd6123ca8eff110ec5a0855eae7a576c7695be0fe64b890f9fb1df
SHA512 81bd939afcc3930838732b88593acd5a03f5ddf5eca8b22590b76d898e651bd58e5de83c8998c6cb45ec4b8a988504efd5b8114c385286846be39cc504b1ca3a

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-wal

MD5 0f6a4679dacd6e45e44c492322433aaf
SHA1 c4323d0d2d84c67cae2ebcdfdf17de731b692748
SHA256 18db5622ee10921dba62db413bb2002995becb0b9603217dd1dacc207696692b
SHA512 24de25e7a53363d61c9c601c3cc58965c47955905806ac07f0872fb5184df6142e7d92c2a8275317a52c45a705171d5536f6142094909def49f9fcfe711d6edb

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-15 22:01

Reported

2024-08-15 22:07

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

132s

Command Line

com.turenak.ch

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Processes

com.turenak.ch

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.206:443 | - | tcp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.228:443 | - | tcp
GB | 142.250.179.228:443 | - | tcp
US | 1.1.1.1:53 | isbrs.com | udp
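
The three Network tables (behavioral1, behavioral2 and this run) share a pattern worth making explicit. 224.0.0.251:5353 is link-local mDNS, the DNS queries go to 1.1.1.1 (Cloudflare), the Google hostnames and the TCP flows with no attributed domain all fall in Google address space and are the emulator's own Google services traffic, and the only name outside Google infrastructure is isbrs.com, looked up in all three runs with no TCP connection to it recorded in any of them. The page gives no evidence of what that host serves, so it is a pivot for further investigation, not a confirmed command-and-control endpoint. The following is an added example, not part of the report, that parses rows copied from the three tables and separates those cases; the platform-noise suffix list and the classification rules are this example's own assumptions.

```python
"""Triage of the Network tables from the three behavioral runs in this report.
Added example, not part of the report. RUNS holds rows copied from those tables; the
classification rules and PLATFORM_SUFFIXES are this example's own assumptions."""
import ipaddress

# Names an Android emulator with Google services reaches on its own (assumption of this
# example): traffic to them is platform noise, not evidence about the sample.
PLATFORM_SUFFIXES = ("googleapis.com", "google.com", "google-analytics.com", "gstatic.com")

RUNS = {
    "behavioral1": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 isbrs.com udp
""",
    "behavioral2": """
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
GB 216.58.213.14:443 tcp
GB 142.250.178.2:443 tcp
US 1.1.1.1:53 isbrs.com udp
""",
    "behavioral3": """
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.213.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp
US 1.1.1.1:53 isbrs.com udp
""",
}


def parse_rows(table):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column may be empty."""
    rows = []
    for line in table.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue
        ip, port = parts[1].rsplit(":", 1)
        rows.append({"country": parts[0], "ip": ip, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else None, "proto": parts[-1]})
    return rows


def is_platform(domain):
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)


def triage_network(runs):
    queried, connected, multicast, unattributed, seen_in = set(), set(), set(), [], {}
    for run, table in runs.items():
        for r in parse_rows(table):
            if ipaddress.ip_address(r["ip"]).is_multicast:
                multicast.add("%s:%d" % (r["ip"], r["port"]))  # 224.0.0.251:5353 is link-local mDNS
            elif r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
                queried.add(r["domain"])  # lookup seen at the sandbox resolver
                seen_in.setdefault(r["domain"], set()).add(run)
            elif r["proto"] == "tcp" and r["domain"]:
                connected.add(r["domain"])  # flow the sandbox tied to a resolved name
            elif r["proto"] == "tcp":
                unattributed.append((run, "%s:%d" % (r["ip"], r["port"])))
    dangling = queried - connected  # looked up but never connected to within the capture window
    return {
        "queried": sorted(queried),
        "connected": sorted(connected),
        "platform_noise": sorted(d for d in queried | connected if is_platform(d)),
        "queried_no_connection": sorted(dangling),
        "needs_review": sorted(d for d in dangling if not is_platform(d)),
        "seen_in": {d: sorted(r) for d, r in seen_in.items()},
        "unattributed_tcp": unattributed,
        "multicast": sorted(multicast),
    }
```

Calling triage_network(RUNS) puts isbrs.com alone in needs_review, present in all three runs, which rules out run-specific noise. The unattributed_tcp list holds TCP flows the sandbox could not tie to a DNS answer; here they all land in Google address space, but on a sample with a live C2 that list is where a direct-to-IP connection shows up, so review it rather than discard it.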

Files

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-journal

MD5 55fa5e74b542b14ab94de7e434d9ed9e
SHA1 9c226c7c1a3624fc0fc2d37d86add2abaf401af1
SHA256 cae02b212ff2a72994c0688743c806bd5ac51a06f3ba9499760865a7ab633d04
SHA512 60ee1ddb4aae752ed0d327ad9c5f0915b68ff4037c877913010c455ea85f1c36dbb3a46535d15e0448c445278e827367d4efbe7506a77a16e55bda6dc525ccb4

/data/data/com.turenak.ch/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-wal

MD5 44454475cded0fb570f8690a0bf4fb63
SHA1 a4cb14421a7de733fbf166db3fef25d9977aa0fa
SHA256 7f740fb47f9c9744f38aff0e6cb9b5f463afc5b099b8a00c6cf4e62d85816517
SHA512 6771fadfd71f73900a7e3d27002f92d50da3ac48a16c02484fdc127bca381c4fc1e8a2f9a3d2cd39120a9b1a0520c57e65a176dde45fb52ffd3145ab881cb370

/data/data/com.turenak.ch/no_backup/androidx.work.workdb-wal

MD5 d416952cc16ceb8dff76a822dde82c39
SHA1 b9e77d3121da69f077be96d32fa07a0106f5b4d6
SHA256 5a5a4f00d980daad2c1fa9d0f8b5bdc07830c96918a1ab379fa22cea66f1f096
SHA512 b6b47f058c6bbd1ac823c670c52b54d3debc53a1cb4a3a09f7da711c164b8e12987dd61a339a3b86d2eb7c4c2bef938844a34548449f66c17b07c2fb8a693d9d