Malware Analysis Report

2025-01-19 05:19

Sample ID 240817-phvzaavemb
Target 462e131e3b1b3e72f475374496bd6d0067fb271b78d25302f4798764e961e529.apk
SHA256 462e131e3b1b3e72f475374496bd6d0067fb271b78d25302f4798764e961e529
Tags
collection credential_access evasion persistence stealth trojan execution
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

462e131e3b1b3e72f475374496bd6d0067fb271b78d25302f4798764e961e529

Threat Level: Likely malicious

The file 462e131e3b1b3e72f475374496bd6d0067fb271b78d25302f4798764e961e529.apk was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access evasion persistence stealth trojan execution

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Declares services with permission to bind to the system

Acquires the wake lock

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests enabling of the accessibility settings.

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-17 12:20

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-17 12:20

Reported

2024-08-17 12:21

Platform

android-x86-arm-20240624-en

Max time kernel

46s

Max time network

47s

Command Line

kcbemzsjob.pcqswfdcpw.xhnxkqw

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

kcbemzsjob.pcqswfdcpw.xhnxkqw

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/oat/x86/uiBBLIE.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.213.4:443 | www.google.com | tcp
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json

MD5 41f6439a763bf43aa4c74943d7fd745f
SHA1 ff02de7a300cb01782158cd9aba7d32795927f16
SHA256 3309cc667c5b49e829999302661109a3d47db1537c188f55d0d6ce26d7406142
SHA512 47a5eed43fdf86b65f6dadbbd1d8d4cb377b44df6d1f61f11d1d0976279d5cba453e980fb10c8664815cd9f2e1c295722d20f213359c0ab2b911370ab098b020

/data/data/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json

MD5 74ba1ad4d3b3f1eea3f632a866928a9c
SHA1 c6bc9771b7954278d821dfc007d166bc8ae0dc6b
SHA256 229b305917067d34eef2cfec6f126627c89998d85393597d87fe926d26943f6e
SHA512 593e60351622445aa4e56f26844069f5d8b942f5869dbaec88744cda8dade5fef87886c895888cc5c9dfc19f596f03d58856d62816a914a5f173efc529f30bb7

/data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json

MD5 5ce1939db78329d67c511b4f04e3a78b
SHA1 0ef8e4bfa758ecdef4643597f9dc7e0f9454cc0e
SHA256 3205b40deae9793dbec8b36f4a6d57f08f7a3b81693f1cd3196947367eea505c
SHA512 8cf1c1bffb8674883a1421d7796fe6172d284cd8932c277dc5fa54fbe1e94957416cca3cc47dc4c6db3666f5858f61408c0afb7875ba999e8ca1aa55c13389a6

/data/data/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/oat/uiBBLIE.json.cur.prof

MD5 e48674461c613fbcc61337b95ffe8cd3
SHA1 b271957ca9049d9f0033b2688b913d459b176147
SHA256 394139703fdca2a579e9d1db0dad22ae462e55afdecf872361b5b8a5e7266810
SHA512 99b3c9981aa70e044850b5a645a674371e000174714d12d305d6d42f756e54cb06558125eaa9b18ec74ed3fd01e3b769059ab17aa1d3dafedbb81f57ed82486e

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-17 12:20

Reported

2024-08-17 12:23

Platform

android-x64-20240624-en

Max time kernel

37s

Max time network

149s

Command Line

kcbemzsjob.pcqswfdcpw.xhnxkqw

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

kcbemzsjob.pcqswfdcpw.xhnxkqw

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 142.250.179.226:443 | | tcp

Files

/data/data/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json

MD5 41f6439a763bf43aa4c74943d7fd745f
SHA1 ff02de7a300cb01782158cd9aba7d32795927f16
SHA256 3309cc667c5b49e829999302661109a3d47db1537c188f55d0d6ce26d7406142
SHA512 47a5eed43fdf86b65f6dadbbd1d8d4cb377b44df6d1f61f11d1d0976279d5cba453e980fb10c8664815cd9f2e1c295722d20f213359c0ab2b911370ab098b020

/data/data/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json

MD5 74ba1ad4d3b3f1eea3f632a866928a9c
SHA1 c6bc9771b7954278d821dfc007d166bc8ae0dc6b
SHA256 229b305917067d34eef2cfec6f126627c89998d85393597d87fe926d26943f6e
SHA512 593e60351622445aa4e56f26844069f5d8b942f5869dbaec88744cda8dade5fef87886c895888cc5c9dfc19f596f03d58856d62816a914a5f173efc529f30bb7

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-17 12:20

Reported

2024-08-17 12:23

Platform

android-x64-arm64-20240624-en

Max time kernel

38s

Max time network

142s

Command Line

kcbemzsjob.pcqswfdcpw.xhnxkqw

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A
N/A | /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Requests enabling of the accessibility settings.

Description | Indicator | Process | Target
Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

kcbemzsjob.pcqswfdcpw.xhnxkqw

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json

MD5 41f6439a763bf43aa4c74943d7fd745f
SHA1 ff02de7a300cb01782158cd9aba7d32795927f16
SHA256 3309cc667c5b49e829999302661109a3d47db1537c188f55d0d6ce26d7406142
SHA512 47a5eed43fdf86b65f6dadbbd1d8d4cb377b44df6d1f61f11d1d0976279d5cba453e980fb10c8664815cd9f2e1c295722d20f213359c0ab2b911370ab098b020

/data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json

MD5 74ba1ad4d3b3f1eea3f632a866928a9c
SHA1 c6bc9771b7954278d821dfc007d166bc8ae0dc6b
SHA256 229b305917067d34eef2cfec6f126627c89998d85393597d87fe926d26943f6e
SHA512 593e60351622445aa4e56f26844069f5d8b942f5869dbaec88744cda8dade5fef87886c895888cc5c9dfc19f596f03d58856d62816a914a5f173efc529f30bb7