Malware Analysis Report

2025-01-19 05:20

Sample ID 240824-mdltpsvgmh
Target c18c5ca32b80d4b595500853e1899d03edbe954d1e79da14f167aa888918d547.zip
SHA256 67a12d62e70cb2b58b02548a870032688793fb7f48ec4be0f95c11b54fd59be3
Tags
collection credential_access evasion execution persistence stealth trojan
score
8/10


Analysis Overview

score
8/10

SHA256

67a12d62e70cb2b58b02548a870032688793fb7f48ec4be0f95c11b54fd59be3

Threat Level: Likely malicious

The file c18c5ca32b80d4b595500853e1899d03edbe954d1e79da14f167aa888918d547.zip was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access evasion execution persistence stealth trojan

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Analysis: static1

Detonation Overview

Reported

2024-08-24 10:20

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-24 10:20

Reported

2024-08-24 10:21

Platform

android-x86-arm-20240624-en

Max time kernel

27s

Max time network

33s

Command Line

wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | gapsoinasj.in | udp
US | 104.155.138.21:80 | gapsoinasj.in | tcp
US | 104.155.138.21:80 | gapsoinasj.in | tcp
US | 104.155.138.21:80 | gapsoinasj.in | tcp

Files

/storage/emulated/0/Android/data/.nomedia.Lucy

MD5 1f2e5a3c9615f7262c76f8f5c43c9822
SHA1 08aca827424fe5d020f85f72a5672517d2eddf33
SHA256 6dc7ff467524d442e4751401d1112542c1d34adaa80c855a90d06ae36f5b6f43
SHA512 c52df1b55e27deeebfe5fd37ca14a73af3da69a0e6cdfbbecabcd2196daef69dfe0833727952aae27604945216e04ccd59b9145500a1b0a85a5b8662fbbb3ad4

/storage/emulated/0/Android/data/.nomedia.Lucy

MD5 f8b496e8f5fca33ba496ccd068e2d588
SHA1 0966dc9a57380b426ce0623eccac79e686587996
SHA256 875a214c1da4d33af5d58e774caca07967ea95b21d6fd805e0769a3266b5b3b5
SHA512 8330164f0af4fb9ba468332dc070d6d7730c2844b7027f682df378c971a626ad33ab17d95fbb76c7d23c1dea28949ad700eb57ab50fe5405f65dc42a3b7ec3c2

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-24 10:20

Reported

2024-08-24 10:21

Platform

android-x64-20240624-en

Max time kernel

29s

Max time network

36s

Command Line

wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | gapsoinasj.in | udp
US | 107.178.223.183:80 | gapsoinasj.in | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp

Files

/storage/emulated/0/Android/data/.nomedia.Lucy

MD5 bd42cd13735e292889aeaf043738d15e
SHA1 2811cb68a43aa2bc8c76d113a4b3f2b5edb37b8d
SHA256 8e94a5b968157a3b143ba2d29cbf1b9981c176eaac274b3ce7aaa7850911f191
SHA512 f52e88ac338fecb2d2150aae9efbdae2f889b1d2572c45bca48bc4000eb28f8b8a6c176574f8e19152c0a015aba2d7420c35ec75a3e24f5cda0927772cdb3983

/storage/emulated/0/Android/data/.nomedia.Lucy

MD5 70c91d8e88c03c76ef0ac484d12bea91
SHA1 a88b73cf5369ce216215a05795157ef60b8472d9
SHA256 3677148382ff536e35aaacd6f6148b730bb373e20d67da9e6bf079fd71373b23
SHA512 4a83d9e0f212610d702f6e7af34e5a2c1462180a8b0c28025f2e35d6e77a6c75d785b43ae361ae5a7151379e1e8e0205e4624dfbf0b61be37fd9dd01a77724f2

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-24 10:20

Reported

2024-08-24 10:21

Platform

android-x64-arm64-20240624-en

Max time kernel

29s

Max time network

39s

Command Line

wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Processes

wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.200.36:443 | | tcp
BE | 74.125.133.188:5228 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
GB | 173.194.76.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | gapsoinasj.in | udp
US | 104.155.138.21:80 | gapsoinasj.in | tcp
US | 104.155.138.21:80 | gapsoinasj.in | tcp

Files

N/A