Malware Analysis Report

2025-01-19 05:20

Sample ID 240825-f9hnlaxcpf
Target Indian Army.apk
SHA256 7f753c97e4d13bd94eda8f2505d6f228e97ea615692bf33ed030a4d4db78960b
Tags
banker discovery evasion impact persistence stealth trojan
score
8/10


Analysis Overview

score
8/10

SHA256

7f753c97e4d13bd94eda8f2505d6f228e97ea615692bf33ed030a4d4db78960b

Threat Level: Likely malicious

The file Indian Army.apk was found to be: Likely malicious.

Malicious Activity Summary

banker discovery evasion impact persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Legitimate hosting services abused for malware hosting/C2

Declares services with permission to bind to the system

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-25 05:34

Signatures

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-25 05:34

Reported

2024-08-25 05:37

Platform

android-x64-arm64-20240624-en

Max time kernel

154s

Max time network

139s

Command Line

com.devicf

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.devicf/cache/natives_sec_blob968523387863523665.dex N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.devicf

Network


Files

/data/user/0/com.devicf/cache/natives_sec_blob968523387863523665.dex

MD5 d743db0c89d4626d2e078ecebae80a04
SHA1 07faeec4f4892ea850bd76e31ad2779b8c3bda64
SHA256 2f1a706ebdb117e3f7c63deabdd1df7032352f9517293cd8f19dc126d66dbfb0
SHA512 9dd5126cbb4d0a887ef0231a7c8582e9c69ecbbed71204cb14c6ddcd1000f19479a0cbe11b663c3b617fd85acc57e15419d7220ecc5c7002e11b2ea432bf4955

/data/user/0/com.devicf/cache/oat/natives_sec_blob968523387863523665.dex.cur.prof

MD5 073fcef210080a7d20892b6ba6092868
SHA1 a752b0691aebf4de84936cbabe6dbc1cdbc24d0c
SHA256 1701a7c317a17b3383a8ae8451d73f3b3c54cdf09553997d96ad9c05b2e7c89a
SHA512 2f64a31bfc32aa18ec5711c0c22502e525e776ea68ed2ded8bba0e46cb9fae69b0b0f622a6df30dce7daa80ce86c354ee96ddb5454ab44aaf60f099dd3722524