Malware Analysis Report

2024-10-19 13:01

Sample ID 241002-1x3hfszakq
Target 6baf0211c7aae5041fc5553ee7e0a1ed496dec535999ec0486261cf1a9fb02be.bin
SHA256 6baf0211c7aae5041fc5553ee7e0a1ed496dec535999ec0486261cf1a9fb02be
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6baf0211c7aae5041fc5553ee7e0a1ed496dec535999ec0486261cf1a9fb02be.bin was found to be: Known bad.

Malicious Activity Summary

Hook

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares broadcast receivers with permission to handle system events

Requests access to notifications (often used to intercept notifications before users become aware)

Attempts to obfuscate APK file format

Acquires the wake lock

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Reads information about the phone network operator

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-10-02 22:02

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-02 22:02

Reported

2024-10-02 22:05

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.chxdsjsbz.dnykbpzhs

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.chxdsjsbz.dnykbpzhs

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
RU 89.248.201.43:80 89.248.201.43 tcp
GB 142.250.200.46:443 tcp
GB 172.217.169.66:443 tcp
RU 89.248.201.43:80 89.248.201.43 tcp

Files

/data/data/com.chxdsjsbz.dnykbpzhs/cache/classes.zip
/data/data/com.chxdsjsbz.dnykbpzhs/cache/classes.dex
/data/data/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-journal
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-shm
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-02 22:02

Reported

2024-10-02 22:05

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

150s

Command Line

com.chxdsjsbz.dnykbpzhs

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.chxdsjsbz.dnykbpzhs

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
US 216.239.36.223:443 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
GB 142.250.187.193:443 tcp
GB 142.250.187.193:443 tcp
US 216.239.36.223:443 tcp
US 216.239.36.223:443 tcp

Files

/data/data/com.chxdsjsbz.dnykbpzhs/cache/classes.zip
/data/data/com.chxdsjsbz.dnykbpzhs/cache/classes.dex
/data/data/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-journal
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-shm
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-wal

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-02 22:02

Reported

2024-10-02 22:05

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.chxdsjsbz.dnykbpzhs

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.chxdsjsbz.dnykbpzhs

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
RU 89.248.201.43:80 89.248.201.43 tcp
GB 142.250.187.196:80 tcp
GB 142.250.178.4:443 tcp
GB 142.250.187.195:80 tcp

Files

/data/data/com.chxdsjsbz.dnykbpzhs/cache/classes.zip
/data/data/com.chxdsjsbz.dnykbpzhs/cache/classes.dex
/data/data/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex
/data/user/0/com.chxdsjsbz.dnykbpzhs/app_dex/classes.dex
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-journal
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-shm
/data/data/com.chxdsjsbz.dnykbpzhs/no_backup/androidx.work.workdb-wal