Malware Analysis Report

2024-10-19 13:01

Sample ID 241003-2afkvatcla
Target d6055a1fb1c8eb61f823411559876ee36cf3f018550fe5a383bf023ed2cd0876.bin
SHA256 d6055a1fb1c8eb61f823411559876ee36cf3f018550fe5a383bf023ed2cd0876
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10


Analysis Overview


Threat Level: Known bad

The file d6055a1fb1c8eb61f823411559876ee36cf3f018550fe5a383bf023ed2cd0876.bin was found to be: Known bad.

Malicious Activity Summary


Hook

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Acquires the wake lock

Queries the mobile country code (MCC)

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Looks up external IP address via web service

Makes use of the framework's foreground persistence service

Reads information about phone network operator

Requests accessing notifications (often used to intercept notifications before users become aware)

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-03 22:22

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-03 22:22

Reported

2024-10-03 22:26

Platform

android-x86-arm-20240910-en

Max time kernel

147s

Max time network

150s

Command Line

com.cicmiduox.oqgbofrks

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Requests accessing notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.cicmiduox.oqgbofrks

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cicmiduox.oqgbofrks/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 api.ipify.org udp
US 1.1.1.1:53 maisrosoft.com udp
US 104.26.12.205:443 api.ipify.org tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 1.1.1.1:53 nkjhgfjhsdhjfk.com udp
US 1.1.1.1:53 hjfgghjdfhgfdhgfd.net udp
US 1.1.1.1:53 kjhgfdrkjgkjgkjg.org udp
US 1.1.1.1:53 sdbgfguhcfwyutdityer.net udp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
GB 216.58.212.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.226:443 tcp

Files

/data/data/com.cicmiduox.oqgbofrks/cache/classes.zip
/data/data/com.cicmiduox.oqgbofrks/cache/classes.dex
/data/data/com.cicmiduox.oqgbofrks/app_dex/classes.dex
/data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-journal
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-shm
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-03 22:22

Reported

2024-10-03 22:25

Platform

android-x64-20240910-en

Max time kernel

31s

Max time network

151s

Command Line

com.cicmiduox.oqgbofrks

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.cicmiduox.oqgbofrks

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 api.ipify.org udp
US 1.1.1.1:53 maisrosoft.com udp
US 172.67.74.152:443 api.ipify.org tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
GB 172.217.169.14:443 android.apis.google.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
GB 172.217.169.46:443 tcp
GB 142.250.200.2:443 tcp
US 1.1.1.1:53 g.tenor.com udp
GB 216.58.213.10:443 g.tenor.com tcp
US 172.67.74.152:443 api.ipify.org tcp
US 1.1.1.1:53 nkjhgfjhsdhjfk.com udp
US 1.1.1.1:53 hjfgghjdfhgfdhgfd.net udp
US 1.1.1.1:53 kjhgfdrkjgkjgkjg.org udp
US 1.1.1.1:53 sdbgfguhcfwyutdityer.net udp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
GB 216.58.213.10:443 g.tenor.com tcp
GB 216.58.213.10:443 g.tenor.com tcp

Files

/data/data/com.cicmiduox.oqgbofrks/cache/classes.zip
/data/data/com.cicmiduox.oqgbofrks/cache/classes.dex
/data/data/com.cicmiduox.oqgbofrks/app_dex/classes.dex
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-journal
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-shm
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-03 22:22

Reported

2024-10-03 22:25

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

161s

Command Line

com.cicmiduox.oqgbofrks

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.cicmiduox.oqgbofrks/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Requests accessing notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.cicmiduox.oqgbofrks

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 api.ipify.org udp
US 1.1.1.1:53 maisrosoft.com udp
US 172.67.74.152:443 api.ipify.org tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
US 172.67.182.68:80 maisrosoft.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
US 172.67.182.68:80 maisrosoft.com tcp

Files

/data/data/com.cicmiduox.oqgbofrks/cache/classes.zip
/data/data/com.cicmiduox.oqgbofrks/cache/classes.dex
/data/data/com.cicmiduox.oqgbofrks/app_dex/classes.dex
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-journal
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-shm
/data/data/com.cicmiduox.oqgbofrks/no_backup/androidx.work.workdb-wal