Malware Analysis Report

2024-10-19 13:01

Sample ID 241005-yhfc9s1amk
Target Actulizacion APN CLARO 5 G.apk
SHA256 b08f7d6dd6997c97b08318c80f382c50965c29b2cea3eb1df4f7520af7bf366a
Tags
hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b08f7d6dd6997c97b08318c80f382c50965c29b2cea3eb1df4f7520af7bf366a

Threat Level: Known bad

The file Actulizacion APN CLARO 5 G.apk was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Acquires the wake lock

Reads information about phone network operator.

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-05 19:46

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
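The three static1 tables above describe one profile rather than three separate findings: runtime permissions for SMS, telephony, contacts and overlays, plus components that only the system may bind to (accessibility service, notification listener, device admin). The following triage script is an added example, not code from the report or the sandbox; it reproduces that check on a decoded AndroidManifest.xml. It assumes the binary manifest has already been decoded to plain XML (apktool or androguard). The manifest it ships with is constructed from the static1 tables: the package name and permissions are the report's, the component class names (.AccService, .NotifService, .AdminReceiver) are hypothetical.

```python
"""Permission/component triage for a decoded AndroidManifest.xml (added example).
Flags the static1 pattern: SMS/overlay/phone permissions requested by an app that
also declares components bound with BIND_ACCESSIBILITY_SERVICE,
BIND_NOTIFICATION_LISTENER_SERVICE or BIND_DEVICE_ADMIN."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions listed in the static1 table.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.READ_CALL_LOG",
    "android.permission.CALL_PHONE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# These appear as android:permission on a <service>/<receiver>, not in
# <uses-permission>: "only the system may bind to me", which is how an app
# becomes an accessibility service, notification listener or device admin.
BIND_PERMS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


def triage_manifest(xml_text: str) -> dict:
    """Return requested dangerous permissions, system-bound components and a
    verdict for the accessibility + overlay + SMS combination."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    bound = {}
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        role = BIND_PERMS.get(comp.get(ANDROID + "permission"))
        if role:
            bound.setdefault(role, []).append(comp.get(ANDROID + "name"))
    if "accessibility_service" in bound and OVERLAY in requested and SMS & requested:
        verdict = "suspicious"  # overlay phishing + OTP interception profile
    elif bound:
        verdict = "review"      # system-bound component, but not the full combination
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "dangerous": sorted(requested & DANGEROUS),
        "bound": bound,
        "verdict": verdict,
    }


# Constructed manifest: permissions and package name from the report,
# component class names hypothetical.
_PERMS = "\n".join(
    f'  <uses-permission android:name="{p}"/>'
    for p in sorted(DANGEROUS | {"android.permission.INTERNET"})
)
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.jcoagcdag.kbzvxbdyv">
{_PERMS}
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The verdict is deliberately conservative: a notification listener or device admin receiver on its own is common in legitimate apps, so it only yields "review"; the "suspicious" verdict needs the accessibility binding together with the overlay permission and SMS access, which is the combination the static1 tables show for this sample.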

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-05 19:46

Reported

2024-10-05 19:52

Platform

android-x86-arm-20240624-en

Max time kernel

184s

Max time network

189s

Command Line

com.jcoagcdag.kbzvxbdyv

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum | N/A | N/A
N/A | /data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum | N/A | N/A
N/A | /data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.jcoagcdag.kbzvxbdyv

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/oat/x86/sjmtxty.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
RU 176.111.174.221:3434 tcp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
GB 142.250.179.228:443 www.google.com tcp
US 1.1.1.1:53 m.facebook.com udp
US 1.1.1.1:53 m.facebook.com udp
GB 157.240.214.35:443 m.facebook.com tcp
GB 157.240.214.35:443 m.facebook.com tcp
US 1.1.1.1:53 z-m-static.xx.fbcdn.net udp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
US 1.1.1.1:53 facebook.com udp
GB 163.70.147.35:443 facebook.com tcp
US 1.1.1.1:53 update.googleapis.com udp
US 1.1.1.1:53 www.facebook.com udp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
GB 157.240.214.36:443 z-m-static.xx.fbcdn.net tcp
US 1.1.1.1:53 scontent.xx.fbcdn.net udp
US 1.1.1.1:53 scontent.xx.fbcdn.net udp
US 1.1.1.1:53 scontent.xx.fbcdn.net udp
GB 163.70.151.21:443 scontent.xx.fbcdn.net tcp
GB 163.70.151.21:443 scontent.xx.fbcdn.net tcp
GB 172.217.16.227:443 update.googleapis.com tcp
US 1.1.1.1:53 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
US 1.1.1.1:53 www.google.com udp
US 1.1.1.1:53 www.google.com udp
GB 172.217.169.36:443 www.google.com tcp
GB 216.58.212.196:443 www.google.com udp
GB 216.58.212.196:443 www.google.com tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
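Read as a whole, the table above has one destination that stands out: 176.111.174.221:3434 is contacted repeatedly over TCP, on a non-standard port, and never appears with a domain, i.e. no DNS lookup preceded it, which is how a hard-coded C2 address looks in a sandbox capture. The google.com / googleapis.com entries are what the Android framework and the emulator contact on their own; whether the facebook.com and fbcdn.net lookups were triggered by the sample cannot be decided from this table alone. The script below is an added example, not part of the report, that turns the table into per-destination counts and pulls out beacon candidates by exactly those criteria. SAMPLE_ROWS is a subset copied from the table above; the Suricata sid is a placeholder.

```python
"""Aggregate a sandbox network table and extract beacon candidates (added example).
A row is 'Country Destination [Domain] Proto'; Domain is present only when the
sandbox saw a DNS lookup for that destination."""
from collections import defaultdict

STANDARD_PORTS = {53, 80, 443, 5353}

# Subset of the behavioral1 network table, copied verbatim.
SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
RU 176.111.174.221:3434 tcp
GB 216.58.213.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 m.facebook.com udp
GB 157.240.214.35:443 m.facebook.com tcp
RU 176.111.174.221:3434 tcp
"""


def parse_rows(text: str):
    """Yield (country, dest, domain_or_None, proto) for each well-formed row."""
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or malformed line
        yield country, dest, domain, proto


def summarize_connections(text: str) -> dict:
    """Map 'ip:port' -> {count, country, protos, domains}. Domains are merged
    across rows, so an IP seen once without a name and once with one (as
    216.58.213.10:443 is above) is not misreported as unresolved."""
    summary = defaultdict(lambda: {"count": 0, "country": None,
                                   "protos": set(), "domains": set()})
    for country, dest, domain, proto in parse_rows(text):
        entry = summary[dest]
        entry["count"] += 1
        entry["country"] = country
        entry["protos"].add(proto)
        if domain:
            entry["domains"].add(domain)
    return dict(summary)


def beacon_candidates(summary: dict, min_count: int = 3) -> list:
    """Destinations with no DNS name, a non-standard port and repeated contact,
    ordered by connection count."""
    out = []
    for dest, entry in summary.items():
        port = int(dest.rsplit(":", 1)[1])
        if not entry["domains"] and port not in STANDARD_PORTS and entry["count"] >= min_count:
            out.append(dest)
    return sorted(out, key=lambda d: -summary[d]["count"])


def suricata_rule(ip: str, port: int, sid: int, msg: str = "Android Hook beacon") -> str:
    """Minimal alert rule for a confirmed C2 endpoint; sid is a placeholder."""
    return (f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"{msg}"; flow:to_server,established; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    s = summarize_connections(SAMPLE_ROWS)
    for dest in beacon_candidates(s):
        print(dest, s[dest]["count"], suricata_rule(*dest.rsplit(":", 1), 1000001))
```

The unresolved-name check is the one that matters: IPs the framework reaches by name will show a domain somewhere in the capture, so merging domains per destination before filtering avoids flagging the sandbox's own Google traffic.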

Files

/data/data/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum

MD5 9e28e71b559fca9d2e9caa5d1e4f2f76
SHA1 f8cb37de35609c3c51887fe52c4464de5ef4ebd6
SHA256 c09e42194a904717dfe37c9a87af68db93eb17ef516c5d3c18db0d896cc948e2
SHA512 e9c37fb1db93abebedd5732e809aa32ea367750da252dd3a142c9b128bc852c7542fec1d188daf55f9b928cddfe3f63645ff29b98e6f0d2908e7ae13b771b0d3

/data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum

MD5 de526b9ddb93005bbec8917bcb893297
SHA1 8d64d28b1e3b3d4c0fd311a3b78ddac3b70737f1
SHA256 b13cf9c509021cb7c3f0f9f0320f9ff1d8d24a9a92d75c8e211bb0e95a5cb4be
SHA512 66d4cd979719e580c93c2dd53aac3b1f10c6fb8da40d437128448337fd40b3a165be4c6046f8bb24ce133e45311e719a363496f9feb23fb2f460a7a8f320454d

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-journal

MD5 56982f1aa8d6277ca783cb721e2fcdfd
SHA1 450162447e51fcd3e09dffcc66e6c5545406c9d6
SHA256 71af32216d7973335649833bea9aad0c83dfd2d31caf75f6c53c20b71ba29e8c
SHA512 747c3796fd14c70930630d3080b7094a474c55b8ce4c1235c07725887cb3bb82d356382d15b0a48c3939bc45659436e9a79667bbba8652c8e053bd03d4ba47e3

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 6056dc00a18a9fe1fa8d05370773f82b
SHA1 cfebb1a2c1dc899c3bcbb2437946ee73330cd1c1
SHA256 7e15d7976389bd41b41687694aa49cd0e119202653fb1f5d8cd6487f3879f237
SHA512 d12b1775205304641601a8ee0a8058a8651eac03bb9e2e74d22c28fea24bd0ac948813a51dfa6486ebdac4f48005238f65a8ef9f3cdc9ffb770f9df94399610f

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 45aba8a4592b0962438e9202699ea6e7
SHA1 f82a7be840ac338f5a329dc73e3619233db8f810
SHA256 f458ea86d1db40e58b41eea554507324a20fad43c8842fcf7c583fd112d3836a
SHA512 428dcdd084551cedfaf10d7f4aad24b7622d2bab07bdef2dfd2e5e373ad626b76483c77a04b5efe4ca11e0dcce68a1d0e7bc0405bf956b8b9d1943236822c0b5

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 ed04d21564fe6b752b6c26b03ce6449e
SHA1 a75fef0d42e273dd7e96130cc0f8547b208da4c0
SHA256 f2293bc012f21defa651c3d91a821f45227807c0a1c3f4b2448ccb1d3ac56559
SHA512 19df9aa8734084c25c31cc21c25354813835f3761e6a98b8886358d1fc6d9bdf151b3cac91cbec3ac7424e739bd79eef6ae8f31715d28bce58f6e0a007d2fe75
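One caveat when pivoting on the hashes above: on Android, /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so the two entries for sjmtxty.gum are the same file recorded at two points in the run, with different contents each time. The Processes section shows dex2oat compiling the /data/user/0 path, and the "Loads dropped Dex/Jar" signature fires on it, so the later content (SHA256 b13cf9c5...) is the one that was actually loaded as DEX; the earlier content may be the packed form, but the report does not say, so both hashes belong in any IOC set. The script below is an added example, not from the report, of the first thing to do with such a blob: decide whether it is a plain DEX, an optimized/compact DEX, a JAR wrapper or an opaque (likely encrypted) file, validate the DEX header's Adler-32 checksum and SHA-1 signature (the same fields dex2oat checks), and estimate byte entropy for the opaque case. The DEX it tests against is a constructed header-only file, not the real sjmtxty.gum.

```python
"""Classify and validate a dropped DEX-like blob (added example).
DEX header layout (112 bytes): 8-byte magic, uint32 Adler-32 checksum over
everything after it, 20-byte SHA-1 over everything after the signature,
then 20 little-endian uint32 fields (file_size, header_size, endian_tag, ...)."""
import hashlib
import math
import struct
import zlib
from collections import Counter

DEX_HEADER_FMT = "<8sI20s20I"
DEX_HEADER_SIZE = struct.calcsize(DEX_HEADER_FMT)  # 0x70
ENDIAN_CONSTANT = 0x12345678


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 suggests encryption/compression."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_blob(data: bytes) -> dict:
    info = {"kind": "opaque", "entropy": round(entropy(data), 2)}
    if data[:2] == b"PK":
        info["kind"] = "zip/jar"            # classes.dex inside a JAR/APK
        return info
    if data[:4] == b"cdex":
        info["kind"] = "compact-dex"        # produced by dex2oat, not shipped
        return info
    if data[:4] not in (b"dex\n", b"dey\n") or len(data) < DEX_HEADER_SIZE:
        return info
    magic, checksum, signature, *fields = struct.unpack_from(DEX_HEADER_FMT, data)
    info["kind"] = "dex" if magic[:4] == b"dex\n" else "odex"
    info["version"] = magic[4:7].decode("ascii", "replace")
    file_size, header_size, endian_tag = fields[:3]
    info["file_size"] = file_size
    info["size_matches"] = file_size == len(data)
    info["endian_ok"] = endian_tag == ENDIAN_CONSTANT and header_size == DEX_HEADER_SIZE
    info["checksum_ok"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    info["signature_ok"] = signature == hashlib.sha1(data[32:]).digest()
    info["class_defs"] = fields[16]         # class_defs_size
    return info


def build_minimal_dex(class_defs: int = 0) -> bytes:
    """Constructed test input: a header-only DEX 035 with valid checksum and
    signature (no sections, so not loadable, but structurally correct)."""
    fields = [DEX_HEADER_SIZE, DEX_HEADER_SIZE, ENDIAN_CONSTANT] + [0] * 13 \
             + [class_defs, 0, 0, 0]
    tail = struct.pack("<20I", *fields)
    sig = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(sig + tail) & 0xFFFFFFFF
    return struct.pack("<8sI20s", b"dex\n035\0", checksum, sig) + tail


# Constructed high-entropy blob standing in for an encrypted payload.
OPAQUE_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


if __name__ == "__main__":
    print(inspect_blob(build_minimal_dex(class_defs=3)))
    print(inspect_blob(OPAQUE_SAMPLE))
```

On a real sample, run inspect_blob over the file as dropped and again after the app has loaded it; a checksum or signature mismatch on a file that dex2oat nonetheless compiled usually means the header was patched to hinder static tools, and an opaque, high-entropy first version followed by a valid DEX is the in-place decryption pattern the two hash sets above are consistent with.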

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-05 19:46

Reported

2024-10-05 19:51

Platform

android-x64-20240624-en

Max time kernel

147s

Max time network

156s

Command Line

com.jcoagcdag.kbzvxbdyv

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum | N/A | N/A
N/A | /data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.jcoagcdag.kbzvxbdyv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
RU 176.111.174.221:3434 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp

Files

/data/data/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum

MD5 9e28e71b559fca9d2e9caa5d1e4f2f76
SHA1 f8cb37de35609c3c51887fe52c4464de5ef4ebd6
SHA256 c09e42194a904717dfe37c9a87af68db93eb17ef516c5d3c18db0d896cc948e2
SHA512 e9c37fb1db93abebedd5732e809aa32ea367750da252dd3a142c9b128bc852c7542fec1d188daf55f9b928cddfe3f63645ff29b98e6f0d2908e7ae13b771b0d3

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-journal

MD5 ec2dc1844fdcd9d5830b12b11e6886cb
SHA1 8e1437178d20c5d6643feb7e233310cfcaa8c6c9
SHA256 b46719c5eeb932cddd9a2533234ddf05db41b1ea622b1087297583dde7f47764
SHA512 6a046680920b69570da3c2d03f985a7b34ecb9add4035a07aa99064715c7c0ea67639c5e58998bc91113835b384e4df780b4d505b34e6991c8f90e14e4685d77

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 91fe5d645496e34ff83cbd3bd6d918c7
SHA1 d7e2aff75d4392ac6ad32af4647d1b0d1c94088c
SHA256 2a7c9e5d8c65ffafdf7f422dfe44aa4917ef7d899c15e0c8c98b5c9eb6b16d30
SHA512 e5e136da05460a735ee252736cf789fd5581b3c10f2b1304d244023725e97d5ad789666399a384dc540fa82ff28baf09a640ea5d3eea0285564b9408ca991d14

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 599958131268d1593f5a565c5ad8893f
SHA1 66399f95739a065d20c369e9a0848dec132ec8e8
SHA256 a6fa5b4fabd9a28bf7269afc1124a76d65bddf297cd478b30582217a1f6332b7
SHA512 5342e9dd75373a31865abf140a7d9917f41ca88d38b4ac42425288ff3b0a5f3a40df808211b83561fa47463c5a8e8ccf48e90e1c9b0136cd78274d0ddc57fb80

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 4e0afccf72b731574736db3320a35d75
SHA1 092dc36c7ef947a3ea672391169add810d749591
SHA256 5b04ddd9255b53b16b9b03c633d7fb56ceb118bb768c64c5a8ad2fea2ee361e1
SHA512 0a2186c43069741b33b0909b2a4364b00c6f512fa192c8d8027b62b9c6de8cc9efdfca877fb982abd4cd5fe71e7cbca90003bacee587eb320064a9c7b3701f82

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-05 19:46

Reported

2024-10-05 19:51

Platform

android-x64-arm64-20240624-en

Max time kernel

148s

Max time network

155s

Command Line

com.jcoagcdag.kbzvxbdyv

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum | N/A | N/A
N/A | /data/user/0/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.jcoagcdag.kbzvxbdyv

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp
RU 176.111.174.221:3434 tcp

Files

/data/data/com.jcoagcdag.kbzvxbdyv/app_app_dex/sjmtxty.gum

MD5 9e28e71b559fca9d2e9caa5d1e4f2f76
SHA1 f8cb37de35609c3c51887fe52c4464de5ef4ebd6
SHA256 c09e42194a904717dfe37c9a87af68db93eb17ef516c5d3c18db0d896cc948e2
SHA512 e9c37fb1db93abebedd5732e809aa32ea367750da252dd3a142c9b128bc852c7542fec1d188daf55f9b928cddfe3f63645ff29b98e6f0d2908e7ae13b771b0d3

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-journal

MD5 4634aa026fc68256fd583120d56fec34
SHA1 b2c4d7160529ba128018b4b96e63a199b3dd3628
SHA256 4b0583d933f4c97718593bd74302ba064bb479b2396d60263cf644bb87da2e7c
SHA512 15c57a2ef9b45d5e10529ad3cce9417e20841257da315bfcdd5afe70194b33ec7591b5579f8ef627065ecb88fd305b69ee5a7a1765ec0b10d49c83f6020a96ee

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 89e1755bb0171b4aecef9b58d5971f58
SHA1 524d6b93f023522b3b104ddf1ef42b0fdd8249ac
SHA256 75be8b9d0e6e18403abcc12d88eb530b19b7bc03dbdcccac3119344b03797463
SHA512 54e0439b8e933767b38ba3212224049e426ac05feaf7c0f63a45dfaf8acfd34ecb8c93e42c56f36d11f3c1fdace889d7c9a71e03c9c7c0addcdc3b0637c44f48

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 fa8ff9e78973a20406ac97b81f16f4be
SHA1 3c04e7a213b7db49217e85f7d999bb7720ed1075
SHA256 7dcd2648b04ebd6ccc376ee199e3d3121527639f821224993cc18101df964a87
SHA512 b51ef6518fddf9b7be352a6c7c4c646316b97e24d3d8787d725cf96a7a9a35b49716291957e8189b9f2964486ed42ab7e60bc20e22cae900a059ceadbab57736

/data/data/com.jcoagcdag.kbzvxbdyv/no_backup/androidx.work.workdb-wal

MD5 fafe742d0b908006c5553c617ba9923e
SHA1 224eb742710ae0574f2fb223b0b7d088ba819542
SHA256 8d3157ade28b7173bc98b51ebe9d61a9b40402adea153074dbb34360ca2e7383
SHA512 6c012696e013af360c82bdc87355caa5242ab681d3dcd9669d4e3b12f0eb052e5b8f87c9a634a58f5945f96d1ea42f5e713e74315be8009e9d846c421a6e415b