Malware Analysis Report

2024-10-19 13:01

Sample ID: 241009-12pr6avgqm
Target: d509b8190a0a0638f2843d5131b889bbd706e1fea92ca7afe9f6d36fa04dce31.bin
SHA256: d509b8190a0a0638f2843d5131b889bbd706e1fea92ca7afe9f6d36fa04dce31
Tags: hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: d509b8190a0a0638f2843d5131b889bbd706e1fea92ca7afe9f6d36fa04dce31
Threat Level: Known bad

The file d509b8190a0a0638f2843d5131b889bbd706e1fea92ca7afe9f6d36fa04dce31.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Hook

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Requests disabling of battery optimizations (often used to enable hiding in the background)

Performs UI accessibility actions on behalf of the user

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Acquires the wake lock

Requests accessing notifications (often used to intercept notifications before users become aware)

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-10-09 22:08

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
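
The static1 findings above (SMS read/send/receive, SYSTEM_ALERT_WINDOW overlays, telephony and contacts access, plus a service gated by BIND_ACCESSIBILITY_SERVICE, a service gated by BIND_NOTIFICATION_LISTENER_SERVICE and a receiver gated by BIND_DEVICE_ADMIN) are the capability set of an Android overlay banker: the accessibility service drives the UI and reads screen content, the overlay draws fake login screens, and SMS or notification access captures one-time codes. The script below is an added example, not part of the sandbox output or of the sample, that scores a decoded AndroidManifest.xml for exactly that combination. It assumes the manifest has already been decoded from binary AXML (for example with apktool, or `aapt2 dump xmltree`); the embedded manifest is constructed from this report's permission list and its component class names (.A11yService and so on) are hypothetical.

```python
"""Score a decoded AndroidManifest.xml for the banker capability set found in static1.

Added example for this report; not the sandbox's or the sample's code.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions from the static1 table, grouped by what they let the app do.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS",
            "android.permission.RECEIVE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "telephony": {"android.permission.READ_PHONE_STATE", "android.permission.READ_PHONE_NUMBERS",
                  "android.permission.READ_CALL_LOG", "android.permission.CALL_PHONE"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
                 "android.permission.GET_ACCOUNTS"},
    "media_location": {"android.permission.CAMERA", "android.permission.ACCESS_COARSE_LOCATION",
                       "android.permission.READ_EXTERNAL_STORAGE",
                       "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Signature-level permissions a component declares so that only the system can bind to it;
# their presence tells you which privileged framework hooks the app is wired into.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}

# Constructed manifest: permissions copied from static1, component names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.yxsfjxnfs.avkeoizrg">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="app">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""


def analyze_manifest(xml_text: str) -> dict:
    """Return requested capabilities, privileged components, pattern flags and a score."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANDROID + "name") for el in root.iter("uses-permission")} - {None}
    capabilities = sorted(name for name, perms in CAPABILITIES.items() if perms & requested)
    components = {}
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            kind = BIND_PERMISSIONS.get(el.get(ANDROID + "permission", ""))
            if kind:
                components.setdefault(kind, []).append(el.get(ANDROID + "name", "?"))
    flags = []
    if "accessibility_service" in components and "overlay" in capabilities:
        flags.append("overlay_phishing")      # fake login drawn over the real app, UI driven by a11y
    if "accessibility_service" in components and (
            "sms" in capabilities or "notification_listener" in components):
        flags.append("otp_interception")      # 2FA codes read from SMS or from notifications
    if "device_admin" in components:
        flags.append("uninstall_resistance")  # device admin blocks a plain uninstall
    # Assumption: crude additive score, tune the weights against your own corpus.
    score = len(capabilities) + 2 * len(components) + 3 * len(flags)
    return {"package": root.get("package"), "requested": sorted(requested),
            "capabilities": capabilities, "components": components,
            "flags": flags, "score": score}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = analyze_manifest(text)
    print(f"{result['package']}: score={result['score']} flags={result['flags']}")
    print(f"  capabilities={result['capabilities']} components={result['components']}")
```

Run it against the decoded manifest of any APK; the three flags together are what the sandbox's "Hook" family signature is really keying on, and the score lets you sort a batch of samples before spending detonation time on them.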

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 22:08

Reported

2024-10-09 22:13

Platform

android-x86-arm-20240624-en

Max time kernel

63s

Max time network

162s

Command Line

com.yxsfjxnfs.avkeoizrg

Signatures

Hook

rat trojan infostealer hook

Removes its main activity from the application launcher

stealth trojan evasion

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yxsfjxnfs.avkeoizrg/app_dex/classes.dex (3 occurrences) | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (9 occurrences) | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Requests accessing notifications (often used to intercept notifications before users become aware)

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.yxsfjxnfs.avkeoizrg

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.yxsfjxnfs.avkeoizrg/app_dex/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.yxsfjxnfs.avkeoizrg/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
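
Nine of the seventeen connections in this run go to a bare IP over plaintext HTTP (89.248.201.43:80), and the Domain column simply repeats the address because the sample connected without a DNS lookup; everything else is the sandbox resolver (1.1.1.1), mDNS, and Google platform traffic from the emulator image. The script below is an added example, not part of this report, that separates those classes mechanically: it parses the table rows (copied here one line per connection) and buckets each destination by whether it was contacted by a hard-coded IP, resolved by name, left unresolved by the sandbox, or is link-local. The classification rules are an assumption for this sandbox's table layout; the one unresolved TLS connection (142.250.187.206:443) sits in the same 142.250.0.0/15 block as the resolved google.com and googleapis.com rows, but confirm that from your own passive DNS before excluding it.

```python
"""Triage a sandbox network table: separate platform noise from candidate C2.

Added example for this report; the rules below are assumptions for this table format.
"""
import ipaddress
from collections import Counter
from typing import NamedTuple, Optional


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the sandbox showed no Domain cell for the row
    proto: str


# Rows copied from the behavioral1 Network table of this report, one per connection.
BEHAVIORAL1_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
"""


def parse_rows(text: str) -> list:
    """Parse 'Country Destination [Domain] Proto' rows; the Domain cell is optional."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        conns.append(Conn(country, ip, int(port), domain, proto))
    return conns


def classify(c: Conn) -> str:
    """Bucket a connection; 'hardcoded_ip' is the usual shape of a C2 check-in."""
    addr = ipaddress.ip_address(c.ip)
    if addr.is_multicast or addr.is_private or addr.is_loopback:
        return "local"
    if c.port == 53 and c.proto == "udp":
        return "dns"
    if c.domain == c.ip:
        return "hardcoded_ip"   # contacted by literal address, no name lookup preceded it
    if c.domain is None:
        return "unresolved"     # sandbox could not attribute a name; review by hand
    return "resolved"


def triage(text: str) -> dict:
    """Return {bucket: [((ip, port, proto, domain), count), ...]} sorted by count."""
    buckets = {}
    for c in parse_rows(text):
        key = (c.ip, c.port, c.proto, c.domain)
        buckets.setdefault(classify(c), Counter())[key] += 1
    return {name: sorted(ctr.items(), key=lambda kv: (-kv[1], kv[0][0], kv[0][1]))
            for name, ctr in buckets.items()}


def ioc_lines(result: dict) -> list:
    """Render the hard-coded-IP bucket as blockable indicators with connection counts."""
    return [f"{ip}:{port}/{proto} ({n} connections)"
            for (ip, port, proto, _domain), n in result.get("hardcoded_ip", [])]


if __name__ == "__main__":
    res = triage(BEHAVIORAL1_ROWS)
    for bucket, entries in res.items():
        print(bucket)
        for (ip, port, proto, domain), n in entries:
            print(f"  {ip}:{port}/{proto} {domain or '-'} x{n}")
    print("IOCs:", ioc_lines(res))
```

The same function runs unchanged on the behavioral2 and behavioral3 tables; in every run the only hard-coded-IP bucket is 89.248.201.43:80, which is the indicator worth blocking and hunting for in proxy logs.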

Files

/data/data/com.yxsfjxnfs.avkeoizrg/cache/classes.zip

MD5 bbae5bf3b8d7b3174cd6a68e2b8c91fe
SHA1 54187229d0fd597ffff8ee18f8668887986e0641
SHA256 aecfa3f2dcdf61bc8a2975dc25ca36d1ac811ed583a03451a712b861549fddf1
SHA512 7c802bf7be35a2c441b460b500011499b56c16d3b8bb5d021227fffaa6a493c466cf02161bb7dae1fbdef2e7792ba9adc0a02bbf32015654988056a39e2dadf1

/data/data/com.yxsfjxnfs.avkeoizrg/cache/classes.dex

MD5 7a315a420f1455f5a7197a2b88ac55dd
SHA1 c89c2bb2c037457969e1747f1e7ffbb5bcd05be1
SHA256 0c0cd8185278b34db1d76a4b3c54460a6d2b044bb88308d9de28e38a2e545121
SHA512 68a5d990432b9161dcd4ca811919d2c7c725661558ba30413c7347e5144b886d35160c35eba5efe6b273855f60d5aa42de0e24f6380e4d19069fb9163f979233

/data/data/com.yxsfjxnfs.avkeoizrg/app_dex/classes.dex

MD5 bda7cb8932f952def25e3f1198a095d6
SHA1 a770ca68717d1f3fa7b1e089ad55ab834ff9ab2d
SHA256 6f8a840bac0431d20b98765fa20cf0c8ee792eb31c70a1cfda03a84770f5c3d2
SHA512 a48451f24edf81365e9c92e379b7f8a10df376b0128240642204de2e12bad062f9ec1eaf6f647962fc801b6601d313a6d901b1996a1de0ddd46b0fd9598165d8

/data/user/0/com.yxsfjxnfs.avkeoizrg/app_dex/classes.dex

MD5 ff7adc9a0bb2be82f8bcfcd5b879e795
SHA1 5126e4e9d2a0c5dff59df8877286a483e0e5ae5f
SHA256 e794ea01ccf82a1524b99e1046872bf6ff4cd25625a44b7736f59f234eca096b
SHA512 8aa6c6a4bb38d6af1487d71aec4a3a301e2f2bedcd95950c91edf741c77955c945d55ab489c93bab67cc4d49971235b48cb25a8f2e1b10cb17e0bf01997f1855

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-journal

MD5 9d7e6cf5f890a2f09bf78bc71a2794a8
SHA1 5543eeb894d334a75122c57b73e87892c13bc2e5
SHA256 ac0472d763fe085665d99678d3ee7991e3b4ef3c53b3a84ccadd9ff6d7761cc4
SHA512 92a692176f83a496dae0bea620d0c9af377d7762f9763e0814209c798a45946affcfb13703c50787fda382e516f326e8cd9f85ce8045f76d3fd178fd9f1ba160

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 8157f764f0c7ada562073b865055c01e
SHA1 427532ff39514a8fa6b0bbed6c14c719f0fc0688
SHA256 72efc6fcd0666699ba6f254c51e76dfab67c70ca8e941f7fbf9750be0d04663f
SHA512 784acf9acc0d8ced5a9d31e515acbe4c09f329a464bfa48d245d23e62903b2185379edddb985939d87d3946324b970ebbbd6a4c58ff7c380423374729e9aa0c1

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 08dd8dac6e80de58442157b8e24cd3e2
SHA1 189df99271cc1e3264022a7d7d4d214bf516f49e
SHA256 3674cfc59f53d7076ef91f7013aed207f9fcd382509d12ffa4525ded95f2ff9b
SHA512 282e454b3d28ef9f3a386d3c6679ec3902d5e2badf197aef87a1fa7d853a2d25aefd2043500d9b34cf11ccfb693ee0e1130b646e8c9a8b32fe37a24b871768a3

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 9e4a36153376f88d46def411d061716e
SHA1 64a06a7f6080f3f775ae6768313dd24ebb0525b8
SHA256 46df68d131fec9b5b1b24efb327cfd9b8994255cf00dbafd90a0307d3347fb27
SHA512 7d6af5ed1e94f120018dca4065723abb3d937c58a2e6c4c360e00a401299f3b9bcb701368e787d63ed0ba76fe520a3f2392715613be23ea1afb2d9365e594dd4
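
Every run records the sample writing a second stage to cache/classes.zip and cache/classes.dex, then loading app_dex/classes.dex through the "Loads dropped Dex/Jar" path, and the file table lists several classes.dex entries with different hashes. Before handing a pulled copy to a decompiler it is worth validating the DEX header: a dropper that tampers with the APK container may also leave the dropped DEX with a wrong file_size, checksum or signature that tools either reject or silently mis-parse. The parser below is an added example, not part of this report or of the sample; the header-only DEX it builds for demonstration is constructed and contains no code.

```python
"""Validate the header of a Dalvik executable (classes.dex) pulled from a device.

Added example for this report; not the sandbox's or the sample's code.
Layout follows the public DEX format: magic (8 bytes), adler32 checksum (4),
SHA-1 signature (20), then twenty little-endian uint32 fields ending at 0x70.
"""
import hashlib
import struct
import sys
import zlib

HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678

# Fields that follow the signature, in file order (all uint32, little-endian).
_TAIL_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Parse the header and verify magic, sizes, endianness, checksum and signature.

    Returns the header fields plus a 'problems' list; an empty list means the
    header is internally consistent. Raises ValueError only if the blob is too
    short to hold a header at all.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError(f"only {len(data)} bytes, a DEX header needs {HEADER_SIZE}")
    problems = []
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        problems.append(f"bad magic {magic!r}")
    version = magic[4:7].decode("ascii", errors="replace")
    stored_checksum = struct.unpack_from("<I", data, 8)[0]
    stored_signature = data[12:32]
    fields = dict(zip(_TAIL_FIELDS, struct.unpack_from("<20I", data, 32)))

    if fields["header_size"] != HEADER_SIZE:
        problems.append(f"header_size 0x{fields['header_size']:x}")
    if fields["endian_tag"] != ENDIAN_CONSTANT:
        problems.append(f"endian_tag 0x{fields['endian_tag']:08x}")
    if fields["file_size"] != len(data):
        problems.append(f"file_size {fields['file_size']} != actual {len(data)}")
    # The checksum covers everything after the checksum field itself.
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != stored_checksum:
        problems.append("checksum")
    # The signature covers everything after the signature field itself.
    if hashlib.sha1(data[32:]).digest() != stored_signature:
        problems.append("signature")
    return {"version": version, "checksum": stored_checksum,
            "signature": stored_signature.hex(), "problems": problems, **fields}


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only DEX (no classes) with valid checksum and signature."""
    tail = struct.pack("<20I", HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + tail


def check_dex_file(path: str) -> dict:
    """Validate a DEX on disk, e.g. one copied out of the app_dex directory of a detonation."""
    with open(path, "rb") as fh:
        return parse_dex_header(fh.read())


if __name__ == "__main__":
    hdr = check_dex_file(sys.argv[1]) if len(sys.argv) > 1 else parse_dex_header(build_minimal_dex())
    print(f"dex version {hdr['version']}, classes={hdr['class_defs_size']}, "
          f"methods={hdr['method_ids_size']}, problems={hdr['problems'] or 'none'}")
```

A clean header with a plausible class_defs_size is the go-ahead to decompile; a checksum or signature mismatch on a dropped DEX means the loader either patches the file in memory before handing it to the class loader or the file on disk is not the one that ran, and either way the hash in the file table above is not the hash of the code that executed.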

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 22:08

Reported

2024-10-09 22:13

Platform

android-x64-20240624-en

Max time kernel

20s

Max time network

164s

Command Line

com.yxsfjxnfs.avkeoizrg

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yxsfjxnfs.avkeoizrg/app_dex/classes.dex (2 occurrences) | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 occurrences) | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.yxsfjxnfs.avkeoizrg

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp
GB | 216.58.201.99:443 | | tcp
GB | 216.58.201.99:443 | | tcp
GB | 216.58.201.99:443 | | tcp
US | 216.239.38.223:443 | | tcp
BE | 142.251.173.188:5228 | | tcp
US | 216.239.38.223:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 142.250.187.234:443 | g.tenor.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 216.58.212.234:443 | mdh-pa.googleapis.com | tcp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
GB | 142.250.200.10:443 | safebrowsing.googleapis.com | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.212.196:443 | www.google.com | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.178.14:443 | www.youtube.com | udp
GB | 142.250.178.14:443 | www.youtube.com | tcp
GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | growth-pa.googleapis.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.206.84:443 | accounts.google.com | tcp

Files

/data/data/com.yxsfjxnfs.avkeoizrg/cache/classes.zip

MD5 bbae5bf3b8d7b3174cd6a68e2b8c91fe
SHA1 54187229d0fd597ffff8ee18f8668887986e0641
SHA256 aecfa3f2dcdf61bc8a2975dc25ca36d1ac811ed583a03451a712b861549fddf1
SHA512 7c802bf7be35a2c441b460b500011499b56c16d3b8bb5d021227fffaa6a493c466cf02161bb7dae1fbdef2e7792ba9adc0a02bbf32015654988056a39e2dadf1

/data/data/com.yxsfjxnfs.avkeoizrg/cache/classes.dex

MD5 7a315a420f1455f5a7197a2b88ac55dd
SHA1 c89c2bb2c037457969e1747f1e7ffbb5bcd05be1
SHA256 0c0cd8185278b34db1d76a4b3c54460a6d2b044bb88308d9de28e38a2e545121
SHA512 68a5d990432b9161dcd4ca811919d2c7c725661558ba30413c7347e5144b886d35160c35eba5efe6b273855f60d5aa42de0e24f6380e4d19069fb9163f979233

/data/data/com.yxsfjxnfs.avkeoizrg/app_dex/classes.dex

MD5 bda7cb8932f952def25e3f1198a095d6
SHA1 a770ca68717d1f3fa7b1e089ad55ab834ff9ab2d
SHA256 6f8a840bac0431d20b98765fa20cf0c8ee792eb31c70a1cfda03a84770f5c3d2
SHA512 a48451f24edf81365e9c92e379b7f8a10df376b0128240642204de2e12bad062f9ec1eaf6f647962fc801b6601d313a6d901b1996a1de0ddd46b0fd9598165d8

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-journal

MD5 f782c43838b6157c3614dbd76f9518eb
SHA1 fde4d3c40f19f996086776cf1fe377a33f846434
SHA256 08348c5eca3a12303ece4fd17c10f1d7adaf56d7247ee413ccafb029c4e3b021
SHA512 4c5eeecd5d2f3d1e6421a7bf7331844eda04b6fa3f349312ed24c044e84f70345612bed4d146f714e3c798f26763c9dc121538fcf167faae9fb3ad3a1fe590ed

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 fb45bc3f2ccaa835c752ba3b40578a87
SHA1 fe09e7600da426f450a732057049dce834c2cd4d
SHA256 a1ffae014acfbdfe6aa41f606ca322cce30fa3bdf6b7f1e56b6d1908ac13f45e
SHA512 b7064275b25d916578741193145a389bc0f03301160ffcf59be4524e1c32e22ccffde2e8e71e07de64875437d6f37869aae2c9489129c977f02ff9e25952d362

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 a339ca0348e29767091e45baa148c343
SHA1 174b154bf18e4c8c2e16f67d873e111276d7ff14
SHA256 3864c4e624a1d1c6e539468e82eec8ad046c51c32158acab8f4eaeb96c6f9f69
SHA512 d587ffaeaad02d1f490f3bd50073c986cf5d22b8fb7cbd6a54752316ec0f690e870d665709185e6faef9642336df974ada6e4862314b4bfe2a4f53f60080977b

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 b80f8f64a0c9313a20e56025d98a3737
SHA1 8d5da9c25d42fc74114f1144c41179bdbd23f8ca
SHA256 92bdc220edbd499c2651344ce5ffcd7787c6f1968b0c99af56a9e0fe89c15fe8
SHA512 b22cc65d8ca429c68bfd1c5cd467a8457e49cd604ccff1a5acfe265825d811f9503886ca5ac58cd7fafbc8349b00f0e41905410909e9c8c40400b2f2ef3d37e3

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-09 22:08

Reported

2024-10-09 22:13

Platform

android-x64-arm64-20240624-en

Max time kernel

138s

Max time network

163s

Command Line

com.yxsfjxnfs.avkeoizrg

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.yxsfjxnfs.avkeoizrg/app_dex/classes.dex (2 occurrences) | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 occurrences) | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.yxsfjxnfs.avkeoizrg

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
RU | 89.248.201.43:80 | 89.248.201.43 | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.yxsfjxnfs.avkeoizrg/cache/classes.zip

MD5 bbae5bf3b8d7b3174cd6a68e2b8c91fe
SHA1 54187229d0fd597ffff8ee18f8668887986e0641
SHA256 aecfa3f2dcdf61bc8a2975dc25ca36d1ac811ed583a03451a712b861549fddf1
SHA512 7c802bf7be35a2c441b460b500011499b56c16d3b8bb5d021227fffaa6a493c466cf02161bb7dae1fbdef2e7792ba9adc0a02bbf32015654988056a39e2dadf1

/data/data/com.yxsfjxnfs.avkeoizrg/cache/classes.dex

MD5 7a315a420f1455f5a7197a2b88ac55dd
SHA1 c89c2bb2c037457969e1747f1e7ffbb5bcd05be1
SHA256 0c0cd8185278b34db1d76a4b3c54460a6d2b044bb88308d9de28e38a2e545121
SHA512 68a5d990432b9161dcd4ca811919d2c7c725661558ba30413c7347e5144b886d35160c35eba5efe6b273855f60d5aa42de0e24f6380e4d19069fb9163f979233

/data/data/com.yxsfjxnfs.avkeoizrg/app_dex/classes.dex

MD5 bda7cb8932f952def25e3f1198a095d6
SHA1 a770ca68717d1f3fa7b1e089ad55ab834ff9ab2d
SHA256 6f8a840bac0431d20b98765fa20cf0c8ee792eb31c70a1cfda03a84770f5c3d2
SHA512 a48451f24edf81365e9c92e379b7f8a10df376b0128240642204de2e12bad062f9ec1eaf6f647962fc801b6601d313a6d901b1996a1de0ddd46b0fd9598165d8

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-journal

MD5 197a24f3c420c9e02650c6f1a6282da7
SHA1 6d132d5c45e0c34302e4b1bdaa7e78f79f6e19cc
SHA256 898c19684038d384ca4116f5b3f1df36dafa91ef8e7abe365bd4546e8fad43fc
SHA512 6e73d4fd825a9f3d1de660b9b87679f069aca4ec63b163f6dcd61a5e1f91e4c22d6c7dac7f0a5bc65395adae81f8ec04aa277309295b6216574b4cb9d230977b

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 af1547f725b20d89746b95ea01e46e5b
SHA1 2c66e3e41f2adf62f2bbff1d6a1a0bf57d73f7ed
SHA256 69d438a43cc87704f1834ca28644f1b6f6d9214d64185e65b31e57bedb139513
SHA512 54af671fc16f1ed10567faea41c88e32646cfba3ae242e9d7829288ac08aa17afeba083cfc7da883023864dda1a7339703ec2c84c80bbcb81f7118962b406e7b

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 6b6a7b55778be96484e77c5fa989b641
SHA1 40692a25801f858584162107c44b9c41793a9009
SHA256 4ec504ecfd689f6c3d81c6c16735adf41a619969c233155a706e2c047f087d29
SHA512 e7dca685fecb971efe390ac0c4305f42b7dc7520a5e2aebb87afb02b87bcdf5b1ef2ef3360876703c666ec010bb2248f199f99136ee90b230cc2a8acaf76fece

/data/data/com.yxsfjxnfs.avkeoizrg/no_backup/androidx.work.workdb-wal

MD5 1265dfba4d96099565e93d26f105a966
SHA1 938df945c67bcede80fc3dbce1bcc4edd0a353fb
SHA256 244756e9c1160e4e728013d2ac6a1465b1748563dd9be68950c738f45f39e5dd
SHA512 815e44467561272b0182a43af752cbb6ce71b9ac9f6aa9e4d9fc31cada36a7380f3887c51112ed1653483814317259a5911098834f7c4dd51cd4e10308bec01d