Malware Analysis Report

2024-10-19 13:01

Sample ID 241010-17vklazbqe
Target baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652.bin
SHA256 baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652
Tags: hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256

baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652

Threat Level: Known bad

The file baae85883ca0ee6910098ff917ee1765ba6d2924d84aae3c7c7f7aa759182652.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook (family signature for the Hook Android banking trojan)

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Requests accessing notifications (often used to intercept notifications before users become aware).

Attempts to obfuscate APK file format

Schedules tasks to execute at a specified time

Uses Crypto APIs (might encrypt user data; in a banker this call is just as often used to decrypt embedded strings or protect C2 traffic, so on its own it is weak evidence of ransomware-style impact)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information (/proc/meminfo)

Checks CPU information (/proc/cpuinfo; together with the memory check this is a common emulator and sandbox fingerprinting step)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-10 22:17

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
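The static signatures above are individually common in legitimate apps; what marks a banker is the combination: an accessibility service plus an overlay permission (to draw fake login screens and click through prompts), a notification listener plus SMS receive/read (to harvest OTPs), and device-admin binding. The following Python is an added example of scoring that combination from an AndroidManifest.xml; it is not part of the sandbox report or of the sample. Because the report does not publish the sample's manifest, the manifest below is constructed to declare the same permissions and system-bound components the static1 section lists. Note that BIND_* permissions never appear in uses-permission; they are declared on the service or receiver via android:permission, so the collector reads both places. The rule weights and the threshold are this example's own choices, not a published scheme.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for the demo (the report does not include the real one).
# It declares the permissions and system-bound components from the static1 section.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Heuristic rules: (rule name, permissions that must ALL be present, weight).
# Weights are this example's judgement, not a published scoring scheme.
RULES = [
    ("accessibility_service", {"android.permission.BIND_ACCESSIBILITY_SERVICE"}, 3),
    ("notification_listener", {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}, 2),
    ("device_admin", {"android.permission.BIND_DEVICE_ADMIN"}, 2),
    ("overlay_plus_a11y", {"android.permission.SYSTEM_ALERT_WINDOW",
                           "android.permission.BIND_ACCESSIBILITY_SERVICE"}, 3),
    ("sms_intercept", {"android.permission.RECEIVE_SMS",
                       "android.permission.READ_SMS"}, 2),
    ("sms_send", {"android.permission.SEND_SMS"}, 1),
    ("call_without_dialer", {"android.permission.CALL_PHONE"}, 1),
]

def collect_permissions(manifest_xml: str) -> set[str]:
    """Requested permissions plus the BIND_* permissions declared on
    services/receivers (those never appear in <uses-permission>)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            p = el.get(ANDROID_NS + "permission")
            if p:
                perms.add(p)
    perms.discard(None)
    return perms

def score_permissions(perms: set[str]) -> tuple[int, list[str]]:
    """Sum the weights of every rule whose full combination is present."""
    matched = [name for name, needed, _ in RULES if needed <= perms]
    score = sum(w for name, _, w in RULES if name in matched)
    return score, matched

def triage(manifest_xml: str, threshold: int = 6) -> dict:
    """Threshold is arbitrary for the demo; tune it against a benign corpus."""
    score, matched = score_permissions(collect_permissions(manifest_xml))
    return {"score": score, "matched": matched, "suspicious": score >= threshold}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Run it against a manifest decoded with apktool or aapt2; a single CAMERA permission scores zero, while the combination above trips every rule.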

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-10 22:17
Reported: 2024-10-10 22:20
Platform: android-x86-arm-20240624-en
Max time kernel: 149s
Max time network: 157s

Command Line

com.gamkstsaf.xopshmzuo

Signatures

Hook (family signature)

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex | N/A | N/A
(identical row logged 3 times in this run)
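The dropped payload is staged as cache/classes.zip, unpacked to cache/classes.dex and loaded from app_dex/classes.dex (see the Files section of this run), and the dex2oat command under Processes shows ART compiling it. A responder who pulls those files off a device should confirm they are genuine DEX before handing them to a decompiler; malware sometimes stores the stage encrypted or with a junk header so that naive tooling fails. The Python below is an added example, not code from the report or the sample, that validates the three integrity fields of a DEX header as laid out in the Android dex format: an 8-byte magic "dex\n035\0", an adler32 checksum over everything after the checksum field, and a SHA-1 signature over everything after the signature field, followed by file_size, header_size (0x70) and the endian tag 0x12345678. Since the sandbox does not publish the dropped files, the example builds a minimal header-only DEX inline (constructed, not loadable by ART) to exercise the parser.

```python
import hashlib
import struct
import zlib

HEADER_SIZE = 0x70            # fixed size of the dex header
ENDIAN_CONSTANT = 0x12345678  # little-endian file when stored as this value

def build_minimal_dex(version: bytes = b"035", payload: bytes = b"") -> bytes:
    """Construct a header-only DEX (plus optional trailing bytes) with correct
    checksum and signature. Constructed for this demo; not loadable by ART."""
    magic = b"dex\n" + version + b"\x00"
    size = HEADER_SIZE + len(payload)
    # file_size, header_size, endian_tag, then the 17 remaining uint fields zeroed
    tail = struct.pack("<III", size, HEADER_SIZE, ENDIAN_CONSTANT) + b"\x00" * (17 * 4)
    body = tail + payload
    signature = hashlib.sha1(body).digest()                   # covers offset 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF    # covers offset 12..end
    return magic + struct.pack("<I", checksum) + signature + body

def inspect_dex(data: bytes) -> dict:
    """Validate the header of a (possibly dropped) DEX file and report its
    integrity fields; raises ValueError when the bytes are not DEX at all."""
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]
    if not (magic.startswith(b"dex\n") and magic[7:8] == b"\x00"):
        raise ValueError(f"not a DEX file (magic {magic!r})")
    version = magic[4:7].decode("ascii")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    (class_defs_size,) = struct.unpack_from("<I", data, 96)
    return {
        "version": version,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "header_ok": file_size == len(data) and header_size == HEADER_SIZE
                     and endian_tag == ENDIAN_CONSTANT,
        "class_defs": class_defs_size,
    }

if __name__ == "__main__":
    sample = build_minimal_dex(payload=b"constructed data section")
    print(inspect_dex(sample))
```

A failed checksum or signature on a file the app successfully loaded is itself informative: ART tolerates neither, so the bytes on disk are not what was loaded, and you should capture the DEX from memory instead.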

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
(identical row logged 5 times in this run)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.gamkstsaf.xopshmzuo

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto | Connections
N/A | 224.0.0.251:5353 | - | udp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
RU | 89.248.201.43:80 | 89.248.201.43 | tcp | 5
GB | 142.250.187.206:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 216.58.201.110:443 | android.apis.google.com | tcp | 1
GB | 216.58.204.74:443 | semanticlocation-pa.googleapis.com | tcp | 1
RU | 89.248.201.43:80 | 89.248.201.43 | tcp | 2
(rows are in logged order; consecutive identical rows are collapsed into the Connections count)

Note: 89.248.201.43:80 is the only destination that is neither Google infrastructure nor the sandbox's resolver. It is reached by literal IP (no DNS query precedes it, and the Domain column simply repeats the address), over plaintext HTTP, seven times in this run, and the same address recurs in behavioral2 and behavioral3. Treat it as the likely C2 endpoint for blocking and hunting. The googleapis, youtube and google-analytics traffic is consistent with Google services on the emulator image and is not specific to the sample.
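Picking the C2 out of a sandbox network log by eye works for one report; the Python below is an added example (not part of the report or the sample) of doing it mechanically. The rows are the behavioral1 table as logged, with a blank Domain cell written as "-" so each row has four fields. The rule encodes the observation above: a sandbox fills the Domain column from the DNS answer that preceded the connection, so a Domain equal to the IP (or absent) means the sample never resolved a name, and repeated TCP connections to such an address, especially on a plaintext port, are the usual shape of a hard-coded C2. The threshold of three connections is this example's choice.

```python
from collections import Counter
import ipaddress

# Rows copied from the behavioral1 Network table above, in logged order.
# A blank Domain cell is written as "-" so every row splits into four fields.
NETWORK_LOG = """\
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
GB 142.250.187.206:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp
RU 89.248.201.43:80 89.248.201.43 tcp
RU 89.248.201.43:80 89.248.201.43 tcp
"""

def parse_rows(text: str) -> list[dict]:
    """Turn 'Country Destination Domain Proto' lines into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip headers and malformed lines
        country, dest, domain, proto = parts
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": None if domain == "-" else domain,
                     "proto": proto})
    return rows

def find_beacons(rows: list[dict], min_connections: int = 3) -> dict:
    """Flag (host, port) pairs reached repeatedly over TCP by literal IP,
    ignoring multicast, private and loopback addresses."""
    counts: Counter = Counter()
    for r in rows:
        ip = ipaddress.ip_address(r["host"])
        if r["proto"] != "tcp" or ip.is_multicast or ip.is_private or ip.is_loopback:
            continue
        if r["domain"] not in (None, r["host"]):
            continue                      # a DNS name was resolved for it: skip
        counts[(r["host"], r["port"])] += 1
    return {key: {"connections": n, "plaintext": key[1] != 443}
            for key, n in counts.items() if n >= min_connections}

if __name__ == "__main__":
    for (host, port), info in find_beacons(parse_rows(NETWORK_LOG)).items():
        print(f"{host}:{port} connections={info['connections']} plaintext={info['plaintext']}")
```

The single unnamed Google connection (142.250.187.206:443) stays below the threshold and is on 443, which is why it is not reported; raise min_connections when a run is long and noisy.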

Files

/data/data/com.gamkstsaf.xopshmzuo/cache/classes.zip

MD5 992105042c21c7e01ea901e587897027
SHA1 ddf97ce5c6b9abc5e0f773ae270ebab654f60218
SHA256 103a38a4203e405c846698bb23630e185bb0a17fbb99c1580859830e12ee5e46
SHA512 8e6ddb5e9cc9047d4ec1a15325c8562132ca587f71203ed8a0545170bb20f1078801c1a5c4a7d9de68173af135f8b870e70b1000a750e51b37fb13b45e763970

/data/data/com.gamkstsaf.xopshmzuo/cache/classes.dex

MD5 cf61a5a4974c3d0304fca4d245eabb47
SHA1 0f3f1ad8fefc524874a82e6a032da113f4185193
SHA256 9dc65bbf7ce55da341975d314041e77e842abafa420613bb0d8343edba4c005c
SHA512 2b508712edbed2801b0afe5ae5a3e942d015682e62c434bce1e0d428f67affc834c7dac7bdf84bb8c7110e9cae5a82dea0daab38af58af7d13e3f3f99c38d42d

/data/data/com.gamkstsaf.xopshmzuo/app_dex/classes.dex

MD5 e1495a9d3763521120baab7ad49993ae
SHA1 691a2c40a6f7bb433e0bae39a5905d1dbb760270
SHA256 d248dd160c174e59a057cfe9267200619974798fafc1bde37d1f8e4332510649
SHA512 ea986489613d7508d8f5dea3f96b83fad17bc05305a88db194b242e9395aad2ecbeeac912c2560a651a8d4de62d137ceac83c01960c7aed06b5bb832e6e78a77

/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex

MD5 a8a53fb275303f7438582502d17943e4
SHA1 6999a3b8f1651247265fd9c779d3e8d52864a3ba
SHA256 21885efeb17d140f446c27a0af3ef00c1df33589706581bad02f85aa967d1dee
SHA512 870c9b8ab7f1ff3757b6aae52bb860b2a089728c5f4f01a564f85b070fce569e6e3fd20c594762fafda86bb3489fe881f636a695116e2b5319ee64fb5ea83d25

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-journal

MD5 8b99977ba3bd1e0dabfbf9ac673ea142
SHA1 fcc6cdb48951ac1eed338ccdc4bed18bbaf5f817
SHA256 922e4d655d385bca678f84917892ac32a9ac5bc387dbdb60a3e0591833e55523
SHA512 6bb66c4a4922c887d9ab44380978e0200eb521bac2a84d0b5e1279957f7b3c2f629656dd182e6ca502a947377fd57d05e59c0600374f4715792b556542ae48b6

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 681925eb224abfd1625a9f4853c2827c
SHA1 07b39c87ff1923c10f1029cd3a75e5386a8f9554
SHA256 72a524ad27404e231a1d95ed148066f3f7f887c190851573fb1000a190b2b270
SHA512 6e4c31ed6506966b5f2b875034c61dfdbb952c30f75a70ccdb8786746978c8761634416ba072e9cd0275a3c74d9f26bbb7174d052ffc42a3e8dcc0757f39d980

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 d5e030beffa3953f68709c793452d843
SHA1 a8b4e6eab56d5e5160f54389b1b2799e5f3073e7
SHA256 44f8acc11cca7eff6f3953add0ccc338054adac0406f8b64564ff1d9f2698769
SHA512 7d912d147ed1033f499a6027ea4ca910751d82af3e091ffa333f7eb7171f6f82df2f5054cdf7951d73218aafb7564c600e38181aa0e391a64f96aa0dbeeb710b

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 b0e44f5070b83424c7103f9fcdf4f3a0
SHA1 f26a956a72d4cc2a3d911f01f94cb2f4b07d4932
SHA256 8ca4eb9f9aa491b1be502b55c1759f8a2337cd609f062f72cb421ee9162d5d3b
SHA512 42603f3a4e248ab988f925f42745b4be374c82679d673d5b38d88b5a7fa5759f4786dc9b9aaa4f64e78171d98b494802247965921ddf4757f637ce51bba20dbb

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-10 22:17
Reported: 2024-10-10 22:20
Platform: android-x64-20240910-en
Max time kernel: 13s
Max time network: 152s

Command Line

com.gamkstsaf.xopshmzuo

Signatures

Hook (family signature)

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex | N/A | N/A
(identical row logged 2 times in this run)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
(identical row logged 5 times in this run)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.gamkstsaf.xopshmzuo

Network

Country | Destination | Domain | Proto | Connections
N/A | 224.0.0.251:5353 | - | udp | 1
GB | 142.250.180.10:443 | - | tcp | 1
GB | 142.250.187.206:443 | - | tcp | 2
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
GB | 142.250.178.14:443 | android.apis.google.com | tcp | 1
RU | 89.248.201.43:80 | 89.248.201.43 | tcp | 3
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
RU | 89.248.201.43:80 | 89.248.201.43 | tcp | 5
GB | 142.250.180.14:443 | - | tcp | 1
GB | 216.58.213.2:443 | - | tcp | 1
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp | 1
BE | 108.177.15.188:5228 | - | tcp | 1
US | 216.239.36.223:443 | - | tcp | 1
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp | 1
GB | 142.250.178.14:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | g.tenor.com | udp | 1
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp | 1
GB | 216.58.204.74:443 | mdh-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp | 1
GB | 142.250.200.42:443 | safebrowsing.googleapis.com | tcp | 1
GB | 142.250.178.14:443 | android.apis.google.com | tcp | 1
US | 1.1.1.1:53 | www.youtube.com | udp | 1
GB | 216.58.201.110:443 | www.youtube.com | udp | 1
GB | 216.58.201.110:443 | www.youtube.com | tcp | 1
US | 1.1.1.1:53 | growth-pa.googleapis.com | udp | 1
GB | 142.250.180.10:443 | growth-pa.googleapis.com | tcp | 1
US | 1.1.1.1:53 | lh3-dz.googleusercontent.com | udp | 1
GB | 172.217.16.225:443 | lh3-dz.googleusercontent.com | tcp | 1
US | 1.1.1.1:53 | accounts.google.com | udp | 2
GB | 74.125.71.84:443 | accounts.google.com | tcp | 1
RU | 89.248.201.43:80 | 89.248.201.43 | tcp | 6
(rows are in logged order; consecutive identical rows are collapsed into the Connections count)

Note: 14 plaintext connections to 89.248.201.43:80 in this run, again by literal IP with no preceding DNS query. 108.177.15.188:5228 is Google's push-messaging (FCM/GCM) port and, like the 443 traffic to Google ranges, is expected background traffic from the emulator image.

Files

/data/data/com.gamkstsaf.xopshmzuo/cache/classes.zip

MD5 992105042c21c7e01ea901e587897027
SHA1 ddf97ce5c6b9abc5e0f773ae270ebab654f60218
SHA256 103a38a4203e405c846698bb23630e185bb0a17fbb99c1580859830e12ee5e46
SHA512 8e6ddb5e9cc9047d4ec1a15325c8562132ca587f71203ed8a0545170bb20f1078801c1a5c4a7d9de68173af135f8b870e70b1000a750e51b37fb13b45e763970

/data/data/com.gamkstsaf.xopshmzuo/cache/classes.dex

MD5 cf61a5a4974c3d0304fca4d245eabb47
SHA1 0f3f1ad8fefc524874a82e6a032da113f4185193
SHA256 9dc65bbf7ce55da341975d314041e77e842abafa420613bb0d8343edba4c005c
SHA512 2b508712edbed2801b0afe5ae5a3e942d015682e62c434bce1e0d428f67affc834c7dac7bdf84bb8c7110e9cae5a82dea0daab38af58af7d13e3f3f99c38d42d

/data/data/com.gamkstsaf.xopshmzuo/app_dex/classes.dex

MD5 e1495a9d3763521120baab7ad49993ae
SHA1 691a2c40a6f7bb433e0bae39a5905d1dbb760270
SHA256 d248dd160c174e59a057cfe9267200619974798fafc1bde37d1f8e4332510649
SHA512 ea986489613d7508d8f5dea3f96b83fad17bc05305a88db194b242e9395aad2ecbeeac912c2560a651a8d4de62d137ceac83c01960c7aed06b5bb832e6e78a77

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-journal

MD5 f925118bbd7151997f573037be362c57
SHA1 2dbbd185c97523323c2ecddb66145e11f7587cd5
SHA256 e90b8a9d79c6495985a1e1084706f2a718d3ff3ebda8c66f577f84ce13cf781f
SHA512 66cf20612a6e6c6297ec1cd1dd099fae3cc1ce1afdce0324558018a0e4aa017c20dc210ba2c831d8111c9d11e748d4b9f074c437811eaefb99dc529c2617a8df

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 94f4d93c08261561a6d474e35f9f2316
SHA1 9cb7a381b0f9999acc251d13646f0a51c5497a05
SHA256 aa321107b21d1684c6dcee295831781b0886b524586a4187eb97e27f441d427b
SHA512 410dd35f3d330ab755a8ab5e03a2e583b03a8821cf60ebb05766bdf9df5f568ddbcab1d13dc76ea9953a1ec66da029d2ffc2d6e5cdf938d3339da379be09b777

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 6860c078aea754578051e2568e8f674a
SHA1 00341c5e1dc11077757598a7da2b51154fae7255
SHA256 6bc45a28a44ff5a1ee2243d65312b1736431104543d81c3b5f7c6a4f149583f7
SHA512 f77730af4227eb16fd5e0cd978e41825b418550f0206869b5f2743b6a60a33fd0c50b10993cd1bbc1c91f7150f13c5d78eb0813ab4b6ac7c705016106f67e680

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 e9310c886f54aeb20a83df1d00db1e1b
SHA1 ff24587618162346ab52f10e5fb9d56d29ef1a3b
SHA256 59023bc3b85be3713896022ea7f8a9abac36c5122827908eec50882a4c08641f
SHA512 02ded122f2b03cc502193cd2532cb95c50ef24164f0deaa2bf6b6850a0c20b8d21dd5cac7e3a9fe663d647c98635bc52704669ecb9c92fbc36be7579017b56de

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-10 22:17
Reported: 2024-10-10 22:20
Platform: android-x64-arm64-20240910-en
Max time kernel: 149s
Max time network: 152s

Command Line

com.gamkstsaf.xopshmzuo

Signatures

Hook (family signature)

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex | N/A | N/A
(identical row logged 2 times in this run)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
(identical row logged 18 times in this run)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.gamkstsaf.xopshmzuo

Network

Country | Destination | Domain | Proto | Connections
N/A | 224.0.0.251:5353 | - | udp | 1
GB | 172.217.169.14:443 | - | tcp | 1
US | 1.1.1.1:53 | android.apis.google.com | udp | 1
US | 1.1.1.1:53 | www.youtube.com | udp | 1
GB | 172.217.169.46:443 | android.apis.google.com | tcp | 1
GB | 142.250.180.14:443 | www.youtube.com | udp | 1
GB | 142.250.180.14:443 | www.youtube.com | tcp | 1
GB | 172.217.169.46:443 | android.apis.google.com | tcp | 1
US | 216.239.38.223:443 | - | tcp | 1
RU | 89.248.201.43:80 | 89.248.201.43 | tcp | 4
US | 1.1.1.1:53 | ssl.google-analytics.com | udp | 1
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp | 1
RU | 89.248.201.43:80 | 89.248.201.43 | tcp | 1
US | 216.239.38.223:443 | - | tcp | 1
RU | 89.248.201.43:80 | 89.248.201.43 | tcp | 1
GB | 142.250.200.14:443 | www.youtube.com | tcp | 1
GB | 172.217.169.33:443 | - | tcp | 1
GB | 216.58.201.97:443 | - | tcp | 1
US | 216.239.38.223:443 | - | tcp | 2
(rows are in logged order; consecutive identical rows are collapsed into the Connections count)

Note: six plaintext connections to 89.248.201.43:80 in this run, the same literal-IP endpoint seen in behavioral1 and behavioral2; the udp/443 rows to www.youtube.com are QUIC and belong to Google services on the image.

Files

/data/data/com.gamkstsaf.xopshmzuo/cache/classes.zip

MD5 992105042c21c7e01ea901e587897027
SHA1 ddf97ce5c6b9abc5e0f773ae270ebab654f60218
SHA256 103a38a4203e405c846698bb23630e185bb0a17fbb99c1580859830e12ee5e46
SHA512 8e6ddb5e9cc9047d4ec1a15325c8562132ca587f71203ed8a0545170bb20f1078801c1a5c4a7d9de68173af135f8b870e70b1000a750e51b37fb13b45e763970

/data/data/com.gamkstsaf.xopshmzuo/cache/classes.dex

MD5 cf61a5a4974c3d0304fca4d245eabb47
SHA1 0f3f1ad8fefc524874a82e6a032da113f4185193
SHA256 9dc65bbf7ce55da341975d314041e77e842abafa420613bb0d8343edba4c005c
SHA512 2b508712edbed2801b0afe5ae5a3e942d015682e62c434bce1e0d428f67affc834c7dac7bdf84bb8c7110e9cae5a82dea0daab38af58af7d13e3f3f99c38d42d

/data/data/com.gamkstsaf.xopshmzuo/app_dex/classes.dex

MD5 e1495a9d3763521120baab7ad49993ae
SHA1 691a2c40a6f7bb433e0bae39a5905d1dbb760270
SHA256 d248dd160c174e59a057cfe9267200619974798fafc1bde37d1f8e4332510649
SHA512 ea986489613d7508d8f5dea3f96b83fad17bc05305a88db194b242e9395aad2ecbeeac912c2560a651a8d4de62d137ceac83c01960c7aed06b5bb832e6e78a77

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-journal

MD5 2383b83ad23159736785af68fe3fb26b
SHA1 2071b3a5a13b78a1486ef4e2cc73c1680376ab77
SHA256 886581b9e8fd46f3604edd20718163daf9f7cc901cd3d384264f05b3b7473be8
SHA512 38a18f23aace3f16abb2c16a1de8b8abc710f6f319f24e26a38f2ca46a8418ae2bceb55c7d68d0e428d4b2d484eaab9f2e67846b7dd689123b4e330659ff5f3d

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 b2cd39f1a943716fbd83f5af1a2c38a3
SHA1 d6057a778f94cf0cf4265e96316518892cff399f
SHA256 02bdc58bafd0306bcc7c0b7d1dbf7888c82beaeb9446cedd86029a5fd72e5e47
SHA512 7cdb831846dba66f5c31ba653883d470a07a89a0627511b1cceec3339ce8ef586941ac71feab6605801e66043096588161469291497e9d84279b46e51662552f

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 7eac89354330eab4d300cf20710a8973
SHA1 45c215750e279797dc0058e47b2a7a10f54eb88b
SHA256 a4c79708fb1d81367a0e7f6ca2c94f2da8eee1b087751db12da2f47d4aa5f2ba
SHA512 8e3021871070b5572c19b5e6ed104b2d67c5890956a3a47b194ba3b0c47acadab6e0b006a0079f0c78f0f6e0b1f8174ecca6b063fe0b54b74c66c57504c6ae53

/data/data/com.gamkstsaf.xopshmzuo/no_backup/androidx.work.workdb-wal

MD5 0014e25f58a129d789be53e784289c96
SHA1 d3fd89842785d432ca4e5a8d3a8ebaa726a7bb49
SHA256 e8aa46ac02df689cb41340bf28e202de70a9341fbfb9b307b1a3c8cba165d667
SHA512 ec482df33428787f7bd8878f93e8f144ddefd10adb19f01ec987f4ca52b04745f93243b2b831d7c703cd8a4b77c1064e269c17258ee8586d69a1818ffb934aee
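Not every hash in the three Files sections is a usable indicator. cache/classes.zip, cache/classes.dex and app_dex/classes.dex carry the same SHA256 in all three detonations, so they identify the dropped payload; the androidx.work.workdb files belong to WorkManager (the framework library behind the IJobScheduler.schedule calls) and differ on every run, so they identify nothing. Two details deserve a caveat: on current Android /data/data is a symlink to /data/user/0, so the behavioral1 entries for app_dex/classes.dex under both paths refer to the same file captured at different moments, and the differing hashes suggest the file was rewritten between captures (consistent with the "Loads dropped Dex/Jar" row firing three times in that run); and the -shm file hashes identically everywhere because it is a fixed-size, mostly zero SQLite shared-memory map, not because it is payload. The Python below is an added example, not part of the report, that applies these rules to the observations above. SHA256 values are truncated to 16 hex characters for readability; use the full values from the report when blocking or hunting.

```python
from collections import defaultdict
import re

# (run, path, sha256 prefix) triples copied from the three Files sections above;
# hashes are truncated to 16 hex chars here for readability.
P = "/data/data/com.gamkstsaf.xopshmzuo"
RUNS = ("b1", "b2", "b3")
OBSERVED = [
    # payload staging chain, identical in every run
    *[(r, P + "/cache/classes.zip", "103a38a4203e405c") for r in RUNS],
    *[(r, P + "/cache/classes.dex", "9dc65bbf7ce55da3") for r in RUNS],
    *[(r, P + "/app_dex/classes.dex", "d248dd160c174e59") for r in RUNS],
    # same file through the /data/user/0 path, captured later, behavioral1 only
    ("b1", "/data/user/0/com.gamkstsaf.xopshmzuo/app_dex/classes.dex", "21885efeb17d140f"),
    # WorkManager database and its journals
    ("b1", P + "/no_backup/androidx.work.workdb", "0a8ffb6b32796355"),
    ("b2", P + "/no_backup/androidx.work.workdb", "0a8ffb6b32796355"),
    ("b3", P + "/no_backup/androidx.work.workdb", "9010186c5c083155"),
    *[(r, P + "/no_backup/androidx.work.workdb-shm", "c35020473aed1b46") for r in RUNS],
    ("b1", P + "/no_backup/androidx.work.workdb-journal", "922e4d655d385bca"),
    ("b2", P + "/no_backup/androidx.work.workdb-journal", "e90b8a9d79c64959"),
    ("b3", P + "/no_backup/androidx.work.workdb-journal", "886581b9e8fd46f3"),
    *[("b1", P + "/no_backup/androidx.work.workdb-wal", h)
      for h in ("72a524ad27404e23", "44f8acc11cca7eff", "8ca4eb9f9aa491b1")],
    *[("b2", P + "/no_backup/androidx.work.workdb-wal", h)
      for h in ("aa321107b21d1684", "6bc45a28a44ff5a1", "59023bc3b85be371")],
    *[("b3", P + "/no_backup/androidx.work.workdb-wal", h)
      for h in ("02bdc58bafd0306b", "a4c79708fb1d8136", "e8aa46ac02df689c")],
]

# Paths owned by a framework component rather than by the payload.
NOISE = re.compile(r"/no_backup/androidx\.work\.workdb")

def classify(observed):
    """Group observations by path and label each path's evidentiary value."""
    runs = {run for run, _, _ in observed}
    by_path = defaultdict(lambda: {"hashes": set(), "runs": set()})
    for run, path, digest in observed:
        by_path[path]["hashes"].add(digest)
        by_path[path]["runs"].add(run)
    result = {}
    for path, info in by_path.items():
        if NOISE.search(path):
            status = "noise"        # framework-owned; content is run-specific
        elif len(info["hashes"]) > 1:
            status = "volatile"     # content changed between captures
        elif info["runs"] == runs:
            status = "stable"       # same bytes in every detonation
        else:
            status = "single-run"   # seen once; corroborate before relying on it
        result[path] = {"hashes": info["hashes"], "runs": info["runs"], "status": status}
    return result

def ioc_candidates(observed):
    """(path, hash) pairs worth pushing to a blocklist: stable across all runs."""
    return sorted((path, next(iter(info["hashes"])))
                  for path, info in classify(observed).items()
                  if info["status"] == "stable")

if __name__ == "__main__":
    for path, digest in ioc_candidates(OBSERVED):
        print(digest, path)
```

The same shape of filter, run over a sandbox's JSON export rather than hand-copied rows, is what keeps a threat-intel feed from filling up with SQLite journal hashes.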