Malware Analysis Report

2024-10-19 13:01

Sample ID: 241011-13qqva1erq
Target: 6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c.bin
SHA256: 6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c
Tags: hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10
SHA256: 6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c
Threat Level: Known bad

The file 6d9b27d9114543149f0608beba457a21ec585db965edd405e9dbc5055767dd5c.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

Attempts to obfuscate APK file format

Queries the mobile country code (MCC)

Acquires the wake lock

Reads information about the phone network operator

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-11 22:10

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-11 22:10
Reported: 2024-10-11 22:13
Platform: android-x86-arm-20240910-en
Max time kernel: 128s
Max time network: 154s

Command Line

com.cdhzvploq.qkuswmgxh

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex | N/A | N/A (reported 3 times)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (reported 5 times)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cdhzvploq.qkuswmgxh

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.cdhzvploq.qkuswmgxh/cache/classes.zip

MD5 4d6cdc33360fd3986179fafa891adff8
SHA1 86ab24122adc62b6fb9b35a3b0ac0c56f56f50f6
SHA256 d3e08e70a5b634b11e67ccaa483b85e15a8b978baa440fc466c83b610fe7e74a
SHA512 fdcf1a6a3953124a275522ef2ba5b38036b44380cb8bd10c801aff1a4c5180df546c3c3381ccb2809d58f9239f9ad8dc172215df195d39d0b6bf0e6a59d048c6

/data/data/com.cdhzvploq.qkuswmgxh/cache/classes.dex

MD5 75d265b76567934bd29642e279dc7e77
SHA1 364a560e55e4e78ed102fcf6d4a6e55272320732
SHA256 20775d34b114f934c29ed4ee340036e87fb890a5bdbbdcc8f65bde43839a7cb9
SHA512 f0ce1a0dc7d9619277b10aff30ceb60b194285a34bcd559661d0b1871c383ffae089f144cb296ff6ffdbd70a4f060c1bc7297181438bf295b2ee38e183fd91b4

/data/data/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex

MD5 363cc5155b51e5be849b1fc7b10003e3
SHA1 4c2ea09dbc62583193118bad444189c98dfc0916
SHA256 0880253110447ef29ae564d170f8ef91e0a24147ecfbd0aabde4a83de9319324
SHA512 88c5298de742e1568b5bec501b4a1e6e9d3033d020cf7c69090704d20c5a532d4508424a2a5b2306e3d1c3e3c1d53faf4b81bebcc20810458a11d490c2b34f84

/data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex

MD5 3733540aeabca08c300f16ea1969234a
SHA1 fa8800d1a386e034e336a0f294fa750921b2788a
SHA256 cca4c1fd4714ad777b0cdfbdedfac8cfff886f3dcb0d2bec248836fca487d557
SHA512 d113e7fd0f0fb01800fe20ce6eb483d2ffe41749f512f52d1295c8f3266ede60bacc70123b6cf2424f013e96800d9a6185f32b67fc3dee93511930c517e7c335

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-journal

MD5 e7a861001e285f3285c43394ce924537
SHA1 fb67aacebbcec5c220cc722ab82d4f38cf2835aa
SHA256 0911ec9c9fea8eaa2165c123915ab58a26b69fc039d8c8fa96e58d207fbbe3c0
SHA512 97a8e388dcb7ab1df9f5035f299551cb5e0f37c319fa9e8f3aadd8563c4303a6b15682a67f123f3a4f5064d67404d09d99d9138a210683ed953d42348e01a8af

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 568fd868b57142ebc4b003fe6b8e6017
SHA1 23b5c77ce06ba3cf911ef89fc17210b626cf1e68
SHA256 b7fc5c2e9b400c0c60d847213ab295671d2db8462fea47791e78e400505776ff
SHA512 6320ee4df510d6eef0c5bafcbbe99af78b347ddc46b3a34709636bcd502f1435b16967a80d34d1aa1ab7806980a1a4dde1e36be270f8b6c941ba182f3253cda7

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 6617cd3feac92620d8888c7b4843e447
SHA1 5c0a2901ce262cdfb785f16acdca9efdc54a5405
SHA256 677284734a7d157753887a76817adadc89d925036458f9a7f97f92c0b7913658
SHA512 4cd204b4cbb2061092622f6541cd984a1ac2202c5dc5cf43ecb900e01fb0d65a55363bb5d443dd7c0728ea8e57a46d7d0b5e7edf8e63d157124a355800f95504

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 125ceb892d6c24181852bdd26b35eddb
SHA1 d34a624a15456a2e5b427570ff8e3ca29836448d
SHA256 28aa572fda1201a18b6441a56ada9e5ecb05038f7ce9cbd240f71afd72ff622c
SHA512 183ee4ebd829cd3cd6cd4be2b6738aa72b913e0c75e6bb3d775a460a871ececa5a4e94602ee1704126e43b086a5368cf8a66f1d50693df66684a09576abd16a2

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-11 22:10
Reported: 2024-10-11 22:13
Platform: android-x64-20240910-en
Max time kernel: 149s
Max time network: 154s

Command Line

com.cdhzvploq.qkuswmgxh

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex | N/A | N/A (reported 2 times)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (reported 8 times)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cdhzvploq.qkuswmgxh

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.201.106:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
GB | 216.58.201.98:443 | | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp

Files

/data/data/com.cdhzvploq.qkuswmgxh/cache/classes.zip

MD5 4d6cdc33360fd3986179fafa891adff8
SHA1 86ab24122adc62b6fb9b35a3b0ac0c56f56f50f6
SHA256 d3e08e70a5b634b11e67ccaa483b85e15a8b978baa440fc466c83b610fe7e74a
SHA512 fdcf1a6a3953124a275522ef2ba5b38036b44380cb8bd10c801aff1a4c5180df546c3c3381ccb2809d58f9239f9ad8dc172215df195d39d0b6bf0e6a59d048c6

/data/data/com.cdhzvploq.qkuswmgxh/cache/classes.dex

MD5 75d265b76567934bd29642e279dc7e77
SHA1 364a560e55e4e78ed102fcf6d4a6e55272320732
SHA256 20775d34b114f934c29ed4ee340036e87fb890a5bdbbdcc8f65bde43839a7cb9
SHA512 f0ce1a0dc7d9619277b10aff30ceb60b194285a34bcd559661d0b1871c383ffae089f144cb296ff6ffdbd70a4f060c1bc7297181438bf295b2ee38e183fd91b4

/data/data/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex

MD5 363cc5155b51e5be849b1fc7b10003e3
SHA1 4c2ea09dbc62583193118bad444189c98dfc0916
SHA256 0880253110447ef29ae564d170f8ef91e0a24147ecfbd0aabde4a83de9319324
SHA512 88c5298de742e1568b5bec501b4a1e6e9d3033d020cf7c69090704d20c5a532d4508424a2a5b2306e3d1c3e3c1d53faf4b81bebcc20810458a11d490c2b34f84

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-journal

MD5 fd4b892be70eb252b524ae8ccfddb12d
SHA1 bf864907294a0faedd01b8824e07b6d905cf90e7
SHA256 725b0512808726f8426d62b799b96f112d07f913c84dbf3a949c57044a02d87c
SHA512 e22beed342379a69e01f51e41d50b3982c607246718a0e74163de02de3ce3f3109aa03600c9b2ffd613ab8544bc7a5a4a6329542dbe3cc0e1a2694a563660b75

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 061a92adfa6c0aa73b1ea019599f1657
SHA1 97f802c6de35c7e73fd5ac5d22f1f49a0f8be65f
SHA256 04366e8a81190564adcd0747c37d7fe2315cc6ca3e34b82a73dbeb8de65c7c2b
SHA512 3f33d0a2c28faa73c257f557fc35de61020dcb2e4ab75e4957d97861aaf5ba105b00749fb4dce73d28d7a8452e1621ea303ece844f9be6d1177e804f647bc419

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 e1b253b13e87197429cad2b4b699911a
SHA1 b785f2b9c6b214c5fd0139b79f593062383665af
SHA256 0876da5d6a191786c9ae5c20428f5447e2d5d810d14d205693556faafc9816b2
SHA512 5386ae12b6eec2917c77d0f1afae1a52103b92d5771a36d286cc460707035d5d86bda799ac517ce8c1256236e8661015ed91a016bc1fb003d73de19abc2325d1

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 56ffe2d3d3bc2a7ad3ce2802afb0c8ac
SHA1 026bf9bba6f238583fb0fbb757408652dd6e8cdf
SHA256 0da76f5b0d059f9f6825421da75dbb90e0f357fff332eb6f0b548e7ec8917df0
SHA512 020a08cb718f3eb6954b25181231e5e19438abc29df8d78602b0ef4f9583ce07e9ae8b9e704efcbc66665c1b7d45ebc146c27d5762f4fd2d7e12c61576a4d378

Analysis: behavioral3

Detonation Overview

Submitted: 2024-10-11 22:10
Reported: 2024-10-11 22:13
Platform: android-x64-arm64-20240910-en
Max time kernel: 149s
Max time network: 155s

Command Line

com.cdhzvploq.qkuswmgxh

Signatures

Hook

rat trojan infostealer hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex | N/A | N/A (reported 2 times)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (reported 19 times)

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.cdhzvploq.qkuswmgxh

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 172.217.169.46:443 | www.youtube.com | udp
GB | 172.217.169.46:443 | www.youtube.com | tcp
GB | 216.58.204.78:443 | www.youtube.com | tcp
US | 216.239.32.223:443 | | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
RU | 194.26.135.117:80 | 194.26.135.117 | tcp
GB | 172.217.16.238:443 | www.youtube.com | tcp
GB | 142.250.187.225:443 | | tcp
US | 216.239.32.223:443 | | tcp
GB | 142.250.178.1:443 | | tcp
US | 216.239.32.223:443 | | tcp

Files

/data/data/com.cdhzvploq.qkuswmgxh/cache/classes.zip

MD5 4d6cdc33360fd3986179fafa891adff8
SHA1 86ab24122adc62b6fb9b35a3b0ac0c56f56f50f6
SHA256 d3e08e70a5b634b11e67ccaa483b85e15a8b978baa440fc466c83b610fe7e74a
SHA512 fdcf1a6a3953124a275522ef2ba5b38036b44380cb8bd10c801aff1a4c5180df546c3c3381ccb2809d58f9239f9ad8dc172215df195d39d0b6bf0e6a59d048c6

/data/data/com.cdhzvploq.qkuswmgxh/cache/classes.dex

MD5 75d265b76567934bd29642e279dc7e77
SHA1 364a560e55e4e78ed102fcf6d4a6e55272320732
SHA256 20775d34b114f934c29ed4ee340036e87fb890a5bdbbdcc8f65bde43839a7cb9
SHA512 f0ce1a0dc7d9619277b10aff30ceb60b194285a34bcd559661d0b1871c383ffae089f144cb296ff6ffdbd70a4f060c1bc7297181438bf295b2ee38e183fd91b4

/data/data/com.cdhzvploq.qkuswmgxh/app_dex/classes.dex

MD5 363cc5155b51e5be849b1fc7b10003e3
SHA1 4c2ea09dbc62583193118bad444189c98dfc0916
SHA256 0880253110447ef29ae564d170f8ef91e0a24147ecfbd0aabde4a83de9319324
SHA512 88c5298de742e1568b5bec501b4a1e6e9d3033d020cf7c69090704d20c5a532d4508424a2a5b2306e3d1c3e3c1d53faf4b81bebcc20810458a11d490c2b34f84

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-journal

MD5 9793e0e4b0ff8fc73bb62ef68becd97c
SHA1 7a1ca2bbe11b27000a6f41e317ea92343b8ae089
SHA256 30f2307f9390501d9c2f65e3ffe87d01fc1c1205a5bb1e8c674d913e5dc90068
SHA512 987f871c3956849afc5eadc0fb208abf773249afbd99cf375667ce6e17559623fb79569c3acfac736770978184136b5879b4fa464725d275d3c3c84dbf05c506

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 04f8fbd730f9bb8b359a2ca0a6b09a2f
SHA1 69e48665b6749fc428719195e9dc64b8ea921987
SHA256 5a785daf063f6ea50184c5a2f715c1aafec19efac831b4126cafdff333f21405
SHA512 c516d8a0a07eea54a8aca4f2559801608f74af11fd240cfdd6a857ff4d945c532112409d83ecd297cc7523c5e1e8222e9eefb9277406c1e5bbbe7cddb8aa4f35

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 b9cdf91a3e09043913f0ea387c69a04b
SHA1 11bdcaacce17e261e78f8221006ca783f0a9793d
SHA256 91e0a91aae2aafbdd3f788fb359415f58227cee949ba8b03f61a33829023b544
SHA512 244010c654ed9124a8a6bafdc4dc659f96288df7d429cda3a047ab18c8fe3f5ab5ed5e30b073e2f86800379cf9c1546518af153f522eb4715c5e76ced2e9cf0e

/data/data/com.cdhzvploq.qkuswmgxh/no_backup/androidx.work.workdb-wal

MD5 f35c4f747e05b727d2f101a52319ae56
SHA1 5f77009085525bbb70633aa61475f29fa218c44e
SHA256 ab1655773f11d5168481a780a786f03398432ca5e927d7d977d1d47e120b4415
SHA512 6c3c10482a321e523ef30e26a0880e711dfe51f2c16c6527a14141fbd5f4aa49359fe9608947735c9f503843246a45180dceee2648fb4fcd3ff9fc3bebc12a05