Malware Analysis Report

2025-08-10 16:45

Sample ID 241014-v2q3bsxard
Target b4b3ab34deb00c4c55ac990c2e276841601e6ccaf7357b65f147a99a49b049ac
SHA256 b4b3ab34deb00c4c55ac990c2e276841601e6ccaf7357b65f147a99a49b049ac
Tags
collection credential_access discovery evasion persistence
Score
7/10

Analysis Overview

Score
7/10

SHA256

b4b3ab34deb00c4c55ac990c2e276841601e6ccaf7357b65f147a99a49b049ac

Threat Level: Shows suspicious behavior

The file b4b3ab34deb00c4c55ac990c2e276841601e6ccaf7357b65f147a99a49b049ac was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion persistence

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Loads dropped Dex/Jar

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-10-14 17:29

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 17:29

Reported

2024-10-14 17:30

Platform

android-x86-arm-20240624-en

Max time kernel

50s

Max time network

58s

Command Line

com.parvane.app

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.parvane.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 180.131.145.85:3000 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 180.131.145.85:3000 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 180.131.145.85:3000 | | tcp
GB | 142.250.178.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 180.131.145.85:3000 | | tcp

Files

/data/misc/profiles/cur/0/com.parvane.app/primary.prof

MD5 4719f8d69a817a4b188d2d7a23c38dab
SHA1 e1681db1f807c553c700f583daaca7b733ba0f53
SHA256 320e8c68950b0af91f29c6f8f09d05c19dcdeca1699469172125babc4b82e7e9
SHA512 f3ed3d6a09fb06f7edd2b8ff7692715ada0c786b2f970ddf0ddbc4004f4a37043a8edc1461015e6842cab821ed437bb7dd684f2e312a1a4f3bd4a90287ae6e1f

/data/data/com.parvane.app/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 7b2633efa49a2839464a277cbca1ce1d
SHA1 c7a4566d2957b9ef04df9f67ad2b5ada25e3db5f
SHA256 9bab63f445ea1a8542484ea1d00d82b42335064e5c4b6c9c860f1f385fbf6edb
SHA512 13287d748a1589f20bbd4870f14ea95b308ced2250c8b70c52ab3d4a4c244653a6e417cc65ca841f83dd868fd4d163b128c38f9a4cf2b71180ceaabe2a2d6291

/data/data/com.parvane.app/files/profileInstalled

MD5 d340ec46d6a83ed679deb3b7f4e848b7
SHA1 10dd3602524760528b4bcf55d2f095f7d659da2e
SHA256 4c780ae3fda5be922da2fb529b3533e0f0b20f9b8bcc40265a53becd756a2aad
SHA512 213c5b5c4d7bc52d5dfbccef8d2bb807e760a89b4a4ed874e23e4b36827d7db25f6106a09ef88fd3439e510e82ee650842f6fb7ddeafca2c81ca76ff01834a65

/data/misc/profiles/cur/0/com.parvane.app/primary.prof

MD5 3a0f8e09d66248150090383d751dac66
SHA1 4ccec4a33b3fd0bc0d4ddd6bcb77c2dd7fbeff96
SHA256 1b5340fd0316116805e08dc5e0812a17dcf42bdfd04fb89adf0f9d1eadc79e58
SHA512 a1c0c0a53cc69a3dc2e3a3fb447b5595bae18bf2288bcce139a1f38c308b294e0e183b43bd27367fe19c66de6631d135713e0ca298726b55a7bcdfcae87278e5

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 17:29

Reported

2024-10-14 17:30

Platform

android-x64-20240624-en

Max time kernel

49s

Max time network

60s

Command Line

com.parvane.app

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.parvane.app

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 180.131.145.85:3000 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 180.131.145.85:3000 | | tcp
US | 180.131.145.85:3000 | | tcp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 180.131.145.85:3000 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/misc/profiles/cur/0/com.parvane.app/primary.prof

MD5 4719f8d69a817a4b188d2d7a23c38dab
SHA1 e1681db1f807c553c700f583daaca7b733ba0f53
SHA256 320e8c68950b0af91f29c6f8f09d05c19dcdeca1699469172125babc4b82e7e9
SHA512 f3ed3d6a09fb06f7edd2b8ff7692715ada0c786b2f970ddf0ddbc4004f4a37043a8edc1461015e6842cab821ed437bb7dd684f2e312a1a4f3bd4a90287ae6e1f

/data/data/com.parvane.app/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 3eb874626962d1dfac7fe40060514adc
SHA1 f523fb06fa8482628d11c46c68b51a2267fc429f
SHA256 f51c03255fd3b7778e5e9a5e5aa2c9276df945f99228e0fe86c4933bc618464b
SHA512 ae40c6d9421597a25d968e09d280b99995c5082051f7f5999392ecc20f4f9fd9602a86a0434f4b2064dc0919365adefb3db6332b2a6e25fc7fdd3c59d77a3593

/data/data/com.parvane.app/files/profileInstalled

MD5 cf36818691ecc17954fcf10244a7aff2
SHA1 715d7774c228c2fb19ac58dfda88341d443c4450
SHA256 aa78c644a2ddfb657efd35cc6a6b46011274c6b15a2bbafd02c33eb490bfc95c
SHA512 9e544081a40d8e0e2ce961ca15d0f2540fcefe33a1f0595f20c5c001e3de19ee33208ac2929bc93ba39d868d4cb1f0874527e076de58015e1d6d678b7d6ddd6c

/data/misc/profiles/cur/0/com.parvane.app/primary.prof

MD5 5797bb452e1db694d6ecc2d2af1ad1f7
SHA1 9f007e1f41c1b4b13b0d30cc1f68b155926483fe
SHA256 be2b31387eca50844852912094671172082317aeb197cfac39b8c695c9ba8087
SHA512 fc89ecb61cade5e2771edc63d454f416adf68a03fd3a1fbcaceae8e528aac4727ce2b37db852ef6df0c9c770a3da14b6b288afa2b099882eebbc26cf47d3a262

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-14 17:29

Reported

2024-10-14 17:30

Platform

android-x64-arm64-20240624-en

Max time kernel

47s

Max time network

67s

Command Line

com.parvane.app

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Processes

com.parvane.app

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.74:443 | | tcp
GB | 172.217.169.74:443 | | tcp
US | 180.131.145.85:3000 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 180.131.145.85:3000 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 180.131.145.85:3000 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 180.131.145.85:3000 | | tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/misc/profiles/cur/0/com.parvane.app/primary.prof

MD5 4719f8d69a817a4b188d2d7a23c38dab
SHA1 e1681db1f807c553c700f583daaca7b733ba0f53
SHA256 320e8c68950b0af91f29c6f8f09d05c19dcdeca1699469172125babc4b82e7e9
SHA512 f3ed3d6a09fb06f7edd2b8ff7692715ada0c786b2f970ddf0ddbc4004f4a37043a8edc1461015e6842cab821ed437bb7dd684f2e312a1a4f3bd4a90287ae6e1f

/data/data/com.parvane.app/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 fa2ba47d959bc905fa6c6a1f3a87d81e
SHA1 84cc9b9d8bbf24a6b218c00870f70f07dddb60fb
SHA256 998b91e6dc989e179e0b66a8ea8808900a2f8b57c25becabe89a708951253a7d
SHA512 cef015cee2ea3fc040c9c84a16f9cc8864d107102c35285f9546b71c57b67076411b28aeae4281f0e88149225042a1e2ae36bb83f63adc451ee3f58f7057bbba

/data/misc/profiles/cur/0/com.parvane.app/primary.prof

MD5 3d406670b37998748de1b2032c5f281d
SHA1 29b6c565464fd22d30f8b261f219af2df30da925
SHA256 3c38d1e85c9c83450344720aa25af08fe63716a19c0ddc74f94b1035ac373a40
SHA512 d36625bf2b329590abe6a09907c478b2b1e57d2300039a4ac0ab31d377061ee30cc39173850661afbfc322b545391d6ecfd2753db819902d32e5b46900948a0b