Malware Analysis Report

2025-08-10 16:44

Sample ID 241014-vt6stawfmd
Target 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc
SHA256 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc
Tags
collection credential_access discovery evasion impact persistence stealth trojan
score
8/10


Analysis Overview


Threat Level: Likely malicious

The file 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc was found to be: Likely malicious.

Malicious Activity Summary

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Requests disabling of battery optimizations (often used to enable hiding in the background).

Reads information about the phone network operator

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 17:17

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 17:17

Reported

2024-10-14 17:18

Platform

android-33-x64-arm64-20240624-en

Max time kernel

29s

Max time network

37s

Command Line

suds.expend.affiliate.rising

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Reads information about the phone network operator

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

suds.expend.affiliate.rising

Network


Files

/data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex

MD5 f9d5b402acee67675f87d33d7d52b364
SHA1 c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b
SHA256 6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359
SHA512 6b64569a675dd1186e11aebbc136d7cbd302f02493b48e82fe0916bdd86547a40b3e988a4c122895b11c562d857e0311b851f80b4915e28bf9111140afd47a31

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 17:17

Reported

2024-10-14 17:18

Platform

android-x86-arm-20240624-en

Max time kernel

29s

Max time network

34s

Command Line

suds.expend.affiliate.rising

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex | N/A | N/A
N/A | /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex | N/A | N/A
N/A | /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

suds.expend.affiliate.rising

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/data/suds.expend.affiliate.rising/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex

MD5 f9d5b402acee67675f87d33d7d52b364
SHA1 c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b
SHA256 6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359
SHA512 6b64569a675dd1186e11aebbc136d7cbd302f02493b48e82fe0916bdd86547a40b3e988a4c122895b11c562d857e0311b851f80b4915e28bf9111140afd47a31

/data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex

MD5 a499d4c87d704e28c1d74fd352da5c84
SHA1 92a3bef63121a495aaf390497514f5d7d3d91abd
SHA256 9a871e9dd626e236bfa8f438e32dbe42f1b68ae5900bd8636fd37d438b596813
SHA512 c5360a5418b3a67eac85abc3523b2f07f58d596ed23ea90a486f526455a9ca497cd873f32bf18adefd16fcbd369296cd87d5a3ff3aaf4bf8fdfe60a749815db9