Malware Analysis Report

2025-08-10 16:44

Sample ID 241014-wb8ecs1gkk
Target 56dce6831256860e67f0f9b0f7cd592e57dd9f73a10913cbe4119efb64eafaae.zip
SHA256 fa11f94d64a4177a6ee9c1accea1b68d86eed41207452d6887740a14b3f7ba93
Tags
collection credential_access discovery evasion persistence stealth trojan impact
score
8/10


Analysis Overview

score
8/10

SHA256

fa11f94d64a4177a6ee9c1accea1b68d86eed41207452d6887740a14b3f7ba93

Threat Level: Likely malicious

The file 56dce6831256860e67f0f9b0f7cd592e57dd9f73a10913cbe4119efb64eafaae.zip was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion persistence stealth trojan impact

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Reads information about phone network operator.

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 17:45

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 17:45

Reported

2024-10-14 17:47

Platform

android-x86-arm-20240624-en

Max time kernel

56s

Max time network

62s

Command Line

stout.frame.backspace.atypical

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

stout.frame.backspace.atypical

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 17:45

Reported

2024-10-14 17:47

Platform

android-x64-20240624-en

Max time kernel

50s

Max time network

65s

Command Line

stout.frame.backspace.atypical

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

stout.frame.backspace.atypical

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-14 17:45

Reported

2024-10-14 17:47

Platform

android-x64-arm64-20240624-en

Max time kernel

51s

Max time network

67s

Command Line

stout.frame.backspace.atypical

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

stout.frame.backspace.atypical

Network


Files

N/A