Malware Analysis Report

2025-08-05 11:54

Sample ID 241015-1zs2sszbpf
Target 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.bin
SHA256 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d
Tags collection credential_access discovery evasion execution persistence stealth trojan impact
Score 8/10

Analysis Overview

Score 8/10

SHA256 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d

Threat Level: Likely malicious

The file 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.bin was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion execution persistence stealth trojan impact

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported 2024-10-15 22:05

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-15 22:05
Reported 2024-10-15 22:08
Platform android-x86-arm-20240624-en
Max time kernel 147s
Max time network 129s

Command Line

org.twisevictory.apps

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json | N/A | N/A
N/A | /data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

org.twisevictory.apps

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/org.twisevictory.apps/app_DynamicOptDex/oat/x86/nAYGaDlhczKOcdhQ.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp

Files

/data/data/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json

MD5 a7d652c0740fe775d465ccc7a2b60a7e
SHA1 1c66ddf0dac433c8ee1d1eefc5c5fc340668ded9
SHA256 f63410ed9cb8cb2146ba2dc18784f960344f2c8882d112f07399f67a6d59322f
SHA512 2ebc1849996e8ae60ffb91795ccf7ed8614af520367edd70d958242f5d3c80f9289e5573d74869711afdfa30328cdf3bc20d79cef943f5fcc7050b06812fda0a

/data/data/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json

MD5 e6f00974f78355e6e9fcce1074bd27e0
SHA1 99735a6e0cb0bb0a4cd5b41cd954d672353301fa
SHA256 e73e421ea07b1f9d4994ea94d7d3ce88e1a9a23567558802f5e7c761d8f5a531
SHA512 80951537aeaa66ed980994874e0480f2e508f44697f809fc1ad3b9d14b55e992cb048b18dc0788a8a0a6339cb24d85d02fd68c0328c49682316ef01ef5185999

/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json

MD5 6e66c9de2c10224f3cea97f276a31883
SHA1 9fc334522d9c215490e8e7f44689c54766d19f7b
SHA256 f77387dc66df6778e45f9082bf8fd5d5344d0f5e7c89db88c6dbf3ea1b450c5a
SHA512 81744b0726586b9b9b311f395599a901bc3eead36e18e1fcfe76598eaf4f09645ddacbfa8e7bdd4d4c1462dd2b03d2638222ed0fb59f0f898b0beaac7376548f

/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json

MD5 2dcb425afed845361996d40b9e29a2de
SHA1 29cd704d0cd49c0b813227d8395acaa85a3a53f9
SHA256 8fa4b04136401f0f2ca892b7dd75245bd643636926ae9270fe7b1aa04a690b58
SHA512 79a5990311cd843e64d64c7f235e06ded1c78a7eb319dc233437743f47cd9246661c03a3a4b2d7874a5a3f2f8e6c3774c83763af59f1852be969f7e643585cce

/data/data/org.twisevictory.apps/app_DynamicOptDex/oat/nAYGaDlhczKOcdhQ.json.cur.prof

MD5 5d79673d5a17aef37aa37a9fb3b08369
SHA1 ee71afb25a19a7a4c4ebdeaf3ffeb9db7b885b5f
SHA256 d6a5bbdc54b52313460eaf182fd227bb6b3ead92597ca254d29e846b85f781ca
SHA512 5e645a774497898208c83ccc804eef9ea3fd672e22c691c2bdcacb1a059420eaa07c4058d1b6777955af17674d9d5db21579c19a2761a8ea39f3281730f0cf9c

Analysis: behavioral2

Detonation Overview

Submitted 2024-10-15 22:05
Reported 2024-10-15 22:08
Platform android-x64-arm64-20240624-en
Max time kernel 136s
Max time network 132s

Command Line

org.twisevictory.apps

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

org.twisevictory.apps

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp

Files

/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json

MD5 a7d652c0740fe775d465ccc7a2b60a7e
SHA1 1c66ddf0dac433c8ee1d1eefc5c5fc340668ded9
SHA256 f63410ed9cb8cb2146ba2dc18784f960344f2c8882d112f07399f67a6d59322f
SHA512 2ebc1849996e8ae60ffb91795ccf7ed8614af520367edd70d958242f5d3c80f9289e5573d74869711afdfa30328cdf3bc20d79cef943f5fcc7050b06812fda0a

/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json

MD5 e6f00974f78355e6e9fcce1074bd27e0
SHA1 99735a6e0cb0bb0a4cd5b41cd954d672353301fa
SHA256 e73e421ea07b1f9d4994ea94d7d3ce88e1a9a23567558802f5e7c761d8f5a531
SHA512 80951537aeaa66ed980994874e0480f2e508f44697f809fc1ad3b9d14b55e992cb048b18dc0788a8a0a6339cb24d85d02fd68c0328c49682316ef01ef5185999

/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json

MD5 6e66c9de2c10224f3cea97f276a31883
SHA1 9fc334522d9c215490e8e7f44689c54766d19f7b
SHA256 f77387dc66df6778e45f9082bf8fd5d5344d0f5e7c89db88c6dbf3ea1b450c5a
SHA512 81744b0726586b9b9b311f395599a901bc3eead36e18e1fcfe76598eaf4f09645ddacbfa8e7bdd4d4c1462dd2b03d2638222ed0fb59f0f898b0beaac7376548f

/data/user/0/org.twisevictory.apps/app_DynamicOptDex/oat/nAYGaDlhczKOcdhQ.json.cur.prof

MD5 05f0081cf3f8900e9c92ed87eb0bc243
SHA1 9fdb4d49c9c63909d01b1c3698d4f31ccf47016c
SHA256 d41a61f26a1e1d9d41ac10f376d7423bd9bce7c43ae40a7c7ae0944f9f91c936
SHA512 7bea586223c9c54829d89212b503c5c8b3afc91deb5dedfaea61bc39c75baa373970c01339fb00c9c39093e68f5a79a4fd7f05333a20e20d420672795805353f