Malware Analysis Report

2025-08-05 10:12

Sample ID 241016-2sljtaxemh
Target b96067ce0e48f1cdf3761dd18fa7a0a1b0e6f7b421dd2d9367bd5a682ea10280.bin
SHA256 b96067ce0e48f1cdf3761dd18fa7a0a1b0e6f7b421dd2d9367bd5a682ea10280
Tags
persistence collection credential_access evasion
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b96067ce0e48f1cdf3761dd18fa7a0a1b0e6f7b421dd2d9367bd5a682ea10280

Threat Level: Shows suspicious behavior

The file b96067ce0e48f1cdf3761dd18fa7a0a1b0e6f7b421dd2d9367bd5a682ea10280.bin was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence collection credential_access evasion

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-16 22:50

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-16 22:50

Reported

2024-10-16 22:53

Platform

android-x86-arm-20240624-en

Max time kernel

11s

Max time network

127s

Command Line

kr.or.knfa.nfct.ah

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

kr.or.knfa.nfct.ah

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 down.sinhan-bank.com udp
US 172.67.134.184:443 down.sinhan-bank.com tcp
US 1.1.1.1:53 jhjdlkjeifhsl989.na333.top udp
US 172.67.168.210:443 jhjdlkjeifhsl989.na333.top tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-16 22:50

Reported

2024-10-16 22:53

Platform

android-x64-20240624-en

Max time kernel

12s

Max time network

156s

Command Line

kr.or.knfa.nfct.ah

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

kr.or.knfa.nfct.ah

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 down.sinhan-bank.com udp
US 104.21.6.104:443 down.sinhan-bank.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 jhjdlkjeifhsl989.na333.top udp
US 104.21.38.238:443 jhjdlkjeifhsl989.na333.top tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
GB 172.217.16.238:443 tcp
GB 216.58.204.66:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-16 22:50

Reported

2024-10-16 22:53

Platform

android-x64-arm64-20240910-en

Max time kernel

11s

Max time network

150s

Command Line

kr.or.knfa.nfct.ah

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Processes

kr.or.knfa.nfct.ah

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.187.238:443 www.youtube.com tcp
US 1.1.1.1:53 down.sinhan-bank.com udp
US 172.67.134.184:443 down.sinhan-bank.com tcp
US 1.1.1.1:53 jhjdlkjeifhsl989.na333.top udp
US 104.21.38.238:443 jhjdlkjeifhsl989.na333.top tcp
GB 216.58.201.110:443 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
US 216.239.36.223:443 tcp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.193:443 tcp
GB 216.58.201.97:443 tcp
US 216.239.34.223:443 tcp
US 216.239.34.223:443 tcp

Files

N/A