Malware Analysis Report

2025-04-03 14:12

Sample ID 241104-zbbbeaxckr
Target baf5bd5d99a20b1581db2a999a40a98a833b12fb1a6fe5eedf9ca34e8a93e8f6.apk
SHA256 baf5bd5d99a20b1581db2a999a40a98a833b12fb1a6fe5eedf9ca34e8a93e8f6
Tags: banker collection credential_access discovery evasion impact persistence
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file baf5bd5d99a20b1581db2a999a40a98a833b12fb1a6fe5eedf9ca34e8a93e8f6.apk was found to show suspicious behavior.

Malicious Activity Summary

banker collection credential_access discovery evasion impact persistence

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:32

Signatures

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:32

Reported

2024-11-04 20:35

Platform

android-x64-20240624-en

Max time kernel

102s

Max time network

157s

Command Line

com.support.litework

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.support.litework

Network


Files

/data/data/com.support.litework/files/profileInstalled

MD5 833258ce694380aba4e3cf7ced9945df
SHA1 5d73f4c7dd812e786c1d9b0e067a36dafcf1d860
SHA256 6928466daeab220299655707c11ef21660383207048ae5eca7c5d8f742683576
SHA512 bd20e296bc73c1227e30629ac5383d145809a2aab975298f16c4d297802ea770c1052db0c4939569d8575e978c4075e09c34ddbad66c28b45532a398bb48b2e3

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 20:32

Reported

2024-11-04 20:35

Platform

android-x64-arm64-20240624-en

Max time network

157s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network


Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-04 20:32

Reported

2024-11-04 20:35

Platform

android-33-x64-arm64-20240624-en

Max time kernel

143s

Max time network

159s

Command Line

com.support.litework

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (identical row recorded 11 times)

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.support.litework

Network


Files

/data/data/com.support.litework/files/profileInstalled

MD5 dde37892ee72ab6357f71480b8e6220f
SHA1 6105063f107e639ee83976859af28a2564dddcc5
SHA256 1349473ebc1da38fbf2353febaa89669c3e193b602f7ae653d7dc26236b64530
SHA512 695222f72c85ddf3e66e335e97005d556fe6264bf581c1cc7a220614266278e26e589725c9fa34574611f6995f40e3ec808f36b9a8bac2c26abe14fd71f0ecd7

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-04 20:32

Reported

2024-11-04 20:35

Platform

android-x86-arm-20240624-en

Max time kernel

145s

Max time network

156s

Command Line

com.support.litework

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (identical row recorded 2 times)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.support.litework

Network


Files

/data/data/com.support.litework/files/profileInstalled

MD5 b81aa1dc18aa0b026c7d86ff205f7207
SHA1 d887319054909c7637291a0ecd63f18bacc6762c
SHA256 818bd4385700b53d2c4b3e2a8cf719c6d0c200e15dc178d17361983d7714ed31
SHA512 7524514f9ecb44b25d06715fe5c6d88331e4c3336f3d43f9595bf710082db0782823acd9b3cbbebe26d2e52a199d8fb7b9bba74ac4fc59a91692246118bb3c39