Malware Analysis Report

2024-12-01 03:01

Sample ID: 241107-v3f9hswgnd
Target: 934c686328aea5bddc4ff31be56a9697f9b8452b24874a4228ec7fdfd094f009
SHA256: 934c686328aea5bddc4ff31be56a9697f9b8452b24874a4228ec7fdfd094f009
Tags: banker discovery evasion persistence collection credential_access impact execution
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 7/10

SHA256: 934c686328aea5bddc4ff31be56a9697f9b8452b24874a4228ec7fdfd094f009

Threat Level: Shows suspicious behavior

The file 934c686328aea5bddc4ff31be56a9697f9b8452b24874a4228ec7fdfd094f009 was found to show suspicious behavior.

Malicious Activity Summary

banker discovery evasion persistence collection credential_access impact execution

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Acquires the wake lock

Checks the application is allowed to request package installs through the package installer

Requests permission to install additional applications from unknown sources

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 17:30

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by in-call services to bind with the system. Allows apps to handle aspects of phone calls while they are in progress. android.permission.BIND_INCALL_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application broad access to external storage, bypassing the limits of scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-07 17:30

Reported

2024-11-07 17:33

Platform

android-x86-arm-20240910-en

Max time kernel

1s

Max time network

150s

Command Line

com.sthpphbui.skbheonr

Signatures

N/A

Processes

com.sthpphbui.skbheonr

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 142.250.200.46:443 - tcp
GB 142.250.200.46:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp

Files

/data/data/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so

MD5 56c0b5563c66de286062dbb9856a1b97
SHA1 260ac0dcf966a1fa741722dd555c665d078f177f
SHA256 f194f5840b65a2f88acfe57e696166c4673fdc3fdfd06e30b13760c5df27b086
SHA512 55046f16efe1eb5f5ff9147bec7695e3543cc494b6a905b8f7f39f46ef323249c07ecb2b8bea7a01298ad8e51c54df54c1bcab6dc30bacf817e271056a3a6028

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 17:30

Reported

2024-11-07 17:33

Platform

android-x86-arm-20240624-en

Max time kernel

147s

Max time network

138s

Command Line

com.kohsqtsik.kkbdgmpf

Signatures

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by in-call services to bind with the system. Allows apps to handle aspects of phone calls while they are in progress. android.permission.BIND_INCALL_SERVICE N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests permission to install additional applications from unknown sources

evasion
Description Indicator Process Target
Intent action android.settings.MANAGE_UNKNOWN_APP_SOURCES N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application broad access to external storage, bypassing the limits of scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
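The static1 findings (four storage/install permissions plus two system-bind services) and the behavioral1 permission table above are only manifest declarations; what makes them meaningful is the combination. The following is an added example, not the sandbox's own signature logic, showing how to pull those declarations out of a decoded AndroidManifest.xml and flag the combinations that matter. It assumes the binary manifest has already been decoded (apktool or androguard); the manifest text, package name, class names and the verdict rules are this example's own constructions, while the permission names are the ones the report lists.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Capability buckets for the permissions listed in the static1 and behavioral1
# tables. Bucket names and verdict rules are this example's own, not the sandbox's.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS",
              "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.READ_CALL_LOG",
              "android.permission.WRITE_CALL_LOG"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
    "storage": {"android.permission.MANAGE_EXTERNAL_STORAGE",
                "android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
    "surveillance": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                     "android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.ACCESS_BACKGROUND_LOCATION"},
}
# Signature-level permissions only the system holds. An app that guards one of
# its own services with them is asking the system to bind to that service.
SYSTEM_BIND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.BIND_INCALL_SERVICE": "incall",
}

# Constructed manifest (not extracted from the sample): declares the same
# permissions and bind-protected services the report lists, under placeholder names.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application android:label="Update">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".CallService"
             android:permission="android.permission.BIND_INCALL_SERVICE"/>
  </application>
</manifest>
"""

def parse_manifest(xml_text):
    """Return (requested permissions, {service name: guarding permission}) from decoded XML."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    services = {s.get(NAME): s.get(PERMISSION) for s in root.iter("service") if s.get(PERMISSION)}
    return perms, services

def assess_manifest(xml_text):
    perms, services = parse_manifest(xml_text)
    caps = {name for name, members in CAPABILITIES.items() if perms & members}
    binds = {SYSTEM_BIND[p] for p in services.values() if p in SYSTEM_BIND}
    verdicts = []
    if "accessibility" in binds and "overlay" in caps:
        verdicts.append("banker: overlay plus accessibility can draw over and drive other apps")
    if "sideload" in caps and "storage" in caps:
        verdicts.append("dropper: can stage a second APK on external storage and install it")
    if "sms" in caps and ("calls" in caps or "incall" in binds):
        verdicts.append("otp_intercept: can read/send SMS and control calls")
    return {"permissions": sorted(perms), "capabilities": sorted(caps),
            "system_bind": sorted(binds), "verdicts": verdicts}

if __name__ == "__main__":
    for line in assess_manifest(SAMPLE_MANIFEST)["verdicts"]:
        print(line)
```

The declared set only says what the app may ask for at runtime; the behavioral runs above are where you confirm which of these were exercised (the MANAGE_UNKNOWN_APP_SOURCES intent and canRequestPackageInstalls call confirm the sideload path was, the dropped kbyroill.apk in Download confirms the staging).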

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kohsqtsik.kkbdgmpf

chmod 755 /data/user/0/com.kohsqtsik.kkbdgmpf/files/.ss/l2c452656.so

Network

Country Destination Domain Proto
GB 142.250.180.10:443 - tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp

Files

/data/data/com.kohsqtsik.kkbdgmpf/files/.ss/l2c452656.so

MD5 80e35aef95212e8b988a562e2e14aae9
SHA1 8eb117537327ffd7a3aea18be1b1ec910a290238
SHA256 997717e27e59bd025221c77e74a20baaee3426ec4a37840da0d1bb5bdda4a83d
SHA512 e6a17ed6a8e4343f977526fac2aee80d496355067b37365fb0329aaf2e89008604ffaa1e8f165b8c7a0f30951f7e16bbb4acda3dca2a8516cba2f71ef37e495d

/storage/emulated/0/Download/kbyroill.apk

MD5 03c49a3572d13053d3c564b2b3c97506
SHA1 1ded708d53c143cffb6942422866dd135278450f
SHA256 e71a32170c93f257acc7276a4b0cdca025568599eba2ef9a62e141e4327f551e
SHA512 5ee920ef7006cb35435c2705557d564df5b6dc2ea0566cc386260cfb9e98ff9eb381ee63a77cc8e61b273101dd0ba1466dec9f2a127155e7411e9a69b9c9673b

/storage/emulated/0/Download/kbyroill.apk

MD5 638672db7fe864404ba9140224267b53
SHA1 4c87d93bb9346cea5496ffc84d4518dc388a2c07
SHA256 b0d56c8a2751f651a468c5b85430494ee5b17271b405869d3296da56b96aa1c3
SHA512 1303241b7cdce078508238653f9c211f281cca457d0f0a944be5370e885a0bfb7dd5bd85fe69a1934b97e74925841eaea1904add9383f04d5279f80a4f9d11bd

/storage/emulated/0/Download/kbyroill.apk

MD5 eec90db03e3c0e274ffde36d19306c4a
SHA1 3c920a1c882971d8b87cb38b393cb262231085e2
SHA256 17f7ca5c39948e2f6399aa8b85d169dc030176502552e9fba24493c833f974d0
SHA512 4a38fd257ecce4a5d1c1826f0d1f17f6e77a69e850912729e76feee299c6282c99e927485f2b947f0a80716785f3ea04dfa56c8ce7e44cf088f28c4da25bdaa3

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 17:30

Reported

2024-11-07 17:33

Platform

android-x64-20240624-en

Max time kernel

49s

Max time network

134s

Command Line

com.kohsqtsik.kkbdgmpf

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks the application is allowed to request package installs through the package installer

evasion
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.canRequestPackageInstalls N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by in-call services to bind with the system. Allows apps to handle aspects of phone calls while they are in progress. android.permission.BIND_INCALL_SERVICE N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application broad access to external storage, bypassing the limits of scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kohsqtsik.kkbdgmpf

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.232:443 ssl.google-analytics.com tcp
GB 142.250.180.14:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.179.238:443 - tcp
GB 142.250.200.34:443 - tcp
GB 172.217.16.228:443 - tcp
GB 172.217.16.228:443 - tcp
GB 216.58.201.99:443 - tcp
GB 216.58.201.99:443 - tcp
GB 216.58.201.99:443 - tcp
GB 142.250.187.206:443 android.apis.google.com tcp
BE 142.251.173.188:5228 - tcp
US 1.1.1.1:53 accounts.google.com udp
BE 142.251.168.84:443 accounts.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
BE 74.125.206.84:443 accounts.google.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 g.tenor.com udp
GB 216.58.204.74:443 g.tenor.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.179.234:443 semanticlocation-pa.googleapis.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
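Every Network table in this report contains only mDNS, DNS to 1.1.1.1, Google platform endpoints and a handful of direct-IP TLS connections without a resolved name, so the question for an analyst is whether any row is something other than emulator background noise. The following is an added triage helper, not part of the sandbox or this report, that buckets the rows of these tables. The rows it embeds are copied from the behavioral2 table above (it also accepts a "-" placeholder in the Domain column) plus one constructed row, marked as such, that shows what a non-platform destination would look like. The platform suffix list and the FCM/GCM port set are assumptions of the example.

```python
from collections import Counter

# Endpoint suffixes of the Android platform and Google services that any app on a
# Google-services sandbox image will contact, whatever the app itself intends.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com", "tenor.com")
MDNS = ("224.0.0.251", 5353)
GOOGLE_PUSH_PORTS = {5228, 5229, 5230}   # FCM/GCM (mtalk) ports from Google's firewall guidance

# Rows copied from the behavioral2 Network table above.
REPORT_ROWS = [
    "N/A 224.0.0.251:5353 udp",
    "US 1.1.1.1:53 ssl.google-analytics.com udp",
    "GB 216.58.212.232:443 ssl.google-analytics.com tcp",
    "GB 142.250.180.14:443 tcp",
    "US 1.1.1.1:53 android.apis.google.com udp",
    "GB 142.250.187.206:443 android.apis.google.com tcp",
    "GB 172.217.16.228:443 tcp",
    "BE 142.251.173.188:5228 tcp",
    "US 1.1.1.1:53 accounts.google.com udp",
    "BE 142.251.168.84:443 accounts.google.com tcp",
    "US 1.1.1.1:53 g.tenor.com udp",
    "GB 216.58.204.74:443 g.tenor.com tcp",
]
# Constructed row (TEST-NET-3 address, .example domain): not observed in the report.
CONSTRUCTED_ROWS = ["DE 203.0.113.10:8080 update-check.example tcp"]

def parse_row(row):
    """Parse one 'Country Destination [Domain] Proto' row; '-' or absence means no domain."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = "-"
    else:
        raise ValueError(f"unexpected row: {row!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port),
            "domain": "" if domain == "-" else domain.lower(), "proto": proto}

def is_platform(domain):
    # Suffix match on label boundaries, so "notgoogle.com" is not treated as Google.
    return any(domain == s or domain.endswith("." + s) for s in PLATFORM_SUFFIXES)

def classify(conn):
    if (conn["host"], conn["port"]) == MDNS:
        return "mdns"
    if conn["port"] == 53 and conn["proto"] == "udp":
        return "dns"
    if conn["port"] in GOOGLE_PUSH_PORTS:
        return "push"
    if conn["domain"] and is_platform(conn["domain"]):
        return "platform"
    if not conn["domain"]:
        return "unresolved"     # direct-IP connection: confirm the owner (WHOIS, TLS SNI/cert)
    return "other"              # resolved non-platform name: C2 candidate

def triage(rows):
    counts = Counter()
    queried, unresolved, other = set(), set(), set()
    for row in rows:
        conn = parse_row(row)
        kind = classify(conn)
        counts[kind] += 1
        if kind == "dns":
            queried.add(conn["domain"])
        elif kind == "unresolved":
            unresolved.add(f'{conn["host"]}:{conn["port"]}')
        elif kind == "other":
            other.add(conn["domain"])
    return {"counts": dict(counts), "queried": sorted(queried),
            "unresolved": sorted(unresolved), "other": sorted(other)}

if __name__ == "__main__":
    print(triage(REPORT_ROWS + CONSTRUCTED_ROWS))
```

On this report the "other" bucket is empty for every run and the unresolved addresses fall in Google-registered ranges, so no C2 was observed inside the 134 to 159 second network windows. That is not evidence of absence: the runs also read /proc/cpuinfo and /proc/meminfo, which is a common emulator check, and a sample that recognises the sandbox may simply never call home.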

Files

/data/data/com.kohsqtsik.kkbdgmpf/files/.ss/l2c452656.so

MD5 d9d962bef0a619356baedbb775c66a7a
SHA1 51cfd692ae653bcaf0b378b9a8c15528b6edaddc
SHA256 84327487e57833ac0f4c5bda991dbf6f241d1742bae641fece74579b787c392a
SHA512 4b169fe255e69e4842230f361ed4aa0f2c371e0aaa49402833b85027b21b8ddddd84819a3e1f4a65fffd5f411adfbabb3aa425dd2d7e0fdd4445c680dbbf2212

/storage/emulated/0/Download/kbyroill.apk

MD5 03c49a3572d13053d3c564b2b3c97506
SHA1 1ded708d53c143cffb6942422866dd135278450f
SHA256 e71a32170c93f257acc7276a4b0cdca025568599eba2ef9a62e141e4327f551e
SHA512 5ee920ef7006cb35435c2705557d564df5b6dc2ea0566cc386260cfb9e98ff9eb381ee63a77cc8e61b273101dd0ba1466dec9f2a127155e7411e9a69b9c9673b

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 17:30

Reported

2024-11-07 17:33

Platform

android-x64-arm64-20240624-en

Max time kernel

92s

Max time network

159s

Command Line

com.kohsqtsik.kkbdgmpf

Signatures

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Checks the application is allowed to request package installs through the package installer

evasion
Description Indicator Process Target
Framework service call android.content.pm.IPackageManager.canRequestPackageInstalls N/A N/A

Requests permission to install additional applications from unknown sources

evasion
Description Indicator Process Target
Intent action android.settings.MANAGE_UNKNOWN_APP_SOURCES N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.kohsqtsik.kkbdgmpf

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 172.217.16.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
GB 142.250.187.196:443 - tcp
GB 142.250.187.196:443 - tcp
GB 216.58.204.66:443 - tcp
GB 216.58.212.206:443 - tcp

Files

/data/user/0/com.kohsqtsik.kkbdgmpf/files/.ss/l2c452656.so

MD5 d9d962bef0a619356baedbb775c66a7a
SHA1 51cfd692ae653bcaf0b378b9a8c15528b6edaddc
SHA256 84327487e57833ac0f4c5bda991dbf6f241d1742bae641fece74579b787c392a
SHA512 4b169fe255e69e4842230f361ed4aa0f2c371e0aaa49402833b85027b21b8ddddd84819a3e1f4a65fffd5f411adfbabb3aa425dd2d7e0fdd4445c680dbbf2212

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 17:30

Reported

2024-11-07 17:33

Platform

android-x86-arm-20240910-en

Max time kernel

34s

Max time network

151s

Command Line

com.sthpphbui.skbheonr

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex N/A N/A (7 identical rows collapsed)
N/A /data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex N/A N/A (7 identical rows collapsed)

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

com.sthpphbui.skbheonr

chmod 755 /data/user/0/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sthpphbui.skbheonr/files/.ss/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.sthpphbui.skbheonr/files/.ss/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&

com.sthpphbui.skbheonr:remote
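The two dex2oat command lines above are the clearest artifact in this run: ART is compiling classes.dex and classes2.dex from the app's own writable files/.ss directory rather than from the installed APK under /data/app, and the chmod 755 immediately before them makes a dropped native library executable in the same hidden directory. The following is an added example, not code from the sandbox, that turns those process lines into findings. The process lines it embeds are constructed to match the shape of the ones above (flags trimmed, one benign dex2oat line added for contrast); the path patterns are the example's own.

```python
import re
import shlex

# App-private storage, in both spellings Android uses for the same directory:
# /data/user/<id>/<pkg>/ and the legacy alias /data/data/<pkg>/.
APP_PRIVATE = re.compile(r"^/data/(?:user/\d+|data)/(?P<pkg>[^/]+)/")

# Constructed process lines modelled on the behavioral4 Processes section above.
SAMPLE_PROCESS_LINES = [
    "com.sthpphbui.skbheonr",
    "chmod 755 /data/user/0/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so",
    "/system/bin/dex2oat --instruction-set=x86 --runtime-arg -Xhidden-api-checks "
    "--dex-file=/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex "
    "--oat-location=/data/user/0/com.sthpphbui.skbheonr/files/.ss/oat/x86/classes.odex "
    "--compiler-filter=quicken",
    "/system/bin/dex2oat --dex-file=/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex "
    "--compiler-filter=quicken",
    # Benign shape for contrast (constructed): ART compiling the installed APK itself.
    "/system/bin/dex2oat --dex-file=/data/app/com.example.benign-1/base.apk --compiler-filter=quicken",
    "com.sthpphbui.skbheonr:remote",
]

def dex2oat_inputs(cmdline):
    """Return the --dex-file values of a dex2oat invocation, or [] for any other command."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quote in a truncated sandbox line
        argv = cmdline.split()
    if not argv or not argv[0].endswith("/dex2oat"):
        return []
    return [a[len("--dex-file="):] for a in argv if a.startswith("--dex-file=")]

def classify(line):
    """Map one sandbox process line to a finding dict, or None if it is unremarkable."""
    for dex in dex2oat_inputs(line):
        m = APP_PRIVATE.match(dex)
        if m:   # code the app wrote itself, not the APK the package manager installed
            return {"kind": "dropped_dex_compile", "package": m["pkg"], "path": dex}
    argv = line.split()
    if len(argv) == 3 and argv[0] == "chmod" and argv[1] in {"755", "775", "777", "+x"}:
        m = APP_PRIVATE.match(argv[2])
        if m and argv[2].endswith(".so"):
            return {"kind": "dropped_native_chmod", "package": m["pkg"], "path": argv[2]}
    return None

def hidden_component(path):
    """True if any directory or file name in the path starts with a dot."""
    return any(part.startswith(".") for part in path.split("/"))

def triage(lines):
    findings = [f for f in map(classify, lines) if f]
    hidden_dirs = sorted({f["path"].rsplit("/", 1)[0] for f in findings if hidden_component(f["path"])})
    return {"findings": findings, "hidden_dirs": hidden_dirs}

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESS_LINES)["findings"]:
        print(f["kind"], f["package"], f["path"])
```

On a rooted device or emulator the same check can be made without the sandbox: the files/.ss/oat/ directory the --oat-location flag names will hold the compiled .odex and .vdex for the dropped payload, and the dropped classes.dex itself can be pulled for static analysis.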

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 142.250.200.46:443 - tcp
GB 142.250.200.46:443 - tcp
GB 142.250.200.46:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.187.206:443 - tcp
GB 142.250.180.2:443 - tcp
GB 142.250.179.228:80 - tcp

Files

/data/data/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so

MD5 6eebc87c33ccbad69dea6f85420ad8a2
SHA1 b06d500699360c312a3c3da8ada8216cb4fdc6af
SHA256 2a57f84141082e9f22cb500b4953471cb6ded55fe8e55711583761b0b5061338
SHA512 68cced9cdd28dd795a8a0bdc5dff3327cc7efd365e34a33dfc44f1d3958a90ad23cc627d56a065c66b875ae525ea2bfa7ec66b82366bdf4e0940a754d10345ac

/data/data/com.sthpphbui.skbheonr/files/.ss/classes.dex

MD5 4dd8db19a5cd0a2c00e41f757ca9bf40
SHA1 aa5bbbbc09b9511c0d6e318e235bd10132d3346a
SHA256 63c53f08f8c885b50c83b81aa9effe2cd574f812bf29022a738d949de0213283
SHA512 89715673b52321a34f3315ed5fdaa2a59bd197f0e443f7ef18452e6c32277f44949da1999114406e356e20f5991a57e3157ea04f8ab651ba113bfce93905aa2c

/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex

MD5 b1b4e92b867715a23496d5c299d6aab9
SHA1 7ab69d213f5a8c083cc290067bc8b762312f1b93
SHA256 ed022b38a39cbda23ce73f77ad03fce2b5b097f40075e7458dbd413f5991b069
SHA512 87c1f8e5268923018f24cb7b8c80c672627060b8bc2fe531442fae3d6e9aa113f5907ddde265a225734702039b631908f3947cbdb8c2f1e4e8c8ccc312fc98ae

/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex

MD5 5f992ec85c6081de6ab2da8bcd8ac664
SHA1 79b3aa2f5de59f3e9b36f5b7861668b53e6175b3
SHA256 0afcb04334f8e55bca5d325adeaa519a32a3a1d9946346134aadc4a986a1d8ee
SHA512 1dd5efe88d59122c27d3d15920a1110da8cb7565b5722271a51d423d88b4c0e41ad6a734c157c23ffacbf11f643c916079b8703953576b33f6bac18392641f82

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-07 17:30

Reported

2024-11-07 17:33

Platform

android-x64-20240910-en

Max time kernel

35s

Max time network

150s

Command Line

com.sthpphbui.skbheonr

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex N/A N/A (6 identical rows collapsed)
N/A /data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex N/A N/A (6 identical rows collapsed)

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

com.sthpphbui.skbheonr

com.sthpphbui.skbheonr:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
GB 216.58.201.110:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp

Files

/data/data/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so

MD5 eb5d37ec0d149d2fa30c7d90511e80c5
SHA1 1519e47b0e7e550608f859ab5f6833d953c01b99
SHA256 1515b1deca848a8eaa9b1178623563a7bc2ec3ee7351d34761aaaed8850800a9
SHA512 1ea3d9a9c27bf89a5187a5fdbedcba986a40998121e3755002d9f743a9d01477a3e05d58c515376e81221a97810ffd0b698acfc754e150e70f07668b0a6a10c8

/data/data/com.sthpphbui.skbheonr/files/.ss/classes.dex

MD5 4dd8db19a5cd0a2c00e41f757ca9bf40
SHA1 aa5bbbbc09b9511c0d6e318e235bd10132d3346a
SHA256 63c53f08f8c885b50c83b81aa9effe2cd574f812bf29022a738d949de0213283
SHA512 89715673b52321a34f3315ed5fdaa2a59bd197f0e443f7ef18452e6c32277f44949da1999114406e356e20f5991a57e3157ea04f8ab651ba113bfce93905aa2c

/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex

MD5 b1b4e92b867715a23496d5c299d6aab9
SHA1 7ab69d213f5a8c083cc290067bc8b762312f1b93
SHA256 ed022b38a39cbda23ce73f77ad03fce2b5b097f40075e7458dbd413f5991b069
SHA512 87c1f8e5268923018f24cb7b8c80c672627060b8bc2fe531442fae3d6e9aa113f5907ddde265a225734702039b631908f3947cbdb8c2f1e4e8c8ccc312fc98ae

/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex

MD5 5f992ec85c6081de6ab2da8bcd8ac664
SHA1 79b3aa2f5de59f3e9b36f5b7861668b53e6175b3
SHA256 0afcb04334f8e55bca5d325adeaa519a32a3a1d9946346134aadc4a986a1d8ee
SHA512 1dd5efe88d59122c27d3d15920a1110da8cb7565b5722271a51d423d88b4c0e41ad6a734c157c23ffacbf11f643c916079b8703953576b33f6bac18392641f82

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-07 17:30

Reported

2024-11-07 17:33

Platform

android-x64-arm64-20240624-en

Max time kernel

35s

Max time network

134s

Command Line

com.sthpphbui.skbheonr

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex N/A N/A (6 identical rows collapsed)
N/A /data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex N/A N/A (6 identical rows collapsed)

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

com.sthpphbui.skbheonr

com.sthpphbui.skbheonr:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 - udp
GB 142.250.187.206:443 - tcp
GB 142.250.187.206:443 - tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
GB 142.250.179.228:443 - tcp
GB 142.250.179.228:443 - tcp

Files

/data/user/0/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so

MD5 eb5d37ec0d149d2fa30c7d90511e80c5
SHA1 1519e47b0e7e550608f859ab5f6833d953c01b99
SHA256 1515b1deca848a8eaa9b1178623563a7bc2ec3ee7351d34761aaaed8850800a9
SHA512 1ea3d9a9c27bf89a5187a5fdbedcba986a40998121e3755002d9f743a9d01477a3e05d58c515376e81221a97810ffd0b698acfc754e150e70f07668b0a6a10c8

/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex

MD5 4dd8db19a5cd0a2c00e41f757ca9bf40
SHA1 aa5bbbbc09b9511c0d6e318e235bd10132d3346a
SHA256 63c53f08f8c885b50c83b81aa9effe2cd574f812bf29022a738d949de0213283
SHA512 89715673b52321a34f3315ed5fdaa2a59bd197f0e443f7ef18452e6c32277f44949da1999114406e356e20f5991a57e3157ea04f8ab651ba113bfce93905aa2c

/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex

MD5 b1b4e92b867715a23496d5c299d6aab9
SHA1 7ab69d213f5a8c083cc290067bc8b762312f1b93
SHA256 ed022b38a39cbda23ce73f77ad03fce2b5b097f40075e7458dbd413f5991b069
SHA512 87c1f8e5268923018f24cb7b8c80c672627060b8bc2fe531442fae3d6e9aa113f5907ddde265a225734702039b631908f3947cbdb8c2f1e4e8c8ccc312fc98ae

/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex

MD5 5f992ec85c6081de6ab2da8bcd8ac664
SHA1 79b3aa2f5de59f3e9b36f5b7861668b53e6175b3
SHA256 0afcb04334f8e55bca5d325adeaa519a32a3a1d9946346134aadc4a986a1d8ee
SHA512 1dd5efe88d59122c27d3d15920a1110da8cb7565b5722271a51d423d88b4c0e41ad6a734c157c23ffacbf11f643c916079b8703953576b33f6bac18392641f82
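The Files sections of the seven runs above are worth reading side by side before any hash is turned into an indicator: classes.dex and classes2.dex carry the same hashes in behavioral4, 5 and 6, while l5aeca345.so has a different hash in almost every run, and kbyroill.apk is written three times with three hashes within behavioral1. The following is an added example, not part of the report, that makes this comparison mechanically. The tuples embed the hashes from the Files sections above, truncated to their first 16 hex characters for brevity (the code accepts full digests); the stability labels are the example's own. It also collapses the /data/data/<pkg> and /data/user/0/<pkg> spellings, which on Android are the same directory.

```python
from collections import defaultdict

def normalize(path):
    """Collapse the legacy /data/data/<pkg> alias onto /data/user/0/<pkg>."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path

# (run, path, sha256 prefix) copied from the Files sections above; prefixes only.
OBSERVED = [
    ("behavioral7", "/data/data/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so", "f194f5840b65a2f8"),
    ("behavioral4", "/data/data/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so", "2a57f84141082e9f"),
    ("behavioral4", "/data/data/com.sthpphbui.skbheonr/files/.ss/classes.dex", "63c53f08f8c885b5"),
    ("behavioral4", "/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex", "ed022b38a39cbda2"),
    ("behavioral4", "/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex", "0afcb04334f8e55b"),
    ("behavioral5", "/data/data/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so", "1515b1deca848a8e"),
    ("behavioral5", "/data/data/com.sthpphbui.skbheonr/files/.ss/classes.dex", "63c53f08f8c885b5"),
    ("behavioral5", "/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex", "ed022b38a39cbda2"),
    ("behavioral5", "/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex", "0afcb04334f8e55b"),
    ("behavioral6", "/data/user/0/com.sthpphbui.skbheonr/files/.ss/l5aeca345.so", "1515b1deca848a8e"),
    ("behavioral6", "/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex", "63c53f08f8c885b5"),
    ("behavioral6", "/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes.dex", "ed022b38a39cbda2"),
    ("behavioral6", "/data/user/0/com.sthpphbui.skbheonr/files/.ss/classes2.dex", "0afcb04334f8e55b"),
    ("behavioral1", "/data/data/com.kohsqtsik.kkbdgmpf/files/.ss/l2c452656.so", "997717e27e59bd02"),
    ("behavioral2", "/data/data/com.kohsqtsik.kkbdgmpf/files/.ss/l2c452656.so", "84327487e57833ac"),
    ("behavioral3", "/data/user/0/com.kohsqtsik.kkbdgmpf/files/.ss/l2c452656.so", "84327487e57833ac"),
    ("behavioral1", "/storage/emulated/0/Download/kbyroill.apk", "e71a32170c93f257"),
    ("behavioral1", "/storage/emulated/0/Download/kbyroill.apk", "b0d56c8a2751f651"),
    ("behavioral1", "/storage/emulated/0/Download/kbyroill.apk", "17f7ca5c39948e2f"),
    ("behavioral2", "/storage/emulated/0/Download/kbyroill.apk", "e71a32170c93f257"),
]

def compare_runs(observed):
    """Per normalized path: how many runs produced it, whether its content agreed
    across runs, and whether it was rewritten with new content inside one run."""
    per_path = defaultdict(lambda: defaultdict(list))   # path -> run -> [digests in order]
    for run, path, digest in observed:
        per_path[normalize(path)][run].append(digest)
    verdicts = {}
    for path, runs in per_path.items():
        hash_sets = [frozenset(d) for d in runs.values()]
        if len(runs) == 1:
            stability = "single_run"
        elif all(s == hash_sets[0] for s in hash_sets):
            stability = "stable"
        else:
            stability = "varies"
        verdicts[path] = {
            "runs": len(runs),
            "stability": stability,
            "rewritten_in_run": any(len(d) > 1 for d in runs.values()),
            "hashes": sorted(set().union(*hash_sets)),
        }
    return verdicts

def ioc_candidates(verdicts):
    """Only hashes of files whose content was identical in every run that produced them."""
    return sorted(h for v in verdicts.values() if v["stability"] == "stable" for h in v["hashes"])

if __name__ == "__main__":
    for path, v in compare_runs(OBSERVED).items():
        print(v["stability"], v["runs"], "rewritten" if v["rewritten_in_run"] else "", path)
```

The practical outcome: the two dropped dex files are reproducible artifacts and their hashes are usable for blocking and hunting, while the .so files, whose content changed between runs even though the filename did not, are not. The report does not say why the native library differs per run, so do not infer a mechanism from the hash alone; pull the file from a controlled run and compare.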