Malware Analysis Report

2024-12-01 03:00

Sample ID: 241107-wsxn7axajk
Target: 28b749d21484b653350f716fa90147726680a41166f248539faad6d5f6f163f1
SHA256: 28b749d21484b653350f716fa90147726680a41166f248539faad6d5f6f163f1
Tags: collection credential_access discovery evasion persistence
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 8/10

SHA256: 28b749d21484b653350f716fa90147726680a41166f248539faad6d5f6f163f1

Threat Level: Likely malicious

The file 28b749d21484b653350f716fa90147726680a41166f248539faad6d5f6f163f1 was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion persistence

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Requests allowing to install additional applications from unknown sources.

Queries information about active data network

Requests disabling of battery optimizations (often used to enable hiding in the background).

Requests dangerous framework permissions

Checks the presence of a debugger

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-07 18:11

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-07 18:11
Reported: 2024-11-07 18:14
Platform: android-x86-arm-20240624-en
Max time kernel: 140s
Max time network: 154s

Command Line

com.iavhtg.htzeu.uyghz

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | Anonymous-DexFile@0xd25cf000-0xd26607b4 | N/A | N/A
N/A | Anonymous-DexFile@0xd1c44000-0xd1cdd270 | N/A | N/A
N/A | /data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk | N/A | N/A
N/A | /data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by in-call services to bind with the system. Allows apps to handle aspects of phone calls while they are in progress. | android.permission.BIND_INCALL_SERVICE | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests allowing to install additional applications from unknown sources.

evasion
Description | Indicator | Process | Target
Intent action | android.settings.MANAGE_UNKNOWN_APP_SOURCES | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Checks the presence of a debugger

evasion

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.iavhtg.htzeu.uyghz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/oat/x86/base.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 119.147.179.152:443 | android.bugly.qq.com | tcp
GB | 142.250.200.46:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
CN | 119.147.179.152:443 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | vzfcrj.com | udp
US | 104.21.5.61:2053 | vzfcrj.com | tcp
US | 104.21.5.61:443 | vzfcrj.com | tcp
CN | 14.22.7.140:443 | android.bugly.qq.com | tcp
US | 104.21.5.61:2053 | vzfcrj.com | tcp
US | 104.21.5.61:443 | vzfcrj.com | tcp
CN | 14.22.7.140:443 | android.bugly.qq.com | tcp
CN | 14.22.7.199:443 | android.bugly.qq.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 104.21.5.61:443 | vzfcrj.com | tcp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
CN | 14.22.7.199:443 | android.bugly.qq.com | tcp
US | 104.21.5.61:443 | vzfcrj.com | tcp
US | 104.21.5.61:443 | vzfcrj.com | tcp
US | 104.21.5.61:443 | vzfcrj.com | tcp
US | 1.1.1.1:53 | android.bugly.qq.com | udp
CN | 14.22.7.140:443 | android.bugly.qq.com | tcp
GB | 142.250.180.14:443 | - | tcp
GB | 172.217.169.34:443 | - | tcp

Files

/data/data/com.iavhtg.htzeu.uyghz/databases/bugly_db_-journal

MD5 8f3821b89b9550f43f7feba8851cd504
SHA1 8f3b45f0a349d53cabc22994ed8498bcf577d304
SHA256 59af82a5e1e87a0512760777cc38e8da6399a66a76f67bdd5164581ee7d38ddb
SHA512 dc78b5bf8270b91f3043565c00f145bd66d86c22f736f4dbbfbfb60c379fef5848ac7e24d4d344fac38e8ae17cd09b78af8b21ee701dfdf71d8a35a891a3dfe9

/data/data/com.iavhtg.htzeu.uyghz/databases/bugly_db_

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.iavhtg.htzeu.uyghz/app_crashrecord/1004

MD5 ad85adfef0fa555ef5c3eb9631aa5cc1
SHA1 d90a6602fb1a3ac7c404db3b72ed6ffc9a9f8f0d
SHA256 f7e8378b667586bc2a23898f0e8ecb1261384cfcfd073c12bf72bfc82d818c36
SHA512 10ea14ef2a452d12852ab55cede7770a97eb3a12494dbbac75391d3f853a403f873d70f9f38fa9e17857e69312d75ebd4242b22145eb22218b4697ee36cddae1

/data/data/com.iavhtg.htzeu.uyghz/databases/bugly_db_-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.iavhtg.htzeu.uyghz/databases/bugly_db_-wal

MD5 37d326ddbd6323f9c4ecb3417835af9d
SHA1 eb420fe08540315bbbbb761d0a47e8b00c066100
SHA256 bc5b8e63c2c3a4d6aed4ff920621390096ac67e6736aa3dfb6277ea721b958cf
SHA512 1bd1a7b0dc7eb47359505bff35791b9c214867e8e9a5c96d752128355bce6fb1c72289289935ccf928368011d4ccaadd839fdc21ea11c4ee9f2a99b5055b6434

/data/data/com.iavhtg.htzeu.uyghz/app_crashrecord/1004

MD5 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1 bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Anonymous-DexFile@0xd25cf000-0xd26607b4

MD5 434e2419edfed7e143b797ba724e6416
SHA1 0b0d244eb1511e5cdd7e02e116d40f4dd9eada08
SHA256 592ff173e0492d92e61ddb15b7610c868d82412d2f7d723ec202296eaf9f4fb0
SHA512 2ca878466b2de82360dbf3fe2b737edb22ad533465bdb42137ebe66a55e007a31195ae5d8295a7a8a6b04d8629319e4adb92b51f3cca6881c57e0a9ddc02d708

/data/data/com.iavhtg.htzeu.uyghz/files/bugly_last_us_up_tm

MD5 6505a52ca45c888d7f1cb2b2997e112f
SHA1 d848af026bcc5133b4b729df43e0d94ae3bb685c
SHA256 de38c7ea688b2c0b10b4c5b7ca8cd835a0d205905534eb87208d9946ecff956a
SHA512 3a7ab558fb475317ca11953a92ced68d551bded220df03527239d0d6aad78d0c9b4a8fa71b3f0a8ff496a2d4b61722ed069e3e7b322d3d8a3c1eb4e9d47235a2

Anonymous-DexFile@0xd1c44000-0xd1cdd270

MD5 39549363beaaa502526992067cf25a9d
SHA1 13358ed0969db9b95874df66fb462e4cb5d8ef61
SHA256 74736c6d36e8b6a0ad2b16f5f3ab25f0175fdac5fd07b77440e064d6593c3956
SHA512 3d6d006b31769df3705869437566730cf04f6f36bdb6fb4c523b63693fedc150890212136225d2bb34932661c198552c37ab39025d40562ce74a0843609f9bd5

/data/data/com.iavhtg.htzeu.uyghz/cache/emo_temp_apk_1731003118387

MD5 8344fa9281b5bd4683e9345c3e90cc0f
SHA1 7caf95d0da223df62cc933df6e8eef30294877f4
SHA256 dd39ee03e6a82e11e49b6f9a5ef77a09057f4145ddbe5aa55fc2134b190c1ea2
SHA512 d2768a4a89d31f3134f3e2600409a5fce01e16dcd329e86c4dfb82d88ff18049dff162f88229d49b2a16e3e980d6dd0769933300497fff41e97d6938318ef1d5

/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk

MD5 b6f6282d441b26685a99f26e4e4e94f6
SHA1 06d5faaa38eb59746b88c581f67578f1314f72db
SHA256 4b4a131ab5c314c38031bd3c3c8b771ee77163674b6cb4af1484f80ec70ad86c
SHA512 8a91010fd8b996e636d6b363fc5eddc65e15068aa176c3246db498c438eeab7e50a8cc9b3bf3179fbd6014fc3e15344cdc69ccbe992bcf3d2448b9f9462bb43b

/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk

MD5 38ba9bcdd54a66b2afa65473406db36c
SHA1 2be2510b221a22a1768956bdda5b13b541d4e0af
SHA256 39926a900b5334225d48755b15576a5a7bf8082793a7be9ea47e517c9cf19fb1
SHA512 4cdd32a1242f0a6d3b31c076fda0b53d80e8b6239ab3e22f35dff0e03f11123ce7c6815ad5ed470bdb3077ed51b3a29bc245e5871d2b806b610cf9a35cda2a62

/storage/emulated/0/Download/0m5zrobYBrKmlPzb.apk

MD5 0b7e0153ccf0090f91a0c51fe45e5e41
SHA1 81f1c14514a6fd71c9ccdc6d93b07951eebb4812
SHA256 2eff25bd16b760a560add76ac3c3fffcc06dd3c1713824c9c0369f513c377bfe
SHA512 36fba7f30a46bd08e19a68a135773d274a303a8d64d2e2c43de39ed3e9f78bd773d97df2d3daf9ecde5fc0108cdf61fea757af7a7d8b66ac5b3cf9d3654ae929