Malware Analysis Report

2024-11-13 17:36

Sample ID 241109-15yjgasndy
Target f9fa2307762c69e6875ea3aa1e1900e2d458dbf29b8dbe14e36b78b031f16415.bin
SHA256 f9fa2307762c69e6875ea3aa1e1900e2d458dbf29b8dbe14e36b78b031f16415
Tags
collection credential_access discovery evasion execution persistence stealth trojan impact
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

f9fa2307762c69e6875ea3aa1e1900e2d458dbf29b8dbe14e36b78b031f16415

Threat Level: Likely malicious

The file f9fa2307762c69e6875ea3aa1e1900e2d458dbf29b8dbe14e36b78b031f16415.bin was found to be: Likely malicious.

Taken together, the behavioural findings describe a dropper with banking-trojan characteristics: the app (package com.noon.buyerapp) removes its launcher icon, writes a file named IpkXQelyF.json into its private app_DynamicOptDex directory and has ART compile it as DEX, drives an Accessibility service that reads the foreground screen and injects global actions, listens for clipboard changes, asks to be exempted from battery optimisation, and schedules a job for persistence. The only non-Google name it resolves, incb5rp01od082rye5z7.xyz, is looked up in both runs but never connected to, so the report yields a DNS indicator and no C2 traffic. Static analysis recorded nothing beyond the BIND_ACCESSIBILITY_SERVICE-protected service declaration, and the report does not attribute the sample to a named family.

Malicious Activity Summary

collection credential_access discovery evasion execution persistence stealth trojan impact

Removes its main activity from the application launcher

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:14

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

This is a manifest-level indicator: a service declared with android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE", i.e. an AccessibilityService that the user must enable under Settings > Accessibility before it can read the screen. The static pass recorded no other indicator.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:14

Reported

2024-11-09 22:17

Platform

android-x86-arm-20240624-en

Max time kernel

148s

Max time network

137s

Command Line

com.noon.buyerapp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (8 rows, none with captured indicator detail)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json | N/A | N/A   (2 rows)

The .json extension is a disguise: the file sits in the app's private app_DynamicOptDex directory and is handed to the ART compiler as DEX (see the dex2oat entry under Processes). Payload loaded this way never appears in the APK that was submitted for static analysis.

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

These three calls walk the foreground app's view tree by id, text and view-id; together with performGlobalAction below they let the service read fields and navigate without the user's involvement, which is the primitive behind overlay and credential-harvesting bankers. They are only reachable once the user has enabled the service under Settings > Accessibility.

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A   (28 rows)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Reads of /proc/cpuinfo and /proc/meminfo are routine for ordinary apps and third-party libraries and are also used for emulator detection; on their own they carry no weight, which is why the report leaves them untagged.

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.noon.buyerapp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.noon.buyerapp/app_DynamicOptDex/oat/x86/IpkXQelyF.odex --compiler-filter=quicken --class-loader-context=&

The dex2oat entry is the ART ahead-of-time compiler, launched by the app process when it hands IpkXQelyF.json to a runtime class loader: --dex-file names the dropped .json file as the DEX input, --oat-location places the compiled output under the app's private app_DynamicOptDex/oat/x86/ directory, and --compiler-filter=quicken produces no native code, so the payload stays as dex bytecode. The command line is truncated in the report after --class-loader-context=. In the arm64 run (behavioral2) no dex2oat child process was recorded, although the same file was loaded.
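The dex2oat line above is the single strongest piece of evidence in this report, so it is worth parsing mechanically rather than by eye. The following Python is an added triage helper, not part of the sandbox report or of any sandbox vendor's tooling. It splits a dex2oat command line into its flags, reports what was compiled from where, flags the pattern seen here (an app-private input with a non-code extension), and separately identifies a recovered dropped file by its magic bytes. The command line is copied from the report; the byte strings used for the magic-byte check are constructed samples, and CODE_EXTENSIONS is an assumption about what a benign class-loader input is normally called.

```python
import os
import re
import shlex

# dex2oat command line as printed in the behavioral1 Processes section of this
# report. The report's line is cut off after --class-loader-context= ; the
# trailing "&" is reproduced as it appears there.
REPORTED_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.noon.buyerapp/app_DynamicOptDex/oat/x86/IpkXQelyF.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)

# Assumption: extensions under which dex code is normally handed to a class loader.
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip", ".odex"}

# App-private storage: /data/data/<pkg>/ or /data/user/<n>/<pkg>/ .
APP_PRIVATE_RE = re.compile(r"^/data/(?:data|user/\d+)/([^/]+)/")


def parse_dex2oat(cmdline):
    """Map each --flag to the list of values it was given, in order.

    Repeated flags (--instruction-set-features appears twice above) keep every
    value; each "--runtime-arg X" pair is collected under "runtime-arg".
    """
    argv = shlex.split(cmdline)
    flags = {}
    tokens = iter(argv[1:])          # argv[0] is the dex2oat binary itself
    for tok in tokens:
        if tok == "--runtime-arg":
            flags.setdefault("runtime-arg", []).append(next(tokens, ""))
        elif tok.startswith("--"):
            key, has_value, value = tok[2:].partition("=")
            flags.setdefault(key, []).append(value if has_value else "")
    return flags


def assess_dex2oat(cmdline):
    """Summarise a dex2oat invocation and flag the dropped-payload pattern.

    Compiling from an app-private directory means the app loaded code at
    runtime rather than from its APK; a non-code extension on that input is
    the disguise seen in this sample (a DEX named IpkXQelyF.json).
    """
    flags = parse_dex2oat(cmdline)
    dex_file = flags.get("dex-file", [""])[0]
    owner = APP_PRIVATE_RE.match(dex_file)
    ext = os.path.splitext(dex_file)[1].lower()
    return {
        "dex_file": dex_file,
        "owner_package": owner.group(1) if owner else None,
        "compiler_filter": flags.get("compiler-filter", [""])[0],
        "oat_location": flags.get("oat-location", [""])[0],
        "app_private_input": owner is not None,
        "disguised_extension": owner is not None and ext not in CODE_EXTENSIONS,
    }


def classify_blob(data):
    """Name a dropped file's real format from its leading bytes.

    Use this on the recovered IpkXQelyF.json: the extension is meaningless to
    ART, which only checks these magics.
    """
    head = bytes(data[:4])
    if head == b"dex\n":          # "dex\n035\0" and later versions
        return "dex"
    if head == b"PK\x03\x04":     # zip container: .jar / .apk
        return "zip"
    if head == b"dey\n":          # legacy optimised dex
        return "odex"
    if head == b"oat\n":
        return "oat"
    if head == b"vdex":
        return "vdex"
    if head == b"\x7fELF":
        return "elf"
    return "unknown"


if __name__ == "__main__":
    for key, value in assess_dex2oat(REPORTED_CMDLINE).items():
        print(f"{key}: {value}")
    # Constructed inputs: a DEX header versus genuine JSON text.
    print(classify_blob(b"dex\n035\x00" + bytes(16)))   # dex
    print(classify_blob(b'{"key": "value"}'))            # unknown
```

Run it as a script to see the parsed finding for this sample; on a device or sandbox export, call classify_blob() on each version of IpkXQelyF.json recovered from app_DynamicOptDex to confirm which of the hashes listed under Files is the DEX and which are intermediate stages.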

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp

(- = no name recorded for the connection.) The 224.0.0.251:5353 row is mDNS and the Google destinations are ordinary platform traffic. The lookup of incb5rp01od082rye5z7.xyz has no matching connection row: the name either did not resolve or the sample did not proceed to connect within the detonation window, so the report provides a DNS indicator only.

Files

The payload path is listed several times with different hashes, meaning the file was written more than once with different contents during the run; each hash below is a distinct version of IpkXQelyF.json. /data/data/<pkg>/ and /data/user/0/<pkg>/ refer to the same directory on current Android (/data/data is a symlink to /data/user/0). The .cur.prof file under oat/ is the ART runtime profile written for the compiled payload, a further sign that the .json file was executed as DEX.

/data/data/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json

MD5 ad180edc4e766b6222ce721c96d91beb
SHA1 16d1b946d0f2b7098af632a1e56c65f2a31027f7
SHA256 73fd7fc32575ce900e97025fffc65b3974d85343998c7da8af8ae8cc6eac8988
SHA512 7d74448123077e0bf5ff49ef43168fae35c5f97d5d071f0176c2c36a3243dc71068dfe87b57fc66ce6deacb0fb3ac7b0a67715748968b1df7ca9c005e4c84362

/data/data/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json

MD5 ecd0efe80b9685e5bf2a027cd6b8dde2
SHA1 f1152b6fcad03bbf43867900baf25feb9dbb4ec3
SHA256 9d4c72bb65f705bfc6e47a594adaf04dfd95a1c69cc94d67f401eab1b19d8511
SHA512 d25bf2ba0cdae35881c7d59cdc1433a7c16d37caf01aa1f0966c7f4dbf2bbea0028cc8c9d6f91bb9fb27f3720d7c7e24916a3ae3cc728e4cbbeafca9d38e6d96

/data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json

MD5 d556b845146c381727283bc9db68144d
SHA1 5740c92b55027ac19bb7e94bbeca6fd6641f2da4
SHA256 26703549c7d3ac20ea3f1525ad23cf7d4f038df80103c5b1e5b7132e69ee5e70
SHA512 11fbf0a50114937ee37a91f05dfca920b90a40b876644e1842c3a91e9d3406f9a0ded6da2b5692901f1c264b6d6d3891cf45ca37935feaa2a1e66511d919fcba

/data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json

MD5 29f2eec247d81121b18079c7b848904f
SHA1 1c286a2ce678ccc6ed5bd1961f22ffc949badf2e
SHA256 7217221a5037895c85ca57c387738e73fee404053281d8da93288862d9bba0d2
SHA512 fd6e09510b61dd9fa7700013e743c267b94d01075fc957728ce41dbe233afc0d4d892f1bc1f75f558d15dee0a37b9a8b3dcad4a9554033d258fbd709997a6ca0

/data/data/com.noon.buyerapp/app_DynamicOptDex/oat/IpkXQelyF.json.cur.prof

MD5 549be97d2c3559606ac776dd0c098f0a
SHA1 e7758a745c17fc1ce81a2807ac37c2a402b7e774
SHA256 120e7a3754211194fa8b64a2fb7251373aac50d47a49ab840f1e7e6ead451a72
SHA512 1b58df2babe0b43a92bab496fc75c7649e90a6eac301ca7783a319af0227416aab1dc49f6dd47bd43a41f8b95fc054ad74881bd09dfd605cdf8685d3d8df4a3d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:14

Reported

2024-11-09 22:17

Platform

android-x64-arm64-20240910-en

Max time kernel

132s

Max time network

150s

Command Line

com.noon.buyerapp

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A   (7 rows, none with captured indicator detail)

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

This registers a callback for every copy event, the usual way a banker harvests pasted wallet addresses, one-time codes and passwords; it was observed only in this arm64 run. On Android 10 and later the callback is only delivered while the app has focus (or is the default IME), which is one reason such samples also lean on the Accessibility service to read the screen.

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A   (24 rows)

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.noon.buyerapp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | - | udp
GB | 142.250.187.206:443 | - | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 172.217.169.78:443 | www.youtube.com | udp
GB | 172.217.169.78:443 | www.youtube.com | tcp
GB | 142.250.178.14:443 | www.youtube.com | tcp
US | 216.239.38.223:443 | - | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp
GB | 216.58.201.97:443 | - | tcp
GB | 172.217.169.65:443 | - | tcp
US | 216.239.38.223:443 | - | tcp
US | 216.239.38.223:443 | - | tcp

(- = no name recorded for the connection.) The youtube.com and google-analytics.com traffic, including the udp/443 (QUIC) rows, is consistent with embedded Google SDKs or a web view and is not by itself suspicious. As in the x86 run, incb5rp01od082rye5z7.xyz is resolved but never connected to, so it remains the one network indicator worth pivoting on.
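Both Network tables in this report (behavioral1 and behavioral2) are small enough to read, but the question they answer is always the same: which names were merely resolved, which were actually contacted, and which of the resolved-only names recur across runs. The Python below is an added example, not part of the sandbox report, that performs that separation over rows transcribed from the two tables (the tuples are those rows, constructed here as data). It also applies a crude lexical screen for machine-generated labels; that screen and its thresholds are an assumption for prioritisation only, not an attribution.

```python
from collections import defaultdict

# Rows transcribed from the two Network tables in this report as
# (country, destination, domain, proto); "" where the report shows no name.
BEHAVIORAL1_ROWS = [
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("GB", "142.250.187.206:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.178.14:443", "android.apis.google.com", "tcp"),
    ("US", "1.1.1.1:53", "incb5rp01od082rye5z7.xyz", "udp"),
]
BEHAVIORAL2_ROWS = [
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("GB", "142.250.187.206:443", "", "tcp"),
    ("US", "1.1.1.1:53", "android.apis.google.com", "udp"),
    ("GB", "142.250.178.14:443", "android.apis.google.com", "tcp"),
    ("US", "1.1.1.1:53", "www.youtube.com", "udp"),
    ("GB", "172.217.169.78:443", "www.youtube.com", "udp"),
    ("GB", "172.217.169.78:443", "www.youtube.com", "tcp"),
    ("GB", "142.250.178.14:443", "www.youtube.com", "tcp"),
    ("US", "216.239.38.223:443", "", "tcp"),
    ("US", "1.1.1.1:53", "ssl.google-analytics.com", "udp"),
    ("GB", "142.250.187.232:443", "ssl.google-analytics.com", "tcp"),
    ("US", "1.1.1.1:53", "incb5rp01od082rye5z7.xyz", "udp"),
    ("GB", "216.58.201.97:443", "", "tcp"),
    ("GB", "172.217.169.65:443", "", "tcp"),
    ("US", "216.239.38.223:443", "", "tcp"),
    ("US", "216.239.38.223:443", "", "tcp"),
]


def summarize_flows(rows):
    """Split report rows into names only resolved, names actually contacted,
    and endpoints the sandbox could not tie to any name.

    Returns (dns_only, connected, unnamed): dns_only is a set of names,
    connected maps name -> set of "ip:port", unnamed is a set of "ip:port".
    """
    queried = set()
    connected = defaultdict(set)
    unnamed = set()
    for _country, destination, domain, _proto in rows:
        port = destination.rpartition(":")[2]
        if domain and port == "53":        # a lookup, not a connection
            queried.add(domain)
        elif domain:                       # connection attributed to a name
            connected[domain].add(destination)
        else:                              # e.g. mDNS, or an unattributed TLS peer
            unnamed.add(destination)
    dns_only = {name for name in queried if name not in connected}
    return dns_only, dict(connected), unnamed


def dns_only_in_every_run(*runs):
    """Names looked up but never contacted in each of the given runs."""
    per_run = [summarize_flows(rows)[0] for rows in runs]
    return set.intersection(*per_run) if per_run else set()


def looks_machine_generated(domain):
    """Crude lexical screen on the leftmost label: long, digit-heavy and
    vowel-poor. Thresholds are an assumption; this prioritises, it never proves."""
    label = domain.split(".")[0].lower()
    digits = sum(ch.isdigit() for ch in label)
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 16 and digits >= 4 and vowels * 4 <= len(label)


if __name__ == "__main__":
    for name in sorted(dns_only_in_every_run(BEHAVIORAL1_ROWS, BEHAVIORAL2_ROWS)):
        print(f"resolved but never contacted in every run: {name} "
              f"(machine-generated look: {looks_machine_generated(name)})")
    _, connected, unnamed = summarize_flows(BEHAVIORAL2_ROWS)
    for name, peers in sorted(connected.items()):
        print(f"connected: {name} -> {sorted(peers)}")
    print(f"unattributed endpoints: {sorted(unnamed)}")
```

The unattributed endpoints (216.239.38.223:443 and the other bare Google-range peers) are connections the sandbox could not pair with a preceding DNS answer; they are not evidence of covert traffic on their own, but they are the rows to check against PCAP if one is available.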

Files

Three versions of IpkXQelyF.json recur from the x86 run (MD5 ad180edc4e766b6222ce721c96d91beb, ecd0efe80b9685e5bf2a027cd6b8dde2 and d556b845146c381727283bc9db68144d); the fourth version seen there (MD5 29f2eec247d81121b18079c7b848904f) was not produced in this arm64 run, and the ART profile under oat/ differs between runs as expected.

/data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json

MD5 ad180edc4e766b6222ce721c96d91beb
SHA1 16d1b946d0f2b7098af632a1e56c65f2a31027f7
SHA256 73fd7fc32575ce900e97025fffc65b3974d85343998c7da8af8ae8cc6eac8988
SHA512 7d74448123077e0bf5ff49ef43168fae35c5f97d5d071f0176c2c36a3243dc71068dfe87b57fc66ce6deacb0fb3ac7b0a67715748968b1df7ca9c005e4c84362

/data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json

MD5 ecd0efe80b9685e5bf2a027cd6b8dde2
SHA1 f1152b6fcad03bbf43867900baf25feb9dbb4ec3
SHA256 9d4c72bb65f705bfc6e47a594adaf04dfd95a1c69cc94d67f401eab1b19d8511
SHA512 d25bf2ba0cdae35881c7d59cdc1433a7c16d37caf01aa1f0966c7f4dbf2bbea0028cc8c9d6f91bb9fb27f3720d7c7e24916a3ae3cc728e4cbbeafca9d38e6d96

/data/user/0/com.noon.buyerapp/app_DynamicOptDex/IpkXQelyF.json

MD5 d556b845146c381727283bc9db68144d
SHA1 5740c92b55027ac19bb7e94bbeca6fd6641f2da4
SHA256 26703549c7d3ac20ea3f1525ad23cf7d4f038df80103c5b1e5b7132e69ee5e70
SHA512 11fbf0a50114937ee37a91f05dfca920b90a40b876644e1842c3a91e9d3406f9a0ded6da2b5692901f1c264b6d6d3891cf45ca37935feaa2a1e66511d919fcba

/data/user/0/com.noon.buyerapp/app_DynamicOptDex/oat/IpkXQelyF.json.cur.prof

MD5 3add92aad409dab8b18acb094b34a378
SHA1 21bd68f09c9890199c732c7c2b0988c5cc916a94
SHA256 e0179ccca322b8027ee1327a9dbec8117ec454bd30a4518ad7a230f8ae142159
SHA512 3ffc81e61dc0b23bbd7151bf79a95b052e92818a5b168ff2faa4384db883698b77e1a5351b71c5a3ac6e8927e8477cf90dbdc74d4eaa6e7f8e7d9dde867da1e6