Malware Analysis Report

2024-11-13 17:37

Sample ID 241109-24c2tathqb
Target 23bda8f33e318d2f99e275817132ed2e460fa2b21ffabe45801dcf839deab266.bin
SHA256 23bda8f33e318d2f99e275817132ed2e460fa2b21ffabe45801dcf839deab266
Tags: hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 23bda8f33e318d2f99e275817132ed2e460fa2b21ffabe45801dcf839deab266

Threat Level: Known bad

The file 23bda8f33e318d2f99e275817132ed2e460fa2b21ffabe45801dcf839deab266.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Queries the mobile country code (MCC)

Acquires the wake lock

Requests accessing notifications (often used to intercept notifications before users become aware).

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Declares services with permission to bind to the system

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 23:07

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 23:07
Reported: 2024-11-09 23:10
Platform: android-x86-arm-20240624-en
Max time kernel: 149s
Max time network: 159s

Command Line

com.ihceaaxvv.yowntrhwy

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ihceaaxvv.yowntrhwy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.213.10:443 | N/A | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
GB | 142.250.200.46:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp

Files

/data/data/com.ihceaaxvv.yowntrhwy/cache/classes.zip

MD5 77925f79abf322969f085bf5d055af7a
SHA1 2f096be494b4c0ed11dbbaa73796cf826ce6cd01
SHA256 cfc97cd575604800b2da92ee6bbb33e965cd4f27f055149bffa54a848770e8ea
SHA512 bd62a543aab769fe6d5c6531d0fecbedd92e85f40d8af80bd84eb47492e9ac1aa603c5ee5536f6f9eaf48b6282040afba53e57100e0c38fd49eaeea8ffdc2b8a

/data/data/com.ihceaaxvv.yowntrhwy/cache/classes.dex

MD5 dabbaee30deabeafdd5ca81cfb9dd400
SHA1 01ef5b1ef9f6a8e1605f2c3545a57cbf8061de40
SHA256 e7d25ba187ec52e59994cb514e74b748c46d6f8269dede61e28372461963fca8
SHA512 3107525d26c890f099acf10a1877a8c357731b4d67a27696bbe3cee2c91f1187366a718eaca943e6bf06f25c6bfb0348f76593f6652454740dfdbc80c3915a5c

/data/data/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex

MD5 228aafd988ab0f0e03e7a3fc745915bb
SHA1 dbbca3c528ef4062d5e840bfb92aea9b707d7167
SHA256 4b6e3bb4038d67fc771fc1705a17bb19a320c23bb4b142ba049fdd409cecfe2f
SHA512 71b031c9d8fb196f39da20d1fcff3c7feea9b5454d93d7f4852c7c19f22154a6cce72e95700acfd25a1b3225898304f0fb1d095a71b6b7e9a904dc78f5f21655

/data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex

MD5 a25187bea7e14298d97aa40df7099d04
SHA1 74cf83d6af80a9b2f7dba088941017c6ff5ed576
SHA256 4a96e1b095653d4c2a634e4c4373545df48537544f3dea860ead0966d990fb68
SHA512 180d893727a0790aeae76de7cfcfb803408959fa5917acb2209affd39c4833cb6d6d84854fc1cd5c2e36b7e9f0dc68521b55a302011bc0bd1d1d941106518551

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-journal

MD5 70516ab3d48acb037731b10b7a1f69d3
SHA1 67db6ed3d0c5e286237cc23bf2be5ade211a3c88
SHA256 785a857a299ac3efeb1164377ba69793fd363cb8d13f3d6aa44f235ffe9fb92a
SHA512 fca17ebb09cf8f267b041521e9d6e725e065a130916f5f5a63f0b38d584a9e9302cd1a56ba44f176433323af005dd2e0c7c9d505c37c9e05f3cfb9dd2287661f

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 5a7018d2c0239a8849b031138538da9b
SHA1 fe284951d9efbe3b18ccda683ec0ee500386214c
SHA256 74cc8867454332c5a93a90695868f36ed4f14a85cdcf5014b5bee5b7c3240682
SHA512 294fac0bf8cabeff00a387a88514cf86600e8950e46aa1ab37456dd945afce39fbcc7a1890fcdfb0b0fbf4565913e0c961abc345b14a016452fc147815e35888

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 9e2d4675157e5af9c5be9dfded1793bb
SHA1 7b82c61f871227468cd8f6d9db6c47aa1552193e
SHA256 6c21fb3f11e1ab31c65baf80eb41ea0fc30cc4301eca1283fc8148c1663d75d0
SHA512 188da6fb9ef206512d55ad88f2e53bb11a406fdd61cd599e28840ad9cbc14a6e03f41060ad6720bcd611f6c025dc1c4c4adcd64dc56e6b8c4c4bbd644cc8da2d

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 2e2d8339e12d3f10c5e31e46beaae1ab
SHA1 b5a2e4f53e8e89634051b42b1ff35ff62bab7b2e
SHA256 39485858806577f33aa93307daff30c9b1c64b2f631d228347b04739b3f8eca9
SHA512 b72cfa9d7d77e6ac9a03c872c65f993a22ce8d2abf8e3ce05407da2e9e8e0d6d9c66d494e1ba8d1249bcb44bb8463375937674def610a27fd62e321c28e15a24

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-09 23:07
Reported: 2024-11-09 23:10
Platform: android-x64-20240624-en
Max time kernel: 46s
Max time network: 158s

Command Line

com.ihceaaxvv.yowntrhwy

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ihceaaxvv.yowntrhwy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
GB | 142.250.200.34:443 | N/A | tcp
GB | 216.58.204.78:443 | N/A | tcp
GB | 216.58.212.227:443 | N/A | tcp
GB | 216.58.212.227:443 | N/A | tcp
GB | 216.58.212.227:443 | N/A | tcp
BE | 108.177.15.188:5228 | N/A | tcp
US | 216.239.34.223:443 | N/A | tcp
GB | 142.250.179.238:443 | N/A | tcp
US | 216.239.34.223:443 | N/A | tcp
GB | 142.250.179.228:443 | N/A | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 66.102.1.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
GB | 142.250.179.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 142.250.178.10:443 | g.tenor.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 216.58.212.202:443 | mdh-pa.googleapis.com | tcp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
GB | 142.250.187.234:443 | safebrowsing.googleapis.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.213.14:443 | www.youtube.com | udp
GB | 216.58.213.14:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | growth-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.4:443 | www.google.com | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.212.234:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | i.ytimg.com | udp
GB | 142.250.180.22:443 | i.ytimg.com | udp
GB | 142.250.180.22:443 | i.ytimg.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
GB | 142.250.179.228:443 | www.google.com | tcp

Files

/data/data/com.ihceaaxvv.yowntrhwy/cache/classes.zip

MD5 77925f79abf322969f085bf5d055af7a
SHA1 2f096be494b4c0ed11dbbaa73796cf826ce6cd01
SHA256 cfc97cd575604800b2da92ee6bbb33e965cd4f27f055149bffa54a848770e8ea
SHA512 bd62a543aab769fe6d5c6531d0fecbedd92e85f40d8af80bd84eb47492e9ac1aa603c5ee5536f6f9eaf48b6282040afba53e57100e0c38fd49eaeea8ffdc2b8a

/data/data/com.ihceaaxvv.yowntrhwy/cache/classes.dex

MD5 dabbaee30deabeafdd5ca81cfb9dd400
SHA1 01ef5b1ef9f6a8e1605f2c3545a57cbf8061de40
SHA256 e7d25ba187ec52e59994cb514e74b748c46d6f8269dede61e28372461963fca8
SHA512 3107525d26c890f099acf10a1877a8c357731b4d67a27696bbe3cee2c91f1187366a718eaca943e6bf06f25c6bfb0348f76593f6652454740dfdbc80c3915a5c

/data/data/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex

MD5 228aafd988ab0f0e03e7a3fc745915bb
SHA1 dbbca3c528ef4062d5e840bfb92aea9b707d7167
SHA256 4b6e3bb4038d67fc771fc1705a17bb19a320c23bb4b142ba049fdd409cecfe2f
SHA512 71b031c9d8fb196f39da20d1fcff3c7feea9b5454d93d7f4852c7c19f22154a6cce72e95700acfd25a1b3225898304f0fb1d095a71b6b7e9a904dc78f5f21655

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-journal

MD5 96b4d18c28a0d49b9d0a0ef8ea6d93d5
SHA1 310d1ad5016cc720762fcf729988db92bffff06e
SHA256 2b6df4293df2f5f13e3d35cee0d87c81f3f9d05663b4c50d5d31be1fd5435069
SHA512 2b883608a91c97fc99db1ababb8118613abd207326f04add888b684e54d13f08a1eff0acf2d1f442af804ac635217ac16a196f6ad41ae1eb84feaa8cfc45567a

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 b170ef69ddeabffe39eba955ea2023bf
SHA1 13e5f0b681bf0bfe4707d663efa5f22b32b7ba9f
SHA256 8c92bedcf8d3d496544213a123a42880d47c5536809f9701cec58edea3d5ab26
SHA512 c8ff9231b170fafd85243bfb4d27503e3d0447e98a89246d5bbde9270f5ae4bdcc4e7878dcc22ec3b29d756baf094b60eccba62ed31dff52ff15642768cf09ea

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 2b2a2c2f6035610d7d8624ae9a5fba89
SHA1 2ae9b67ade410677bb8efab5ed20b6ceb1b9c775
SHA256 70eb37e1c5d16e63ace506b29d31079d7763bed5278d149aa13b6d37705234a8
SHA512 a12fee6a557960f09ef94f58a8094c42c9b2f233fed161f02a760e0de96fa4eb04f39ec46dbfa1bfe5498769776abb079d945c50d7572ee281728dace345960c

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 33a9305ad87deb402ee85d199ed686de
SHA1 ad61f623d9d5dc1083f9edcc3085f9e2bd026a98
SHA256 5075e79f4afd1339665ec0c93b0f807078d941cf490708d7e4d06ab235ca5ff1
SHA512 537fde135028d2b1b550da6b75d44be5d2986687cea4fd00dbfd219a4dd6f76e49be804994a25060e63de647eb12850394f7bfeda2d79dffbc05af534b3f59ff

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-09 23:07
Reported: 2024-11-09 23:10
Platform: android-x64-arm64-20240624-en
Max time kernel: 147s
Max time network: 158s

Command Line

com.ihceaaxvv.yowntrhwy

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ihceaaxvv.yowntrhwy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 142.250.187.206:443 | N/A | tcp
GB | 142.250.187.206:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
TM | 91.202.233.15:80 | 91.202.233.15 | tcp
GB | 142.250.187.228:443 | N/A | tcp
GB | 142.250.187.228:443 | N/A | tcp

Files

/data/data/com.ihceaaxvv.yowntrhwy/cache/classes.zip

MD5 77925f79abf322969f085bf5d055af7a
SHA1 2f096be494b4c0ed11dbbaa73796cf826ce6cd01
SHA256 cfc97cd575604800b2da92ee6bbb33e965cd4f27f055149bffa54a848770e8ea
SHA512 bd62a543aab769fe6d5c6531d0fecbedd92e85f40d8af80bd84eb47492e9ac1aa603c5ee5536f6f9eaf48b6282040afba53e57100e0c38fd49eaeea8ffdc2b8a

/data/data/com.ihceaaxvv.yowntrhwy/cache/classes.dex

MD5 dabbaee30deabeafdd5ca81cfb9dd400
SHA1 01ef5b1ef9f6a8e1605f2c3545a57cbf8061de40
SHA256 e7d25ba187ec52e59994cb514e74b748c46d6f8269dede61e28372461963fca8
SHA512 3107525d26c890f099acf10a1877a8c357731b4d67a27696bbe3cee2c91f1187366a718eaca943e6bf06f25c6bfb0348f76593f6652454740dfdbc80c3915a5c

/data/data/com.ihceaaxvv.yowntrhwy/app_dex/classes.dex

MD5 228aafd988ab0f0e03e7a3fc745915bb
SHA1 dbbca3c528ef4062d5e840bfb92aea9b707d7167
SHA256 4b6e3bb4038d67fc771fc1705a17bb19a320c23bb4b142ba049fdd409cecfe2f
SHA512 71b031c9d8fb196f39da20d1fcff3c7feea9b5454d93d7f4852c7c19f22154a6cce72e95700acfd25a1b3225898304f0fb1d095a71b6b7e9a904dc78f5f21655

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-journal

MD5 40b57f01b4684e6b275b9b8aaedeee27
SHA1 df53007e85578140f25fc3978d7d8fa960ffd03c
SHA256 2e6495de18dcf285a9439db4bd0f8b61ebe0d7a9e9daa3983ee336dce6b151ae
SHA512 5b84f359c23281d16355c0b4278a14387de1b4f21c46db27133d8cecd7ce34a2ba9943155b353fe6831b3b486f233a5c07a655093c4cc5d4d6987a52e67992c4

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 81588329b0060caadb2fafd97e1a56e7
SHA1 b67c39ef6ce9bb4684274120e4b8b8a7ed0b3438
SHA256 78277be7f1dc6afb6199002b59230e3964e93feccaae4198ec42b1d8b3629ab4
SHA512 707405830b8f902e67eade889c95c2257e1c16da7e8515e6f689222e32feae1628a9114fb9fa05033d124fe5158a8d5c9bc4d4932b2fcdb63a014c6b5fe03ca6

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 05103b6083d77a51f2702500be2c6e16
SHA1 86c8902000a4d1d36c361e626b589a1f3014cbaa
SHA256 4d2182919557c489ba663e4100cbc3650a3af9f77ba81106003dfaa1b79b287e
SHA512 c251d0f546b38f926d9a6317477064f6ee6bd1133c2123c09cf385db5161d288b06243c7869d3c03197bb740514130778f8b7c48c6b156c9d50b4cd474ac7392

/data/data/com.ihceaaxvv.yowntrhwy/no_backup/androidx.work.workdb-wal

MD5 5feb574b6b598acf4cd99a42d4dfd42f
SHA1 7b9b93563c025f611162a4f90786ab6670e3b70d
SHA256 af68c2bd066cec6356d52c17f38e8b980d4ceb52bb5f901d5ada39785388b793
SHA512 679fa85d97d2dd75e3ea1e944df588ca47570dab52dee14eda4776750fd5cd316fe891b61a82e486b6c26410dcbca82dda4b89bf1cf4431cc063fc5293ddd687