Malware Analysis Report

2024-11-13 17:37

Sample ID 241110-byfbwawhmb
Target 8916722da4fa14539c7785b8ae24570043287a20870a45b33c0c50cc8c9df2ef.bin
SHA256 8916722da4fa14539c7785b8ae24570043287a20870a45b33c0c50cc8c9df2ef
Tags
banker collection credential_access discovery evasion impact persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 8916722da4fa14539c7785b8ae24570043287a20870a45b33c0c50cc8c9df2ef.bin was found to show suspicious behavior.

Malicious Activity Summary

banker collection credential_access discovery evasion impact persistence

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Requests dangerous framework permissions

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Requests disabling of battery optimizations (often used to enable hiding in the background).

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:32

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows the app to answer an incoming phone call. android.permission.ANSWER_PHONE_CALLS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:32

Reported

2024-11-10 01:35

Platform

android-x86-arm-20240624-en

Max time kernel

142s

Max time network

148s

Command Line

kjjff.jsjdjsdj.ssss

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

kjjff.jsjdjsdj.ssss

getprop ro.miui.ui.version.name

getprop ro.miui.ui.version.name

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 dr0id.best udp
US 193.26.115.7:443 dr0id.best tcp
US 1.1.1.1:53 ie070efc.ala.dedicated.aws.emqxcloud.com udp
US 193.26.115.7:443 dr0id.best tcp
US 1.1.1.1:53 d53823b1.ala.dedicated.aws.emqxcloud.com udp
IE 54.195.189.161:8883 d53823b1.ala.dedicated.aws.emqxcloud.com tcp
US 193.26.115.7:443 dr0id.best tcp
US 193.26.115.7:443 dr0id.best tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 193.26.115.7:443 dr0id.best tcp
US 193.26.115.7:443 dr0id.best tcp
US 193.26.115.7:443 dr0id.best tcp
US 193.26.115.7:443 dr0id.best tcp
US 193.26.115.7:443 dr0id.best tcp

Files

/data/data/kjjff.jsjdjsdj.ssss/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫

MD5 c57ec092b51247e160e49fea97b5e2e8
SHA1 b7b8047e42bd9e6247e9135d29f8fec4de508da8
SHA256 45dcff3a75b3c6fa937ff362cf510432149797b99484a35c871683f303fc3bb5
SHA512 00d695d78b43a2cc364f9c720f9dd0a11db8750768d946294865428eb1631f54c72c46ed739ee1dedfa5742540974dd12fd2198456f07d664617eecbbe58ce24

/data/data/kjjff.jsjdjsdj.ssss/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.

MD5 76111eecd6d9f9349dbcca3aae6d1747
SHA1 9db362cbe8bf3f07201d5d6fd8c18640012c2a17
SHA256 0d9bd10397a5b9f64266841319cb6d9a72e80d33ffe17c431393847222e1f6ad
SHA512 66b33684c5a9be30095ef174c0a4c7da0cbd458e442d372dade83fadc8c4b03b8a26272d7fafc885f0212a5274b624a479a4297877019c09a655d0332476e463

/data/data/kjjff.jsjdjsdj.ssss/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

/data/data/kjjff.jsjdjsdj.ssss/files/mqtt_connect

MD5 86949f0b9a05afee9ef7a313d3606cb6
SHA1 a52434d5bdbe4690af9f793d62f982c0b0c3d2fe
SHA256 2995a42bee87e197104dd0d05f5688b89e126b2d6c62445ddb7bf39ae2e93616
SHA512 5075417a8d2d0d2ca73ae48bedfef823eca84222fffea0f0ca34226a6bcdaf79e671412cb6062e3a0bcfd384c3793ab04d0d08238aa898ab80e0c3f0755b7a75

/data/data/kjjff.jsjdjsdj.ssss/files/mqtt_connect

MD5 7bf30d992beb542714e0b5f907bc6053
SHA1 14c2b81d48173f9f6197cf71f087a4ba8bca608a
SHA256 b076ee9d9dd5aee6de15fe7573bcca82035f4a440863bdd2bc710b6a4df27e1b
SHA512 ac946fd13d21171a89830bc37e46bc87e00ef1c4fa80ce5b34e6931c2aaad537b95bdaff78228786b712d2d9076cbe52264bddd640b5ff9148e566f6e7e16408

/data/data/kjjff.jsjdjsdj.ssss/cache/2

MD5 4c1809c31f018f8645a2879bf6fe538a
SHA1 728a8e37f95bd1bf9ddcbd5d9345ddd4058b45ea
SHA256 f749b919effb22a4a479f08e61e22a0a1ea42233dd1bba06be0c14517775a100
SHA512 58085450e592182ea74d9fff6cf48a6fc7787153c9d71a9725c95f6bee4cd6686e47b4706c1e4754b0cdd9ee7d14685d3f12d3f9423ef1adc10e3d03509dd3c1

/data/data/kjjff.jsjdjsdj.ssss/files/INJ6662.pussy

MD5 8bd634bb8a36e5982b00cead5528b5cc
SHA1 f58d82b60c9f338648a00aa6f4fb83b39ed225eb
SHA256 d2cb49216759f2d2666a702518a34da8d2a53a6fa042992d517bec6808c833dd
SHA512 d3ca77c4be81cf0d0c62831af9417cbbaeb455098b4519364a16c79474779dd98a12f521787f6468fe7eccbc2d7a6034eb1499a60e4a95dc3d35fd0166ab52cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:32

Reported

2024-11-10 01:35

Platform

android-33-x64-arm64-20240624-en

Max time kernel

15s

Max time network

143s

Command Line

kjjff.jsjdjsdj.ssss

Signatures

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

kjjff.jsjdjsdj.ssss

Network

Country Destination Domain Proto
GB 216.58.201.100:443 udp
N/A 224.0.0.251:5353 udp
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
US 1.1.1.1:53 dr0id.best udp
US 193.26.115.7:443 dr0id.best tcp
US 1.1.1.1:53 ie070efc.ala.dedicated.aws.emqxcloud.com udp
US 1.1.1.1:53 d53823b1.ala.dedicated.aws.emqxcloud.com udp
IE 54.195.189.161:8883 d53823b1.ala.dedicated.aws.emqxcloud.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 193.26.115.7:443 dr0id.best tcp
US 193.26.115.7:443 dr0id.best tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 142.250.187.202:443 remoteprovisioning.googleapis.com tcp
US 172.64.41.3:443 tcp
US 172.64.41.3:443 tcp
GB 172.217.169.67:443 tcp
US 172.64.41.3:443 udp
GB 172.217.169.67:443 udp
GB 216.58.201.100:443 tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp

Files

/data/data/kjjff.jsjdjsdj.ssss/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫

MD5 c57ec092b51247e160e49fea97b5e2e8
SHA1 b7b8047e42bd9e6247e9135d29f8fec4de508da8
SHA256 45dcff3a75b3c6fa937ff362cf510432149797b99484a35c871683f303fc3bb5
SHA512 00d695d78b43a2cc364f9c720f9dd0a11db8750768d946294865428eb1631f54c72c46ed739ee1dedfa5742540974dd12fd2198456f07d664617eecbbe58ce24

/data/data/kjjff.jsjdjsdj.ssss/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.

MD5 76111eecd6d9f9349dbcca3aae6d1747
SHA1 9db362cbe8bf3f07201d5d6fd8c18640012c2a17
SHA256 0d9bd10397a5b9f64266841319cb6d9a72e80d33ffe17c431393847222e1f6ad
SHA512 66b33684c5a9be30095ef174c0a4c7da0cbd458e442d372dade83fadc8c4b03b8a26272d7fafc885f0212a5274b624a479a4297877019c09a655d0332476e463

/data/data/kjjff.jsjdjsdj.ssss/files/mqtt_connect

MD5 615889b741927c929dbd59e92bed8522
SHA1 165b1bbd413cd17c07bd4e65c1a3d1f19899dbbb
SHA256 66bbe3481ed16439ee58b015f68d234aa7d2d3ee14c2d3522c18e9fa03d41496
SHA512 2b704750052a5c375c16d858e76c550e65a39000687dac41236eb1c5ad1e48699c1180d91a642da1336edc91722317343759e6cc011594070394694b1f2e3cfe

/data/data/kjjff.jsjdjsdj.ssss/files/mqtt_connect

MD5 37cd951e9663a69e5f4998cb53952ac6
SHA1 1dea316d769fbed3138123918f46826dd308de21
SHA256 acd993e6c85a8562f9d085ac3abea7c0489692da1a8c53a05d1d04d4fea32e6f
SHA512 317dd3d5619f09c00634ceeba2ca9d07894cd34324bfca44832c3c0e785c2f469be9be543d737125ebc65f83aed32807327ab46aaf3864e52667ae51ff868ad6

/data/data/kjjff.jsjdjsdj.ssss/cache/~test.test

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff