Malware Analysis Report

2024-11-15 09:54

Sample ID 241110-d2zwssydrj
Target signed.apk
SHA256 6657b221083beef8c1d73e16fc553ebf05962fd812b3d1f81b8c17ddff775310
Tags
collection credential_access discovery evasion persistence
score
7/10


Analysis Overview

score
7/10

SHA256

6657b221083beef8c1d73e16fc553ebf05962fd812b3d1f81b8c17ddff775310

Threat Level: Shows suspicious behavior

The file signed.apk was found to show suspicious behavior.

Malicious Activity Summary

collection credential_access discovery evasion persistence

Makes use of the framework's Accessibility service

Reads the content of the call log.

Reads the content of the SMS messages.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Acquires the wake lock

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:30

Signatures

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to recognize physical activity. android.permission.ACTIVITY_RECOGNITION N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:30

Reported

2024-11-10 04:01

Platform

android-x86-arm-20240624-en

Max time kernel

1799s

Max time network

1803s

Command Line

com.bani.kedr.clv

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A Anonymous-DexFile@0xc9bc1000-0xc9bdfac0 N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex N/A N/A
N/A Anonymous-DexFile@0xc8e4b000-0xc8e5b398 N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.bani.kedr.clv

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes3.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex --output-vdex-fd=49 --oat-fd=48 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes4.odex --compiler-filter=quicken --class-loader-context=&

Files

Anonymous-DexFile@0xc9bc1000-0xc9bdfac0

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex

Anonymous-DexFile@0xc8e4b000-0xc8e5b398

/data/data/com.bani.kedr/files/Factory/Plugins/classes1.dex

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex

/data/data/com.bani.kedr/files/Factory/Plugins/classes2.dex

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex

/data/data/com.bani.kedr/files/Factory/Plugins/classes3.dex

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex

/data/data/com.bani.kedr/files/Factory/Plugins/classes4.dex

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex

/data/data/com.bani.kedr/files/Factory/Plugins/oat/classes.dex.cur.prof

/data/data/com.bani.kedr/files/Factory/Plugins/oat/classes3.dex.cur.prof

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 03:30

Reported

2024-11-10 04:01

Platform

android-x64-20240624-en

Max time kernel

1799s

Max time network

1803s

Command Line

com.bani.kedr.clv

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bani.kedr/[email protected] N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex N/A N/A
N/A /data/user/0/com.bani.kedr/[email protected] N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.bani.kedr.clv

Files

/data/user/0/com.bani.kedr/[email protected]

/data/user/0/com.bani.kedr/[email protected]

/data/data/com.bani.kedr/files/Factory/Plugins/classes1.dex

/data/data/com.bani.kedr/files/Factory/Plugins/classes2.dex

/data/data/com.bani.kedr/files/Factory/Plugins/classes3.dex

/data/data/com.bani.kedr/files/Factory/Plugins/classes4.dex

/data/data/com.bani.kedr/files/Factory/Plugins/oat/classes.dex.cur.prof

/data/data/com.bani.kedr/files/Factory/Plugins/oat/classes3.dex.cur.prof

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 03:30

Reported

2024-11-10 04:01

Platform

android-x64-arm64-20240624-en

Max time kernel

1799s

Max time network

1804s

Command Line

com.bani.kedr.clv

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.bani.kedr/[email protected] N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex N/A N/A
N/A /data/user/0/com.bani.kedr/[email protected] N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex N/A N/A
N/A /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Reads the content of the SMS messages.

collection
Description Indicator Process Target
URI accessed for read content://sms/ N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Processes

com.bani.kedr.clv

Files

/data/user/0/com.bani.kedr/[email protected]

/data/user/0/com.bani.kedr/[email protected]

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex

/data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex

/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/classes.dex.cur.prof

/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/classes3.dex.cur.prof