Malware Analysis Report

2024-11-15 09:54

Sample ID 241110-gp6elazrat
Target 99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.bin
SHA256 99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc
Tags collection credential_access discovery evasion execution persistence stealth trojan impact
Score 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 8/10

SHA256

99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc

Threat Level: Likely malicious

The file 99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.bin was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion execution persistence stealth trojan impact

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Requests an exemption from battery optimizations (often used to keep a background service alive through Doze and app standby).

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 05:59

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Declared on the service so that only the system can bind to it; this is what marks a component as an AccessibilityService, which, once the user enables it, can read on-screen content and inject UI actions. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
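As an added example (not part of the sandbox report), a small Python triage script that pulls the same indicator from a decoded AndroidManifest.xml, together with the launcher activity that the behavioral runs later hide and the battery-optimisation permission they request. The manifest embedded below is constructed for illustration: only the package name comes from the report, the component names are invented. Real APKs carry a binary manifest, so decode it first (for example with apktool d) before feeding it in.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
IGNORE_BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"

# Constructed sample manifest. Only the package name mirrors the report; the
# component names and the permission set are invented for illustration.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.airbnb.android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Airbnb">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".a11y.Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _a(el, attr):
    """Read an android:-namespaced attribute (empty string if absent)."""
    return el.get("{%s}%s" % (ANDROID_NS, attr), "")


def triage_manifest(xml_text):
    """Extract the static indicators this report keys on from a decoded manifest.

    Returns the accessibility services (by BIND permission or intent action),
    the launcher activities (MAIN + LAUNCHER, the components a sample later
    disables to hide its icon) and a list of flag strings.
    """
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {_a(p, "name") for p in root.findall("uses-permission")}
    out = {
        "package": root.get("package"),
        "accessibility_services": [],
        "launcher_activities": [],
        "flags": [],
    }
    if app is None:
        return out
    for svc in app.findall("service"):
        actions = {_a(a, "name") for a in svc.iter("action")}
        if _a(svc, "permission") == BIND_A11Y or A11Y_ACTION in actions:
            out["accessibility_services"].append(_a(svc, "name"))
    for act in app.findall("activity") + app.findall("activity-alias"):
        actions = {_a(a, "name") for a in act.iter("action")}
        cats = {_a(c, "name") for c in act.iter("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            out["launcher_activities"].append(_a(act, "name"))
    if out["accessibility_services"]:
        out["flags"].append("declares_accessibility_service")
    if IGNORE_BATTERY in perms:
        out["flags"].append("requests_ignore_battery_optimizations")
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The launcher activity list is the useful half of the output: on a device, compare it against the disabledComponents block of dumpsys package for the package to confirm the icon-hiding behaviour the behavioral1 run reports.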

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 05:59

Reported

2024-11-10 06:02

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

133s

Command Line

com.airbnb.android

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (8 events; the sandbox captured no indicator, process or target for any of them)
On a live device a launcher icon hidden this way typically shows up as a disabled component in the output of dumpsys package com.airbnb.android, while pm list packages still lists the package.

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json | N/A | N/A (2 events)
The .json extension is cosmetic: the Processes section of this run shows the runtime invoking dex2oat with this file as --dex-file, so it is a DEX payload written at runtime and compiled to an .odex next to it.

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (32 events)

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Requests an exemption from battery optimizations (often used to keep a background service alive through Doze and app standby).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.airbnb.android

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.airbnb.android/app_DynamicOptDex/oat/x86/NJWYcsjzoWq.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp
The only record for incb5rp01od082rye5z7.xyz is the DNS query to 1.1.1.1; no connection in this capture is attributed to it, so treat the domain as an indicator to block and hunt for rather than as a confirmed C2 channel.

Files

Note: on these Android images /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so the four NJWYcsjzoWq.json entries below are one on-disk path captured with four different contents, i.e. the file was rewritten during the run; the .cur.prof entry is the ART runtime profile for it.

/data/data/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

MD5 a78706d4f94f6790fc48eb085d77f839
SHA1 4d559a1eb29706e8c59b5d97fee6a62eb4200ce7
SHA256 d230eb540ccb92f3c87da24d6e9d10bb7c16191170c71780ef912661b1a1c755
SHA512 09231b99dc278a4eb438876572743a5537134fdc1d20ff68eb3ff507aa14af7b97c16519b6b7bb490c2dd662d65a4912059e7f3e79c02bc4737b620c72fbe4b2

/data/data/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

MD5 fdaeb2de7faaab6eccae697f31589bde
SHA1 f6f174e4b0ec984498f4c7f0bd87574d85dc091c
SHA256 371ebbd6283a7b180a6b95bbb19dd3a4359d5f7908f7ee3fb93068b9ed7bb7e9
SHA512 bdc2ddb0d0ba42c9cef9b63e04bae64377f232212fddaf986937efd0848d0caf091b60238b78765562eb79f52230d3a99618ed0d2e8c5600f2fa6cea44f6ecfa

/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

MD5 421566823a86bc4e8a90c92e3df4da43
SHA1 1eb219c76168a70a0872d2086a1c01e9ced0d513
SHA256 706a1ae9b4f5630aa9077a3dc0489f5910fa285b3756e4bbb03e689eae422579
SHA512 872c79cbcfcd0d268aedb19adc8676a141446bbf74757646ed8cef9aaa4cb99f5d92992e0e300712ea5a0aded100397d9da4c8e6f278e0cad5ed89e734e06fd5

/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

MD5 4ff5effde6fcee6240d7bad355c2112c
SHA1 cc4355769fa638c3d55dfeb192f5f9d87e2b6477
SHA256 8b957055505c655aeed66c879163a6467758de3766ce26601bdb848e04603f99
SHA512 ed32c6d667e1059280c85601f5aeddcec43c521e5a0d06f5de6ff4fc27965ac86d31101b06fb1c33c635be744b8369b4809932ffabbde79d7e0cc6fa6db40b13

/data/data/com.airbnb.android/app_DynamicOptDex/oat/NJWYcsjzoWq.json.cur.prof

MD5 cbf6f191b4184b2499f80b1101ea45a9
SHA1 f2f6055ea2fbe56b8f3ed3b5225457cbba5001e0
SHA256 319d1041f22b9903db1d10a9d72cf9b7d026d423e62ad5111fd3ec0d7d3c8e5b
SHA512 5094ce54642bb4ba24043384477b13c55591e2f98291692757175cceab5168fc495ca5cae218c9c651b75edbe9d7c1f56d4dbae1e6842d8772d6c615228817a4
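The dropped file is worth checking by content rather than by name. The following Python helper, an added example and not part of the report, parses the DEX header and verifies the adler32 checksum and SHA-1 signature every DEX carries, which tells you whether a captured copy of NJWYcsjzoWq.json is a real DEX (as the dex2oat invocation in the Processes section implies for at least one of the captured contents) or an earlier, still-encrypted stage. The DEX-shaped sample it builds is synthetic (a header plus padding, not loadable code) so that the block runs offline; the function names are mine.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n"
DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678


def inspect_dex(blob):
    """Parse a DEX header and verify its embedded integrity fields.

    Dalvik executable header layout:
      0x00  magic      b"dex\\n035\\0" (version digits vary: 035, 037, 038, 039)
      0x08  checksum   adler32 over bytes 0x0C..EOF
      0x0C  signature  SHA-1 over bytes 0x20..EOF
      0x20  file_size  0x24 header_size  0x28 endian_tag
    """
    info = {"is_dex": False, "version": None, "file_size": None,
            "size_ok": False, "checksum_ok": False, "signature_ok": False}
    if len(blob) < DEX_HEADER_SIZE or blob[:4] != DEX_MAGIC or blob[7:8] != b"\x00":
        return info
    info["is_dex"] = True
    info["version"] = blob[4:7].decode("ascii", "replace")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    info["file_size"] = file_size
    info["size_ok"] = (file_size == len(blob) and header_size == DEX_HEADER_SIZE
                       and endian_tag == DEX_ENDIAN_CONSTANT)
    info["checksum_ok"] = (zlib.adler32(blob[12:]) & 0xFFFFFFFF) == checksum
    info["signature_ok"] = hashlib.sha1(blob[32:]).digest() == signature
    return info


def make_synthetic_dex(payload, version=b"035"):
    """Build a header-only DEX-shaped blob with correct checksum and signature.

    Constructed test data: it has no string/type/method tables, so it is not a
    loadable DEX, but its header is laid out exactly like a real one.
    """
    data = bytearray(DEX_HEADER_SIZE) + bytearray(payload)
    data[0:8] = DEX_MAGIC + version + b"\x00"
    struct.pack_into("<III", data, 32, len(data), DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    data[12:32] = hashlib.sha1(bytes(data[32:])).digest()   # signature first ...
    struct.pack_into("<I", data, 8, zlib.adler32(bytes(data[12:])) & 0xFFFFFFFF)  # ... then checksum over it
    return bytes(data)


def classify_dropped_file(path_hint, blob):
    """Describe a dropped file by content, ignoring whatever extension it was given."""
    r = inspect_dex(blob)
    if not r["is_dex"]:
        return "not-dex (encrypted stage, wrapper, or genuinely non-DEX data)"
    if not (r["checksum_ok"] and r["signature_ok"] and r["size_ok"]):
        return "dex header present but integrity fields do not match (truncated or patched)"
    return "valid DEX v%s despite '%s' extension" % (r["version"], path_hint.rsplit(".", 1)[-1])


if __name__ == "__main__":
    sample = make_synthetic_dex(b"\x00" * 16)
    print(classify_dropped_file("NJWYcsjzoWq.json", sample))
    print(classify_dropped_file("NJWYcsjzoWq.json", b'{"looks": "like json"}'))
```

Run it over each of the four captured contents of the path: a copy that fails the magic check is a pre-decryption stage, a copy that passes is the one to carry on to disassembly.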

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 05:59

Reported

2024-11-10 06:02

Platform

android-33-x64-arm64-20240624-en

Max time kernel

102s

Max time network

134s

Command Line

com.airbnb.android

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A
The listener fires on every clipboard change, so anything copied while the app is running (credentials pasted from a password manager, one-time codes, wallet addresses) can be read.

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A (12 events)

Requests an exemption from battery optimizations (often used to keep a background service alive through Doze and app standby).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.airbnb.android

Network

Country | Destination | Domain | Proto
GB | 216.58.201.100:443 | N/A | udp
GB | 216.58.201.100:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | tcp
N/A | 224.0.0.251:5353 | N/A | udp
GB | 216.58.204.78:443 | N/A | tcp
GB | 216.58.204.78:443 | N/A | tcp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 172.64.41.3:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | tcp
GB | 172.217.16.227:443 | N/A | tcp
US | 172.64.41.3:443 | N/A | udp
GB | 172.217.16.227:443 | N/A | udp
GB | 216.58.201.100:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 142.250.200.36:443 | N/A | tcp
GB | 216.58.201.100:443 | N/A | udp
US | 1.1.1.1:53 | incb5rp01od082rye5z7.xyz | udp
The rcs-acs-tmo-us.jibe.google.com and remoteprovisioning.googleapis.com traffic is typical of the Android 13 image's own background services (Google RCS and remote key provisioning); attribute it with care. As in behavioral1, only a DNS query for incb5rp01od082rye5z7.xyz is recorded, with no connection attributed to it.
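To turn the two Network tables into something actionable, here is an added Python example (not part of the report) that parses rows in the format printed above, separates DNS queries from attributed connections, and lists the domains that were only resolved. The rows are copied from the behavioral1 and behavioral2 tables on this page with repeats removed; the looks_generated heuristic and its thresholds are my own and are a hint for triage, not a verdict.

```python
import ipaddress

# Rows copied from this report's two Network tables: country, destination,
# optional domain, protocol. Duplicate connection rows have been dropped.
NETWORK_ROWS = """\
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 incb5rp01od082rye5z7.xyz udp
GB 216.58.201.100:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
US 172.64.41.3:443 tcp
"""


def parse_rows(text):
    """Parse the sandbox's flattened network rows; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] == "Country":
            continue
        host, _, port = parts[1].rpartition(":")
        rows.append({
            "country": parts[0],
            "host": host,
            "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None,
            "proto": parts[-1],
        })
    return rows


def looks_generated(domain):
    """Crude DGA-style heuristic (my own thresholds): a long registrable label
    whose characters flip between letters and digits many times."""
    labels = domain.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    flips = sum(1 for a, b in zip(label, label[1:]) if a.isdigit() != b.isdigit())
    return len(label) >= 12 and flips >= 4


def summarize(rows):
    """Split observed traffic into resolver queries, attributed connections,
    unattributed endpoints and multicast noise, then derive resolved-only domains."""
    queried, connected, unattributed, multicast = set(), set(), set(), set()
    for r in rows:
        if ipaddress.ip_address(r["host"]).is_multicast:      # e.g. mDNS on 224.0.0.251
            multicast.add("%s:%d" % (r["host"], r["port"]))
            continue
        is_dns_query = r["proto"] == "udp" and r["port"] == 53 and r["domain"]
        if is_dns_query:
            queried.add(r["domain"])
        elif r["domain"]:
            connected.add(r["domain"])
        else:
            unattributed.add("%s:%d/%s" % (r["host"], r["port"], r["proto"]))
    return {
        "queried": queried,
        "connected": connected,
        "resolved_only": queried - connected,   # looked up, but no connection attributed to the name
        "unattributed_endpoints": unattributed,
        "multicast": multicast,
        "suspect": sorted(d for d in queried | connected if looks_generated(d)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print("%-24s %s" % (key, sorted(value)))
```

Resolved-only is a property of the capture, not a verdict: remoteprovisioning.googleapis.com lands in the same bucket as the .xyz domain because the sandbox attributed no connection to either name, and only the label heuristic separates them. Feed the suspect list into blocklists and DNS-log hunts; feed the unattributed endpoints into passive-DNS lookups before deciding what they were.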

Files

Note: /data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json appears three times below because the same path was captured with three different contents during the run; the .cur.prof entry is the ART runtime profile for it.

/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

MD5 a78706d4f94f6790fc48eb085d77f839
SHA1 4d559a1eb29706e8c59b5d97fee6a62eb4200ce7
SHA256 d230eb540ccb92f3c87da24d6e9d10bb7c16191170c71780ef912661b1a1c755
SHA512 09231b99dc278a4eb438876572743a5537134fdc1d20ff68eb3ff507aa14af7b97c16519b6b7bb490c2dd662d65a4912059e7f3e79c02bc4737b620c72fbe4b2

/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

MD5 fdaeb2de7faaab6eccae697f31589bde
SHA1 f6f174e4b0ec984498f4c7f0bd87574d85dc091c
SHA256 371ebbd6283a7b180a6b95bbb19dd3a4359d5f7908f7ee3fb93068b9ed7bb7e9
SHA512 bdc2ddb0d0ba42c9cef9b63e04bae64377f232212fddaf986937efd0848d0caf091b60238b78765562eb79f52230d3a99618ed0d2e8c5600f2fa6cea44f6ecfa

/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

MD5 421566823a86bc4e8a90c92e3df4da43
SHA1 1eb219c76168a70a0872d2086a1c01e9ced0d513
SHA256 706a1ae9b4f5630aa9077a3dc0489f5910fa285b3756e4bbb03e689eae422579
SHA512 872c79cbcfcd0d268aedb19adc8676a141446bbf74757646ed8cef9aaa4cb99f5d92992e0e300712ea5a0aded100397d9da4c8e6f278e0cad5ed89e734e06fd5

/data/user/0/com.airbnb.android/app_DynamicOptDex/oat/NJWYcsjzoWq.json.cur.prof

MD5 642e24720d6497d98501601c2f7c32c0
SHA1 955bce1c3b087a2ccdca591d23d92868185bd26c
SHA256 a114fa7e9c7da8592570dc79ad176ac26b9af2823d128ab44fcec092b02610e3
SHA512 6b11ffdb4cff3d00fad695ca0246beb07c1631bfbc6d40b203161491cd6a2901a64fd8505fe928335f7ce6e57452f6a88a1846e7385d5c20816817a72e95b3c9