Malware Analysis Report

2024-12-01 03:10

Sample ID 241111-lg4y1sxdjr
Target A87D71F1FD138258883ADFAB3A8A4E3C732222BA90451B0952CEF8567044BCC0.apk
SHA256 a87d71f1fd138258883adfab3a8a4e3c732222ba90451b0952cef8567044bcc0
Tags: banker, collection, credential_access, discovery, evasion, execution, impact, persistence, stealth, trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 8/10
SHA256: a87d71f1fd138258883adfab3a8a4e3c732222ba90451b0952cef8567044bcc0
Threat Level: Likely malicious (the file A87D71F1FD138258883ADFAB3A8A4E3C732222BA90451B0952CEF8567044BCC0.apk was found to be likely malicious)

Malicious Activity Summary


Removes its main activity from the application launcher

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Requests enabling of the accessibility settings.

Declares services with permission to bind to the system

Queries information about active data network

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Mobile Matrix V15 (the technique matrix is an interactive element on the source page and is not reproduced in this text export).

Analysis: static1

Detonation Overview

Reported: 2024-11-11 09:31

Signatures

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Process / Target: N/A

Requests dangerous framework permissions

Process / Target: N/A for every row.

android.permission.SCHEDULE_EXACT_ALARM   Allows applications to use exact alarm APIs.
android.permission.READ_PHONE_STATE       Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE             Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_CONTACTS          Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS         Allows an application to write the user's contacts data.
android.permission.READ_SMS               Allows an application to read SMS messages.
android.permission.POST_NOTIFICATIONS     Allows an app to post notifications.
android.permission.RECEIVE_SMS            Allows an application to receive SMS messages.
android.permission.SEND_SMS               Allows an application to send SMS messages.
android.permission.RECEIVE_WAP_PUSH       Allows an application to receive WAP push messages.
android.permission.CAMERA                 Required to be able to access the camera device.

Taken on their own, SCHEDULE_EXACT_ALARM and POST_NOTIFICATIONS are unremarkable. The combination that matches the banker tag is the full SMS set (READ_SMS, RECEIVE_SMS, SEND_SMS, RECEIVE_WAP_PUSH) for OTP interception, CALL_PHONE plus READ_PHONE_STATE for call control, contacts read/write, and a service guarded by BIND_ACCESSIBILITY_SERVICE for UI control once the user is talked into enabling it.
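Before trusting a sandbox's permission table, a practitioner usually re-derives it from the decoded manifest and checks the two things the dynamic run goes on to exercise: which service declares BIND_ACCESSIBILITY_SERVICE (and whether it carries the AccessibilityService intent filter the system needs to bind it) and which activity is the MAIN/LAUNCHER entry that the sample later hides. The script below is an added example written for this report, not code from the sample, the sandbox or any project; the embedded manifest is constructed to mirror the permissions listed above, and the permission groupings and flag names are this example's own.

```python
"""Static triage of a decoded AndroidManifest.xml (apktool / aapt2 output,
not binary AXML) for the indicators this report flags: the dangerous
permission set, a service that binds with BIND_ACCESSIBILITY_SERVICE, and
the MAIN/LAUNCHER activity that the sample later hides.

Added example for this report; SAMPLE_MANIFEST is constructed for the
demonstration and is not the manifest of the analysed APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Permission groups whose joint presence is the banker profile (example's own grouping).
BANKER_COMBOS = {
    "sms_control": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                    "android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
}

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="unstable.reversion.robin">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
  <application android:label="app">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _names(parent, tag):
    """Set of android:name values of <tag> elements anywhere under parent."""
    return {el.get(ANDROID_NS + "name") for el in parent.iter(tag)}


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = _names(root, "uses-permission")

    # A <service> guarded by BIND_ACCESSIBILITY_SERVICE that also declares the
    # AccessibilityService action is one the system will bind once the user
    # enables it under Settings > Accessibility.
    a11y = []
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == A11Y_BIND:
            a11y.append({"name": svc.get(ANDROID_NS + "name"),
                         "bindable": A11Y_ACTION in _names(svc, "action")})

    # Launcher entry points; an activity-alias can carry the LAUNCHER filter too.
    launcher = []
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            if ("android.intent.action.MAIN" in _names(act, "action")
                    and "android.intent.category.LAUNCHER" in _names(act, "category")):
                launcher.append(act.get(ANDROID_NS + "name"))

    combos = sorted(name for name, needed in BANKER_COMBOS.items() if needed <= perms)
    flags = []
    if any(s["bindable"] for s in a11y):
        flags.append("accessibility_service")
    if "sms_control" in combos:
        flags.append("sms_interception")
    if flags == ["accessibility_service", "sms_interception"]:
        flags.append("banker_profile")  # both together match this report's tag set
    return {"package": root.get("package"), "permissions": sorted(perms),
            "combos": combos, "accessibility_services": a11y,
            "launcher_activities": launcher, "flags": flags}


if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The launcher activity this returns is the component to check on a device that has already run the sample: once the app has called PackageManager.setComponentEnabledSetting to hide its icon, `adb shell dumpsys package unstable.reversion.robin` lists that component under disabledComponents, which is the concrete form of the "Removes its main activity from the application launcher" signature.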

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 09:31
Reported: 2024-11-11 09:32
Platform: android-x86-arm-20240624-en
Max time kernel: 36s
Max time network: 40s

Command Line

unstable.reversion.robin (the installed package started by the sandbox; there is no separate shell command line)

Signatures

Removes its main activity from the application launcher

Tags: stealth, trojan, evasion
No indicator recorded (Description/Indicator/Process/Target all N/A). The effect is that the icon disappears after first launch, so the user has no obvious way to find or uninstall the app from the launcher.

Loads dropped Dex/Jar

Tags: evasion
Indicator: /data/data/unstable.reversion.robin/code_cache/decrypted.dex (3 load events)
The Files section lists three different hashes for this path, so three distinct decrypted payloads were written to and loaded from the same location during the run.

Makes use of the framework's Accessibility service

Tags: collection, evasion, credential_access
Framework service calls:
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
These are the node-lookup calls an accessibility service uses to read the screen content of other apps (by view id and by visible text), which is the mechanism by which text typed into a foreground app can be collected.

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Tags: banker, discovery
No indicator recorded.

Queries the phone number (MSISDN for GSM devices)

Tags: discovery
No indicator recorded.

Performs UI accessibility actions on behalf of the user

Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 recorded calls)
performGlobalAction triggers system-level navigation (back, home, recents, notification shade) without user input; together with the node lookups above it gives the service full control of the UI once the user has enabled it.

Queries information about active data network

Tags: discovery
Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo

Queries the mobile country code (MCC)

Tags: discovery
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Requests disabling of battery optimizations (often used to enable hiding in the background).

Tags: evasion
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS

Requests enabling of the accessibility settings.

Intent action: android.settings.ACCESSIBILITY_SETTINGS
The app sends the user to the accessibility settings screen to enable its own service; every accessibility call listed above depends on that being granted.

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time

Tags: execution, persistence
Framework service call: android.app.job.IJobScheduler.schedule
Consistent with the androidx.work (WorkManager) database in the Files section; WorkManager schedules its work through JobScheduler.

Uses Crypto APIs (Might try to encrypt user data)

Tags: impact
Framework API call: javax.crypto.Cipher.doFinal
The "encrypt user data" reading is the sandbox's generic description of this API. In this trace the only non-database file written is code_cache/decrypted.dex, so the Cipher use is more plausibly the decryption of the embedded payload than encryption of anything belonging to the user.

Checks CPU information

File opened for read: /proc/cpuinfo

Checks memory information

File opened for read: /proc/meminfo

Processes

unstable.reversion.robin

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/unstable.reversion.robin/code_cache/decrypted.dex --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/data/unstable.reversion.robin/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=&

dex2oat is ART's ahead-of-time compiler, invoked by the runtime to compile the dropped code_cache/decrypted.dex into code_cache/oat/x86/decrypted.odex with --compiler-filter=quicken, i.e. the loaded payload is a well-formed DEX that ART accepted. The argument list is cut off in the report after --class-loader-context=.
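Three loads of code_cache/decrypted.dex with three different hashes (see Files) mean every dump pulled off the device has to be checked before it is disassembled: a capture taken while the file is still being written, or before decryption has finished, parses as a header but nothing more. The script below is an added example for this report, not code from the sample, the sandbox or ART: it parses the dex header, verifies the adler32 checksum and SHA-1 signature that the dex format carries over the rest of the file, and hashes the file the way the Files section does. build_minimal_dex() is a constructed stand-in for a real dump.

```python
"""Header check for a DEX dropped at runtime (here code_cache/decrypted.dex).
The header's adler32 checksum covers everything after itself and the SHA-1
signature covers everything after the signature, so a dump that parses but
fails either check is truncated or was captured before decryption finished.

Added example for this report; build_minimal_dex() constructs a synthetic
header-only file for the demonstration."""
import hashlib
import struct
import zlib

HEADER_LEN = 0x70
ENDIAN_CONSTANT = 0x12345678
KNOWN_VERSIONS = {"035", "037", "038", "039"}

# The 20 little-endian u4 fields that follow the 8-byte magic, u4 checksum
# and 20-byte signature (8 + 4 + 20 + 80 = 0x70).
FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)


def parse_dex_header(data):
    if len(data) < HEADER_LEN:
        raise ValueError("only %d bytes, shorter than a dex header" % len(data))
    magic = data[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("not a dex file, magic %r" % magic)
    hdr = {
        "version": magic[4:7].decode("ascii"),
        "checksum": struct.unpack_from("<I", data, 8)[0],
        "signature": data[12:32].hex(),
    }
    hdr.update(zip(FIELDS, struct.unpack_from("<20I", data, 32)))
    return hdr


def verify_dex(data):
    """Return (header, problems); an empty problems list means the file is
    internally consistent and safe to hand to a disassembler."""
    hdr = parse_dex_header(data)
    problems = []
    if hdr["version"] not in KNOWN_VERSIONS:
        problems.append("unknown version %s" % hdr["version"])
    if hdr["header_size"] != HEADER_LEN:
        problems.append("header_size 0x%x" % hdr["header_size"])
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("endian_tag 0x%x" % hdr["endian_tag"])
    if hdr["file_size"] != len(data):
        problems.append("file_size %d but %d bytes on disk" % (hdr["file_size"], len(data)))
    if zlib.adler32(data[12:]) & 0xFFFFFFFF != hdr["checksum"]:
        problems.append("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).hexdigest() != hdr["signature"]:
        problems.append("sha1 signature mismatch")
    for name in FIELDS:
        if name.endswith("_off") and hdr[name] > len(data):
            problems.append("%s points past end of file" % name)
    return hdr, problems


def fingerprint(data):
    """Hashes in the form the report's Files section uses."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def build_minimal_dex(version="035", payload=b"\x00" * 16):
    """Constructed test input: a header plus an opaque data section, with the
    checksum and signature computed as the dex format specifies."""
    fields = [HEADER_LEN + len(payload), HEADER_LEN, ENDIAN_CONSTANT]
    fields += [0] * 15                    # link/map/id tables: none
    fields += [len(payload), HEADER_LEN]  # data_size, data_off
    body = struct.pack("<20I", *fields) + payload
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return (b"dex\n" + version.encode() + b"\x00"
            + struct.pack("<I", checksum) + signature + body)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_dex()
    header, issues = verify_dex(blob)
    print(header["version"], fingerprint(blob)["sha256"], issues or "OK")
```

Run it against each decrypted.dex pulled from the device (adb pull needs a rooted device or a debuggable build to reach /data/data) and compare the SHA-256 with the three values in the Files section to tell the stages apart before loading them into jadx.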

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       -                                   udp
GB       142.250.200.42:443     -                                   tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53             mastercardkeys.world                udp
US       172.67.152.119:80      mastercardkeys.world                tcp
US       1.1.1.1:53             upload.wikimedia.org                udp
NL       185.15.59.240:443      upload.wikimedia.org                tcp
GB       216.58.204.78:443      -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       142.250.178.14:443     android.apis.google.com             tcp
US       1.1.1.1:53             www.google.com                      udp
GB       142.250.179.228:443    www.google.com                      udp
GB       142.250.179.228:443    www.google.com                      tcp

mDNS (224.0.0.251:5353), the 1.1.1.1 resolver and the Google endpoints are sandbox and platform background traffic. The one destination not attributable to the platform is mastercardkeys.world, resolved and then contacted over plaintext HTTP at 172.67.152.119:80; it is the network indicator to block and hunt for. The report records no request content, so its role cannot be confirmed from this page alone. upload.wikimedia.org is not a default Android endpoint either; what was fetched from it is not shown.
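Separating the platform's background traffic from the sample's own connections is the first step in turning this table into indicators. The script below is an added example for this report, not output of the sandbox: it re-parses the rows above in the flattened form the report uses, pairs each DNS lookup with the connection that followed it, flags cleartext HTTP, and leaves anything outside a Google allowlist (the allowlist is this example's own assumption) for a human to judge.

```python
"""Triage of the sandbox network table: separate platform background traffic
(mDNS, the resolver, Google services) from destinations that need attention,
and pair each DNS lookup with the connection that followed it.

Added example for this report; REPORT_ROWS is the behavioral1 table copied in
the flattened form the report uses, and PLATFORM_SUFFIXES is this example's
own allowlist assumption."""
import ipaddress
from collections import defaultdict

PLATFORM_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com", ".android.com")

REPORT_ROWS = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 mastercardkeys.world udp
US 172.67.152.119:80 mastercardkeys.world tcp
US 1.1.1.1:53 upload.wikimedia.org udp
NL 185.15.59.240:443 upload.wikimedia.org tcp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.179.228:443 www.google.com udp
GB 142.250.179.228:443 www.google.com tcp
"""


def parse_rows(text):
    """Rows are 'country ip:port [domain] proto'; the domain column is simply
    absent when the sandbox could not attribute the flow to a name."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, port = parts[1].rsplit(":", 1)
        records.append({
            "country": None if parts[0] == "N/A" else parts[0],
            "ip": ip,
            "port": int(port),
            "domain": parts[2] if len(parts) == 4 else None,
            "proto": parts[-1],
        })
    return records


def is_platform(domain):
    return domain.endswith(PLATFORM_SUFFIXES)


def triage_network(text):
    resolved = set()
    unattributed = set()
    flows = defaultdict(lambda: {"ips": set(), "ports": set(), "protos": set(), "plaintext": False})
    for r in parse_rows(text):
        if ipaddress.ip_address(r["ip"]).is_multicast:
            continue                      # 224.0.0.251:5353 is local mDNS chatter
        if r["port"] == 53 and r["domain"]:
            resolved.add(r["domain"])     # DNS lookup; the answer shows up as a later row
            continue
        if r["domain"] is None:
            unattributed.add(r["ip"])     # TLS to an IP the sandbox did not tie to a name
            continue
        f = flows[r["domain"]]
        f["ips"].add(r["ip"])
        f["ports"].add(r["port"])
        f["protos"].add(r["proto"])
        if r["proto"] == "tcp" and r["port"] in (80, 8080):
            f["plaintext"] = True         # cleartext HTTP: content is recoverable from a pcap

    def summary(domain):
        f = flows[domain]
        return {"domain": domain, "ips": sorted(f["ips"]), "ports": sorted(f["ports"]),
                "protos": sorted(f["protos"]), "plaintext": f["plaintext"]}

    return {
        "suspect": [summary(d) for d in sorted(flows) if not is_platform(d)],
        "platform": [summary(d) for d in sorted(flows) if is_platform(d)],
        "dns_only": sorted(resolved - set(flows)),   # resolved but never connected
        "unattributed_ips": sorted(unattributed),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_network(REPORT_ROWS), indent=2))
```

On the rows above this yields two suspect names, mastercardkeys.world (plaintext, one IP, port 80) and upload.wikimedia.org, plus two unattributed TLS endpoints in Google's ranges; the allowlist deliberately does not include wikimedia.org so that a reviewer decides whether that fetch is decoy content or platform noise.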

Files

Files written during the run. androidx.work.workdb and its -journal, -wal and -shm companions are the WorkManager SQLite database; the WAL path is listed several times because the sandbox captured it at different points, so the same path carries different hashes. code_cache/decrypted.dex appears three times with three different hashes: three distinct DEX payloads were decrypted to the same path.

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-journal

MD5 e3e266019ec5b6ea3fcc61a172eb9171
SHA1 1f99fa05af340a39a9d80c9e7a3a48adbcf65fd4
SHA256 611417e6f822f95891d3e18814c2931060f6cfb4a5dc257698cd8971057c9c3e
SHA512 c0cc21217e3305bd5c66e927a90a1a4e3454bb097209c055005fec31069a8114c61c0b2fa8123fd0dea36c4433f6687f92b48fe99f947ac3e7a93ce8fbb98360

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb

MD5 4f83b5b6cd19cd51e10e4e906c348ffa
SHA1 60ec19cd176465f80f929d90f34270008563d524
SHA256 5f675bd94b2f9cec3f3624b17584aab322669b83617c0d17a0cbe2c11e85ad4b
SHA512 c15290be37250c8106d15140adae3844b0905f4ccb16d378614416e89289e3f876ead508b9ba6ccdb452d7b5c4b3a22a5da8abfa9ec8c3a5221fda2c59974bcc

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-wal

MD5 47a97d410b31253677385d0e40820265
SHA1 e1c82965d760083d9b7e50af229e605baf5b7532
SHA256 c5d2fa0299ce5c1801f6e3160de8b3818d1f9def800b92800eef3a3471ea07da
SHA512 de267a4f0eca6524b7c70442543aee0d8261903521a7e1e89293880241d4f5da1b9ac5aa46f2f63fb60486007d003c84dcbb4a5805435ddf016bc27e2757e517

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-wal

MD5 4b06631456832de0bfc9c35fad7983cb
SHA1 f90d512f7b02056a545b808ab81d3ba058de0e66
SHA256 d4f0402282f348f210c49768a1c92fdeee200e9c594e5528deb40940c5db5955
SHA512 52c784e1cefecb2783cdb589dd4311d42af40f9f78d85b2684ac2f8d91deafddf0da9d425d952038ca3eaf26c36f6f4302f0de215749869b3df4e4af6ca7168c

/data/data/unstable.reversion.robin/code_cache/decrypted.dex

MD5 2f4c4231a1b0e9e8375f087909196141
SHA1 637d889ed5b5f3ba5d0ba1f379200c547ae9dd2d
SHA256 20ce9f23d8ac70824e3d8f849f0f52b83ad82b4b726c2786c9dfeff384154e12
SHA512 a06aea2c2f7e09e23d9969a5746f0474ef91e0e89aeddd7ebe1aed2d39045f7fc5987ca7ccde97f9e5fa97febefca3f45d845b52ecebabe259613ed0cd8ef354

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-wal

MD5 bd2aa9cadf9830c56538e2ea566d56bc
SHA1 43d572c09ef7535e33ecab4f50b301c472632f4d
SHA256 65f6dc55839c5ef63c02a93e04114de0b207c1bd213b616e4a00820dcf16e581
SHA512 0efd421106a931710627b196c03043ff4c4cbc38e9700c25d9adc268197bef41206f15f309d801da256ec7260fc7b3ddf7565e3d0f61b1ee7d863cc9de9f5dd9

/data/data/unstable.reversion.robin/code_cache/decrypted.dex

MD5 63099f8f5beeda9a8a99f4826d3176e9
SHA1 664a9eca214cae950e5e8825cbf09c47af9ae864
SHA256 71cced89aa71f5801814b7b15a0bb08bf39c76a0999ad371ebc1d67fdb3f4959
SHA512 610978d99e989ac2aef93ea076afc128fbc3912aa88d8bcdcc956822d68c6eeb094c206bad2e8f2956f54dcfee0fbc0e5492962b5159a2f24658ceded0b99f49

/data/data/unstable.reversion.robin/code_cache/decrypted.dex

MD5 9b84a041469561b0a1f52d6b601d67e6
SHA1 9ae607ef2fd101fef4301e349cd7a42a9bf8bf7a
SHA256 181227a19052dffc9aae90ac56587d2c417af077aa12c30477a92c5dba100474
SHA512 b82892ed987554181306c8b1620d4153d9bab06da22d675ff1f50af62a5d325d8f31f3d7a3c54afac281aacd74f96d6a2a1ccc6e9e57c8ea05192bf19ebbdb36

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-11 09:31
Reported: 2024-11-11 09:33
Platform: android-33-x64-arm64-20240624-en
Max time kernel: 4s
Max time network: 134s

Command Line

unstable.reversion.robin

Signatures

Loads dropped Dex/Jar

Tags: evasion
Indicator: /data/data/unstable.reversion.robin/code_cache/decrypted.dex

On the Android 13 (API 33) image the run logged only 4s of kernel time and only this one signature: the accessibility, telephony and scheduling behaviour seen in behavioral1 did not trigger here. The two decrypted.dex hashes listed below match the first two from behavioral1, and mastercardkeys.world was not contacted in this run, which is consistent with the payload being carried inside the APK rather than fetched from the network.

Processes

unstable.reversion.robin

Network

Country  Destination            Domain                              Proto
GB       216.58.201.100:443     -                                   udp
GB       216.58.201.100:443     -                                   tcp
GB       216.58.201.100:443     -                                   tcp
N/A      224.0.0.251:5353       -                                   udp
GB       216.58.204.78:443      -                                   tcp
GB       216.58.204.78:443      -                                   tcp
GB       216.58.204.78:443      -                                   udp
US       1.1.1.1:53             remoteprovisioning.googleapis.com   udp
GB       216.58.201.106:443     remoteprovisioning.googleapis.com   tcp
US       172.64.41.3:443        -                                   tcp
US       172.64.41.3:443        -                                   tcp
GB       172.217.169.67:443     -                                   tcp
US       172.64.41.3:443        -                                   udp
GB       172.217.169.67:443     -                                   udp
GB       142.250.200.36:443     -                                   tcp
GB       142.250.200.36:443     -                                   tcp
GB       216.58.201.100:443     -                                   tcp
US       1.1.1.1:53             rcs-acs-tmo-us.jibe.google.com      udp
US       216.239.36.155:443     rcs-acs-tmo-us.jibe.google.com      tcp
GB       216.58.201.100:443     -                                   udp

The only attributed names are Google services (remote key provisioning for device attestation, and RCS), i.e. emulator background traffic; the unattributed TLS flows carry no name in the report and cannot be classified from it. mastercardkeys.world does not appear in this run.

Files

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-journal

MD5 5dfe9ef6e540b09a7beb9eacea27d92d
SHA1 7ddd75354e1bb5cab2d47de0ea04d677b32b78bb
SHA256 9169ddc103940caa539032f37c75e5ea4fc5f2afe60b0a80453b589c564d42a3
SHA512 139d7fec5a37ff1f6bed418a8ffd264391b5604c99db55c8be0127f4b799529e5cf890a85c43fc64abb932ac8df0f89d0d9ca0ad968628cd8ce1a0448f15b7cd

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb

MD5 0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1 fee434f784e73cc7916322e949f727caf8363102
SHA256 b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512 b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-wal

MD5 0e65a65ed3472eea0faa134540515c0a
SHA1 7df6994b126c1b4ba085923a4dd9d67f6d47bc2c
SHA256 6964e21f491ff4b29d080f620b0d92ee41757c5ef6fc7637e7d905f3b22db369
SHA512 27d10702270b210f8e0e19b05a68c6c6ea557b8d86f9105f9fabd0de495809dbc2ed85daca6a2123c2058518901a68181df8c1d43d352536fed5835fbd4dbb66

/data/data/unstable.reversion.robin/no_backup/androidx.work.workdb-wal

MD5 14d96b188e8c2610a65eefda2676f4a4
SHA1 1b09cb23843c983a782e9d7d654350f6c33734b1
SHA256 a513e82344b8953050855f6bfb4d108ef71f7e96acc01b3c9841438454ff0ac7
SHA512 37aed7abf30d11fdb9f2bab47c4e558c6fd4ce0846885d4e5c98c794f8726bd6c0020e3728eeb92bbc1a6543160f4dd74d446c4464c7d212951c4b5f8c358758

/data/data/unstable.reversion.robin/code_cache/decrypted.dex

MD5 2f4c4231a1b0e9e8375f087909196141
SHA1 637d889ed5b5f3ba5d0ba1f379200c547ae9dd2d
SHA256 20ce9f23d8ac70824e3d8f849f0f52b83ad82b4b726c2786c9dfeff384154e12
SHA512 a06aea2c2f7e09e23d9969a5746f0474ef91e0e89aeddd7ebe1aed2d39045f7fc5987ca7ccde97f9e5fa97febefca3f45d845b52ecebabe259613ed0cd8ef354

/data/data/unstable.reversion.robin/code_cache/decrypted.dex

MD5 63099f8f5beeda9a8a99f4826d3176e9
SHA1 664a9eca214cae950e5e8825cbf09c47af9ae864
SHA256 71cced89aa71f5801814b7b15a0bb08bf39c76a0999ad371ebc1d67fdb3f4959
SHA512 610978d99e989ac2aef93ea076afc128fbc3912aa88d8bcdcc956822d68c6eeb094c206bad2e8f2956f54dcfee0fbc0e5492962b5159a2f24658ceded0b99f49