Malware Analysis Report

2024-12-01 03:10

Sample ID 241111-ln6q7a1khn
Target xManager.apk
SHA256 901eae37c506484e432c8dd3d96b8cc52063cca98dfc65e7318545d0ac90369c
Tags collection credential_access discovery evasion impact
Score 8/10

Analysis Overview

score
8/10

SHA256

901eae37c506484e432c8dd3d96b8cc52063cca98dfc65e7318545d0ac90369c

Threat Level: Likely malicious

The file xManager.apk was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion impact

Checks if the Android device is rooted.

Loads dropped Dex/Jar

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-11-11 09:41

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 09:41

Reported

2024-11-11 09:47

Platform

android-x64-arm64-20240624-en

Max time kernel

296s

Max time network

301s

Command Line

com.xc3fff0e.xmanager

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xc3fff0e.xmanager

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
US 1.1.1.1:53 gist.githubusercontent.com udp
US 185.199.111.133:443 gist.githubusercontent.com tcp
US 1.1.1.1:53 www.googletagservices.com udp
GB 172.217.169.66:443 www.googletagservices.com tcp
US 1.1.1.1:53 lh3.googleusercontent.com udp
GB 142.250.180.1:443 lh3.googleusercontent.com tcp
US 1.1.1.1:53 csi.gstatic.com udp
US 142.250.101.94:443 csi.gstatic.com tcp
US 142.250.101.94:443 csi.gstatic.com tcp
US 1.1.1.1:53 rr3---sn-aigl6nsd.googlevideo.com udp
GB 74.125.105.40:443 rr3---sn-aigl6nsd.googlevideo.com tcp
GB 74.125.105.40:443 rr3---sn-aigl6nsd.googlevideo.com tcp
US 1.1.1.1:53 fundingchoicesmessages.google.com udp
GB 142.250.200.46:443 fundingchoicesmessages.google.com tcp
US 1.1.1.1:53 rr1---sn-2oaig5-55.googlevideo.com udp
GB 74.125.4.193:443 rr1---sn-2oaig5-55.googlevideo.com tcp
GB 74.125.4.193:443 rr1---sn-2oaig5-55.googlevideo.com tcp
GB 142.250.200.46:443 fundingchoicesmessages.google.com tcp
GB 142.250.200.46:443 fundingchoicesmessages.google.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp
US 1.1.1.1:53 rr5---sn-aigzrn7k.googlevideo.com udp
GB 173.194.139.10:443 rr5---sn-aigzrn7k.googlevideo.com tcp
GB 173.194.139.10:443 rr5---sn-aigzrn7k.googlevideo.com tcp
US 1.1.1.1:53 accounts.google.com udp
US 1.1.1.1:53 static.xx.fbcdn.net udp
US 1.1.1.1:53 www.google.com udp
GB 157.240.214.11:443 static.xx.fbcdn.net tcp
GB 216.58.201.100:443 www.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
BE 66.102.1.84:443 accounts.google.com tcp
GB 216.58.201.100:443 www.google.com tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 1.1.1.1:53 encrypted-tbn0.gstatic.com udp
GB 142.250.180.14:443 encrypted-tbn0.gstatic.com tcp
GB 142.250.180.14:443 encrypted-tbn0.gstatic.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 172.217.169.67:443 update.googleapis.com tcp
US 1.1.1.1:53 clients1.google.com udp
GB 142.250.180.14:443 clients1.google.com tcp
US 1.1.1.1:53 update.googleapis.com udp
GB 216.58.212.227:443 update.googleapis.com tcp
US 1.1.1.1:53 play.google.com udp
GB 172.217.16.238:443 play.google.com tcp
US 1.1.1.1:53 ogads-pa.googleapis.com udp
US 1.1.1.1:53 consent.google.com udp
GB 142.250.187.206:443 consent.google.com tcp
US 1.1.1.1:53 open.spotify.com udp
US 151.101.67.42:443 open.spotify.com tcp
US 151.101.67.42:443 open.spotify.com tcp
US 1.1.1.1:53 encore.scdn.co udp
US 1.1.1.1:53 open.spotifycdn.com udp
US 1.1.1.1:53 www.googleoptimize.com udp
GB 2.19.117.33:443 encore.scdn.co tcp
GB 2.19.117.33:443 encore.scdn.co tcp
GB 2.19.117.33:443 encore.scdn.co tcp
GB 2.19.117.33:443 encore.scdn.co tcp
GB 2.19.117.33:443 encore.scdn.co tcp
US 199.232.214.251:443 open.spotifycdn.com tcp
US 199.232.214.251:443 open.spotifycdn.com tcp
US 199.232.214.251:443 open.spotifycdn.com tcp
US 199.232.214.251:443 open.spotifycdn.com tcp
US 199.232.214.251:443 open.spotifycdn.com tcp
GB 142.250.200.14:443 www.googleoptimize.com tcp
GB 2.19.117.33:443 encore.scdn.co tcp
US 1.1.1.1:53 support.spotify.com udp
US 35.186.224.24:443 support.spotify.com tcp
US 35.186.224.24:443 support.spotify.com tcp
US 1.1.1.1:53 support.scdn.co udp
US 199.232.210.248:443 support.scdn.co tcp
US 199.232.210.248:443 support.scdn.co tcp
US 199.232.210.248:443 support.scdn.co tcp
US 199.232.210.248:443 support.scdn.co tcp
US 199.232.210.248:443 support.scdn.co tcp
US 199.232.210.248:443 support.scdn.co tcp
US 1.1.1.1:53 support.spotifycdn.com udp
US 199.232.210.250:443 support.spotifycdn.com tcp
US 1.1.1.1:53 www.scdn.co udp
US 199.232.210.248:443 www.scdn.co tcp
US 199.232.210.248:443 www.scdn.co tcp
GB 2.19.117.33:443 encore.scdn.co tcp
US 1.1.1.1:53 cdn.ampproject.org udp
GB 142.250.179.225:443 cdn.ampproject.org tcp
GB 142.250.179.225:443 cdn.ampproject.org tcp
US 1.1.1.1:53 encrypted-vtbn0.gstatic.com udp
GB 142.250.178.14:443 encrypted-vtbn0.gstatic.com tcp
US 1.1.1.1:53 www.spotify.com udp
US 1.1.1.1:53 www-growth.scdn.co udp
US 199.232.210.248:443 www-growth.scdn.co tcp
US 199.232.210.248:443 www-growth.scdn.co tcp
US 199.232.210.248:443 www-growth.scdn.co tcp
US 199.232.210.248:443 www-growth.scdn.co tcp
US 199.232.210.248:443 www-growth.scdn.co tcp
US 199.232.210.248:443 www-growth.scdn.co tcp
US 1.1.1.1:53 apresolve.spotify.com udp
US 35.186.224.24:443 apresolve.spotify.com tcp
GB 2.19.117.33:443 encore.scdn.co tcp
US 1.1.1.1:53 cdn.cookielaw.org udp
US 104.18.86.42:443 cdn.cookielaw.org tcp
US 104.18.86.42:443 cdn.cookielaw.org tcp
US 1.1.1.1:53 geolocation.onetrust.com udp
US 104.18.32.137:443 geolocation.onetrust.com tcp
US 1.1.1.1:53 pixel-static.spotify.com udp
US 1.1.1.1:53 pixel.spotify.com udp
US 1.1.1.1:53 spotify.demdex.net udp
US 1.1.1.1:53 idsync.rlcdn.com udp
IE 18.202.12.246:443 spotify.demdex.net tcp
US 35.244.174.68:443 idsync.rlcdn.com tcp
US 1.1.1.1:53 gew1-spclient.spotify.com udp
US 1.1.1.1:53 privacyportal-de.onetrust.com udp
US 1.1.1.1:53 spotify.link udp
US 35.186.224.26:443 gew1-spclient.spotify.com tcp
US 35.186.224.26:443 gew1-spclient.spotify.com tcp
US 172.64.155.119:443 privacyportal-de.onetrust.com tcp
US 13.56.74.51:443 spotify.link tcp
US 13.56.74.51:443 spotify.link tcp
US 1.1.1.1:53 spotify.app.link udp
GB 18.239.236.30:443 spotify.app.link tcp
US 1.1.1.1:53 static.ads-twitter.com udp
US 1.1.1.1:53 sc-static.net udp
US 1.1.1.1:53 t.contentsquare.net udp
GB 146.75.72.157:443 static.ads-twitter.com tcp
US 3.163.248.4:443 sc-static.net tcp
GB 13.224.132.116:443 t.contentsquare.net tcp
US 1.1.1.1:53 platform.twitter.com udp
US 1.1.1.1:53 js.adsrvr.org udp
US 1.1.1.1:53 cdn.branch.io udp
US 172.64.155.119:443 privacyportal-de.onetrust.com tcp
GB 146.75.72.157:443 platform.twitter.com tcp
GB 99.86.116.119:443 js.adsrvr.org tcp
US 1.1.1.1:53 sb.scorecardresearch.com udp
GB 18.245.218.34:443 cdn.branch.io tcp
US 1.1.1.1:53 sp.analytics.yahoo.com udp
GB 108.156.39.121:443 sb.scorecardresearch.com tcp
GB 108.156.39.121:443 sb.scorecardresearch.com tcp
IE 54.171.122.26:443 sp.analytics.yahoo.com tcp
US 1.1.1.1:53 4721227.fls.doubleclick.net udp
GB 142.250.187.198:443 4721227.fls.doubleclick.net tcp
US 1.1.1.1:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 1.1.1.1:53 t.co udp
US 1.1.1.1:53 analytics.twitter.com udp
US 1.1.1.1:53 app.link udp
US 172.66.0.227:443 t.co tcp
US 172.66.0.227:443 t.co tcp
US 172.66.0.227:443 t.co tcp
US 104.244.42.195:443 analytics.twitter.com tcp
US 104.244.42.195:443 analytics.twitter.com tcp
US 104.244.42.195:443 analytics.twitter.com tcp
US 1.1.1.1:53 tr.snapchat.com udp
US 35.190.43.134:443 tr.snapchat.com tcp
US 35.190.43.134:443 tr.snapchat.com tcp
US 35.190.43.134:443 tr.snapchat.com tcp
US 1.1.1.1:53 insight.adsrvr.org udp
US 3.33.220.150:443 insight.adsrvr.org tcp
US 1.1.1.1:53 c.contentsquare.net udp
US 3.33.220.150:443 insight.adsrvr.org tcp
US 1.1.1.1:53 player.vimeo.com udp
IE 46.137.111.148:443 c.contentsquare.net tcp
US 162.159.128.61:443 player.vimeo.com tcp
US 1.1.1.1:53 q-aeu1.contentsquare.net udp
IE 46.137.111.148:443 c.contentsquare.net tcp
US 1.1.1.1:53 api2.branch.io udp
IE 52.211.241.127:443 q-aeu1.contentsquare.net tcp
GB 18.172.153.41:443 api2.branch.io tcp
US 1.1.1.1:53 googleads.g.doubleclick.net udp
US 1.1.1.1:53 bat.bing.com udp
US 150.171.27.10:443 bat.bing.com tcp
US 1.1.1.1:53 tr6.snapchat.com udp
US 1.1.1.1:53 match.adsrvr.org udp
US 1.1.1.1:53 www.google.co.uk udp
GB 142.250.187.227:443 www.google.co.uk tcp
US 1.1.1.1:53 k-aeu1.contentsquare.net udp
IE 99.81.115.192:443 k-aeu1.contentsquare.net tcp
US 1.1.1.1:53 ib.adnxs.com udp
US 1.1.1.1:53 pixel.rubiconproject.com udp
US 1.1.1.1:53 cm.g.doubleclick.net udp
NL 185.89.210.153:443 ib.adnxs.com tcp
NL 69.173.156.148:443 pixel.rubiconproject.com tcp
US 1.1.1.1:53 region1.analytics.google.com udp
US 1.1.1.1:53 stats.g.doubleclick.net udp
BE 142.250.110.157:443 stats.g.doubleclick.net tcp
IE 99.81.115.192:443 k-aeu1.contentsquare.net tcp
GB 2.19.117.33:443 encore.scdn.co tcp
GB 172.217.16.227:443 tcp

Files

/data/user/0/com.xc3fff0e.xmanager/cache/image_manager_disk_cache/journal.tmp

MD5 8c92de9ce46d41a22f3b20f77404cc1d
SHA1 8671a6dca00edb72be47363a7071be65cf270373
SHA256 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274
SHA512 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56

/data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar

MD5 2c84bc0c28d4ac333d267f7a152b4039
SHA1 49e67f04004587ae351d5aba4da5f18644746864
SHA256 1eea5584eb2332554753b4beec7fe8e972bfb3eeadbe0c05dba33de267f25a00
SHA512 44ab6c390cac8b11bf43097293ef73bb620b1466fd671a945639198ea10dea425a0c9443b47752cc0a6689a6f5a7661b35f7a8a350ffcba30a72be60d5f18abd

/data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar

MD5 86ce3683020b3f28f4110aac9c769ff7
SHA1 876e0686440524927639a4797b2f13b12a26ce4a
SHA256 be852340e03b169a28811d1ff41582d19638d9fc0540f237ecb960c45bd07071
SHA512 04d03a9963ba49adf5d0d26a21b57e85e21416fcc3d479ce7522149d45f5ab630ff78e590e724695fe29850b08b4dccfa5051daf5d4e4afd9384f7183f887ddc