Malware Analysis Report
2024-12-07 17:31

Sample ID: 241112-k8lq3ssnak
Target: shriek.mooing.juggle.irk.apk
SHA256: d5a5914de25dc220e934d8bac4323de7a5af2ca4fe60996d3acefbc3467f41e5
Tags: banker collection credential_access discovery evasion execution impact persistence stealth trojan
Score: 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 8/10
SHA256: d5a5914de25dc220e934d8bac4323de7a5af2ca4fe60996d3acefbc3467f41e5
Threat Level: Likely malicious

The file shriek.mooing.juggle.irk.apk was found to be: Likely malicious.

Malicious Activity Summary

Tags: banker collection credential_access discovery evasion execution impact persistence stealth trojan

Removes its main activity from the application launcher

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Requests enabling of the accessibility settings.

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-12 09:16

Signatures

Declares services with permission to bind to the system

Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Process / Target: N/A

Requests dangerous framework permissions

Indicator and description (Process and Target are N/A for every row):
android.permission.SCHEDULE_EXACT_ALARM: Allows applications to use exact alarm APIs.
android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.POST_NOTIFICATIONS: Allows an app to post notifications.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.RECEIVE_WAP_PUSH: Allows an application to receive WAP push messages.
android.permission.CAMERA: Required to be able to access the camera device.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-12 09:16
Reported: 2024-11-12 09:17
Platform: android-x86-arm-20240624-en
Max time kernel: 38s
Max time network: 42s

Command Line

shriek.mooing.juggle.irk

Signatures

Removes its main activity from the application launcher
Tags: stealth trojan evasion
Description / Indicator / Process / Target: N/A

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/data/shriek.mooing.juggle.irk/code_cache/decrypted.dex (3 occurrences)
Description / Process / Target: N/A

Makes use of the framework's Accessibility service
Tags: collection evasion credential_access
Description: Framework service call (Process / Target: N/A)
Indicators:
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
    android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Tags: banker discovery

Queries the phone number (MSISDN for GSM devices)
Tags: discovery

Performs UI accessibility actions on behalf of the user
Tags: evasion
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (8 occurrences)
Description / Process / Target: N/A

Queries information about active data network
Tags: discovery
Description: Framework service call
Indicator: android.net.IConnectivityManager.getActiveNetworkInfo
Process / Target: N/A

Queries the mobile country code (MCC)
Tags: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process / Target: N/A

Reads information about phone network operator.
Tags: discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).
Tags: evasion
Description: Intent action
Indicator: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
Process / Target: N/A

Requests enabling of the accessibility settings.
Description: Intent action
Indicator: android.settings.ACCESSIBILITY_SETTINGS
Process / Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)
Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process / Target: N/A

Schedules tasks to execute at a specified time
Tags: execution persistence
Description: Framework service call
Indicator: android.app.job.IJobScheduler.schedule
Process / Target: N/A

Uses Crypto APIs (Might try to encrypt user data)
Tags: impact
Description: Framework API call
Indicator: javax.crypto.Cipher.doFinal
Process / Target: N/A

Checks CPU information
Description: File opened for read
Indicator: /proc/cpuinfo
Process / Target: N/A

Checks memory information
Description: File opened for read
Indicator: /proc/meminfo
Process / Target: N/A

Processes

shriek.mooing.juggle.irk

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/shriek.mooing.juggle.irk/code_cache/decrypted.dex --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/data/shriek.mooing.juggle.irk/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination           Domain                              Proto
US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
AM       217.144.187.226:80    217.144.187.226                     tcp
GB       216.58.201.110:443    -                                   tcp
US       1.1.1.1:53            android.apis.google.com             udp
GB       216.58.213.14:443     android.apis.google.com             tcp
US       1.1.1.1:53            www.google.com                      udp
GB       142.250.187.196:443   www.google.com                      tcp
US       1.1.1.1:53            update.googleapis.com               udp
GB       172.217.16.227:443    update.googleapis.com               tcp
GB       142.250.178.10:443    semanticlocation-pa.googleapis.com  tcp

A "-" in the Domain column means the report recorded no domain for that connection.

Files

/data/data/shriek.mooing.juggle.irk/no_backup/androidx.work.workdb-journal
/data/data/shriek.mooing.juggle.irk/no_backup/androidx.work.workdb
/data/data/shriek.mooing.juggle.irk/no_backup/androidx.work.workdb-shm
/data/data/shriek.mooing.juggle.irk/no_backup/androidx.work.workdb-wal (listed 3 times with differing hashes)
/data/data/shriek.mooing.juggle.irk/code_cache/decrypted.dex (listed 3 times with differing hashes)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-12 09:16
Reported: 2024-11-12 09:19
Platform: android-x64-arm64-20240624-en
Max time kernel: 5s
Max time network: 134s

Command Line

shriek.mooing.juggle.irk

Signatures

Loads dropped Dex/Jar
Tags: evasion
Indicator: /data/data/shriek.mooing.juggle.irk/code_cache/decrypted.dex (2 occurrences)
Description / Process / Target: N/A

Processes

shriek.mooing.juggle.irk

Network

Country  Destination           Domain                    Proto
GB       142.250.180.14:443    -                         tcp
GB       142.250.180.14:443    -                         tcp
GB       142.250.180.14:443    -                         tcp
N/A      224.0.0.251:5353      -                         udp
US       1.1.1.1:53            android.apis.google.com   udp
GB       216.58.212.206:443    android.apis.google.com   tcp
US       1.1.1.1:53            ssl.google-analytics.com  udp
GB       142.250.200.40:443    ssl.google-analytics.com  tcp
GB       142.250.200.36:443    -                         tcp
GB       142.250.200.36:443    -                         tcp

A "-" in the Domain column means the report recorded no domain for that connection.

Files

/data/data/shriek.mooing.juggle.irk/no_backup/androidx.work.workdb-journal
/data/data/shriek.mooing.juggle.irk/no_backup/androidx.work.workdb
/data/data/shriek.mooing.juggle.irk/no_backup/androidx.work.workdb-shm
/data/data/shriek.mooing.juggle.irk/no_backup/androidx.work.workdb-wal (listed 2 times with differing hashes)
/data/data/shriek.mooing.juggle.irk/code_cache/decrypted.dex (listed 2 times with differing hashes)