Malware Analysis Report

2024-12-07 19:22

Sample ID 241114-k1cs7swkes
Target xManager.apk
SHA256 901eae37c506484e432c8dd3d96b8cc52063cca98dfc65e7318545d0ac90369c
Tags collection credential_access discovery evasion impact persistence
Score 8/10


Analysis Overview

Score 8/10

SHA256 901eae37c506484e432c8dd3d96b8cc52063cca98dfc65e7318545d0ac90369c

Threat Level: Likely malicious

The file xManager.apk was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Checks if the Android device is rooted.

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries information about running processes on the device

Checks Android system properties for emulator presence.

Queries information about active data network

Requests dangerous framework permissions

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 09:03

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-14 09:03

Reported

2024-11-14 09:06

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

135s

Command Line

com.xc3fff0e.xmanager

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xc3fff0e.xmanager

Network

Country Destination Domain Proto

Files

/data/user/0/com.xc3fff0e.xmanager/cache/image_manager_disk_cache/journal.tmp

/data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar

/data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar

/data/user/0/com.xc3fff0e.xmanager/cache/oat/1613498354782.jar.cur.prof

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 09:03

Reported

2024-11-14 09:06

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

137s

Command Line

com.xc3fff0e.xmanager

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar N/A N/A
N/A /data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xc3fff0e.xmanager

logcat -c

logcat

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar --output-vdex-fd=139 --oat-fd=145 --oat-location=/data/user/0/com.xc3fff0e.xmanager/cache/oat/x86/1613498354782.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto

Files

/data/data/com.xc3fff0e.xmanager/cache/image_manager_disk_cache/journal.tmp

/data/data/com.xc3fff0e.xmanager/cache/1613498354782.jar

/data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar

/data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 09:03

Reported

2024-11-14 09:06

Platform

android-x64-20240624-en

Max time kernel

20s

Max time network

157s

Command Line

com.xc3fff0e.xmanager

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/app/Superuser.apk N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.xc3fff0e.xmanager

Network

Country Destination Domain Proto

Files

/data/data/com.xc3fff0e.xmanager/cache/image_manager_disk_cache/journal.tmp

/data/data/com.xc3fff0e.xmanager/cache/1613498354782.jar

/data/user/0/com.xc3fff0e.xmanager/cache/1613498354782.jar