Malware Analysis Report

2025-01-19 05:48

Sample ID 241124-1xm3rssjgw
Target 8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e.bin
SHA256 8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e

Threat Level: Known bad

The file 8dc420efd61e175140c215fb0f514c728312a1db2f2be48438ed1fe8a81eef0e.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Acquires the wake lock

Queries information about the current Wi-Fi connection

Performs UI accessibility actions on behalf of the user

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-24 22:01

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-24 22:01

Reported

2024-11-24 22:04

Platform

android-x64-arm64-20240624-en

Max time kernel

131s

Max time network

162s

Command Line

com.muzeauuvq.consstfgr

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.muzeauuvq.consstfgr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/com.muzeauuvq.consstfgr/cache/classes.zip

MD5 b003a2054e04d4cd3d0873dec66e4ec1
SHA1 2fce0eeee50bf02419aa57864cf67233e9ea5f8a
SHA256 fd7e64679ceefb7bb4e9c8b08d9997892b516ca6b2698f0f183965f946577443
SHA512 8e59945ccc15eb660dd0617d2dde7d06e073c07486c0e5ac5bc9d038780ef9f68cea3cc11c4f24ae7d0efd2159e6a40d677129960b8ecc7d34cb537d41217487

/data/data/com.muzeauuvq.consstfgr/cache/classes.dex

MD5 f227ac280380931d865e58cbfdc15752
SHA1 0bdffd65f16503727fcb0b678392150e2867ff66
SHA256 4a172f9862f44cee2068bbf6106aad4fec4b4d33327ad52a785a0e45de47f9ef
SHA512 45d328fe58bdaa47cfb260920d18278296b1741874461ff42d67a16ee1871dd113a2d6173c95bae0491d098a1a0d45700cf82d9d7f7d0498071e98d9cfc5e333

/data/data/com.muzeauuvq.consstfgr/app_dex/classes.dex

MD5 91945e8e9424b112b54c0b7d096e8140
SHA1 2a682040772ea08ee1cdaeadfa11d082c5e814a9
SHA256 65a4cb850f8259ccdd53097a96d12d6f21a63361fd4260e08740e57bebbc5a7f
SHA512 d0cd2e8c60bde9ae1251feece71d01dd02b640ee3331def50dadb82fe01eaf6eb29e99a4b8ebbf65378ad0f8e2ed6e0260e12a7994c7979ae77883d6989f5fb1

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-journal

MD5 3aec06585fa534a5c09aaa0cd48ea8dd
SHA1 92ee0705d204f82b512f469f72d09b86ff1148a5
SHA256 96dcabe0d6ffa0ca336a6f66538af26836d1a00a11814b75c5b9a9bf1b631bac
SHA512 f3dba8910b9c0dd12fe0f6d49a216771d5fc47036162ef3f99923497ba0b120a9ddaa3d531195c06fa823e1c8fffd6c4fd1a2129f5eb2fea5adc584414a0a39c

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 239e8a78704ad72977651a1c613933c0
SHA1 d91d8a6d0babd505ed24d4834290547d5a658674
SHA256 40e23066cf988d289fbedd9c6727b4992625161f6e2daef961447b36fe996494
SHA512 a4dcd63b47f1db911a54a955d670ad5fa4c10c65251ebc520b4a43f18a94da20745c16bf8c0998df4fbabe64cb662ca3c243283a7aa4558894f29aff6278f394

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 54eaa0f33926ccbf5e143db428b6a067
SHA1 54e080b83667f005549dffa3af76c6515c198dbe
SHA256 f760072bc0ddf58d41e54be339044a877367f54499609c7402c6c744c2cd6fe3
SHA512 310e5e14c44e15b470a40d35a875f2f214592d9a89ad19a0d49736ea3df99195112a73dcc64a47570131dda0d685e8bc75c890fc7cd8af58cd17dda1bc29fcd7

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 b317480d930df23376e801b020f94908
SHA1 fd07a1f27ac80ebb0c6e83a21da7a567b4664af9
SHA256 613d1800d82087e28c9f4aac6fbca1e374e23823495fff3dc0301503b81f1ccd
SHA512 b52ab80040615e5459342306cf5ad05ca68a7be5d426c7b2fbe8465fc45b8c2e88786c9123cca76c1220568bfebf95c53fb0d217a430b796065dd07aa120765a

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-24 22:01

Reported

2024-11-24 22:04

Platform

android-x86-arm-20240624-en

Max time kernel

147s

Max time network

158s

Command Line

com.muzeauuvq.consstfgr

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.muzeauuvq.consstfgr

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.muzeauuvq.consstfgr/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp

Files

/data/data/com.muzeauuvq.consstfgr/cache/classes.zip

MD5 b003a2054e04d4cd3d0873dec66e4ec1
SHA1 2fce0eeee50bf02419aa57864cf67233e9ea5f8a
SHA256 fd7e64679ceefb7bb4e9c8b08d9997892b516ca6b2698f0f183965f946577443
SHA512 8e59945ccc15eb660dd0617d2dde7d06e073c07486c0e5ac5bc9d038780ef9f68cea3cc11c4f24ae7d0efd2159e6a40d677129960b8ecc7d34cb537d41217487

/data/data/com.muzeauuvq.consstfgr/cache/classes.dex

MD5 f227ac280380931d865e58cbfdc15752
SHA1 0bdffd65f16503727fcb0b678392150e2867ff66
SHA256 4a172f9862f44cee2068bbf6106aad4fec4b4d33327ad52a785a0e45de47f9ef
SHA512 45d328fe58bdaa47cfb260920d18278296b1741874461ff42d67a16ee1871dd113a2d6173c95bae0491d098a1a0d45700cf82d9d7f7d0498071e98d9cfc5e333

/data/data/com.muzeauuvq.consstfgr/app_dex/classes.dex

MD5 91945e8e9424b112b54c0b7d096e8140
SHA1 2a682040772ea08ee1cdaeadfa11d082c5e814a9
SHA256 65a4cb850f8259ccdd53097a96d12d6f21a63361fd4260e08740e57bebbc5a7f
SHA512 d0cd2e8c60bde9ae1251feece71d01dd02b640ee3331def50dadb82fe01eaf6eb29e99a4b8ebbf65378ad0f8e2ed6e0260e12a7994c7979ae77883d6989f5fb1

/data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex

MD5 b9430a2b2c5bbf32bca5642e1a86c050
SHA1 83eab457c72953ca5503d956c508b868e071aaba
SHA256 0aa0e212c793277828347d736d4de9d44856d47f143a421eeb5285afb33ad3fc
SHA512 c7ad78ebafa3a55c25001ccded7c042150c4c8b09476f75f6db12b86851629e0022e3793ca685cf59699e3876151166b204ff43a2d7017a474a778fe143aa520

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-journal

MD5 e1e758aaf86a13bfa08b71c86c5c6374
SHA1 9a766d4a8a6114b6c278d99585a8d6eef029b8b3
SHA256 2d91e623bcb94a9b9cf11967c5b3397dca698200f1d685a3cff87c7216ad1b77
SHA512 717c257787445e172429cbd6feb2a1824cd0c2dbfd128599a54d802da600558e52c17d14c9091175c9d036fb1ec2cb84e7c89c00879e10203def45759a3bb483

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 01d4fecdb2bfff7b10d4c0ae5a0af391
SHA1 485d24644731c68f59b54723fa1f403a9705e26c
SHA256 30854a92d692fda00870fcb8f069650212687b5a39404bb72fdc51253b7bed2f
SHA512 e6cd85a8c5f8cbf326ecca28a55a78ae7e0fb8decb1e8e64127a9bfba7bd260b5df336d2a884c3bd01b111e73e6c53ecd962a8c0dc4c49a61ba1e9de8bf3a9d8

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 95aee670571021d6b537c765c3e3078a
SHA1 3f4f171f3acc55a2a215d10904b10e7cfbf1a512
SHA256 dc922b258424b594464b6216beb39129865791f4000c75f0af6e12305bb3b0ff
SHA512 0a50b468f860273dcf2b9752dc00bf1871e175bec91a6ed079c0005e48e356d48da72bb2646725aa36f469f5d5a4ab374f74ea46b9ecdd975b4ecd92d5232d9e

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 5ba6200b5a9ce6cca8f24ca3999727e9
SHA1 8e9fa3d663df61a768beaeb1aee97eb4595215ab
SHA256 4e98e299be375a38d6d42fe0f4d800ced6d653c4b890f6dedbfa444be4c523f2
SHA512 228c0c1e75063ab9a2a4f5d640e86fcf07aced9701de6f601b9184553f347d07f868a512bb0da1b477d08fde2c119fa8480540cca91401a3e6f4098251d25b88

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-24 22:01

Reported

2024-11-24 22:04

Platform

android-x64-20240624-en

Max time kernel

15s

Max time network

159s

Command Line

com.muzeauuvq.consstfgr

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.muzeauuvq.consstfgr/app_dex/classes.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.muzeauuvq.consstfgr

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
GB | 216.58.213.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp
GB | 172.217.16.227:443 | | tcp
BE | 142.251.173.188:5228 | | tcp
US | 216.239.38.223:443 | | tcp
GB | 142.250.187.228:443 | | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 64.233.184.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | udp
GB | 216.58.204.68:443 | www.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 216.58.212.202:443 | g.tenor.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
GB | 172.217.169.42:443 | mdh-pa.googleapis.com | tcp
US | 1.1.1.1:53 | safebrowsing.googleapis.com | udp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 216.58.204.78:443 | www.youtube.com | udp
GB | 216.58.204.78:443 | www.youtube.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | growth-pa.googleapis.com | udp
GB | 216.58.204.74:443 | growth-pa.googleapis.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.179.238:443 | www.youtube.com | udp
GB | 142.250.179.238:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp

Files

/data/data/com.muzeauuvq.consstfgr/cache/classes.zip

MD5 b003a2054e04d4cd3d0873dec66e4ec1
SHA1 2fce0eeee50bf02419aa57864cf67233e9ea5f8a
SHA256 fd7e64679ceefb7bb4e9c8b08d9997892b516ca6b2698f0f183965f946577443
SHA512 8e59945ccc15eb660dd0617d2dde7d06e073c07486c0e5ac5bc9d038780ef9f68cea3cc11c4f24ae7d0efd2159e6a40d677129960b8ecc7d34cb537d41217487

/data/data/com.muzeauuvq.consstfgr/cache/classes.dex

MD5 f227ac280380931d865e58cbfdc15752
SHA1 0bdffd65f16503727fcb0b678392150e2867ff66
SHA256 4a172f9862f44cee2068bbf6106aad4fec4b4d33327ad52a785a0e45de47f9ef
SHA512 45d328fe58bdaa47cfb260920d18278296b1741874461ff42d67a16ee1871dd113a2d6173c95bae0491d098a1a0d45700cf82d9d7f7d0498071e98d9cfc5e333

/data/data/com.muzeauuvq.consstfgr/app_dex/classes.dex

MD5 91945e8e9424b112b54c0b7d096e8140
SHA1 2a682040772ea08ee1cdaeadfa11d082c5e814a9
SHA256 65a4cb850f8259ccdd53097a96d12d6f21a63361fd4260e08740e57bebbc5a7f
SHA512 d0cd2e8c60bde9ae1251feece71d01dd02b640ee3331def50dadb82fe01eaf6eb29e99a4b8ebbf65378ad0f8e2ed6e0260e12a7994c7979ae77883d6989f5fb1

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-journal

MD5 fb43b8097542cf43b51594ca1d9fe2c7
SHA1 aae0d8c8309e4787aa01fa24a0bc68727c5dbfb2
SHA256 1c0ddbe1d15884a42205a0630e0b85cf0d996c05267364a4b6699f8925636c8e
SHA512 0fa0216290fb930b944e1492f9c36c0dae6ccdfdd9e30fb8dde65a727b04f09285fa7bdb3f0161dc825dd7a46059e0587173784d39838c761d697f063667133f

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 12b857a0bd631e31b107fe1c5c9eecec
SHA1 928c6a0bfae27e6e8efb5fd70970f0ce1febb4d2
SHA256 d59a70017bad44a959be91b2b23335d713607f652d7066fe41c2febf18f784fb
SHA512 5237475fbef8f1ccb88fb235b1adff38379eae181cd665619525c1485c466b019a23f61d15f0c7983d8a84420214b50ce2ce3d9341cf66b868bf4fd2c36122be

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 e6615d73857b6d015919f38c94c27338
SHA1 4b2f460bab5c872808ef9746c42cf18847bc6beb
SHA256 bed84dc189e9e78e6434f41a185db13416920fd4db239530964d4bfe986908fc
SHA512 b9cc659251ce64bc835f2570b3390e83e6663f6cc11abeff9f0432d556070a0d4e87dfe58bac9d9cddab4c8dbfa6e2dd479f15843059f6ed79db2837bc36cf62

/data/data/com.muzeauuvq.consstfgr/no_backup/androidx.work.workdb-wal

MD5 8218e0c1f53922c181f61c6131c44631
SHA1 4608de7a4d1878e3af5a03554517ee0a93331c8f
SHA256 5c0ffa79f45b6f80e1d35550bbda50d0779e901a257749eff8135ea8d9bdbe56
SHA512 3727d837c6d5d83befabb0b1563f62a46994f9d183c95279876c15f6eb173ef6c78ae31c9169d1a1bc096777a8a156d722923f8f7794a92a5ff8778f40754e79