Malware Analysis Report

2025-01-19 05:48

Sample ID 241125-1xagnsyldv
Target 43da1d4910671c4f7981b4231654a397d92429120a522b42c68cce8e61fad9ab.bin
SHA256 43da1d4910671c4f7981b4231654a397d92429120a522b42c68cce8e61fad9ab
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan
score
10/10

Analysis Overview

score
10/10

SHA256

43da1d4910671c4f7981b4231654a397d92429120a522b42c68cce8e61fad9ab

Threat Level: Known bad

The file 43da1d4910671c4f7981b4231654a397d92429120a522b42c68cce8e61fad9ab.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat stealth trojan

Hook family

Hook

Removes its main activity from the application launcher

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-25 22:01

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-25 22:01

Reported

2024-11-25 22:04

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

162s

Command Line

com.itydxxkhm.xkwvongzp

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Removes its main activity from the application launcher

stealth trojan evasion
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.itydxxkhm.xkwvongzp

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.itydxxkhm.xkwvongzp/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.196:443 | www.google.com | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
GB | 172.217.16.227:443 | update.googleapis.com | tcp

Files

/data/data/com.itydxxkhm.xkwvongzp/cache/classes.zip

MD5 a84dfbc1f649418fa4d07eaeb8189124
SHA1 eb3dcd69c1ee6c8563e92be87a122e3d59415b29
SHA256 76e0b06999012dd321e33daabacd4f54829114fe4cc636aa375e61a8438440bf
SHA512 58e230c8db2d137f4c414725d93a3304c3e0233779c2be5b73713f5b3bc873afdff2cea4df07a15ad173a65c2ce4284086901df3f4e657cd38811be05391273e

/data/data/com.itydxxkhm.xkwvongzp/cache/classes.dex

MD5 435f1f07b0da63a671693d5c6fe83d29
SHA1 c66b4affaef54d547519f95ced4ca9276cefaf4d
SHA256 d9f456aa73fd08ee2409d8e8094ad60b66cc06a7d3b4f96395989aad56b83ae0
SHA512 6d147615c1814d931042fec86b9dba10f04b3abe39bd2f4ba49815f794ad6ea6be879cb4a9bfb55648758fe59eacd992fb11cd77fc43defc7921da69159af57a

/data/data/com.itydxxkhm.xkwvongzp/app_dex/classes.dex

MD5 4e5da5820f3fa3385563e48c576d242c
SHA1 0d005d3a6fd947841dfa459e35abd25b4914cf42
SHA256 0b84ab8647fde050533424dd37160a3be9c4fff5850ef1a0bd8802eccf2ad797
SHA512 a6010b53520c7a70b0ca43075c9fa3d3db74961dfd950b02ab3047effa04a18a095a1635f73d61d5ed135fca7586f5e09e2b29abccbaf02550faa411d4c62d25

/data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex

MD5 0e51e1617e2d679cf23a8831e479d24f
SHA1 25e61566922fa903f9168661072900d2a3d53144
SHA256 5fcdbaa67667d929f4acd2ab366e1f97ef4394efd0affafc0e4af9dfa97e7bbf
SHA512 e0bdb4abe2bc9f862fc4421a98846ed576756d96efbf3955abe0bd99075c6300a0486428b4e6f94e9e23d6abd2eba8c84bfd3cd065f95bac851e41b7f7c764fb

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-journal

MD5 c4ad2bae59920c3dd904190beb3c5025
SHA1 9f46484b0563b623a68f26d7274839ca436c0d80
SHA256 00634054016cb5c1008f441aafd0e4d7c62d7fcb8ef15e8e0e2b5d9dab9fb180
SHA512 9414c5d747e14da9fa197d82465a8faf28496a5e29af0a86afa0968a50f8705cd63f16541585e1d5c974a6b85abb6325a69b62df123a318d230d5ce4c87b29aa

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 e58022028b6172a3dd6a3fdc67c80775
SHA1 0bfe5f818784ffd4c27b0ced9c23995f178507a6
SHA256 922f34997048d5e2bd2ca7745d32e093900b4fcb8c7c23f5e802fa236fce8890
SHA512 9003a4bff015c04f0458bc7555bed46894635343922f6aa988d2bdeebe78a7673d0a65f2445dd1347cb02f502f6c252fb1c7613572aac99f9dd9c8611cb83e23

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 1b216de17551ef184a52c87e163149a2
SHA1 e684487ed673aeaef2c30e705020ecb0921b222b
SHA256 640a078f038485cb982805df1dbf939314f10f6daa1e10ee7b4d94cf529dbd3c
SHA512 3513b7e3e8877536915b39041e50b48e92a854f1dc6af9f41405e92b0e81307674a067fab17bf4fc2f1def24fd619bb735a2afe2f5bb49704c1c3838db796ef2

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 e46c9a1648df517261808ff7c9c9fd71
SHA1 b091a2e252f64925fd22f4f71e0087b38da85fc1
SHA256 90b3491f627d33b693e1d9490e7f506652b83ea001b7b58ae5e7470816453a9d
SHA512 46d0d9763e88ce3b136aabb2329c84d2c2f6794ca676cbe55110f67c6d08668796d497630dcef69bb5742749bd4e39048b517062c4fde46f81af3b527ac67bd8

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-25 22:01

Reported

2024-11-25 22:04

Platform

android-x64-20240624-en

Max time kernel

130s

Max time network

159s

Command Line

com.itydxxkhm.xkwvongzp

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.itydxxkhm.xkwvongzp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.204.66:443 | | tcp

Files

/data/data/com.itydxxkhm.xkwvongzp/cache/classes.zip

MD5 a84dfbc1f649418fa4d07eaeb8189124
SHA1 eb3dcd69c1ee6c8563e92be87a122e3d59415b29
SHA256 76e0b06999012dd321e33daabacd4f54829114fe4cc636aa375e61a8438440bf
SHA512 58e230c8db2d137f4c414725d93a3304c3e0233779c2be5b73713f5b3bc873afdff2cea4df07a15ad173a65c2ce4284086901df3f4e657cd38811be05391273e

/data/data/com.itydxxkhm.xkwvongzp/cache/classes.dex

MD5 435f1f07b0da63a671693d5c6fe83d29
SHA1 c66b4affaef54d547519f95ced4ca9276cefaf4d
SHA256 d9f456aa73fd08ee2409d8e8094ad60b66cc06a7d3b4f96395989aad56b83ae0
SHA512 6d147615c1814d931042fec86b9dba10f04b3abe39bd2f4ba49815f794ad6ea6be879cb4a9bfb55648758fe59eacd992fb11cd77fc43defc7921da69159af57a

/data/data/com.itydxxkhm.xkwvongzp/app_dex/classes.dex

MD5 4e5da5820f3fa3385563e48c576d242c
SHA1 0d005d3a6fd947841dfa459e35abd25b4914cf42
SHA256 0b84ab8647fde050533424dd37160a3be9c4fff5850ef1a0bd8802eccf2ad797
SHA512 a6010b53520c7a70b0ca43075c9fa3d3db74961dfd950b02ab3047effa04a18a095a1635f73d61d5ed135fca7586f5e09e2b29abccbaf02550faa411d4c62d25

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-journal

MD5 c44c4fd1d9066ee449c2331afd845f66
SHA1 55e5a9723bf8127741c814b4816dbf8179348598
SHA256 f9ed4755de0129b525b7f59c3a2095ea77aa4a901b1c31173b79ae151c8cd659
SHA512 321da5e4429c3d25f89a5cd9c334c6e71e71cdae7a3a918327bdc02249b5d63f8be4b7ad781d18a808eab2fb643371c9c627be103bb9098418b02c9ced513301

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 54423b1c4b2366d5900440b259c9591b
SHA1 f7348047d13b247a8bb07bcedd050b2ae2ab2d56
SHA256 7e430a830614d0e71489d1ec8b2a1051e293b8ab8e6004f039ea7eecf5e28925
SHA512 deb8307691a3d84b4be5876203208f40e11c5e63a29f176952d01e29faeb9b9b9f9ef86d62d7b408d7a0db7131050875b1331a752766f3128b48c3fffb332eb4

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 f9b2e5c6abaf3da76127b0af51d9caf2
SHA1 22c8fb7db16af5b2ee00b91c664881d62fa26db4
SHA256 9c444bb24bcb221807e6f5adef18cac0d74a5c31aa7032fba31b29883df85645
SHA512 0efc3277d36a3825063d6122899ebf1f76aaa2041056b4cd1e581c8ab8b4f02daf6d738f8c73820788f72ac5df4fc2a3d2ed02c61e4f28712403e59285648068

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 39603b457e0c5eaf3ffe1cfec48dcf05
SHA1 396517dae613a881e57773bb2bd057bbc400a38c
SHA256 803d00d3239a512c7334e66db9c2951016810ee53dd8d66271d44849727d704f
SHA512 c5c5b13f314e76b48af497883920fa08cc83c0e742300481d5447830aa488042bb842a70629f6b42eedbe23e4b23869831e4f22bbe9a4ee52c4a15b71eb792b3

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-25 22:01

Reported

2024-11-25 22:04

Platform

android-x64-arm64-20240624-en

Max time kernel

130s

Max time network

161s

Command Line

com.itydxxkhm.xkwvongzp

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.itydxxkhm.xkwvongzp/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.itydxxkhm.xkwvongzp

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.16.232:443 | ssl.google-analytics.com | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
US | 154.216.17.184:80 | 154.216.17.184 | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.itydxxkhm.xkwvongzp/cache/classes.zip

MD5 a84dfbc1f649418fa4d07eaeb8189124
SHA1 eb3dcd69c1ee6c8563e92be87a122e3d59415b29
SHA256 76e0b06999012dd321e33daabacd4f54829114fe4cc636aa375e61a8438440bf
SHA512 58e230c8db2d137f4c414725d93a3304c3e0233779c2be5b73713f5b3bc873afdff2cea4df07a15ad173a65c2ce4284086901df3f4e657cd38811be05391273e

/data/data/com.itydxxkhm.xkwvongzp/cache/classes.dex

MD5 435f1f07b0da63a671693d5c6fe83d29
SHA1 c66b4affaef54d547519f95ced4ca9276cefaf4d
SHA256 d9f456aa73fd08ee2409d8e8094ad60b66cc06a7d3b4f96395989aad56b83ae0
SHA512 6d147615c1814d931042fec86b9dba10f04b3abe39bd2f4ba49815f794ad6ea6be879cb4a9bfb55648758fe59eacd992fb11cd77fc43defc7921da69159af57a

/data/data/com.itydxxkhm.xkwvongzp/app_dex/classes.dex

MD5 4e5da5820f3fa3385563e48c576d242c
SHA1 0d005d3a6fd947841dfa459e35abd25b4914cf42
SHA256 0b84ab8647fde050533424dd37160a3be9c4fff5850ef1a0bd8802eccf2ad797
SHA512 a6010b53520c7a70b0ca43075c9fa3d3db74961dfd950b02ab3047effa04a18a095a1635f73d61d5ed135fca7586f5e09e2b29abccbaf02550faa411d4c62d25

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-journal

MD5 7879fc99387bd88c85d50e18dc00d072
SHA1 bd9978d6c7c21478f6cc505ca7ec87e35d4ab42c
SHA256 dc0b6e67d565ca33e1b0c9ced21063203243e3d67175ba129659a8ca2abadbfc
SHA512 2828986aeb7d4ea95e19b84484759aabe5ac4c251c70dfa0858b2f033594dece73411ea71439e52c8b972c7605adecd495eb6643273434620a959d5a06e217b9

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 9a377bffb3c93360a0af0b28841d445d
SHA1 8f714892d5071018508b4b6550b7029e17693aa3
SHA256 a39c3a0bbd817c6626c45ac4573aad07986b2f4d95ad4f5517111828bd814823
SHA512 71b107afa0b4f9c632b482066f1298daaca670f3da4d1aec68a544cd3aaf6c27a5e31d015f7cc82679e0e6d0e1b0efe854ca4f72995a0d3833a80a84e77835a3

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 3f5f8a0af8c70bfa96387ecd28ba5c0d
SHA1 fa09c2799c7df40c8e9db6703c018775ae8cbab8
SHA256 4ef220d9d56089add82aab185513772b8b3589ef8117efe28ef60369f1866e13
SHA512 47a10e1fe6a2e8abdd0db02162f38ba032eb5a10f630658ef046299475c5864f92c13e2432f6b5a483f34a6dcbf2d6640f6d6012111011b73f79187095dc961b

/data/data/com.itydxxkhm.xkwvongzp/no_backup/androidx.work.workdb-wal

MD5 36a5f71b27ad4a751b9127d392919485
SHA1 8c0a1bbe17b1321f24b768721f34671c2254c11a
SHA256 4ddf7c4949579468a9fceddbbffc10ee76a8f218762cc97680e65dd14bf43060
SHA512 e518a1d68f25f27caa73967ecbb47d274fa463aaf72ca9e697b52b6736ead123aa1eb170f2e7a3eb195aaf4e7afc299e606063ccb931b481c6cf27bee794fb0d