Malware Analysis Report

2025-01-19 05:47

Sample ID 241202-1y36da1man
Target d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be.bin
SHA256 d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be
Tags
hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Mobile Matrix v15)
  Analysis: static1
    Detonation Overview, Signatures
  Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be

Threat Level: Known bad

The file d2faa03050cd15ad97c0108c451f00b074228ee8235dce87d546ee45846f93be.bin was classified as known bad. The static and behavioral runs below attribute it to the Hook Android trojan family (tagged rat, trojan, infostealer): an obfuscated APK that requests SMS, call, contact, overlay and accessibility permissions, drops and loads a second-stage DEX at runtime, reads the screen and clipboard through the Accessibility service, and repeatedly connects to a cleartext HTTP endpoint at 94.141.120.34:80.

Malicious Activity Summary

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Performs UI accessibility actions on behalf of the user

Attempts to obfuscate APK file format

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Reads information about phone network operator

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Queries information about the current Wi-Fi connection

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

MITRE ATT&CK

Mobile Matrix v15. Tactics tagged on the signatures below: Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence.

Analysis: static1

Detonation Overview

Reported

2024-12-02 22:04

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

  android.permission.BIND_DEVICE_ADMIN - Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

  android.permission.BIND_NOTIFICATION_LISTENER_SERVICE - Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
  android.permission.BIND_ACCESSIBILITY_SERVICE - Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions

  android.permission.CAMERA - Required to be able to access the camera device.
  android.permission.WRITE_EXTERNAL_STORAGE - Allows an application to write to external storage.
  android.permission.READ_EXTERNAL_STORAGE - Allows an application to read from external storage.
  android.permission.READ_SMS - Allows an application to read SMS messages.
  android.permission.SEND_SMS - Allows an application to send SMS messages.
  android.permission.RECEIVE_SMS - Allows an application to receive SMS messages.
  android.permission.READ_PHONE_STATE - Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  android.permission.READ_PHONE_NUMBERS - Allows read access to the device's phone number(s).
  android.permission.READ_CALL_LOG - Allows an application to read the user's call log.
  android.permission.CALL_PHONE - Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
  android.permission.ACCESS_COARSE_LOCATION - Allows an app to access approximate location.
  android.permission.READ_CONTACTS - Allows an application to read the user's contacts data.
  android.permission.WRITE_CONTACTS - Allows an application to write the user's contacts data.
  android.permission.GET_ACCOUNTS - Allows access to the list of accounts in the Accounts Service.
  android.permission.SYSTEM_ALERT_WINDOW - Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
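The static signatures above are a manifest-level pattern: a screen-reading accessibility service, a notification listener, a device-admin receiver, and SMS/call/contact/overlay permissions in one package. The following triage script, an added example that is not part of the sandbox report or the sample, checks a decoded AndroidManifest.xml for exactly that combination. It assumes the manifest has already been converted from binary AXML to plain XML (apktool or androguard do this); the component class names in the constructed sample (.AccService, .NotifService, .AdminReceiver) are placeholders, not names recovered from the APK.

```python
"""Triage a decoded AndroidManifest.xml for the permission and component
pattern reported under static1. Added example, not sandbox or sample code.
Assumption: the manifest has already been decoded from binary AXML to plain
XML (apktool or androguard do this); the component class names in the
constructed sample below (.AccService etc.) are placeholders, not names
recovered from the APK."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups that, taken together, read as an Android banker/RAT
# rather than a legitimate app. A group counts only if every member is present.
RISK_CLUSTERS = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "telephony_abuse": {"android.permission.CALL_PHONE",
                        "android.permission.SEND_SMS"},
    "contact_harvest": {"android.permission.READ_CONTACTS",
                        "android.permission.GET_ACCOUNTS"},
}
# System-only bind permissions on a service/receiver: once the user enables
# the component, the app can read the screen, read notifications, or act as
# device admin respectively.
PRIVILEGED_BINDS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
}


def triage_manifest(xml_text: str) -> dict:
    """Return the permission set, privileged components and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    binds = {}
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            perm = comp.get(ANDROID_NS + "permission")
            if perm in PRIVILEGED_BINDS:
                binds[PRIVILEGED_BINDS[perm]] = comp.get(ANDROID_NS + "name")
    clusters = sorted(name for name, need in RISK_CLUSTERS.items() if need <= perms)
    # The defining banker tell: an accessibility service (screen reading,
    # performGlobalAction) combined with overlay windows for fake login screens.
    overlay_combo = "accessibility_service" in binds and "overlay_phishing" in clusters
    verdict = "likely banker/RAT" if overlay_combo and len(clusters) >= 3 else "review"
    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "privileged_binds": binds,
        "risk_clusters": clusters,
        "accessibility_overlay_combo": overlay_combo,
        "verdict": verdict,
    }


# Constructed sample: the 15 dangerous permissions and three bind permissions
# listed in the static1 section, wrapped in a minimal decoded manifest.
_PERMS = ["CAMERA", "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "READ_SMS",
          "SEND_SMS", "RECEIVE_SMS", "READ_PHONE_STATE", "READ_PHONE_NUMBERS",
          "READ_CALL_LOG", "CALL_PHONE", "ACCESS_COARSE_LOCATION", "READ_CONTACTS",
          "WRITE_CONTACTS", "GET_ACCOUNTS", "SYSTEM_ALERT_WINDOW"]
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
    'package="com.zwuiaeqza.wxdlfyvob">'
    + "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in _PERMS)
    + '<application>'
    '<service android:name=".AccService" '
    'android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
    '<service android:name=".NotifService" '
    'android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>'
    '<receiver android:name=".AdminReceiver" '
    'android:permission="android.permission.BIND_DEVICE_ADMIN"/>'
    '</application></manifest>'
)

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The verdict threshold (accessibility plus overlay plus at least three clusters) is deliberately conservative: a legitimate SMS client or dialer can hold one or two of these groups, but none needs a screen-reading service and overlay windows as well.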

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 22:04

Reported

2024-12-02 22:07

Platform

android-x86-arm-20240624-en

Max time kernel

148s

Max time network

158s

Command Line

com.zwuiaeqza.wxdlfyvob

Signatures

Hook [rat, trojan, infostealer, hook]

Hook family [hook]

Loads dropped Dex/Jar [evasion]
  /data/user/0/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex (3 load events)

Makes use of the framework's Accessibility service [collection, evasion, credential_access]
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries information about running processes on the device [discovery]
  Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices) [discovery]

Acquires the wake lock
  Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service [evasion, persistence]
  Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user [evasion]
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls)

Queries information about the current Wi-Fi connection [discovery]
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) [discovery]
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Registers a broadcast receiver at runtime (usually for listening for system events) [persistence]
  Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time [execution, persistence]
  Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data) [impact]
  Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information
  File opened for read: /proc/cpuinfo

Checks memory information
  File opened for read: /proc/meminfo

Processes

com.zwuiaeqza.wxdlfyvob

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zwuiaeqza.wxdlfyvob/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

The dex2oat invocation is ART compiling the second-stage DEX the app wrote to app_dex/classes.dex, i.e. the on-device trace of the dynamic code load flagged under "Loads dropped Dex/Jar". The --class-loader-context argument is cut off in the captured command line.

Network

Country Destination Domain Proto Connections
N/A 224.0.0.251:5353 - udp 1
GB 142.250.200.10:443 - tcp 1
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp 1
RU 94.141.120.34:80 - tcp 12
GB 142.250.200.46:443 - tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
GB 142.250.178.14:443 android.apis.google.com tcp 1

18 connections in total. All 12 connections to 94.141.120.34:80 were cleartext HTTP to a hard-coded address: no DNS lookup for it appears in the trace.
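The sandbox emits the network table as one row per connection, which buries the one interesting endpoint under emulator background traffic. The script below, an added example rather than sandbox output, collapses the behavioral1 rows into per-endpoint counts and ranks command-and-control candidates by the two properties that matter here: no DNS resolution observed and cleartext HTTP. The rows in NETWORK_TABLE are copied from the behavioral1 run above; the allow-list of resolver, mDNS, Google domain suffixes and Google (AS15169) prefixes used to suppress noise is an analyst assumption, not something the report states.

```python
"""Collapse the flattened 'Country Destination Domain Proto' network table
(one row per connection) into per-endpoint counts and rank C2 candidates.
Added example, not part of the sandbox output. The rows in NETWORK_TABLE are
copied from the behavioral1 run. The allow-list of resolver/mDNS/Google
infrastructure is an analyst assumption used to suppress emulator background
traffic, not something the report states."""
from collections import Counter
import ipaddress

NETWORK_TABLE = """\
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
RU 94.141.120.34:80 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
RU 94.141.120.34:80 tcp
"""

# Background traffic expected from the emulator itself (assumption).
RESOLVER, MDNS = "1.1.1.1:53", "224.0.0.251:5353"
EXPECTED_DOMAIN_SUFFIXES = (".googleapis.com", ".google.com", ".youtube.com",
                            ".google-analytics.com")
# Google (AS15169) prefixes the GB-geolocated :443 connections fall into;
# an assumption for noise suppression, re-check against WHOIS if reused.
EXPECTED_NETS = [ipaddress.ip_network(n) for n in
                 ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19", "216.239.32.0/19")]


def parse_rows(table: str) -> list:
    """Rows carry 3 tokens (no resolved domain) or 4 (domain present)."""
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def is_expected(dest: str, domain) -> bool:
    """True for resolver/mDNS traffic, allow-listed domains and Google prefixes."""
    if dest in (RESOLVER, MDNS):
        return True
    if domain and domain.endswith(EXPECTED_DOMAIN_SUFFIXES):
        return True
    host = ipaddress.ip_address(dest.rsplit(":", 1)[0])
    return any(host in net for net in EXPECTED_NETS)


def summarise(table: str) -> dict:
    rows = parse_rows(table)
    counts = Counter((r["dest"], r["proto"]) for r in rows)
    resolved = {r["dest"]: r["domain"] for r in rows if r["domain"]}
    candidates = []
    for (dest, proto), n in counts.items():
        domain = resolved.get(dest)
        if is_expected(dest, domain):
            continue
        country = next(r["country"] for r in rows if r["dest"] == dest)
        candidates.append({
            "dest": dest, "proto": proto, "country": country, "connections": n,
            # Direct-to-IP (no DNS lookup observed) plus cleartext HTTP is the
            # classic hard-coded C2 pattern.
            "no_dns": domain is None,
            "cleartext_http": dest.endswith(":80"),
        })
    candidates.sort(key=lambda c: c["connections"], reverse=True)
    return {"connections": len(rows), "per_endpoint": dict(counts),
            "c2_candidates": candidates}


if __name__ == "__main__":
    s = summarise(NETWORK_TABLE)
    print(f"{s['connections']} connections, {len(s['per_endpoint'])} distinct endpoints")
    for c in s["c2_candidates"]:
        print("C2 candidate:", c)
```

Run against the behavioral2 and behavioral3 tables the same endpoint surfaces with the same count of 12, which is the kind of consistency worth checking before turning an address into a blocking indicator.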

Files

/data/data/com.zwuiaeqza.wxdlfyvob/cache/classes.zip

MD5 1bff0e8aeaf91a1cb1533ac459905f76
SHA1 159198260758dbfea33121c1974816c81da381dd
SHA256 6c633f4631ceca59a98a5071b7be36596f35211848c8f4fb07d0a2e19d446ec0
SHA512 9e5e6439f3e35f215e6a19f86594f15439191f688b03329737f15837b306aea97d1965bed623183c106a23da157d446e6602a1bb07a5b7818d12ba0540cc606b

/data/data/com.zwuiaeqza.wxdlfyvob/cache/classes.dex

MD5 5d61b8465fde28f4f65eccfe6b4b4814
SHA1 9fe6ac6e4134eb6ec160b3c6b0e887046e49bd9a
SHA256 dda4d0e0c91e06c04b16e6cf8b425d99323cdf4caade9ccdbe86decfea41bdd1
SHA512 59c407ee9e7ee97fb1424769d50863de0571839c2c8d625daabe6e4b9ba6100978720edbf0fed90646341b46364e94435f4b6c0738d842718aba0d3c3e9ceac9

/data/data/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex

MD5 dedc5af2004e162e3c8b7b1eb6c72653
SHA1 0d78a1a711fad8c620fd1ab53549545d1e858ae6
SHA256 a9f29e0b8b87d2e52c627924a98bad036f62efc59bb279e7b34193e26ff7a969
SHA512 cecfcff0abeceb4989ddb2e7e06890a7a54b4d55227fd0bb618a60f5d186ea27f2d2c39803ba78f6b45eac22ea3e317a742e8fcfb76230cc5dddca5b221cabe6

/data/user/0/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex

MD5 3ce21793b9a0778b610e1bb9ee3f1972
SHA1 8c820891bf196a717147d275bd61b0efe8e67563
SHA256 bd6955218fd0a1f1c2bd5cd396a1c7b24ee0c837c451a63cbb75f942ca11da1a
SHA512 045062c555196bb1bf0b41242a747d83b0d6f9bab20698066193fca2b818eb4437f3fd9142599a4b2b93c868accbd60f0f6efa68c21c93ccfa53de649393a5dc

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-journal

MD5 819a8392c8ec6e860449a83343d00703
SHA1 f0f429852b8bbebf99f7076a39e0a3dba6dc03bf
SHA256 c673567feb83d9a12ddef888133d4c7fc16b5d63f2d3d762d099c96f50bfd152
SHA512 770a09760b52fec225e89caa388778967538fa319347a03b2fe4a0f0c5bbd0a24488a17c8fe5ee22f2f73116f1294f317f9e48b3809863a2d3156685cf380ace

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 0f2cd2f77b78dceed09a22d50d3c78af
SHA1 274011cf81e8957e4fc1c6a50dc93042700c22a5
SHA256 35e574330702cd0eb5fb856e7e36b6c129778536acda4542c49b5be267d9956c
SHA512 6ee25b70dda583e8d2aa7a69e806dfd96d752ebc4f9ec2c721700f376245b06d43db0c6666933c4ffc783f5baddd8fd4d63451d9920048841588f00956d983e5

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 5dd73ebc6598032184e0c05fc293f6e8
SHA1 333f346e7e9d3e6104652f279c2830f197856bf4
SHA256 9204d839031f80e6ec7ce8d32cb0b9d230bce1a92342127b66d2d7429b8d698d
SHA512 a297929b2b023ffe022a1ee89814e183a367dc9cfc73a545ce7970955f9037746ee92584e92e72f64c9ed2fe5a0d669b3774e60d7ebe74ce09cda159236f41e3

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 99b3101e5793ca19ef8f6e2bff8ad08f
SHA1 b12b825812b2478042d68168a8761c2b348f7048
SHA256 bb92face675337faf34098e47d5d17d7794c6581234fe31adfcf5aa78fda32a4
SHA512 e6b0a1848b69e483580631baf1d0bb01ec210a2416e3204fe2a558f465f5b80025adb72fe90fc01eea9fc5a58ca7212bab704bfecf2adcf3a4f0baf8468dac32
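The Files list records the second stage as it is staged: cache/classes.zip, the classes.dex extracted from it, and the copy in app_dex/classes.dex that dex2oat compiles. Before handing any of these to a decompiler it is worth confirming they are intact DEX files and computing their hashes so they can be matched to the hash columns above. The script below is an added example, not sandbox code; it parses the 0x70-byte DEX header, recomputes the Adler-32 checksum and SHA-1 signature the format specifies, and unwraps a zip-packaged payload the way the dropped classes.zip would be handled. The DEX it builds for itself is a constructed header-only file (no classes) so the block runs offline; point inspect_dropped_payload() at the real dropped files.

```python
"""Validate a payload dropped to the app's private storage (cache/classes.zip,
cache/classes.dex and app_dex/classes.dex in the Files lists) before loading
it into a decompiler: check the DEX magic, recompute the header's Adler-32
checksum and SHA-1 signature, and hash the file so it can be matched against
the report's hash columns. Added example, not sandbox code. The DEX produced
by build_constructed_dex() is a constructed header-only file (no classes) so
the block runs offline; point inspect_dropped_payload() at real dropped files."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_LEN = 0x70
DEX_MAGICS = tuple(b"dex\n" + v + b"\x00" for v in (b"035", b"037", b"038", b"039"))
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Parse the 0x70-byte DEX header and verify its integrity fields."""
    if len(data) < DEX_HEADER_LEN or data[:8] not in DEX_MAGICS:
        return {"is_dex": False}
    checksum = struct.unpack_from("<I", data, 8)[0]
    signature = data[12:32]
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    return {
        "is_dex": True,
        "version": data[4:7].decode(),
        "header": fields,
        "file_size_ok": fields["file_size"] == len(data),
        "header_size_ok": fields["header_size"] == DEX_HEADER_LEN,
        "little_endian": fields["endian_tag"] == 0x12345678,
        # Per the DEX format: the checksum covers everything after itself
        # (offset 12 onward), the signature everything after itself (offset 32).
        "checksum_ok": checksum == zlib.adler32(data[12:]) & 0xFFFFFFFF,
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def inspect_dropped_payload(blob: bytes, name: str = "<blob>") -> list:
    """A dropped payload is either a zip wrapping one or more .dex entries
    (cache/classes.zip in the report) or a bare DEX; report each DEX found."""
    if blob[:4] == b"PK\x03\x04":
        results = []
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.filename.endswith(".dex"):
                    result = parse_dex_header(zf.read(info))
                    result["name"] = f"{name}!{info.filename}"
                    results.append(result)
        return results
    result = parse_dex_header(blob)
    result["name"] = name
    return [result]


def build_constructed_dex() -> bytes:
    """Constructed header-only DEX 035 with every table empty; checksum and
    signature are filled in the way the format defines, so it parses as intact."""
    body = struct.pack("<20I", DEX_HEADER_LEN, DEX_HEADER_LEN, 0x12345678, *([0] * 17))
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return DEX_MAGICS[0] + struct.pack("<I", checksum) + signature + body


def wrap_in_zip(dex: bytes, entry: str = "classes.dex") -> bytes:
    """Constructed stand-in for the dropped cache/classes.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(entry, dex)
    return buf.getvalue()


if __name__ == "__main__":
    dex = build_constructed_dex()
    for r in (inspect_dropped_payload(wrap_in_zip(dex), "classes.zip")
              + inspect_dropped_payload(dex, "classes.dex")):
        print(r["name"], "dex" if r["is_dex"] else "not dex",
              "checksum ok" if r.get("checksum_ok") else "CHECKSUM MISMATCH",
              r.get("sha256"))
```

A checksum or signature mismatch on a real dropped file usually means the sandbox captured it mid-write or the loader patches the header after the first load; either way the copy should not be trusted as the bytes that actually executed.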

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 22:04

Reported

2024-12-02 22:07

Platform

android-x64-20240624-en

Max time kernel

148s

Max time network

158s

Command Line

com.zwuiaeqza.wxdlfyvob

Signatures

Hook [rat, trojan, infostealer, hook]

Hook family [hook]

Loads dropped Dex/Jar [evasion]
  /data/user/0/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex (2 load events)

Makes use of the framework's Accessibility service [collection, evasion, credential_access]
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId

Obtains sensitive information copied to the device clipboard [collection, credential_access, impact]
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries information about running processes on the device [discovery]
  Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices) [discovery]

Acquires the wake lock
  Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service [evasion, persistence]
  Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user [evasion]
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls)

Queries information about the current Wi-Fi connection [discovery]
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) [discovery]
  Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone

Reads information about phone network operator [discovery]

Registers a broadcast receiver at runtime (usually for listening for system events) [persistence]
  Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time [execution, persistence]
  Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data) [impact]
  Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information
  File opened for read: /proc/cpuinfo

Checks memory information
  File opened for read: /proc/meminfo

Processes

com.zwuiaeqza.wxdlfyvob

Network

Country Destination Domain Proto Connections
N/A 224.0.0.251:5353 - udp 1
US 1.1.1.1:53 ssl.google-analytics.com udp 1
GB 172.217.16.232:443 ssl.google-analytics.com tcp 1
RU 94.141.120.34:80 - tcp 12
GB 142.250.180.14:443 - tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
GB 172.217.169.46:443 android.apis.google.com tcp 1
GB 172.217.16.228:443 - tcp 2
GB 142.250.179.238:443 - tcp 1
GB 142.250.200.34:443 - tcp 1

22 connections in total; as in behavioral1, 12 cleartext HTTP connections went to 94.141.120.34:80 with no DNS lookup observed.

Files

/data/data/com.zwuiaeqza.wxdlfyvob/cache/classes.zip

MD5 1bff0e8aeaf91a1cb1533ac459905f76
SHA1 159198260758dbfea33121c1974816c81da381dd
SHA256 6c633f4631ceca59a98a5071b7be36596f35211848c8f4fb07d0a2e19d446ec0
SHA512 9e5e6439f3e35f215e6a19f86594f15439191f688b03329737f15837b306aea97d1965bed623183c106a23da157d446e6602a1bb07a5b7818d12ba0540cc606b

/data/data/com.zwuiaeqza.wxdlfyvob/cache/classes.dex

MD5 5d61b8465fde28f4f65eccfe6b4b4814
SHA1 9fe6ac6e4134eb6ec160b3c6b0e887046e49bd9a
SHA256 dda4d0e0c91e06c04b16e6cf8b425d99323cdf4caade9ccdbe86decfea41bdd1
SHA512 59c407ee9e7ee97fb1424769d50863de0571839c2c8d625daabe6e4b9ba6100978720edbf0fed90646341b46364e94435f4b6c0738d842718aba0d3c3e9ceac9

/data/data/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex

MD5 dedc5af2004e162e3c8b7b1eb6c72653
SHA1 0d78a1a711fad8c620fd1ab53549545d1e858ae6
SHA256 a9f29e0b8b87d2e52c627924a98bad036f62efc59bb279e7b34193e26ff7a969
SHA512 cecfcff0abeceb4989ddb2e7e06890a7a54b4d55227fd0bb618a60f5d186ea27f2d2c39803ba78f6b45eac22ea3e317a742e8fcfb76230cc5dddca5b221cabe6

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-journal

MD5 954d7e15a9d3f71c40c5e5cf53156448
SHA1 8ed4688481e5610aa22c0cd668298a366923c170
SHA256 4dfdabb91d72ab4e8d3ced9ecde3e030f127e908534397ce401fc790d13fa148
SHA512 e6125fce70e85acade3654f42c7956af3d72463251db0c7d0219a55fe12f2b1225d0a52c1ff9c70068347d9ef5e41f5e7c336943f08b64e86422aff62ab87735

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 64943fa64e6a037fcf08d1c37febbdc5
SHA1 89da85b227e4c2aa405aa0f631df4161dfcbfdfb
SHA256 6ae591e96da2364cb29c2d5f92e95768d743541ee9d90dfe4ac8d2154e57b294
SHA512 e6f771c04605bb4e04df404409516ee0cae0dbb864f4f5ae642ee0c6200b331960b3251cca5331f15429bd9c0cc7cbf0737304a835fa8a081756e042c527ac09

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 9f7dc6e420eee77ef76fc7dfbbcf0848
SHA1 c8f81628bd3a4bba6aa264896655b21ab49120ee
SHA256 03b0f5d8002e1603a1516f384eda4029b21e9e709cb16031d4cf9056cb53cb99
SHA512 90f663f4ea274dba17d4e7df00d0ef09f7e7ca6ffbd373e8a5bea853ab01d97ee163007558e1361c89945907d307ccba0f0c7350eb257a6a40af5c46ca17f8be

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 5c0a5d115cd1452f36ebd92828df284f
SHA1 1512e322e943657beb34474cb57b9b0f13208f5e
SHA256 77352620ce89fff04212ed65c0e680cffc36e1801e430936aa6afd063951b37a
SHA512 424b469fa9f3cf050ce2c77b0fd0902894b7c206047415c96878b8e3b7356ab7d14eef30147a4421819396fc985885acd4741681ef798dd62f74b566083b51f8

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-02 22:04

Reported

2024-12-02 22:07

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

160s

Command Line

com.zwuiaeqza.wxdlfyvob

Signatures

Hook [rat, trojan, infostealer, hook]

Hook family [hook]

Loads dropped Dex/Jar [evasion]
  /data/user/0/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex (2 load events)

Makes use of the framework's Accessibility service [collection, evasion, credential_access]
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard [collection, credential_access, impact]
  Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries information about running processes on the device [discovery]
  Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices) [discovery]

Acquires the wake lock
  Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service [evasion, persistence]
  Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user [evasion]
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls)

Queries information about the current Wi-Fi connection [discovery]
  Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Reads information about phone network operator [discovery]

Schedules tasks to execute at a specified time [execution, persistence]
  Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data) [impact]
  Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information
  File opened for read: /proc/cpuinfo

Checks memory information
  File opened for read: /proc/meminfo

Processes

com.zwuiaeqza.wxdlfyvob

Network

Country Destination Domain Proto Connections
N/A 224.0.0.251:5353 - udp 1
GB 172.217.169.78:443 - tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
GB 172.217.16.238:443 android.apis.google.com tcp 1
US 1.1.1.1:53 www.youtube.com udp 1
GB 172.217.169.14:443 www.youtube.com udp 1
GB 172.217.169.14:443 www.youtube.com tcp 1
GB 172.217.16.238:443 www.youtube.com tcp 1
US 216.239.36.223:443 - tcp 2
US 1.1.1.1:53 ssl.google-analytics.com udp 1
GB 216.58.201.104:443 ssl.google-analytics.com tcp 1
RU 94.141.120.34:80 - tcp 12
GB 142.250.187.206:443 www.youtube.com tcp 1
GB 142.250.179.225:443 - tcp 1
GB 216.58.201.97:443 - tcp 1

27 connections in total. The only endpoint outside Google infrastructure is again 94.141.120.34:80, reached 12 times over cleartext HTTP with no DNS lookup, consistent across all three runs.

Files

/data/data/com.zwuiaeqza.wxdlfyvob/cache/classes.zip

MD5 1bff0e8aeaf91a1cb1533ac459905f76
SHA1 159198260758dbfea33121c1974816c81da381dd
SHA256 6c633f4631ceca59a98a5071b7be36596f35211848c8f4fb07d0a2e19d446ec0
SHA512 9e5e6439f3e35f215e6a19f86594f15439191f688b03329737f15837b306aea97d1965bed623183c106a23da157d446e6602a1bb07a5b7818d12ba0540cc606b

/data/data/com.zwuiaeqza.wxdlfyvob/cache/classes.dex

MD5 5d61b8465fde28f4f65eccfe6b4b4814
SHA1 9fe6ac6e4134eb6ec160b3c6b0e887046e49bd9a
SHA256 dda4d0e0c91e06c04b16e6cf8b425d99323cdf4caade9ccdbe86decfea41bdd1
SHA512 59c407ee9e7ee97fb1424769d50863de0571839c2c8d625daabe6e4b9ba6100978720edbf0fed90646341b46364e94435f4b6c0738d842718aba0d3c3e9ceac9

/data/data/com.zwuiaeqza.wxdlfyvob/app_dex/classes.dex

MD5 dedc5af2004e162e3c8b7b1eb6c72653
SHA1 0d78a1a711fad8c620fd1ab53549545d1e858ae6
SHA256 a9f29e0b8b87d2e52c627924a98bad036f62efc59bb279e7b34193e26ff7a969
SHA512 cecfcff0abeceb4989ddb2e7e06890a7a54b4d55227fd0bb618a60f5d186ea27f2d2c39803ba78f6b45eac22ea3e317a742e8fcfb76230cc5dddca5b221cabe6

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-journal

MD5 6b94430ff550d062c5058a82827da8e8
SHA1 4b8a3405e43eb078eb500cc75752e9672b6ec7f6
SHA256 10265dbeeac1d726e7fde8e4f2685e56c88c4556468c1379aed13e9dc374553f
SHA512 46621965ca9b4cb218251d9e367c5831d3afee9d4e93ce1c6b9388e9c1e5765821110fa4b1f2ad12673d67ad04239824768e09ff96039773561f4f5c6f17b24c

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 8ec5748f08f28a6ac11739ea7aca9453
SHA1 2d5165fe8faa177880d2ee62d1b8c41bb5be3601
SHA256 052487d4781aba63d021bbeeb42418d73544348ba4c5d64e0e5b6b19d4cbc8b6
SHA512 eeda00ec824a0dad8125be95641af05f752f135aa7fd7eba82b652d39cb0dc9a350b21879a5661426a3e894a12223fa790ba51926f641b980b1f8a74016b893d

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 06c11461e00857805384d55d2e69fb3d
SHA1 ab2d1d217f78bad6b64aa2a373f66466734be35a
SHA256 1f3db21ddecfc6dfd54c0723ff37d9801073b67ba8f889fa4cfdc0b34ceadc73
SHA512 fdabfa8ac27e4dd65a2658241184f53425839ebde3f262550ddc7b7d5378732930553fb3f98715a8ef059ef0e9c57d738fca3294f9ece9d48c5a44c124c52f58

/data/data/com.zwuiaeqza.wxdlfyvob/no_backup/androidx.work.workdb-wal

MD5 886cf9281f9eb048c1f387025a69fce3
SHA1 cfaf9d01238c4969a14cb4bb83a7f61398b2e8ad
SHA256 e0abf3d26d3855c149d52814babecf19e72605a4e896b04a601cb88b6c9d6139
SHA512 cbca29d4184265932c33ab69d0214762fa2a0914d009bf6371a6ac2f064f468b09d44f71cf8942ccb4174fa7f45936c025afb2bf45c3d42c25873aec3edb4e1c