Malware Analysis Report

2025-01-19 05:46

Sample ID 241203-15hs1ssndq
Target 5a98bf11ff325bf9d4c6dfbca036616b2d73c6674669b715f27a6e6d7f29a43c.bin
SHA256 5a98bf11ff325bf9d4c6dfbca036616b2d73c6674669b715f27a6e6d7f29a43c
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5a98bf11ff325bf9d4c6dfbca036616b2d73c6674669b715f27a6e6d7f29a43c

Threat Level: Known bad

The file 5a98bf11ff325bf9d4c6dfbca036616b2d73c6674669b715f27a6e6d7f29a43c.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Queries information about running processes on the device

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Declares services with permission to bind to the system

Reads information about the phone network operator

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Queries information about the current Wi-Fi connection

Acquires the wake lock

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-03 22:13

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-03 22:13

Reported

2024-12-03 22:16

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

152s

Command Line

com.ceweawvyw.bvvobcvtj

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.ceweawvyw.bvvobcvtj

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.74:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
GB 172.217.169.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.2:443 tcp

Files

/data/data/com.ceweawvyw.bvvobcvtj/cache/classes.zip
/data/data/com.ceweawvyw.bvvobcvtj/cache/classes.dex
/data/data/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-journal
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-shm
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-03 22:13

Reported

2024-12-03 22:16

Platform

android-x64-20240910-en

Max time kernel

149s

Max time network

152s

Command Line

com.ceweawvyw.bvvobcvtj

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.ceweawvyw.bvvobcvtj

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 216.58.213.2:443 tcp
US 154.216.20.102:80 154.216.20.102 tcp

Files

/data/data/com.ceweawvyw.bvvobcvtj/cache/classes.zip
/data/data/com.ceweawvyw.bvvobcvtj/cache/classes.dex
/data/data/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-journal
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-shm
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-03 22:13

Reported

2024-12-03 22:16

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

150s

Command Line

com.ceweawvyw.bvvobcvtj

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.ceweawvyw.bvvobcvtj

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.212.238:443 www.youtube.com udp
GB 216.58.212.238:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 142.250.180.14:443 android.apis.google.com tcp
US 216.239.38.223:443 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
GB 216.58.201.97:443 tcp
GB 172.217.169.65:443 tcp
US 216.239.38.223:443 tcp
US 216.239.38.223:443 tcp

Files

/data/data/com.ceweawvyw.bvvobcvtj/cache/classes.zip
/data/data/com.ceweawvyw.bvvobcvtj/cache/classes.dex
/data/data/com.ceweawvyw.bvvobcvtj/app_dex/classes.dex
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-journal
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-shm
/data/data/com.ceweawvyw.bvvobcvtj/no_backup/androidx.work.workdb-wal