Malware Analysis Report

2025-01-19 05:47

Sample ID 241205-1x59catpe1
Target b70a063fb4ef21ea9adbcf18bd601f5358207ccc491d7e05bb638288282a8649.bin
SHA256 b70a063fb4ef21ea9adbcf18bd601f5358207ccc491d7e05bb638288282a8649
Tags
hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b70a063fb4ef21ea9adbcf18bd601f5358207ccc491d7e05bb638288282a8649

Threat Level: Known bad

The file b70a063fb4ef21ea9adbcf18bd601f5358207ccc491d7e05bb638288282a8649.bin was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family. Hook is an Android banking trojan publicly documented as a fork of the ERMAC codebase with added remote-control capabilities (VNC-style screen streaming and gesture injection), which is why this sample carries the rat tag alongside trojan and infostealer.

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Reads information about the phone network operator

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Declares services with permission to bind to the system

Declares broadcast receivers with permission to handle system events

Makes use of the framework's foreground persistence service

Acquires the wake lock

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Attempts to obfuscate APK file format

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK (Mobile Matrix V15)

The tactic mapping is carried as tags on the individual signatures below (collection, credential_access, discovery, evasion, execution, impact, persistence).

Analysis: static1

Detonation Overview

Reported

2024-12-05 22:02

Signatures

Attempts to obfuscate APK file format
No indicator listed.

Declares broadcast receivers with permission to handle system events
android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.

Requests dangerous framework permissions
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
android.permission.READ_EXTERNAL_STORAGE: Allows an application to read from external storage.
android.permission.READ_SMS: Allows an application to read SMS messages.
android.permission.SEND_SMS: Allows an application to send SMS messages.
android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
android.permission.READ_PHONE_STATE: Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.READ_PHONE_NUMBERS: Allows read access to the device's phone number(s).
android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.

(The Process and Target columns of the original tables are N/A for every indicator in this report and are omitted.)

Taken together, an accessibility service (BIND_ACCESSIBILITY_SERVICE), the overlay permission (SYSTEM_ALERT_WINDOW), read/receive/send SMS, a device-admin receiver (BIND_DEVICE_ADMIN) and a notification listener are the standard manifest profile of an Android banking trojan: overlays for credential phishing, SMS and notification access for OTP interception, accessibility for auto-granting permissions and driving the UI, and device admin to resist uninstallation. The static view alone cannot show which of these the sample actually exercises; the behavioral runs below do.

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-05 22:02

Reported

2024-12-05 22:05

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

159s

Command Line

com.jiuogyqli.wownkjdpn

Signatures

Hook (rat trojan infostealer hook)

Hook family (hook)

Loads dropped Dex/Jar (evasion)
/data/user/0/com.jiuogyqli.wownkjdpn/app_dex/classes.dex (reported twice)

Makes use of the framework's Accessibility service (collection evasion credential_access)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
These calls walk the view tree of whichever app is in the foreground and look up nodes by visible text and by resource ID; that is how an accessibility-abusing banker locates login fields and buttons in a target app so it can read them or act on them.

Obtains sensitive information copied to the device clipboard (collection credential_access impact)
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries information about running processes on the device (discovery)
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices) (discovery)
No indicator listed.

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service (evasion persistence)
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user (evasion)
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls; the GLOBAL_ACTION_* argument, for example BACK or HOME, is not recorded)

Queries information about the current Wi-Fi connection (discovery)
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Reads information about the phone network operator (discovery)
No indicator listed.

Schedules tasks to execute at a specified time (execution persistence)
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data) (impact)
Framework API call: javax.crypto.Cipher.doFinal
The cipher, mode and data are not recorded. In a sample that stages and loads a second-stage dex, a Cipher.doFinal hit is at least as likely to be payload or C2-configuration decryption as user-data encryption, so the impact tag should not be read as ransomware behaviour on its own.

Checks CPU information
File opened for read: /proc/cpuinfo

Checks memory information
File opened for read: /proc/meminfo
Reading /proc/cpuinfo and /proc/meminfo is a common emulator check (looking for goldfish/ranchu hardware strings or an implausibly small RAM figure), although ordinary analytics SDKs read the same files, so on its own it is a weak signal.

Processes

com.jiuogyqli.wownkjdpn

Network

Country Destination Domain Proto (consecutive identical rows collapsed; - means no domain attributed)
GB 142.250.200.46:443 - tcp (x2)
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com tcp
US 216.239.32.223:443 - tcp
US 154.216.17.184:80 - tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
US 154.216.17.184:80 - tcp (x11)
GB 142.250.187.193:443 - tcp
US 216.239.32.223:443 - tcp
GB 216.58.204.65:443 - tcp
US 216.239.32.223:443 - tcp

154.216.17.184:80 is reached 12 times in this run over plaintext HTTP with no DNS lookup recorded for it, i.e. by hardcoded IP, and it is the only destination that is neither mDNS (224.0.0.251), the 1.1.1.1 resolver, nor Google address space (142.250.x, 172.217.x, 216.58.x, 216.239.x). That makes it the likely C2 endpoint, although the report itself does not confirm it. The Google, YouTube and google-analytics traffic is consistent with emulator system-service background activity rather than with the sample.
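The connection table above is a convenient input for a quick beaconing check. The following Python is an added example, not part of the sandbox report or of the Hook family's tooling: it parses rows in the format shown here (a constructed copy of this section's table is embedded), collapses repeated connections, and flags destinations that were contacted over plaintext HTTP, or repeatedly, with no hostname attributed to them in the capture, which is the pattern of a hardcoded-IP C2, while discarding mDNS and resolver traffic. The five-hit threshold is an assumption chosen for a run of roughly 160 seconds.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed copy of the behavioral3 connection table above
# (country, ip:port, optional attributed domain, proto), one row per line.
SAMPLE_ROWS = [
    "GB 142.250.200.46:443 tcp",
    "GB 142.250.200.46:443 tcp",
    "N/A 224.0.0.251:5353 udp",
    "US 1.1.1.1:53 android.apis.google.com udp",
    "GB 142.250.200.14:443 android.apis.google.com tcp",
    "US 1.1.1.1:53 www.youtube.com udp",
    "GB 172.217.169.46:443 www.youtube.com udp",
    "GB 172.217.169.46:443 www.youtube.com tcp",
    "GB 142.250.200.14:443 www.youtube.com tcp",
    "US 216.239.32.223:443 tcp",
    "US 154.216.17.184:80 tcp",
    "US 1.1.1.1:53 ssl.google-analytics.com udp",
    "GB 142.250.187.200:443 ssl.google-analytics.com tcp",
] + ["US 154.216.17.184:80 tcp"] * 11 + [   # the report lists this row eleven more times
    "GB 142.250.187.193:443 tcp",
    "US 216.239.32.223:443 tcp",
    "GB 216.58.204.65:443 tcp",
    "US 216.239.32.223:443 tcp",
]
SAMPLE_LOG = "\n".join(SAMPLE_ROWS)

# country, ip:port, optional domain, proto; the domain column is absent for
# connections the sandbox could not tie to a DNS answer.
ROW = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[0-9.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse the report's connection rows; skips blanks and the header line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError("unparsed row: %r" % line)
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def summarize(rows):
    """Count hits per (ip, port, proto) and collect the hostnames attributed to each IP."""
    hits = Counter()
    names = defaultdict(set)
    for r in rows:
        hits[(r["ip"], r["port"], r["proto"])] += 1
        if r["domain"]:
            names[r["ip"]].add(r["domain"])
    return hits, names


def c2_candidates(rows, min_hits=5):
    """Flag unattributed destinations reached in plaintext or repeatedly (assumed threshold)."""
    hits, names = summarize(rows)
    out = []
    for (ip, port, proto), n in hits.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_multicast or port == 53:
            continue                      # mDNS and resolver traffic: sandbox background noise
        if names.get(ip):
            continue                      # reached via a DNS answer the sandbox tied to a hostname
        plaintext = port == 80
        if plaintext or n >= min_hits:    # hardcoded-IP beaconing or cleartext C2
            out.append({"dest": "%s:%d/%s" % (ip, port, proto), "hits": n, "plaintext": plaintext})
    out.sort(key=lambda d: (-d["hits"], d["dest"]))
    return out


if __name__ == "__main__":
    for cand in c2_candidates(parse_rows(SAMPLE_LOG)):
        print(cand)
```

Run on this section's table the only candidate is 154.216.17.184:80/tcp with 12 hits. The attribution step depends on the sandbox having paired DNS answers with later connections; a C2 that is reached by hostname over 443 would not be flagged by this rule and needs a TLS SNI or JA3 check instead.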

Files

Drop chain in this run: cache/classes.zip (container) -> cache/classes.dex (extracted stage) -> app_dex/classes.dex (the copy that the "Loads dropped Dex/Jar" indicator shows being loaded; /data/data is a symlink to /data/user/0). The two classes.dex copies have different hashes, so the staged file is rewritten or transformed before it is loaded; collect and hash the app_dex copy if you want the code that actually ran.

/data/data/com.jiuogyqli.wownkjdpn/cache/classes.zip

MD5 d3b4012025bb1cb9bf8ef3c037394133
SHA1 60554398feab97d2091ca04ee30111e1e3795525
SHA256 93587959381b442412c4d9b5b0693e42661c29be12c6a779d572fc44c638db82
SHA512 e88dd48b64252dc6b95b2d34219f1275034bac59c5fbd9400b1bbc884950c85710cce7f81a8b8b664c241ba4c30433324111239b92e65df0cbfda3c42f15c58a

/data/data/com.jiuogyqli.wownkjdpn/cache/classes.dex

MD5 86e18fc698b0eaecaccf05c893614e64
SHA1 9a7aea94d6b07f02742e19be56e40d6814a5ec15
SHA256 69d617fdd3c9a033f6afbaba0574d970a60eb0e60a271852538e2d8cb4d8ae55
SHA512 e2b87b651308eb6b3ca181ce75e7ae6ef106e2885e23c40c0f9c0359f08e3f5020a4f1b2b415186878666c6bcc40a10509e56c37350693cb7ec5b73461d178ac

/data/data/com.jiuogyqli.wownkjdpn/app_dex/classes.dex

MD5 768396fd05be9fa92bc613e0b2be5bb1
SHA1 9bf331746784e1556f40d277bf2ace4422d0f5a3
SHA256 434f9df3feefd7799922db5535018627c1cceddb24a5c37ddaba82d7d59efbda
SHA512 88247b1ec58e58b3ec3ac53620e0cc799dc7955033cb1c0805208a340d2734ca28afb1507280794306b4151f9461d132c11c761b62e34ced756b570f31b4b7bb

The androidx.work.workdb* files below are the Jetpack WorkManager job database (rollback journal, main database, shared-memory index and three successive snapshots of the write-ahead log). WorkManager schedules through IJobScheduler, which matches the "Schedules tasks to execute at a specified time" persistence signature above; the job definitions inside the database say what the sample re-runs and how often.

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-journal

MD5 ee3476ea4c7b9ed30e0a8c89ab00851e
SHA1 248f7e8dcc9051ccf57a673f5f0050c75679d430
SHA256 e9ce54bd0c9ae2eae679ac976150636627090fbedab41ac8d8bd1f527ed36868
SHA512 13d0fda63ae429e73fa601c64ba825d7e44d683115ca7188bdd7944214fcc8b27b626c82442c5cacc19aa5ade2d2e369f5e5ec8fb34964b182cad91dd51a2d92

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 5472135df2fe8b58629899a3c169c114
SHA1 3063282b53ed4308b42194c47eca368a3ab54a94
SHA256 95dc7d7a75cdc90cc9458caf5c4b4b1731db7161b042bfaf897c9c518e68670d
SHA512 9d8ed4eb218be2778dab07b0aa2e52325ff0659eb736096bfbd232daafb1c620493200134541a9308a6f0adba69f4c4d64a7e9695e19ee35b05a36125d007a07

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 c80f25378e2f597ba9de3dcf8e98ca43
SHA1 02a0e0371e2c9c4c6bd4f878c9e1470919dcc1a0
SHA256 b471a29f9395c1538f83e896b638b5944be35141b24188c18682fff231e61117
SHA512 819237ae0acd2d3ccac02b23bd98f071fb3cb0e831ae724912a012d3d48d93a7b653e79fcb16cf20b10b6f5b7ecba382a59d5eb354073f7b68cc9c52aebe3502

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 6ea456ab99b5ee58472eed5dac32877d
SHA1 dba7c5afb5dd8557a029d871394acb53168bc3ef
SHA256 44a0eae102d930921da54d78e9513cc89ce76b5a5e59867180ce1c4941f17ed7
SHA512 cef17e37c089fa26cfd75772ad03acd9b2297d33c5ad561c400264f10930a7b2e1eb1b3d4b085102a1cfc5ce290358154bc3d6cf655a0589d158f059e83c715f
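When pulling the dropped files listed above out of a sandbox or a device, the first question is whether each one is a usable DEX, a container, or still an encrypted blob (the static analysis flagged APK-format obfuscation). The following Python is an added example, not part of this report or of the Hook sample: it classifies a file by its leading bytes, lists the members of a zip container, and validates the fixed DEX header by recomputing the adler32 checksum and SHA-1 signature the format defines. A file that carries the dex magic but fails those checks has been patched or is still partly encoded. The three inputs are constructed stand-ins for the paths in this section, not the real sample bytes, and the header-only DEX fixture is hypothetical.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
PKG = "com.jiuogyqli.wownkjdpn"


def classify(blob):
    """Identify a dropped payload by its leading bytes."""
    if blob[:4] == b"dex\n":
        return "dex"
    if blob[:4] == b"PK\x03\x04":
        return "zip"          # APK, JAR or plain zip: look inside for .dex members
    if blob[:4] == b"\x7fELF":
        return "elf"          # native library or binary
    return "unknown"          # likely still encrypted/obfuscated, or not code at all


def parse_dex_header(blob):
    """Parse the fixed DEX header and recompute its integrity fields.

    Per the dex format: magic[8] "dex\\n0NN\\0", checksum u32 = adler32 over
    everything after the checksum field, signature[20] = SHA-1 over everything
    after the signature field, then file_size, header_size, endian_tag (u32 each).
    """
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("too short for a DEX header")
    magic = blob[:8]
    if magic[:4] != b"dex\n" or magic[7] != 0:
        raise ValueError("bad DEX magic")
    (checksum,) = struct.unpack_from("<I", blob, 8)
    signature = blob[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", blob, 32)
    checks = {
        "checksum_ok": checksum == (zlib.adler32(blob[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(blob[32:]).digest(),
        "size_ok": file_size == len(blob),
        "header_size_ok": header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == ENDIAN_CONSTANT,
    }
    return {"version": magic[4:7].decode("ascii"), "file_size": file_size,
            "valid": all(checks.values()), **checks}


def triage_drop_chain(files):
    """files: {path: bytes}. Returns a per-path verdict keyed like the report's file list."""
    report = {}
    for path, blob in files.items():
        kind = classify(blob)
        entry = {"kind": kind, "size": len(blob),
                 "sha256": hashlib.sha256(blob).hexdigest()}
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                entry["members"] = zf.namelist()
            entry["carries_dex"] = any(n.endswith(".dex") for n in entry["members"])
        elif kind == "dex":
            try:
                entry.update(parse_dex_header(blob))
            except ValueError as exc:
                entry["error"] = str(exc)
        report[path] = entry
    return report


def build_dex_stub(body=b"\x00" * 16, version=b"035"):
    """Constructed fixture: a header-only DEX image with a correct checksum and
    signature but no class data (hypothetical; not the sample's dex)."""
    tail = struct.pack("<III", DEX_HEADER_SIZE + len(body), DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\x00" * (DEX_HEADER_SIZE - 44) + body   # remaining header fields zeroed
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + tail


def constructed_samples():
    """Constructed stand-ins for the three dropped files listed in this section."""
    dex = build_dex_stub()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
    tampered = bytearray(dex)
    tampered[-1] ^= 0xFF              # one flipped byte: mimics a patched or still-encoded payload
    return {
        "/data/data/%s/cache/classes.zip" % PKG: buf.getvalue(),
        "/data/data/%s/cache/classes.dex" % PKG: dex,
        "/data/user/0/%s/app_dex/classes.dex" % PKG: bytes(tampered),
    }


if __name__ == "__main__":
    for path, v in triage_drop_chain(constructed_samples()).items():
        print(path, v["kind"], v["sha256"][:16], "valid_dex=%s" % v.get("valid"),
              "carries_dex=%s" % v.get("carries_dex"))
```

On real drops, a classes.dex whose header validates but whose SHA-256 differs between the cache and app_dex copies, as in this run, should be diffed rather than assumed equivalent; a copy that fails the checksum while keeping the magic is the usual sign that the loader decrypts in memory and wrote only a partially decoded file to disk.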

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-05 22:02

Reported

2024-12-05 22:05

Platform

android-x86-arm-20240910-en

Max time kernel

147s

Max time network

162s

Command Line

com.jiuogyqli.wownkjdpn

Signatures

Hook (rat trojan infostealer hook)

Hook family (hook)

Unlike behavioral3 and behavioral2, this run did not register a clipboard listener; conversely, the MCC query and the runtime receiver registration were seen here and in behavioral2 but not in behavioral3. Coverage varies with how far the sample got in its roughly 150 seconds, so build detections on the union of the three runs rather than on any one of them.

Loads dropped Dex/Jar (evasion)
/data/user/0/com.jiuogyqli.wownkjdpn/app_dex/classes.dex (reported three times)

Makes use of the framework's Accessibility service (collection evasion credential_access)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Queries information about running processes on the device (discovery)
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices) (discovery)
No indicator listed.

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service (evasion persistence)
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user (evasion)
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls; the GLOBAL_ACTION_* argument is not recorded)

Queries information about the current Wi-Fi connection (discovery)
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) (discovery)
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (this call returns the ISO country code of the registered network rather than the numeric MCC; the signature name is the sandbox's)

Reads information about the phone network operator (discovery)
No indicator listed.

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time (execution persistence)
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data) (impact)
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information
File opened for read: /proc/cpuinfo

Checks memory information
File opened for read: /proc/meminfo

Processes

com.jiuogyqli.wownkjdpn

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.jiuogyqli.wownkjdpn/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.jiuogyqli.wownkjdpn/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

This dex2oat process is the ART compiler that the system runs when an app loads a dex through a class loader; it is not spawned by the malware's own code. Its --dex-file argument nevertheless confirms independently that app_dex/classes.dex was loaded as code (the "Loads dropped Dex/Jar" signature), and the --oat-location output, app_dex/oat/x86/classes.odex, is a further on-device artifact of the second stage worth collecting. The --class-loader-context value is truncated in the report.

Network

Country Destination Domain Proto (consecutive identical rows collapsed; - means no domain attributed)
N/A 224.0.0.251:5353 - udp
GB 142.250.187.202:443 - tcp
GB 142.250.178.14:443 - tcp
GB 172.217.16.238:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 172.217.169.74:443 - tcp
US 154.216.17.184:80 - tcp (x12)
GB 142.250.200.2:443 - tcp

As in the other two runs, 154.216.17.184:80 is contacted 12 times over plaintext HTTP by hardcoded IP (no DNS lookup recorded) and is the only destination outside mDNS, the resolver and Google address space; it is the candidate C2, unconfirmed by the report.

Files

/data/data/com.jiuogyqli.wownkjdpn/cache/classes.zip

MD5 d3b4012025bb1cb9bf8ef3c037394133
SHA1 60554398feab97d2091ca04ee30111e1e3795525
SHA256 93587959381b442412c4d9b5b0693e42661c29be12c6a779d572fc44c638db82
SHA512 e88dd48b64252dc6b95b2d34219f1275034bac59c5fbd9400b1bbc884950c85710cce7f81a8b8b664c241ba4c30433324111239b92e65df0cbfda3c42f15c58a

/data/data/com.jiuogyqli.wownkjdpn/cache/classes.dex

MD5 86e18fc698b0eaecaccf05c893614e64
SHA1 9a7aea94d6b07f02742e19be56e40d6814a5ec15
SHA256 69d617fdd3c9a033f6afbaba0574d970a60eb0e60a271852538e2d8cb4d8ae55
SHA512 e2b87b651308eb6b3ca181ce75e7ae6ef106e2885e23c40c0f9c0359f08e3f5020a4f1b2b415186878666c6bcc40a10509e56c37350693cb7ec5b73461d178ac

/data/data/com.jiuogyqli.wownkjdpn/app_dex/classes.dex

MD5 768396fd05be9fa92bc613e0b2be5bb1
SHA1 9bf331746784e1556f40d277bf2ace4422d0f5a3
SHA256 434f9df3feefd7799922db5535018627c1cceddb24a5c37ddaba82d7d59efbda
SHA512 88247b1ec58e58b3ec3ac53620e0cc799dc7955033cb1c0805208a340d2734ca28afb1507280794306b4151f9461d132c11c761b62e34ced756b570f31b4b7bb

/data/user/0/com.jiuogyqli.wownkjdpn/app_dex/classes.dex (the same file as the /data/data/.../app_dex/classes.dex entry above, since /data/data is a symlink to /data/user/0; the differing hashes show the dex was rewritten during the run, which also fits the three load events recorded in this detonation)

MD5 21384cc7d4d51665e44ed01d0dfded51
SHA1 9204592113178c31751a584d6536de1c1fb7be10
SHA256 a1130d60dddc740b2868973c6e23b46a931461ce37c73544ec38d7ccd15fbacf
SHA512 1154096277236ed5f98fad266f3f9b66e211c671b7b44e23f7dc1c94c7bc117782aaa47fd54835fdcad336f77543018e0009db012d9e2014a0885a4536b37fa1

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-journal

MD5 e36e754f77956207e749533f874a6c45
SHA1 3fbf1c4349faa94b45689c45ff261fcc8524dbcd
SHA256 d204596cda0eff29179102c1994e86941be7056c202825be18caa4866b268751
SHA512 2e1cde2fd90dae8f592a825c58192f1514f6758185e9270fb4df5c41cbd6ab7aaca57a2cf53d5b5ed03e3646b0287cfe0952f681f7ed859ad7105b5f5ed4d5ee

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 1b70a87a1c51e5013fc23ecdb39bfb7b
SHA1 18c17f80f704715d91a39c966c0aee2a870e3717
SHA256 5d0d0d6507e4110844e89db26f351a08c9e6c157aac1d7065f17325a5737b934
SHA512 4e6055216b88fdf7b66e45facb4c168236e1ece1d3a744c350201e3db3a26e547e6a2a04eec792099d6e366c930da9cadc9272b1b8834202582e79362e508a89

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 c63a850e14ed0b88e22dd73be03fd212
SHA1 40bdd9c6c76f1afc5858c14d24d45df6961f5d75
SHA256 7c1f17413c7eedf2069d706935a27319f9725e255f48d6bb933a837744c12b98
SHA512 8d993ac0694ea1dadd9e88c34292645fb59f428ab5396baa3a856941e2cb5bcc4fa8fe9120e829ee622e1929711d33469b46b82e215bbb3df425ea3a3883f467

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 54a50b18c0ce345f95df9f01621f3a64
SHA1 690ac600e03ccce8324d6bad78a36f67b1a4ce5f
SHA256 87779e4e811196d3733b40c078eb8321ec339109aa8f3db458de2edadff508fa
SHA512 260c5cb3828a519f1236549bc1d3956876ae610831948e44c07b90e59bbebc43f60a6a7943e42d3195dc432598957952420f7d31b3484c1d21fe4bebe2d05194

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-05 22:02

Reported

2024-12-05 22:05

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

153s

Command Line

com.jiuogyqli.wownkjdpn

Signatures

Hook (rat trojan infostealer hook)

Hook family (hook)

Loads dropped Dex/Jar (evasion)
/data/user/0/com.jiuogyqli.wownkjdpn/app_dex/classes.dex (reported twice)

Makes use of the framework's Accessibility service (collection evasion credential_access)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId

Obtains sensitive information copied to the device clipboard (collection credential_access impact)
Framework service call: android.content.IClipboard.addPrimaryClipChangedListener

Queries information about running processes on the device (discovery)
Framework service call: android.app.IActivityManager.getRunningAppProcesses

Queries the phone number (MSISDN for GSM devices) (discovery)
No indicator listed.

Acquires the wake lock
Framework service call: android.os.IPowerManager.acquireWakeLock

Makes use of the framework's foreground persistence service (evasion persistence)
Framework service call: android.app.IActivityManager.setServiceForeground

Performs UI accessibility actions on behalf of the user (evasion)
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (5 calls; the GLOBAL_ACTION_* argument is not recorded)

Queries information about the current Wi-Fi connection (discovery)
Framework service call: android.net.wifi.IWifiManager.getConnectionInfo

Queries the mobile country code (MCC) (discovery)
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (returns the ISO country code of the registered network rather than the numeric MCC)

Reads information about the phone network operator (discovery)
No indicator listed.

Registers a broadcast receiver at runtime (usually for listening for system events) (persistence)
Framework service call: android.app.IActivityManager.registerReceiver

Schedules tasks to execute at a specified time (execution persistence)
Framework service call: android.app.job.IJobScheduler.schedule

Uses Crypto APIs (Might try to encrypt user data) (impact)
Framework API call: javax.crypto.Cipher.doFinal

Checks CPU information
File opened for read: /proc/cpuinfo

Checks memory information
File opened for read: /proc/meminfo

Processes

com.jiuogyqli.wownkjdpn

Network

Country Destination Domain Proto (consecutive identical rows collapsed; - means no domain attributed)
N/A 224.0.0.251:5353 - udp
GB 142.250.180.10:443 - tcp
GB 216.58.201.110:443 - tcp (x4)
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.187.234:443 - tcp
US 154.216.17.184:80 - tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
US 154.216.17.184:80 - tcp (x11)

154.216.17.184:80 again accounts for 12 plaintext HTTP connections by hardcoded IP with no DNS lookup recorded, and is the only destination outside mDNS, the resolver and Google address space in this run; it is the same candidate C2 seen in behavioral3 and behavioral1, unconfirmed by the report.

Files

/data/data/com.jiuogyqli.wownkjdpn/cache/classes.zip

MD5 d3b4012025bb1cb9bf8ef3c037394133
SHA1 60554398feab97d2091ca04ee30111e1e3795525
SHA256 93587959381b442412c4d9b5b0693e42661c29be12c6a779d572fc44c638db82
SHA512 e88dd48b64252dc6b95b2d34219f1275034bac59c5fbd9400b1bbc884950c85710cce7f81a8b8b664c241ba4c30433324111239b92e65df0cbfda3c42f15c58a

/data/data/com.jiuogyqli.wownkjdpn/cache/classes.dex

MD5 86e18fc698b0eaecaccf05c893614e64
SHA1 9a7aea94d6b07f02742e19be56e40d6814a5ec15
SHA256 69d617fdd3c9a033f6afbaba0574d970a60eb0e60a271852538e2d8cb4d8ae55
SHA512 e2b87b651308eb6b3ca181ce75e7ae6ef106e2885e23c40c0f9c0359f08e3f5020a4f1b2b415186878666c6bcc40a10509e56c37350693cb7ec5b73461d178ac

/data/data/com.jiuogyqli.wownkjdpn/app_dex/classes.dex

MD5 768396fd05be9fa92bc613e0b2be5bb1
SHA1 9bf331746784e1556f40d277bf2ace4422d0f5a3
SHA256 434f9df3feefd7799922db5535018627c1cceddb24a5c37ddaba82d7d59efbda
SHA512 88247b1ec58e58b3ec3ac53620e0cc799dc7955033cb1c0805208a340d2734ca28afb1507280794306b4151f9461d132c11c761b62e34ced756b570f31b4b7bb

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-journal

MD5 1cbb27c274987fff72229e67aa59dcbc
SHA1 4e011132a3d8688c70e2844ffba8b3f34bec8794
SHA256 06e8046f2e324c8276416dd8b68b74112044e51133b1b054ba0c9668c585f2b0
SHA512 99221f78952862ad1e98264072ffa252f5fa829821c7bf4faef54e2a9bf3bcc57c2006b1130d78df05d1dd495f567585321b81c34fc432315b8a34274ef8f43e

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 935d9c1a49dacf7cf1f191f01edd4def
SHA1 39494ee88366506af36216beda2e9f2b8ca1d21b
SHA256 93de6aafb7a3c7c74514dfe0bfdf452ba97d99cf37915dfa8210d5c8fe12b9b8
SHA512 5d4627f44c6723e12b16e6fc17dd597769e17eafbaacd0d5c8a9f50d061059bc3db8edf758b72c2dee0d3e606b48cab23943e241cbbc76e2e5b41a9e4e22c820

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 469fcd7357d9cb4c68c393f51814a73c
SHA1 479f95aed10e5cda7bac8f616f7adbb46415ab48
SHA256 718428ea17993dbab2ba42be409b28d73a5869f05a7902be785c09bc07602ba0
SHA512 8057766c6c53d59cf247941fc85e54b752527bf2665d04cd0c3288802098561251f42529186a9d1862d563b0996fa03af8b49a4a509a38d2f665359754186111

/data/data/com.jiuogyqli.wownkjdpn/no_backup/androidx.work.workdb-wal

MD5 b0811931490b35c16cd5a2ab214e7ed6
SHA1 982d82cbc099ac3ca1d271c18be79e9d4c7ed3f9
SHA256 79dcaf12dacc6213cb03517578c8c840ef296da94beeed817c473bbd03d237fd
SHA512 48e3254282b808ad62806039058252a4f8f4ececd944750c83af7d592641edaecc0412a18e0467e2972af36ca75de97ac640a24d5c4532c57f0aeba64c51ed00