Malware Analysis Report

2025-01-19 05:47

Sample ID 241206-12p3xszpbt
Target 5bf6e5ee66b8f0c600a7c099f66d75d79693f4f231c7929a0faf00ac5567bdd7.bin
SHA256 5bf6e5ee66b8f0c600a7c099f66d75d79693f4f231c7929a0faf00ac5567bdd7
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

5bf6e5ee66b8f0c600a7c099f66d75d79693f4f231c7929a0faf00ac5567bdd7

Threat Level: Known bad

The file 5bf6e5ee66b8f0c600a7c099f66d75d79693f4f231c7929a0faf00ac5567bdd7.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Acquires the wake lock

Requests accessing notifications (often used to intercept notifications before users become aware).

Reads information about phone network operator.

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 22:08

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 22:08

Reported

2024-12-06 22:11

Platform

android-x86-arm-20240910-en

Max time kernel

147s

Max time network

150s

Command Line

com.ujnbvtkci.ldtxwwziz

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ujnbvtkci.ldtxwwziz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.ujnbvtkci.ldtxwwziz/cache/classes.zip

/data/data/com.ujnbvtkci.ldtxwwziz/cache/classes.dex

/data/data/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex

/data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-journal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-shm

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 22:08

Reported

2024-12-06 22:11

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.ujnbvtkci.ldtxwwziz

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ujnbvtkci.ldtxwwziz

Network


Files

/data/data/com.ujnbvtkci.ldtxwwziz/cache/classes.zip

/data/data/com.ujnbvtkci.ldtxwwziz/cache/classes.dex

/data/data/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-journal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-shm

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 22:08

Reported

2024-12-06 22:11

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

151s

Command Line

com.ujnbvtkci.ldtxwwziz

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ujnbvtkci.ldtxwwziz

Network


Files

/data/data/com.ujnbvtkci.ldtxwwziz/cache/classes.zip

/data/data/com.ujnbvtkci.ldtxwwziz/cache/classes.dex

/data/data/com.ujnbvtkci.ldtxwwziz/app_dex/classes.dex

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-journal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-shm

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal

/data/data/com.ujnbvtkci.ldtxwwziz/no_backup/androidx.work.workdb-wal
