Malware Analysis Report

2025-01-19 05:48

Sample ID 241206-12zx5azpcy
Target 3de88fcda6bbb1a8cf75eea3707ec9193b0fe4ddb374416f2c96339d01060f88.bin
SHA256 3de88fcda6bbb1a8cf75eea3707ec9193b0fe4ddb374416f2c96339d01060f88
Tags: hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 3de88fcda6bbb1a8cf75eea3707ec9193b0fe4ddb374416f2c96339d01060f88

Threat Level: Known bad

The file 3de88fcda6bbb1a8cf75eea3707ec9193b0fe4ddb374416f2c96339d01060f88.bin was found to be: Known bad.

Malicious Activity Summary

Hook

Hook family

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Reads information about phone network operator

Queries the mobile country code (MCC)

Declares services with permission to bind to the system

Queries information about the current Wi-Fi connection

Makes use of the framework's foreground persistence service

Requests access to notifications (often used to intercept notifications before the user becomes aware)

Requests dangerous framework permissions

Performs UI accessibility actions on behalf of the user

Attempts to obfuscate APK file format

Acquires the wake lock

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 22:09

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 22:09

Reported

2024-12-06 22:12

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

153s

Command Line

com.hzljikjfv.kdjbyjhjv

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware)

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.hzljikjfv.kdjbyjhjv

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.hzljikjfv.kdjbyjhjv/cache/classes.zip
/data/data/com.hzljikjfv.kdjbyjhjv/cache/classes.dex
/data/data/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex
/data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-journal
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-shm
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 22:09

Reported

2024-12-06 22:12

Platform

android-x64-20240624-en

Max time kernel

14s

Max time network

160s

Command Line

com.hzljikjfv.kdjbyjhjv

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.hzljikjfv.kdjbyjhjv

Network


Files

/data/data/com.hzljikjfv.kdjbyjhjv/cache/classes.zip
/data/data/com.hzljikjfv.kdjbyjhjv/cache/classes.dex
/data/data/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-journal
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-shm
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 22:09

Reported

2024-12-06 22:12

Platform

android-x64-arm64-20240910-en

Max time kernel

148s

Max time network

155s

Command Line

com.hzljikjfv.kdjbyjhjv

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.hzljikjfv.kdjbyjhjv

Network


Files

/data/data/com.hzljikjfv.kdjbyjhjv/cache/classes.zip
/data/data/com.hzljikjfv.kdjbyjhjv/cache/classes.dex
/data/data/com.hzljikjfv.kdjbyjhjv/app_dex/classes.dex
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-journal
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-shm
/data/data/com.hzljikjfv.kdjbyjhjv/no_backup/androidx.work.workdb-wal