Malware Analysis Report

2025-01-19 05:46

Sample ID 241206-1xwd5szmaw
Target 43d99fbc73071af6db75add0b1ca3bb80bdc1e1aebbee49eb1a8c69794762818.bin
SHA256 43d99fbc73071af6db75add0b1ca3bb80bdc1e1aebbee49eb1a8c69794762818
Tags: hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Score: 10/10


Analysis Overview

Score: 10/10

SHA256

43d99fbc73071af6db75add0b1ca3bb80bdc1e1aebbee49eb1a8c69794762818

Threat Level: Known bad

The file 43d99fbc73071af6db75add0b1ca3bb80bdc1e1aebbee49eb1a8c69794762818.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook family

Hook

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Declares broadcast receivers with permission to handle system events

Attempts to obfuscate APK file format

Acquires the wake lock

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Reads information about the phone network operator

Queries information about the current Wi-Fi connection

Requests access to notifications (often used to intercept notifications before users become aware)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-06 22:02

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-06 22:02

Reported

2024-12-06 22:04

Platform

android-x64-arm64-20240910-en

Max time kernel

149s

Max time network

152s

Command Line

com.fbqjyztvx.uruslmkka

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.fbqjyztvx.uruslmkka/app_dex/classes.dex N/A N/A (2 identical rows recorded)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A (18 identical rows recorded)

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.fbqjyztvx.uruslmkka

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.169.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 216.239.38.223:443 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 216.239.38.223:443 tcp
GB 142.250.200.14:443 www.youtube.com tcp
GB 172.217.169.33:443 tcp
GB 216.58.201.97:443 tcp
US 216.239.38.223:443 tcp
US 216.239.38.223:443 tcp

Files

/data/data/com.fbqjyztvx.uruslmkka/cache/classes.zip


/data/data/com.fbqjyztvx.uruslmkka/cache/classes.dex


/data/data/com.fbqjyztvx.uruslmkka/app_dex/classes.dex


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-journal


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-shm


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-wal (three versions recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-06 22:02

Reported

2024-12-06 22:04

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

152s

Command Line

com.fbqjyztvx.uruslmkka

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.fbqjyztvx.uruslmkka/app_dex/classes.dex N/A N/A (3 identical rows recorded)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A (8 identical rows recorded)

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before users become aware)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.fbqjyztvx.uruslmkka

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.fbqjyztvx.uruslmkka/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.fbqjyztvx.uruslmkka/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.196:80 tcp
GB 142.250.178.4:443 tcp
GB 142.250.187.195:80 tcp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp
GB 142.250.187.234:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.fbqjyztvx.uruslmkka/cache/classes.zip


/data/data/com.fbqjyztvx.uruslmkka/cache/classes.dex


/data/data/com.fbqjyztvx.uruslmkka/app_dex/classes.dex


/data/user/0/com.fbqjyztvx.uruslmkka/app_dex/classes.dex


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-journal


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-shm


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-wal (three versions recorded)

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-06 22:02

Reported

2024-12-06 22:04

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

152s

Command Line

com.fbqjyztvx.uruslmkka

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.fbqjyztvx.uruslmkka/app_dex/classes.dex N/A N/A (2 identical rows recorded)

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A (8 identical rows recorded)

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.fbqjyztvx.uruslmkka

Network

Country Destination Domain Proto
GB 142.250.200.10:443 tcp
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 216.58.204.74:443 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 154.216.19.93:80 154.216.19.93 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
US 154.216.19.93:80 154.216.19.93 tcp
GB 216.58.201.98:443 tcp

Files

/data/data/com.fbqjyztvx.uruslmkka/cache/classes.zip


/data/data/com.fbqjyztvx.uruslmkka/cache/classes.dex


/data/data/com.fbqjyztvx.uruslmkka/app_dex/classes.dex


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-journal


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-shm


/data/data/com.fbqjyztvx.uruslmkka/no_backup/androidx.work.workdb-wal (three versions recorded)