Malware Analysis Report

2025-01-19 05:48

Sample ID: 241206-fzvkeaskaz
Target: olsera-pos-v.1.8.17.12-stagingRelease-main.apk
SHA256: d672cabf04369c152207eb3a2a588b28ed7a72b4634cc3807d689f1a6ef4a0a5
Tags: axbanker discovery evasion persistence
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: d672cabf04369c152207eb3a2a588b28ed7a72b4634cc3807d689f1a6ef4a0a5

Threat Level: Known bad

The file olsera-pos-v.1.8.17.12-stagingRelease-main.apk was found to be: Known bad.

Malicious Activity Summary

axbanker discovery evasion persistence

Axbanker family

Checks if the Android device is rooted.

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-06 05:19

Signatures

Axbanker family

axbanker

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Required to be able to advertise to nearby Bluetooth devices. | android.permission.BLUETOOTH_ADVERTISE | N/A | N/A
Required to be able to discover and pair nearby Bluetooth devices. | android.permission.BLUETOOTH_SCAN | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Required to be able to advertise to nearby Bluetooth devices. | android.permission.BLUETOOTH_ADVERTISE | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-06 05:19
Reported: 2024-12-06 05:22
Platform: android-x86-arm-20240624-en
Max time kernel: 7s
Max time network: 131s

Command Line

com.olserapratama.pos.staging

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.olserapratama.pos.staging

which su

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | sessions.bugsnag.com | udp
US | 35.190.88.7:443 | sessions.bugsnag.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp

Files

/data/data/com.olserapratama.pos.staging/files/device-id

MD5 917d0e38361551a4fb7d7315701ebcbd
SHA1 af2723813256ffe2149f94ccc987dd27aaf6b055
SHA256 2b7a53d21c23e8f79988e401c296cc430db9476ff4fb41b9758d66dc4ee8f88e
SHA512 d87da44783d1ffaa3d6dfa2dfeecd7b24b6e4170dcc2277997f58663891cf22494144962dc3ccc6f7d223b0a9abb500f6d15aed3efe77f8eaf4b237987451585

/data/data/com.olserapratama.pos.staging/files/internal-device-id

MD5 1ba2f32afd14f3afec84b5095863048d
SHA1 98bfabb85accc90dff63eaf82cae69a2c68d039e
SHA256 2cc133283f5cbc525efa9fd50047215ecd8f67c33c8ac258b286b14d5a124675
SHA512 0c63c5f8e5ff98d7aa1694de38620afa67837040bf7e1313398127894f9930363309ef01c6b4c6742cd9d771c3c0ef4f27c9bdece18ec0f6daa7eaeab3d0a892

/data/data/com.olserapratama.pos.staging/cache/last-run-info

MD5 94e10e850bf39b9d0a6fef9969739ad4
SHA1 5a9424345b6455d1b84ed73ecdde7eeab7f83ac9
SHA256 da731d687400934bea5e647ed90766710215d2e224d53fd2912f6acbea356d5d
SHA512 8cb6f99259a95a259d7b3d15cd39f8973de6da14ef8691d77e320c71519921da6d8708f7d278b974e2bf5ea5e0854fbd16c31f44462cc36d4b93f9930a4768f0

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-06 05:19
Reported: 2024-12-06 05:22
Platform: android-x64-20240624-en
Max time kernel: 7s
Max time network: 131s

Command Line

com.olserapratama.pos.staging

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.olserapratama.pos.staging

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sessions.bugsnag.com | udp
US | 35.190.88.7:443 | sessions.bugsnag.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.olserapratama.pos.staging/files/device-id

MD5 93b68d5c98aaccb756dce1fbbe9d7936
SHA1 699dde1323dd71a35cf7fbf766ea74cec9bbf3ec
SHA256 dcc5e9624b58729df0deeb6a347dd10b84fb59d1d688b10f059ad8f61aec8296
SHA512 393fcae43dc6e30843d9f4521a21c734c969b6549144a06157af6c71de49804ecaa7e2414a4c42574bf67d39bc4ee94ff68e116502e9edc5f6379aa5605c09d7

/data/data/com.olserapratama.pos.staging/files/internal-device-id

MD5 aa9f4032fab366a4cdfead54382e3b6c
SHA1 e51b2cb5615bf3cddd0e29b896a752ae28b86cdd
SHA256 2cfbaabb91d4e66002ac167f1982a51e24493db45eef56d0fd51c992a6aada67
SHA512 8bbfc7ee2a4aa206c8dd5ccf32b72dc598ede6005ef444ac1da68206fb7eacd54fe4129f5148bd269ad785fdc13ec4dac7942515f6d4a2971945f65654cf27be

/data/data/com.olserapratama.pos.staging/cache/last-run-info

MD5 94e10e850bf39b9d0a6fef9969739ad4
SHA1 5a9424345b6455d1b84ed73ecdde7eeab7f83ac9
SHA256 da731d687400934bea5e647ed90766710215d2e224d53fd2912f6acbea356d5d
SHA512 8cb6f99259a95a259d7b3d15cd39f8973de6da14ef8691d77e320c71519921da6d8708f7d278b974e2bf5ea5e0854fbd16c31f44462cc36d4b93f9930a4768f0