Analysis Overview
SHA256
1d000ef8d964ba22acf820debd2c24222ff34353c145d69e4266eb2cc7588ba3
Threat Level: Known bad
The file build.s.apk was found to be: Known bad.
Malicious Activity Summary
Ahmyth family
Removes its main activity from the application launcher
Obtains sensitive information copied to the device clipboard
Declares services with permission to bind to the system
Requests dangerous framework permissions
Requests accessing notifications (often used to intercept notifications before users become aware).
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-06 15:37
Signatures
Ahmyth family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-06 15:37
Reported
2024-12-06 15:39
Platform
android-x86-arm-20240624-en
Max time kernel
7s
Max time network
133s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Requests accessing notifications (often used to intercept notifications before users become aware).
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| IN | 139.59.55.116:22222 | 139.59.55.116 | tcp |
| IN | 139.59.55.116:22222 | 139.59.55.116 | tcp |
| GB | 216.58.201.110:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-06 15:37
Reported
2024-12-06 15:39
Platform
android-x64-20240624-en
Max time kernel
7s
Max time network
155s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| IN | 139.59.55.116:22222 | 139.59.55.116 | tcp |
| IN | 139.59.55.116:22222 | 139.59.55.116 | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-06 15:37
Reported
2024-12-06 15:39
Platform
android-x64-arm64-20240910-en
Max time kernel
6s
Max time network
151s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Requests accessing notifications (often used to intercept notifications before users become aware).
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| US | 216.239.38.223:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | www.youtube.com | udp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| IN | 139.59.55.116:22222 | 139.59.55.116 | tcp |
| IN | 139.59.55.116:22222 | 139.59.55.116 | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| GB | 142.250.200.33:443 | tcp | |
| US | 216.239.38.223:443 | tcp | |
| GB | 216.58.204.65:443 | tcp | |
| US | 216.239.38.223:443 | tcp |