Malware Analysis Report

2025-01-19 05:48

Sample ID: 241207-d1sq4atmez
Target: d672cabf04369c152207eb3a2a588b28ed7a72b4634cc3807d689f1a6ef4a0a5.apk
SHA256: d672cabf04369c152207eb3a2a588b28ed7a72b4634cc3807d689f1a6ef4a0a5
Tags: axbanker, discovery, persistence, evasion
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: d672cabf04369c152207eb3a2a588b28ed7a72b4634cc3807d689f1a6ef4a0a5
Threat Level: Known bad

The file d672cabf04369c152207eb3a2a588b28ed7a72b4634cc3807d689f1a6ef4a0a5.apk was found to be: Known bad.

Malicious Activity Summary

Tags: axbanker, discovery, persistence, evasion

Axbanker family

Loads dropped Dex/Jar

Requests dangerous framework permissions

Queries the unique device ID (IMEI, MEID, IMSI)

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-07 03:29

Signatures

Axbanker family

axbanker

Requests dangerous framework permissions

Indicator                                   Description
android.permission.READ_MEDIA_IMAGES        Allows an application to read image files from external storage.
android.permission.READ_EXTERNAL_STORAGE    Allows an application to read from external storage.
android.permission.WRITE_EXTERNAL_STORAGE   Allows an application to write to external storage.
android.permission.CAMERA                   Required to be able to access the camera device.
android.permission.READ_PHONE_STATE         Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
android.permission.CALL_PHONE               Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
android.permission.BLUETOOTH_ADVERTISE      Required to be able to advertise to nearby Bluetooth devices.
android.permission.BLUETOOTH_SCAN           Required to be able to discover and pair nearby Bluetooth devices.
android.permission.BLUETOOTH_CONNECT        Required to be able to connect to paired Bluetooth devices.
android.permission.BLUETOOTH_ADVERTISE      Required to be able to advertise to nearby Bluetooth devices.
android.permission.ACCESS_FINE_LOCATION     Allows an app to access precise location.
android.permission.ACCESS_COARSE_LOCATION   Allows an app to access approximate location.
android.permission.WRITE_SETTINGS           Allows an application to read or write the system settings.

(Process and Target columns: N/A for every row. BLUETOOTH_ADVERTISE is listed twice in the report.)
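The permission list above is easier to assess once each entry is placed in its Android protection class: eleven of the twelve distinct permissions are runtime ("dangerous") permissions spread over six prompt groups, and WRITE_SETTINGS is a special-access permission that no runtime prompt can grant. The Python below is an added editorial example, not part of the sandbox output. It extracts permission names from the report rows (or from `aapt dump permissions` lines), drops the repeated BLUETOOTH_ADVERTISE entry, and buckets the rest. The RUNTIME_GROUP and SPECIAL_ACCESS tables are an editorial lookup taken from the AOSP framework manifest and cover only the permissions this report names; anything else is returned as unknown for manual lookup.

```python
"""Classify the permissions an Android sandbox report lists for a sample.

Added editorial example, not sandbox output. RUNTIME_GROUP and SPECIAL_ACCESS
are an editorial lookup taken from the AOSP framework manifest and cover only
the permissions this report names; anything else lands in "unknown".
"""
import re
from collections import OrderedDict

# Runtime ("dangerous") permissions -> permission group. The user is prompted
# once per group, so a grant for one member covers the others (FINE/COARSE).
RUNTIME_GROUP = {
    "android.permission.READ_MEDIA_IMAGES": "READ_MEDIA_VISUAL",  # API 33+ successor to READ_EXTERNAL_STORAGE
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",  # no effect once targetSdk >= 30 (scoped storage)
    "android.permission.CAMERA": "CAMERA",
    # On Android 10+ READ_PHONE_STATE no longer exposes IMEI/MEID/IMSI; those need
    # READ_PRIVILEGED_PHONE_STATE, so getDeviceId() throws for an ordinary app.
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",  # place calls with no dialer confirmation
    "android.permission.BLUETOOTH_ADVERTISE": "NEARBY_DEVICES",  # API 31+
    "android.permission.BLUETOOTH_SCAN": "NEARBY_DEVICES",
    "android.permission.BLUETOOTH_CONNECT": "NEARBY_DEVICES",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
}

# Special app access: not grantable by a runtime prompt. The app has to send the
# user to the matching Settings screen and the user must enable it there.
SPECIAL_ACCESS = {
    "android.permission.WRITE_SETTINGS": "Settings.ACTION_MANAGE_WRITE_SETTINGS",
}

PERM_RE = re.compile(r"android\.permission\.[A-Z_]+")


def extract_permissions(text):
    """Unique permission names in first-seen order, from report rows or `aapt dump permissions` output."""
    return list(OrderedDict.fromkeys(PERM_RE.findall(text)))


def classify(perms):
    """Bucket permission names into runtime groups, special access, and unknown."""
    out = {"runtime": {}, "special": {}, "unknown": []}
    for p in perms:
        if p in RUNTIME_GROUP:
            out["runtime"].setdefault(RUNTIME_GROUP[p], []).append(p)
        elif p in SPECIAL_ACCESS:
            out["special"][p] = SPECIAL_ACCESS[p]
        else:
            out["unknown"].append(p)
    return out


def summarize(text):
    """Triage view: distinct permissions, prompt groups involved, what needs a Settings toggle."""
    perms = extract_permissions(text)
    c = classify(perms)
    return {
        "unique": len(perms),
        "duplicates_dropped": len(PERM_RE.findall(text)) - len(perms),
        "runtime_groups": sorted(c["runtime"]),
        "special": sorted(c["special"]),
        "unknown": c["unknown"],
    }


# Constructed input: the Indicator column of the static1 table above, one name
# per row, including the repeated BLUETOOTH_ADVERTISE entry.
REPORT_ROWS = """
android.permission.READ_MEDIA_IMAGES
android.permission.READ_EXTERNAL_STORAGE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.CAMERA
android.permission.READ_PHONE_STATE
android.permission.CALL_PHONE
android.permission.BLUETOOTH_ADVERTISE
android.permission.BLUETOOTH_SCAN
android.permission.BLUETOOTH_CONNECT
android.permission.BLUETOOTH_ADVERTISE
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.WRITE_SETTINGS
"""

if __name__ == "__main__":
    for k, v in summarize(REPORT_ROWS).items():
        print(f"{k}: {v}")
```

The same functions accept raw `aapt dump permissions sample.apk` output, whose lines look like `uses-permission: name='android.permission.CAMERA'`, so the lookup can be run against the APK itself rather than the report; normal-level permissions such as INTERNET are not in the lookup and come back as unknown.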

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-07 03:28
Reported: 2024-12-07 03:32
Platform: android-x86-arm-20240624-en
Max time kernel: 7s
Max time network: 131s

Command Line

com.olserapratama.pos.staging

Signatures

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Indicator: android.app.IActivityManager.registerReceiver (framework service call; Process and Target: N/A)

Processes

com.olserapratama.pos.staging
  which su  (child process spawned by the app; looks for a su binary on PATH, i.e. a root-detection check)

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       -                                   udp
GB       142.250.180.10:443     -                                   tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53             sessions.bugsnag.com                udp
US       35.190.88.7:443        sessions.bugsnag.com                tcp
GB       142.250.187.206:443    -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       172.217.16.238:443     android.apis.google.com             tcp

Files

/data/data/com.olserapratama.pos.staging/files/device-id

MD5 38f81e2310cbea94de5a95ad022697cc
SHA1 7f60e4b4695c486bf1852e1bd548332362a80f7a
SHA256 102a87f893297ab300385cc63decb2f49e35df17824d9b46ac7b49d770c89220
SHA512 0e3d9373bb04e7d025e417ebbef80d7ce882b5f4b97cd734bcf43c3907079797825314a22b7664ce24479698325612d4ef4bcd5b4b993e0eae6ec59c955313d6

/data/data/com.olserapratama.pos.staging/files/internal-device-id

MD5 fe4fc73fdcbcf783a43821b60cff2f5e
SHA1 7f754c5dd2c444a0e064e9f1f4b574f178f13837
SHA256 baa70ce2ef927b1042f81f50a28e2af899828ba615dcdc95cd723232a7a2e578
SHA512 226cdf6ec0eda906042b9b6a6640132acac5dd34e0d0381fe0491f33a1750b2afcb3c3d668f23ff0cf256f3df0e5846bd2b70127b7ddaeef8bf1e662313689b8

/data/data/com.olserapratama.pos.staging/cache/last-run-info

MD5 94e10e850bf39b9d0a6fef9969739ad4
SHA1 5a9424345b6455d1b84ed73ecdde7eeab7f83ac9
SHA256 da731d687400934bea5e647ed90766710215d2e224d53fd2912f6acbea356d5d
SHA512 8cb6f99259a95a259d7b3d15cd39f8973de6da14ef8691d77e320c71519921da6d8708f7d278b974e2bf5ea5e0854fbd16c31f44462cc36d4b93f9930a4768f0

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-07 03:28
Reported: 2024-12-07 03:32
Platform: android-x64-arm64-20240624-en
Max time kernel: 7s
Max time network: 132s

Command Line

com.olserapratama.pos.staging

Signatures

Loads dropped Dex/Jar

evasion
Indicator: /system_ext/framework/androidx.window.sidecar.jar (reported twice; Process and Target: N/A)

Caveat: the indicator path is on the /system_ext partition, which is mounted read-only and which an unprivileged app cannot write to, so this hit records the app loading a stock framework jar rather than code it dropped into its own data directory. The Files list for this run shows no Dex or Jar under /data/data/com.olserapratama.pos.staging/.

Processes

com.olserapratama.pos.staging

Network

Country  Destination            Domain                              Proto
GB       142.250.180.14:443     -                                   tcp
GB       142.250.180.14:443     -                                   tcp
GB       142.250.180.14:443     -                                   tcp
N/A      224.0.0.251:5353       -                                   udp
US       1.1.1.1:53             android.apis.google.com             udp
GB       172.217.16.238:443     android.apis.google.com             tcp
US       1.1.1.1:53             ssl.google-analytics.com            udp
GB       142.250.200.40:443     ssl.google-analytics.com            tcp
US       1.1.1.1:53             sessions.bugsnag.com                udp
US       35.190.88.7:443        sessions.bugsnag.com                tcp
GB       142.250.200.36:443     -                                   tcp
GB       142.250.200.36:443     -                                   tcp
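The Network tables of behavioral1 and behavioral2 mix four kinds of rows: resolver queries to 1.1.1.1:53, link-local mDNS to 224.0.0.251:5353, TLS connections the sandbox could attribute to a queried name, and TLS connections to 142.250.x.x addresses that carry no domain at all. The Python below is an added editorial example, not sandbox output. It parses both tables as printed (a `-` in the Domain column is treated as no domain), separates the four kinds, counts repeated connections to the same destination, and lists names that were resolved but never connected to in the run, which in behavioral1 is semanticlocation-pa.googleapis.com. The unattributed destinations are the rows an analyst still has to attribute by reverse or passive DNS before any of them is treated as an indicator.

```python
"""Triage the Network table of an Android sandbox run.

Added editorial example, not sandbox output. It splits the table into resolver
queries, local multicast, connections the table attributes to a domain, and
connections it does not, which are the rows an analyst still has to attribute.
"""
import ipaddress
import re
from collections import Counter

# Country  IP:port  [Domain]  Proto, as printed in the report; "-" means no domain.
ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>[A-Za-z0-9.-]+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(table):
    """Parse report rows; the header line and anything unrecognised is skipped."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["port"] = int(row["port"])
        if row["domain"] == "-":
            row["domain"] = None
        rows.append(row)
    return rows


def triage(table):
    """Split one Network table into dns / attributed / unattributed / multicast buckets."""
    dns, attributed, unattributed, multicast = set(), {}, Counter(), set()
    for r in parse_rows(table):
        dest = f'{r["ip"]}:{r["port"]}'
        if ipaddress.ip_address(r["ip"]).is_multicast:
            multicast.add(dest)  # 224.0.0.251:5353 is link-local mDNS, not a C2 indicator
        elif r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            dns.add(r["domain"])  # resolver query; the table does not show the answer
        elif r["domain"]:
            attributed[dest] = r["domain"]
        else:
            unattributed[dest] += 1  # a repeated row is a repeated connection
    return {
        "dns": dns,
        "attributed": attributed,
        "unattributed": dict(unattributed),
        "multicast": multicast,
        # Resolved but never connected to in this run: a name worth a second look.
        "resolved_only": dns - set(attributed.values()),
    }


# Constructed input: the two Network tables from this report, verbatim.
BEHAVIORAL1 = """
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 sessions.bugsnag.com udp
US 35.190.88.7:443 sessions.bugsnag.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
"""

BEHAVIORAL2 = """
Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 sessions.bugsnag.com udp
US 35.190.88.7:443 sessions.bugsnag.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp
"""

if __name__ == "__main__":
    for name, table in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(name, triage(table))
```

Every attributed destination in both runs is Google or Bugsnag infrastructure shared by a great many legitimate apps, so the attributed set is not a blocklist; the value of the split is in the unattributed and resolved-only entries, which are the only rows that still need work.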

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/data/com.olserapratama.pos.staging/files/device-id

MD5 7b8a2db46f005d4321f19ca96a2b3577
SHA1 3eeb2305f9b4231966962c06fa2bf3dbb9e05d9d
SHA256 cbe7689c361e737e87873124fbaf8c5d9c967cc75fea8ffa8b06caf46272756e
SHA512 226ee98cb695151120daf1b0ba5d73da33f2c0cb0cbb6b5a4df6ea319ee758b51f8b9f1fbef1c1ae0e16e99a1e47a8ef50988b2d40a1520195e962270827a7a0

/data/data/com.olserapratama.pos.staging/files/internal-device-id

MD5 69c01963a750d3e68cbce50a5157aab9
SHA1 01d8cb0e998335b69b5e309392a15c70b9d856dc
SHA256 14bf4e7dad6c334e3dea709b54897fc2bc3e8e048601b5de535a608c3fa04b6b
SHA512 401179d96f0ed74fffdcd7db042a5cc9bf30f796ec32196d990be30fc58892cd145bc7c3d0d84ba91f3d13fb5edee2b023dfc00285e1d9f406bb8924b0af5ab7

/data/data/com.olserapratama.pos.staging/cache/last-run-info

MD5 94e10e850bf39b9d0a6fef9969739ad4
SHA1 5a9424345b6455d1b84ed73ecdde7eeab7f83ac9
SHA256 da731d687400934bea5e647ed90766710215d2e224d53fd2912f6acbea356d5d
SHA512 8cb6f99259a95a259d7b3d15cd39f8973de6da14ef8691d77e320c71519921da6d8708f7d278b974e2bf5ea5e0854fbd16c31f44462cc36d4b93f9930a4768f0
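Reading the two Files sections side by side says more than either does alone: device-id and internal-device-id get a fresh hash in every run, so they are generated per-install state, while cache/last-run-info has the same SHA256 in both runs and the framework jar appears only in behavioral2 under a system path the app cannot write. The Python below is an added editorial example, not sandbox output. It parses Files sections in the format printed above (path line followed by digest lines) and sorts paths into stable, volatile, run-specific, and outside-the-app-data-directory. The inputs are the behavioral1 and behavioral2 Files sections trimmed to path and SHA256.

```python
"""Compare the Files artifacts of two sandbox runs of the same sample.

Added editorial example, not sandbox output. A path whose hash is identical in
both runs is static content (candidate embedded payload or fixed config); one
whose hash changes is generated state (random IDs, timestamps). Paths outside
the app's own data directory are listed separately, since an unprivileged app
cannot write to the system partitions.
"""
import re

PATH_RE = re.compile(r"^(?P<path>/\S+)$")
HASH_RE = re.compile(r"^(?P<algo>MD5|SHA1|SHA256|SHA512)\s+(?P<hex>[0-9a-fA-F]+)$")


def parse_files(section):
    """Map path -> {algo: hexdigest} from a Files section as printed in the report."""
    files, current = {}, None
    for raw in section.strip().splitlines():
        line = raw.strip()
        m = PATH_RE.match(line)
        if m:
            current = m.group("path")
            files[current] = {}
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group("algo")] = m.group("hex").lower()
    return files


def compare_runs(run_a, run_b, data_dir):
    """Classify paths by whether their SHA256 is stable across the two runs."""
    a, b = parse_files(run_a), parse_files(run_b)
    common = a.keys() & b.keys()
    return {
        "stable": sorted(p for p in common if a[p].get("SHA256") == b[p].get("SHA256")),
        "volatile": sorted(p for p in common if a[p].get("SHA256") != b[p].get("SHA256")),
        "only_a": sorted(a.keys() - b.keys()),
        "only_b": sorted(b.keys() - a.keys()),
        "outside_data_dir": sorted(p for p in a.keys() | b.keys() if not p.startswith(data_dir)),
    }


APP_DATA_DIR = "/data/data/com.olserapratama.pos.staging/"

# Constructed input: the Files sections of behavioral1 and behavioral2 above,
# trimmed to path and SHA256 (the parser accepts the other digests as well).
RUN1 = """
/data/data/com.olserapratama.pos.staging/files/device-id
SHA256 102a87f893297ab300385cc63decb2f49e35df17824d9b46ac7b49d770c89220
/data/data/com.olserapratama.pos.staging/files/internal-device-id
SHA256 baa70ce2ef927b1042f81f50a28e2af899828ba615dcdc95cd723232a7a2e578
/data/data/com.olserapratama.pos.staging/cache/last-run-info
SHA256 da731d687400934bea5e647ed90766710215d2e224d53fd2912f6acbea356d5d
"""

RUN2 = """
/system_ext/framework/androidx.window.sidecar.jar
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
/data/data/com.olserapratama.pos.staging/files/device-id
SHA256 cbe7689c361e737e87873124fbaf8c5d9c967cc75fea8ffa8b06caf46272756e
/data/data/com.olserapratama.pos.staging/files/internal-device-id
SHA256 14bf4e7dad6c334e3dea709b54897fc2bc3e8e048601b5de535a608c3fa04b6b
/data/data/com.olserapratama.pos.staging/cache/last-run-info
SHA256 da731d687400934bea5e647ed90766710215d2e224d53fd2912f6acbea356d5d
"""

if __name__ == "__main__":
    for k, v in compare_runs(RUN1, RUN2, APP_DATA_DIR).items():
        print(f"{k}: {v}")
```

The stable entry is the one worth pulling from the sandbox and inspecting; the volatile ones are what an install-time identifier looks like across two fresh emulator images, and their hashes should not be reused as indicators.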