Analysis Overview
SHA256
bce898587f683c70ea12b8612dd9dc1f791fa748e7c1f4584f4afb2009a1e135
Threat Level: Known bad
The file bce898587f683c70ea12b8612dd9dc1f791fa748e7c1f4584f4afb2009a1e135.apk was found to be: Known bad.
Malicious Activity Summary
Ahmyth family
Removes its main activity from the application launcher
Obtains sensitive information copied to the device clipboard
Requests accessing notifications (often used to intercept notifications before users become aware).
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-07 03:15
Signatures
Ahmyth family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-07 03:15
Reported
2024-12-07 03:18
Platform
android-x86-arm-20240624-en
Max time kernel
7s
Max time network
137s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Requests accessing notifications (often used to intercept notifications before users become aware).
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.213.10:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | weeb.rocks | udp |
| US | 198.199.74.62:22222 | weeb.rocks | tcp |
| US | 198.199.74.62:22222 | weeb.rocks | tcp |
| GB | 142.250.200.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-07 03:15
Reported
2024-12-07 03:18
Platform
android-x64-20240624-en
Max time kernel
7s
Max time network
135s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | weeb.rocks | udp |
| US | 198.199.74.62:22222 | weeb.rocks | tcp |
| US | 198.199.74.62:22222 | weeb.rocks | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.179.228:443 | tcp | |
| GB | 142.250.179.228:443 | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-07 03:15
Reported
2024-12-07 03:18
Platform
android-x64-arm64-20240624-en
Max time kernel
13s
Max time network
136s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Requests accessing notifications (often used to intercept notifications before users become aware).
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | tcp | |
| GB | 142.250.180.14:443 | tcp | |
| GB | 142.250.180.14:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | weeb.rocks | udp |
| US | 198.199.74.62:22222 | weeb.rocks | tcp |
| US | 198.199.74.62:22222 | weeb.rocks | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.36:443 | tcp | |
| GB | 142.250.200.36:443 | tcp |