Analysis Overview
SHA256
f14401a7900d0f1ea431c4046bdb39c3685ea4d909dd97b135c3f9ee919ad35a
Threat Level: Known bad
The file 5d75e747ee6c22e97bb8b6583c613c89.bin was found to be: Known bad.
Malicious Activity Summary
Ahmyth family
Removes its main activity from the application launcher
Obtains sensitive information copied to the device clipboard
Requests accessing notifications (often used to intercept notifications before users become aware).
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-08 01:20
Signatures
Ahmyth family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-08 01:20
Reported
2024-12-08 01:23
Platform
android-x86-arm-20240624-en
Max time kernel
7s
Max time network
133s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Requests accessing notifications (often used to intercept notifications before users become aware).
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.202:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| SE | 51.20.2.165:3001 | 51.20.2.165 | tcp |
| SE | 51.20.2.165:3001 | 51.20.2.165 | tcp |
| GB | 142.250.200.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 216.58.201.106:443 | semanticlocation-pa.googleapis.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-08 01:20
Reported
2024-12-08 01:23
Platform
android-x64-20240624-en
Max time kernel
7s
Max time network
156s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| SE | 51.20.2.165:3001 | 51.20.2.165 | tcp |
| SE | 51.20.2.165:3001 | 51.20.2.165 | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.36:443 | tcp | |
| GB | 142.250.200.36:443 | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-08 01:20
Reported
2024-12-08 01:23
Platform
android-x64-arm64-20240624-en
Max time kernel
13s
Max time network
136s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Requests accessing notifications (often used to intercept notifications before users become aware).
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A |
Processes
com.etechd.l3mon
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.212.238:443 | tcp | |
| GB | 216.58.212.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.46:443 | android.apis.google.com | tcp |
| SE | 51.20.2.165:3001 | 51.20.2.165 | tcp |
| SE | 51.20.2.165:3001 | 51.20.2.165 | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.228:443 | tcp | |
| GB | 142.250.187.228:443 | tcp |