Malware Analysis Report

2025-01-19 05:48

Sample ID 241209-15dt3atkcy
Target 66145c6b08f24572a5008caf842ec07c31f9d3db35b019df18438b693222e171.bin
SHA256 66145c6b08f24572a5008caf842ec07c31f9d3db35b019df18438b693222e171
Tags
hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

66145c6b08f24572a5008caf842ec07c31f9d3db35b019df18438b693222e171

Threat Level: Known bad

The file 66145c6b08f24572a5008caf842ec07c31f9d3db35b019df18438b693222e171.bin was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Acquires the wake lock

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-09 22:13

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to write and read the user's call log data. android.permission.WRITE_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-09 22:13

Reported

2024-12-09 22:16

Platform

android-x86-arm-20240624-en

Max time kernel

42s

Max time network

128s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 uninstallerplg.cloud udp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.178.10:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 09aa12d15729938bffeb7b4ef71d8aaf
SHA1 0d3ef0bf1d62c67e49d7ba5951bd728c6a30112f
SHA256 639b319e183c246eac09113dc25d78a373302c03072405b79ddc5c4d6848e02b
SHA512 10429738d552e9edef347aab2708288d14195f689b6d3b2532d8d950be9149ceec24a7b61d2108cabe34b73ccd812d7ab99ad33a0d443d7bfad1607dc39ab415

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 e1595d89439d098f748485ef9edd2e90
SHA1 85a4c5d060108087e6b6e6b420429a390b6298d0
SHA256 f2b701058070a8c9ab726744a923f6effe018791da2880a78600319614e96efd
SHA512 af0567067a0cc54bb5babd00ec7adb6f1a2417f9b1413e5f5cde6e5020f932580e81db8824f8dc8cce7ab450c1260d003c3d7fe5dd4ff481b4f1e9d79671832b

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 36f4dc56548a76f758795ab7775cb2db
SHA1 1623b86abd6e0c3ebf564a951221b774be5a5c8b
SHA256 0628c511a69ed54fd8ab073df46183d83867d57389eb03bd84b5d959f75dbf17
SHA512 a21bb9e07ded84d9b41563920a95d1a1c7dc607c2bd4b05807e761f43b366d31b523222b5d81e35715df6ca3265c239f1e5e632b511d6951f4e7666d665404e2

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 ded2892c6b5f09359952471e9e3509b2
SHA1 7d1869ecec33048e048c22ea8df169de462d5dd5
SHA256 bb9acaf063b0a8cb5c10148ec69a113ff53b66dc2ea3fed14b205c41bb37db8b
SHA512 45d0a764ed4692c3cfec8fab74ad3e330a8c6ec0b6019f0e66af143dbb2054a929e87173c7bcc19cb40b9be3d71ff6e3929bc4b445f67d499455168d5fa4ecf2