Malware Analysis Report

2025-01-19 05:47

Sample ID 241209-15eflatkcz
Target df7c0d32700a5a419de885a2c7a044cbb40d4768b6d8dc5a00f00bcdb7148826.bin
SHA256 df7c0d32700a5a419de885a2c7a044cbb40d4768b6d8dc5a00f00bcdb7148826
Tags
impact hook collection credential_access discovery evasion execution infostealer persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

df7c0d32700a5a419de885a2c7a044cbb40d4768b6d8dc5a00f00bcdb7148826

Threat Level: Known bad

The file df7c0d32700a5a419de885a2c7a044cbb40d4768b6d8dc5a00f00bcdb7148826.bin was found to be: Known bad.

Malicious Activity Summary

impact hook collection credential_access discovery evasion execution infostealer persistence rat trojan

Hook

Hook family

Queries the phone number (MSISDN for GSM devices)

Makes use of the framework's Accessibility service

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Acquires the wake lock

Queries information about the current Wi-Fi connection

Queries the mobile country code (MCC)

Reads information about phone network operator.

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-09 22:13

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-09 22:13

Reported

2024-12-09 22:16

Platform

android-x64-20240910-en

Max time kernel

5s

Max time network

150s

Command Line

com.appd.instll.load

Signatures

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.appd.instll.load

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 216.58.213.2:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-09 22:13

Reported

2024-12-09 22:16

Platform

android-x64-arm64-20240624-en

Max time kernel

11s

Max time network

131s

Command Line

com.appd.instll.load

Signatures

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.appd.instll.load

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-09 22:13

Reported

2024-12-09 22:16

Platform

android-x86-arm-20240910-en

Max time kernel

41s

Max time network

151s

Command Line

com.tencent.mm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 uninstallerplg.cloud udp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 172.217.16.228:80 tcp
GB 172.217.16.228:443 tcp
GB 142.250.200.35:80 tcp

Files

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-journal

MD5 7c14c89927ef61d7b8893fccfbd04409
SHA1 4d20d8ec171279de4c7c31df5fa3d3610da3cb34
SHA256 e6e116275600995760693d95cae2d0d657709b97b3d957950bc7dee33798ae5e
SHA512 0fef1a2bdf44c60e78a175d1a8e4aa82c30b4295285734b8fada6a3b0d098630e65754bef4bf9413e3d9675570c52e81bebb3a9bd0f46a98715617c26381989f

/data/data/com.tencent.mm/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 552a0f1fdc3d0ce9bdd230b92e7bd4c8
SHA1 256574bdc3dbb205321cdb609c61ad894160770c
SHA256 4caba9bfccb365d0ca22cfc25a8d625c4657fa6e49ec58f1c2f881873ed74181
SHA512 10567a6cf80686910f41d31453de675ddeced7c5ebce41bbda6fd1950817f44cf8e12b64a07603a277365f33d8dac76e609d6b07a6424d795a0baa7b3e954e0c

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 d315a46c569b86a4d7ea23dfdd2db10d
SHA1 f5cdd30cf03f7b78567f6a1b1c444025f1983afe
SHA256 d73c6099ac646c415e26f17b674360d0d5b1f40da8c1ce0d6676741bdf5ce27c
SHA512 d81cfeb27ead789303a1033d95dfe06bab3ecb9741d6ef0bc675ab98bc8230fe2dcdffabf8cfb0cb667c2627d6a64d21cc7c96a4e5c8bf3cf7756d8af29b2ec8

/data/data/com.tencent.mm/no_backup/androidx.work.workdb-wal

MD5 1bbee5960f55f9196321fce2621745ac
SHA1 3f3304ff5f67453f0c54b7c09ceb6766c5b4e96f
SHA256 2304ad34d58a9c19439941de370d67ebf1b68db0ea5e7daebb1e9a99f6ee637e
SHA512 9611d3d3a2215d5881b6442c70d27a04b09b4a03967b40b00d10af8da8a41dd7d3ad4b813dc66472e392868f67441c68fc097f906b7fd4e683d235805abfa907

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-09 22:13

Reported

2024-12-09 22:16

Platform

android-x86-arm-20240910-en

Max time kernel

6s

Max time network

151s

Command Line

com.appd.instll.load

Signatures

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.appd.instll.load

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.187.226:443 tcp

Files

N/A