Malware Analysis Report

2025-01-19 05:47

Sample ID 241216-npt5wszmak
Target deper.apk
SHA256 2da377529967c57cf738206ad5a1414485658daf7c26e66a6c474b165442f1b6
Tags

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Score

10/10


Analysis Overview

Score

10/10

SHA256

2da377529967c57cf738206ad5a1414485658daf7c26e66a6c474b165442f1b6

Threat Level: Known bad

The file deper.apk was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook family

Hook

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Acquires the wake lock

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator

Attempts to obfuscate APK file format

Queries information about the current Wi-Fi connection

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-16 11:34

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-16 11:34

Reported

2024-12-16 11:37

Platform

android-x86-arm-20240624-en

Max time kernel

25s

Max time network

132s

Command Line

com.ygkaxidkh.ffldaorgq

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ygkaxidkh.ffldaorgq

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | rocketstylebuildinftoday.online | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.179.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rocketstylebuildinftoday.xyz | udp
US | 1.1.1.1:53 | rocketstylebuildinftoday.icu | udp
US | 1.1.1.1:53 | rocketstylebuildinftoday.live | udp
NL | 178.62.201.34:80 | rocketstylebuildinftoday.live | tcp
US | 1.1.1.1:53 | rocketstylebuildinftoday.shop | udp
NL | 178.62.201.34:80 | rocketstylebuildinftoday.shop | tcp
NL | 178.62.201.34:80 | rocketstylebuildinftoday.shop | tcp
NL | 178.62.201.34:80 | rocketstylebuildinftoday.shop | tcp
NL | 178.62.201.34:80 | rocketstylebuildinftoday.shop | tcp

Files

/data/data/com.ygkaxidkh.ffldaorgq/cache/classes.zip

/data/data/com.ygkaxidkh.ffldaorgq/cache/classes.dex

/data/data/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex

/data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-journal

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-shm

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-16 11:34

Reported

2024-12-16 11:37

Platform

android-x64-20240624-en

Max time kernel

23s

Max time network

156s

Command Line

com.ygkaxidkh.ffldaorgq

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ygkaxidkh.ffldaorgq

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | rocketstylebuildinftoday.online | udp
US | 1.1.1.1:53 | rocketstylebuildinftoday.xyz | udp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rocketstylebuildinftoday.icu | udp
US | 1.1.1.1:53 | rocketstylebuildinftoday.live | udp
US | 104.131.68.180:80 | rocketstylebuildinftoday.live | tcp
US | 1.1.1.1:53 | rocketstylebuildinftoday.shop | udp
SG | 45.77.249.79:80 | rocketstylebuildinftoday.shop | tcp
SG | 45.77.249.79:80 | rocketstylebuildinftoday.shop | tcp
SG | 45.77.249.79:80 | rocketstylebuildinftoday.shop | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
US | 104.131.68.180:80 | rocketstylebuildinftoday.shop | tcp

Files

/data/data/com.ygkaxidkh.ffldaorgq/cache/classes.zip

/data/data/com.ygkaxidkh.ffldaorgq/cache/classes.dex

/data/data/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-journal

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-shm

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

/data/data/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-16 11:34

Reported

2024-12-16 11:37

Platform

android-x64-arm64-20240624-en

Max time kernel

22s

Max time network

132s

Command Line

com.ygkaxidkh.ffldaorgq

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ygkaxidkh.ffldaorgq

Network

Country | Destination | Domain | Proto
GB | 216.58.212.238:443 | | tcp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
US | 1.1.1.1:53 | rocketstylebuildinftoday.online | udp
US | 1.1.1.1:53 | rocketstylebuildinftoday.xyz | udp
US | 1.1.1.1:53 | rocketstylebuildinftoday.icu | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | rocketstylebuildinftoday.live | udp
SG | 45.77.249.79:80 | rocketstylebuildinftoday.live | tcp
US | 1.1.1.1:53 | rocketstylebuildinftoday.shop | udp
NL | 178.62.201.34:80 | rocketstylebuildinftoday.shop | tcp
NL | 178.62.201.34:80 | rocketstylebuildinftoday.shop | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
NL | 178.62.201.34:80 | rocketstylebuildinftoday.shop | tcp
SG | 45.77.249.79:80 | rocketstylebuildinftoday.shop | tcp

Files

/data/user/0/com.ygkaxidkh.ffldaorgq/cache/classes.zip

/data/user/0/com.ygkaxidkh.ffldaorgq/cache/classes.dex

/data/user/0/com.ygkaxidkh.ffldaorgq/app_dex/classes.dex

/data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-journal

/data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb

/data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-shm

/data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

/data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal

/data/user/0/com.ygkaxidkh.ffldaorgq/no_backup/androidx.work.workdb-wal