Malware Analysis Report

2025-01-19 05:47

Sample ID 241217-12p3xszlgs
Target 18209e2ed12689cdfe0caf5bc69eead832d1c260c4c99728ab3eed8773d9e091.bin
SHA256 18209e2ed12689cdfe0caf5bc69eead832d1c260c4c99728ab3eed8773d9e091
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

SHA256

18209e2ed12689cdfe0caf5bc69eead832d1c260c4c99728ab3eed8773d9e091

Threat Level: Known bad

The file 18209e2ed12689cdfe0caf5bc69eead832d1c260c4c99728ab3eed8773d9e091.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook family

Hook

Obtains sensitive information copied to the device clipboard

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Acquires the wake lock

Reads information about the phone network operator

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

Declares services with permission to bind to the system

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-12-17 22:08

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-17 22:08

Reported

2024-12-17 22:11

Platform

android-x86-arm-20240910-en

Max time kernel

148s

Max time network

151s

Command Line

com.epaxlsgbr.dbpiiqbqz

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.epaxlsgbr.dbpiiqbqz/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.epaxlsgbr.dbpiiqbqz

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.epaxlsgbr.dbpiiqbqz/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.epaxlsgbr.dbpiiqbqz/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 154.216.20.102:80 154.216.20.102 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 172.217.16.228:80 tcp
GB 172.217.16.228:443 tcp
GB 142.250.200.35:80 tcp
GB 216.58.212.234:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/com.epaxlsgbr.dbpiiqbqz/cache/classes.zip

/data/data/com.epaxlsgbr.dbpiiqbqz/cache/classes.dex

/data/data/com.epaxlsgbr.dbpiiqbqz/app_dex/classes.dex

/data/user/0/com.epaxlsgbr.dbpiiqbqz/app_dex/classes.dex

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-journal

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-shm

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-17 22:08

Reported

2024-12-17 22:11

Platform

android-x64-20240910-en

Max time kernel

37s

Max time network

158s

Command Line

com.epaxlsgbr.dbpiiqbqz

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.epaxlsgbr.dbpiiqbqz/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about the phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.epaxlsgbr.dbpiiqbqz

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 154.216.20.102:80 154.216.20.102 tcp
GB 216.58.212.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
GB 142.250.187.194:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 g.tenor.com udp

Files

/data/data/com.epaxlsgbr.dbpiiqbqz/cache/classes.zip

/data/data/com.epaxlsgbr.dbpiiqbqz/cache/classes.dex

/data/data/com.epaxlsgbr.dbpiiqbqz/app_dex/classes.dex

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-journal

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-shm

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-17 22:08

Reported

2024-12-17 22:11

Platform

android-x64-arm64-20240624-en

Max time kernel

149s

Max time network

159s

Command Line

com.epaxlsgbr.dbpiiqbqz

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.epaxlsgbr.dbpiiqbqz/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about the phone network operator

discovery

Requests access to notifications (often used to intercept notifications before the user becomes aware of them)

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.epaxlsgbr.dbpiiqbqz

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
US 154.216.20.102:80 154.216.20.102 tcp
GB 142.250.187.228:443 tcp

Files

/data/data/com.epaxlsgbr.dbpiiqbqz/cache/classes.zip

/data/data/com.epaxlsgbr.dbpiiqbqz/cache/classes.dex

/data/data/com.epaxlsgbr.dbpiiqbqz/app_dex/classes.dex

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-journal

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-shm

/data/data/com.epaxlsgbr.dbpiiqbqz/no_backup/androidx.work.workdb-wal