Malware Analysis Report

2025-01-19 05:47

Sample ID 241217-12sh2szlgx
Target 03a758801e93a014043a1732a3076dce76c3ecbaa71c098f232524128e4453c1.bin
SHA256 03a758801e93a014043a1732a3076dce76c3ecbaa71c098f232524128e4453c1
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10


Analysis Overview

score
10/10

SHA256

03a758801e93a014043a1732a3076dce76c3ecbaa71c098f232524128e4453c1

Threat Level: Known bad

The file 03a758801e93a014043a1732a3076dce76c3ecbaa71c098f232524128e4453c1.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook family

Hook

Queries the phone number (MSISDN for GSM devices)

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Queries information about the current Wi-Fi connection

Performs UI accessibility actions on behalf of the user

Attempts to obfuscate APK file format

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares broadcast receivers with permission to handle system events

Acquires the wake lock

Reads information about phone network operator.

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

Analysis: static1

Detonation Overview

Reported

2024-12-17 22:09

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-17 22:09

Reported

2024-12-17 22:11

Platform

android-x64-20240910-en

Max time kernel

148s

Max time network

150s

Command Line

com.vytusqlaw.wtturvshm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.vytusqlaw.wtturvshm

Network


Files

/data/data/com.vytusqlaw.wtturvshm/cache/classes.zip

/data/data/com.vytusqlaw.wtturvshm/cache/classes.dex

/data/data/com.vytusqlaw.wtturvshm/app_dex/classes.dex

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-journal

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-shm

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-17 22:09

Reported

2024-12-17 22:11

Platform

android-x64-arm64-20240624-en

Max time kernel

131s

Max time network

160s

Command Line

com.vytusqlaw.wtturvshm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.vytusqlaw.wtturvshm

Network


Files

/data/data/com.vytusqlaw.wtturvshm/cache/classes.zip

/data/data/com.vytusqlaw.wtturvshm/cache/classes.dex

/data/data/com.vytusqlaw.wtturvshm/app_dex/classes.dex

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-journal

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-shm

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-wal

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-17 22:09

Reported

2024-12-17 22:11

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.vytusqlaw.wtturvshm

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.vytusqlaw.wtturvshm

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.vytusqlaw.wtturvshm/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network


Files

/data/data/com.vytusqlaw.wtturvshm/cache/classes.zip

/data/data/com.vytusqlaw.wtturvshm/cache/classes.dex

/data/data/com.vytusqlaw.wtturvshm/app_dex/classes.dex

/data/user/0/com.vytusqlaw.wtturvshm/app_dex/classes.dex

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-journal

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-shm

/data/data/com.vytusqlaw.wtturvshm/no_backup/androidx.work.workdb-wal