Malware Analysis Report

2025-01-19 05:47

Sample ID 241217-1z69eszlaz
Target 7c4c942aa07f3896745dd542d7816dddb964ceca373b3f4df034cc53157abe3f.bin
SHA256 7c4c942aa07f3896745dd542d7816dddb964ceca373b3f4df034cc53157abe3f
Tags: hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 7c4c942aa07f3896745dd542d7816dddb964ceca373b3f4df034cc53157abe3f

Threat Level: Known bad

The file 7c4c942aa07f3896745dd542d7816dddb964ceca373b3f4df034cc53157abe3f.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Queries information about running processes on the device

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Reads information about phone network operator.

Acquires the wake lock

Requests accessing notifications (often used to intercept notifications before users become aware).

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Declares services with permission to bind to the system

Queries information about the current Wi-Fi connection

Attempts to obfuscate APK file format

Schedules tasks to execute at a specified time

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-12-17 22:06

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-17 22:06

Reported

2024-12-17 22:09

Platform

android-x64-arm64-20240624-en

Max time kernel

129s

Max time network

159s

Command Line

com.zglqnizqi.qlygymgcx

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.zglqnizqi.qlygymgcx

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/com.zglqnizqi.qlygymgcx/cache/classes.zip
/data/data/com.zglqnizqi.qlygymgcx/cache/classes.dex
/data/data/com.zglqnizqi.qlygymgcx/app_dex/classes.dex
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-journal
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-shm
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-wal

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-17 22:06

Reported

2024-12-17 22:08

Platform

android-x86-arm-20240624-en

Max time kernel

147s

Max time network

156s

Command Line

com.zglqnizqi.qlygymgcx

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.zglqnizqi.qlygymgcx

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zglqnizqi.qlygymgcx/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.zglqnizqi.qlygymgcx/cache/classes.zip
/data/data/com.zglqnizqi.qlygymgcx/cache/classes.dex
/data/data/com.zglqnizqi.qlygymgcx/app_dex/classes.dex
/data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-journal
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-shm
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-17 22:06

Reported

2024-12-17 22:09

Platform

android-x64-20240624-en

Max time kernel

128s

Max time network

157s

Command Line

com.zglqnizqi.qlygymgcx

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.zglqnizqi.qlygymgcx/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.zglqnizqi.qlygymgcx

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 216.58.213.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

/data/data/com.zglqnizqi.qlygymgcx/cache/classes.zip
/data/data/com.zglqnizqi.qlygymgcx/cache/classes.dex
/data/data/com.zglqnizqi.qlygymgcx/app_dex/classes.dex
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-journal
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-shm
/data/data/com.zglqnizqi.qlygymgcx/no_backup/androidx.work.workdb-wal