Malware Analysis Report

2025-01-19 05:47

Sample ID 241221-159aza1qgp
Target a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba.bin
SHA256 a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba

Threat Level: Known bad

The file a1cb4730227e27f7d6bd7b6782a31908d885df663cd13e2899b7bda43ec846ba.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook family

Hook

Obtains sensitive information copied to the device clipboard

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Queries information about running processes on the device

Loads dropped Dex/Jar

Makes use of the framework's Accessibility service

Attempts to obfuscate APK file format

Acquires the wake lock

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Requests accessing notifications (often used to intercept notifications before users become aware).

Queries the mobile country code (MCC)

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-21 22:15

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-21 22:15

Reported

2024-12-21 22:17

Platform

android-x86-arm-20240910-en

Max time kernel

149s

Max time network

151s

Command Line

com.pzvoxzxip.lxaqztnyy

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description | Indicator | Process | Target
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.pzvoxzxip.lxaqztnyy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 172.217.169.10:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.200.2:443 | | tcp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.pzvoxzxip.lxaqztnyy/cache/classes.zip

MD5 98271965746cab6898a39acb0dbfe86d
SHA1 4e04abe94c3969fa52b702cecda02bba9f6bcd68
SHA256 5aa8e63f609805ed76ab1778cb66a4cd4b6d7d918b9fa182b2f8651a377de41c
SHA512 de0dc4384269a25430d6d12725f9d91c8a862543695f6f820424dcdebc3f0d3c4499b0884164e3b910efc779f6abe2d4656a63ab2859d8148bb747e975aff73a

/data/data/com.pzvoxzxip.lxaqztnyy/cache/classes.dex

MD5 913964c71b809c94b494db6b94bc56ec
SHA1 3191a872bada4c0910aa79b27337eceb2ac06127
SHA256 6f83e35e4b0b5bb8001d6d0e097b6ffae7911c36d59467206d9d589ee2a28067
SHA512 f632004c155babdc6799f5b2d9ca888819d3967df2d8e629fb2a71458c5d3150e33331d8f1566c575f0d9b4e3255fb8d212da58a0b9534edcb673c70686b8fac

/data/data/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex

MD5 c5f2d438a38147bd5039b536bb820c61
SHA1 e43c6378765fdf298ff5c01332004492f2916077
SHA256 66ab822f0ca23ddb477e6e5c8e4aeed9fc18d6ea5fd17951b55930956108267e
SHA512 e234916c9f9a4ed6f86f86c640734bc2ec1c620d67f69df624148d313254064c7da3b888a7919bc5723e2e782fe229b3e52da4113348d3cb99e0f8d76be49849

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-journal

MD5 af2a705a6b3b042050ba72fc9265ce77
SHA1 28ab19735cf2d7b57fc4ca666b72bc9fd5c64b2a
SHA256 ce88274c7d19ae97928dd25efe7cbf9a76b042a02038bd2811fa4c63a1a88a4e
SHA512 df8e2583d00edbbad3728581925b4219b929b19b52cf2c82a9b8f7dd917269076a32b1ccb4218a9501e08e29a125a6b86ea6ef7f763e5840e68a9bff35339300

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 3c46828ff6ce604c9c69c9bf37890f24
SHA1 e4301980d8934a6a903c0b15b155d99185b717ae
SHA256 89f97d96217704f5ee9e298e8f4812a7f917462e5e9a766b8b306c930f3c65df
SHA512 01609cf5a663a11d4a67b66cf4cc70cb45116262e49ce254dbba49818e4855cae443ad7e05885b5390b8a9e08fb56304640a2826cea027f20c7aa1e144d9f8f0

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 723a4f3744380630d6756a423f75aeef
SHA1 bb94647618e004613ff6817e5be98b4375a4a20d
SHA256 2f21b2bd5d19445f70c652700815dea542b95226c55f2ca73deac643e649eedf
SHA512 2d39a74d799994bf122e49e583441aa55beeb4b34d0c73ad1e987547378f6c6292d8a2d0ac212a10431325da3b73103e3e39d946c090f2a065ee7570e2a44152

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 c413b1386e04741b3b75e29950982137
SHA1 a8a3d7cd9f2c123fd88881dadded625c32a0f815
SHA256 0f1b46c12ee24cf5672af2254eab65f9658c1ddb4b49e38e41c1371d1b026b41
SHA512 36070d7b4cd95f533a749b7c2f8b9d6d31940ed69d76b49a04a9a8f539aaddce494c37b64babf747c033cd8b73aeace8ff6df397eda895c845befbce5729e92a

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-21 22:15

Reported

2024-12-21 22:17

Platform

android-x64-20240910-en

Max time kernel

37s

Max time network

151s

Command Line

com.pzvoxzxip.lxaqztnyy

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.pzvoxzxip.lxaqztnyy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.206:443 | | tcp
GB | 216.58.212.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.78:443 | android.apis.google.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 142.250.187.194:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp

Files

/data/data/com.pzvoxzxip.lxaqztnyy/cache/classes.zip

MD5 98271965746cab6898a39acb0dbfe86d
SHA1 4e04abe94c3969fa52b702cecda02bba9f6bcd68
SHA256 5aa8e63f609805ed76ab1778cb66a4cd4b6d7d918b9fa182b2f8651a377de41c
SHA512 de0dc4384269a25430d6d12725f9d91c8a862543695f6f820424dcdebc3f0d3c4499b0884164e3b910efc779f6abe2d4656a63ab2859d8148bb747e975aff73a

/data/data/com.pzvoxzxip.lxaqztnyy/cache/classes.dex

MD5 913964c71b809c94b494db6b94bc56ec
SHA1 3191a872bada4c0910aa79b27337eceb2ac06127
SHA256 6f83e35e4b0b5bb8001d6d0e097b6ffae7911c36d59467206d9d589ee2a28067
SHA512 f632004c155babdc6799f5b2d9ca888819d3967df2d8e629fb2a71458c5d3150e33331d8f1566c575f0d9b4e3255fb8d212da58a0b9534edcb673c70686b8fac

/data/data/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex

MD5 c5f2d438a38147bd5039b536bb820c61
SHA1 e43c6378765fdf298ff5c01332004492f2916077
SHA256 66ab822f0ca23ddb477e6e5c8e4aeed9fc18d6ea5fd17951b55930956108267e
SHA512 e234916c9f9a4ed6f86f86c640734bc2ec1c620d67f69df624148d313254064c7da3b888a7919bc5723e2e782fe229b3e52da4113348d3cb99e0f8d76be49849

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-journal

MD5 868709ae725323ddc326eda4b1ef15d9
SHA1 3f32dbd0293a6c282857bef36bfa2651c35f9b0f
SHA256 e76c7f57a29be7e7249e07c680f538a31187d8e886b1ad9ff32f4deb1401d8ee
SHA512 18e59fe46ab3329816ce4b25eb8fc0253391273b92c94937559d4853aa3cc289d9a76cf82beeaf9953e879b05d3ebf9c7b46fb8df1abbfabe01b248607da0107

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 b7d0fd3556c8680cf7facf2e4f7ccac6
SHA1 8ff22841b622209480e7ceb056d4ebfb9a60e98b
SHA256 0df33684175141d291a8c548212191647a6579b6b1b618e985722e68779f08b3
SHA512 d2807b23d1f1e1801ba01aedf288a1ac7e08b521f30e570c5a1fe88054f8d4477b97d040a1ba7075584ec2b8f6d51c30459d3628e8ea33fcc872eaf3e25db303

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 1a31ba81cabb6abf2fa789bb756abdda
SHA1 7f1572f0a4562983f77da6df67a56d466eff4740
SHA256 48f04815f0ffc8ba52577d9c60d8f7e442cd65bf03cee53fd712ec5bbf0f1ab8
SHA512 94c0bcae5ff7f0a96643df62e194315cfdf6f718b821bbf4755b4c8d1bd634f72ca4d1779c251019819d258ddb091f8259bef09d9bd097bdd2ede3551cd00013

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 d0ddc8eda967804b5b64c02a145f12fa
SHA1 4661dd00aa7c088de8486978a764183d6f58faf8
SHA256 6a6c7dcd145f5526aae29d6ee74bef35245b2297382c2c79cd76b7ea7c59d6b8
SHA512 56b890d0c3880cc0eff8a8ac54c9f5a7630afdde79e909b9bd27b81b17c4163ff215a51fc14e1ac22e7cd5295f4cade4e791ec6c42833e6486e9ca2ff2940f29

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-21 22:15

Reported

2024-12-21 22:17

Platform

android-x64-arm64-20240624-en

Max time kernel

129s

Max time network

158s

Command Line

com.pzvoxzxip.lxaqztnyy

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex | N/A | N/A
N/A | /data/user/0/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Performs UI accessibility actions on behalf of the user

evasion
Description | Indicator | Process | Target
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A
N/A | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description | Indicator | Process | Target
Framework service call | android.app.job.IJobScheduler.schedule | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.pzvoxzxip.lxaqztnyy

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.178.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
US | 154.216.20.102:80 | 154.216.20.102 | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.pzvoxzxip.lxaqztnyy/cache/classes.zip

MD5 98271965746cab6898a39acb0dbfe86d
SHA1 4e04abe94c3969fa52b702cecda02bba9f6bcd68
SHA256 5aa8e63f609805ed76ab1778cb66a4cd4b6d7d918b9fa182b2f8651a377de41c
SHA512 de0dc4384269a25430d6d12725f9d91c8a862543695f6f820424dcdebc3f0d3c4499b0884164e3b910efc779f6abe2d4656a63ab2859d8148bb747e975aff73a

/data/data/com.pzvoxzxip.lxaqztnyy/cache/classes.dex

MD5 913964c71b809c94b494db6b94bc56ec
SHA1 3191a872bada4c0910aa79b27337eceb2ac06127
SHA256 6f83e35e4b0b5bb8001d6d0e097b6ffae7911c36d59467206d9d589ee2a28067
SHA512 f632004c155babdc6799f5b2d9ca888819d3967df2d8e629fb2a71458c5d3150e33331d8f1566c575f0d9b4e3255fb8d212da58a0b9534edcb673c70686b8fac

/data/data/com.pzvoxzxip.lxaqztnyy/app_dex/classes.dex

MD5 c5f2d438a38147bd5039b536bb820c61
SHA1 e43c6378765fdf298ff5c01332004492f2916077
SHA256 66ab822f0ca23ddb477e6e5c8e4aeed9fc18d6ea5fd17951b55930956108267e
SHA512 e234916c9f9a4ed6f86f86c640734bc2ec1c620d67f69df624148d313254064c7da3b888a7919bc5723e2e782fe229b3e52da4113348d3cb99e0f8d76be49849

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-journal

MD5 ccfe87b09f7a8a0ba271f095cb04ab27
SHA1 81f19dc8f284be641dbf5972399a9df667ed4424
SHA256 0d76e389afe67b57f98789768c2bb90c47f2a1d6218f38ec8ba2da0e032fb3f8
SHA512 5d2dba5aeedfcd3e4b19b58ed5ec606b3561d69bea902116c93f80561498ce4f37924aff7cb2c7402928add21affcec104946267ea6273f89d0a6fca1460c48d

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 823f213253cb4c51228834281fbd37c6
SHA1 3542d55c018e8f79961170ce8c4586b0f306af37
SHA256 be2475f51f6ae3ed10d796fa3031a4f452427b83e744e7045e6c8a18feff462c
SHA512 67f862080754883bede8bf7d7b6061bc07412153b3a37c1e09a36e6e36f0d5dcfb6bcc3be2fc9613e1112b9d9e64a696d93904d6bcd04db692e92f5238c38f35

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 556c179ead33fd83daaf88c78cf5c817
SHA1 b4eaa7768d65090344ff6d301c277dec6ed6261f
SHA256 bec865ff6aa9525578e6d2df7036111d7990e0d1fcc0ebce72fcbb03abf17809
SHA512 66409cf5d0c3a1e68359db7185cafce1a4b0183d28786c4c72d54a06456db4ac8b204c5c5a34ca55d4670edd5652faacdf7b4b0e0eb46b1ea079291f9649721f

/data/data/com.pzvoxzxip.lxaqztnyy/no_backup/androidx.work.workdb-wal

MD5 b690cc1cb92a2fc72065a76b6d6a23c6
SHA1 d105a4420a5f52c0972014903a74c8c94778061f
SHA256 cd5c6976113739add311b0537e88f979f286ce5066b1eea5859ffe37cac12b8e
SHA512 8685c375e170b0c9f06317454288c39555a3e338a29bc69735ea53089ebcf857791382f368dbe98cfa83172e5908d9a14f81d3c3a4fef1635dc0e23f2eedf31f