Malware Analysis Report

2025-01-19 05:47

Sample ID 241224-11dcqsymfw
Target 5cc82c445bd3caa9da02fdd8e6f9d06211a823db9f39f94ee201e0ab47ee55fa.bin
SHA256 5cc82c445bd3caa9da02fdd8e6f9d06211a823db9f39f94ee201e0ab47ee55fa
Tags
hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256

5cc82c445bd3caa9da02fdd8e6f9d06211a823db9f39f94ee201e0ab47ee55fa

Threat Level: Known bad

The file 5cc82c445bd3caa9da02fdd8e6f9d06211a823db9f39f94ee201e0ab47ee55fa.bin was found to be: Known bad.

Malicious Activity Summary

hook banker collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Obtains sensitive information copied to the device clipboard

Makes use of the framework's Accessibility service

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Loads dropped Dex/Jar

Queries information about running processes on the device

Queries the phone number (MSISDN for GSM devices)

Attempts to obfuscate APK file format

Makes use of the framework's foreground persistence service

Requests accessing notifications (often used to intercept notifications before users become aware).

Acquires the wake lock

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Requests dangerous framework permissions

Reads information about phone network operator.

Declares services with permission to bind to the system

Performs UI accessibility actions on behalf of the user

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-24 22:06

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-24 22:06

Reported

2024-12-24 22:09

Platform

android-x86-arm-20240910-en

Max time kernel

147s

Max time network

158s

Command Line

com.nwybcynna.hukmpcfas

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Requests accessing notifications (often used to intercept notifications before users become aware).

collection credential_access
Description Indicator Process Target
Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.nwybcynna.hukmpcfas

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.nwybcynna.hukmpcfas/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.187.227:80 tcp
GB 142.250.179.228:443 tcp
US 154.216.20.102:80 tcp

Files

/data/data/com.nwybcynna.hukmpcfas/cache/classes.zip

MD5 400eb1ea3f0c5e3b8953b4d2203d117d
SHA1 0f95e89686033b44baba9439a1d9ad8441bf18a7
SHA256 ffe6105f59b7e3f44f578df8fb563ee6c17fc19a2d945dcc3e097283fbd9d3f9
SHA512 2d548f80b351c4921761eb7658a8233f92fb7719ff9e6035fa54300073ec59dba5f68b6205ee3cf502a0daf2a35cef535922882c96c2050773edf1ce6ba8c662

/data/data/com.nwybcynna.hukmpcfas/cache/classes.dex

MD5 d6dc3bd7afc7c7110661697f450b3d36
SHA1 729429de933755ad7a06382e0b43f50163d0f986
SHA256 80cd42115a61ad9bb1d0a6e6431bbb5fa3500c2862a04e52fc107f8d81090c1c
SHA512 25c1a21cbab20a4e045da5968e20b188d207109fbdb385196ca64cd16d9f49c5542453d30ab2d1bfc1040487e0046fa0e5c908b423ec0dbf986f76449586a804

/data/data/com.nwybcynna.hukmpcfas/app_dex/classes.dex

MD5 a5f6abd47e42ea2ffbe99d78fda1ad4f
SHA1 39a0109499ee5cc44accbfefd80bb192058e571e
SHA256 7c3d47dfd938e2f38e782bbe82ea7f484660034f62f6fb4ddea0b891b3991019
SHA512 d3efe6f2a3454700db6ff2b02d4b765d3e3e0e7764854cabb68166e6c5b85086f80643698394177577a1c3aa6f4203989f98d94ddbebb95809773cefd4c90b5e

/data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex

MD5 6da1a8b7bb5ba8b21a4b6a14bf6199b3
SHA1 80ab9939b3c3da496f7c4bc4fd4fb4e1edd32678
SHA256 d79305fd375bccaca41583cd10f3ddaad0301002f25f356a12596f19c30ceac6
SHA512 df0daaa8a9dbab299305abdfbefc16cfe8ce3d72d3c0a3c9e6c807fe644f0ef0e5641f8bf7de33957266b978e071adcaf93e5e7a2257ff4daadbafe8d3f71fe8

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-journal

MD5 2d51c16fde032bfaf2c66b0a9890cdc0
SHA1 5be5ab0ca3d315153877ed9b14581fbe231e30f1
SHA256 4a315978760450bfc819e117e937578e15718adc95ae7273af7971af44c04329
SHA512 9f3c7ba1306cfb03ca98cffd0dcb7767db4470afacdbcb70982b18eba455e75a44a38dfe95dd451961142f5414d97261e7666b2d547cafc8e020e0bee5771060

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 77f743c657a6c8368e5a464f9e20fdee
SHA1 ce41a6d75b6eb127abab1a4a201a3cf613a86dbb
SHA256 a45e4cc65b73bded3dd38e4f0f32e247b657c5ffdb7e09e759260e26a3a5fbd7
SHA512 d4f96cae703b869b2b7504943b2dc4bfd65ed658366f6fef750868aa30b68d372d18a7ba30a9fe663523fec804dcc28649e878b0f3fb60a49670130c48e2be01

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 c892dec6f1f87709b124b91276641f0a
SHA1 ea2b9d6567897ca99261d74b691c3fdd328a4cbc
SHA256 941bf46993d7b7062be66f80624dc72b09e32f3392070b86024a6f312c7f17e5
SHA512 a4ba068fbb1e9647229d6efb7a2dda77dc286fb3c5bb6692d648b55a172ae6f65360990a71bfacc38210420b4033b32b99bb959a67705dd42ad05f370cabbb82

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 82f4289b41546a7a836b49d645fcb318
SHA1 1755857432fdb63ac8e6699fedd40388e71d884a
SHA256 d392a89bfa8422119bb73eacab5d08cd91f8296ebe54b5e3eded2a50e50c39f1
SHA512 80d5081f0bf5cec15a86c6a6571d9fe3b2733c4b5de61fedadf7fd3b4a36ed724f203cfb6deca70acbf9d9d311a8026ead0896bbef4911683d9fa4fb1a6ec65b

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-24 22:06

Reported

2024-12-24 22:09

Platform

android-x64-20240910-en

Max time kernel

37s

Max time network

152s

Command Line

com.nwybcynna.hukmpcfas

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.nwybcynna.hukmpcfas

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 142.250.187.234:443 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 154.216.20.102:80 154.216.20.102 tcp
GB 142.250.178.14:443 tcp
GB 216.58.201.98:443 tcp
US 1.1.1.1:53 g.tenor.com udp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
GB 142.250.187.234:443 g.tenor.com tcp

Files

/data/data/com.nwybcynna.hukmpcfas/cache/classes.zip

MD5 400eb1ea3f0c5e3b8953b4d2203d117d
SHA1 0f95e89686033b44baba9439a1d9ad8441bf18a7
SHA256 ffe6105f59b7e3f44f578df8fb563ee6c17fc19a2d945dcc3e097283fbd9d3f9
SHA512 2d548f80b351c4921761eb7658a8233f92fb7719ff9e6035fa54300073ec59dba5f68b6205ee3cf502a0daf2a35cef535922882c96c2050773edf1ce6ba8c662

/data/data/com.nwybcynna.hukmpcfas/cache/classes.dex

MD5 d6dc3bd7afc7c7110661697f450b3d36
SHA1 729429de933755ad7a06382e0b43f50163d0f986
SHA256 80cd42115a61ad9bb1d0a6e6431bbb5fa3500c2862a04e52fc107f8d81090c1c
SHA512 25c1a21cbab20a4e045da5968e20b188d207109fbdb385196ca64cd16d9f49c5542453d30ab2d1bfc1040487e0046fa0e5c908b423ec0dbf986f76449586a804

/data/data/com.nwybcynna.hukmpcfas/app_dex/classes.dex

MD5 a5f6abd47e42ea2ffbe99d78fda1ad4f
SHA1 39a0109499ee5cc44accbfefd80bb192058e571e
SHA256 7c3d47dfd938e2f38e782bbe82ea7f484660034f62f6fb4ddea0b891b3991019
SHA512 d3efe6f2a3454700db6ff2b02d4b765d3e3e0e7764854cabb68166e6c5b85086f80643698394177577a1c3aa6f4203989f98d94ddbebb95809773cefd4c90b5e

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-journal

MD5 cbab5dccc3edb40efdb434594b2f1f25
SHA1 a3ea3cdf6ca5b4c101818362bf59a03b64ed8a6f
SHA256 06178ca21c56fb93b8396993d208230a9e37b114499ca541fd9e63c334e05d56
SHA512 3a71977316312b3fdb20a4153522e8fbabec3341172068eb85bcda04558f4289d1cd0171184c7474ac25d1305ba87d59b79d672de0aef4de2b42fe16593123b0

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 a46078cde4e304ca44806defb64c42ae
SHA1 7154b08f9155b0ba27fb79027ca6d22d0b4f891c
SHA256 d56e5e835a4e2cbc8882b5962f9690fadfd3322717e13589561b5f9f77bb3d18
SHA512 e3687b52d5e96f121793ac4bdf12dc95ff407a21476e056412a752b73e19558be86f69756835bb6bfaafbf07d4b9a25b830eea30fc61dab1c8a42544bf1fcc67

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 8d3e2e6241fe0256d1a6cf87ea5fe34e
SHA1 820437ce17e2c23c2f45c3ec95b77cb9bd4a4465
SHA256 9f31868d9315b00207af2ce8b227e93f7704566c89f161ed0db765c9a001fc50
SHA512 17fb6eb373c4656c93a3a1c16a342ec68100d2e4b02e045af8197860fce74a92aff7a0d435852e55da3b186acaa0b74de60bad4f54d86f566c280f06788cb003

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 323f615925c3ca608a4e410c719438ba
SHA1 cb38e926890ddcdba51298e6e46edf47d3ddee67
SHA256 8246c986dd61eb4de9bbcd49765a8e55a480622c35356a5fc7c6e29d2168a77e
SHA512 66c4eaf9180d1509b888489402634cd243345cdbc7ecfbbc636c8eca8b60556210bc55bc1a61fe2cd45ea449f8570eb0e014ff808b6f05d80b067c4e35ac5706

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-24 22:06

Reported

2024-12-24 22:09

Platform

android-x64-arm64-20240624-en

Max time kernel

131s

Max time network

159s

Command Line

com.nwybcynna.hukmpcfas

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex N/A N/A
N/A /data/user/0/com.nwybcynna.hukmpcfas/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.nwybcynna.hukmpcfas

Network

Country Destination Domain Proto
GB 216.58.212.238:443 tcp
GB 216.58.212.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
US 154.216.20.102:80 154.216.20.102 tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

/data/data/com.nwybcynna.hukmpcfas/cache/classes.zip

MD5 400eb1ea3f0c5e3b8953b4d2203d117d
SHA1 0f95e89686033b44baba9439a1d9ad8441bf18a7
SHA256 ffe6105f59b7e3f44f578df8fb563ee6c17fc19a2d945dcc3e097283fbd9d3f9
SHA512 2d548f80b351c4921761eb7658a8233f92fb7719ff9e6035fa54300073ec59dba5f68b6205ee3cf502a0daf2a35cef535922882c96c2050773edf1ce6ba8c662

/data/data/com.nwybcynna.hukmpcfas/cache/classes.dex

MD5 d6dc3bd7afc7c7110661697f450b3d36
SHA1 729429de933755ad7a06382e0b43f50163d0f986
SHA256 80cd42115a61ad9bb1d0a6e6431bbb5fa3500c2862a04e52fc107f8d81090c1c
SHA512 25c1a21cbab20a4e045da5968e20b188d207109fbdb385196ca64cd16d9f49c5542453d30ab2d1bfc1040487e0046fa0e5c908b423ec0dbf986f76449586a804

/data/data/com.nwybcynna.hukmpcfas/app_dex/classes.dex

MD5 a5f6abd47e42ea2ffbe99d78fda1ad4f
SHA1 39a0109499ee5cc44accbfefd80bb192058e571e
SHA256 7c3d47dfd938e2f38e782bbe82ea7f484660034f62f6fb4ddea0b891b3991019
SHA512 d3efe6f2a3454700db6ff2b02d4b765d3e3e0e7764854cabb68166e6c5b85086f80643698394177577a1c3aa6f4203989f98d94ddbebb95809773cefd4c90b5e

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-journal

MD5 26b9a932b0c0a0a905273f57280d8bf7
SHA1 2b3d882a81056b560fbe35efbb25e3eba4c2a8a8
SHA256 75dae1ef61e94d6f1b1b71636d49964a6d23fda118288e1bae624541262c0882
SHA512 03c5ac214f8518491a294d25c4c398fb34559722804d4ba9fa04007ef486d1158914dbd51153fe480f691b14c701816d53a394c793831134d046ec3e6138fcf8

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 5d2951454734381b8477976c0d4a5c07
SHA1 2f42eeef998c15bedbec916bdefa9db7210263f9
SHA256 4418c3d16a158485fdf98a9f2f4c76f77ee61df2d4ef87e9965a16cfa013f7d5
SHA512 71caf255ce55c8f40ef63c55b6e5c64cce58fd4bb029bfe6c292f8a0c5e2c926711b01f12649dd25515a148dabfdc39c581412d671676bf1c546562e5dec7956

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 b7082981b2f0fb4a89700ca5c71dcf83
SHA1 cc678fb346bb16b4a36259e1a90279ece925152a
SHA256 5eed3833960647a1bb05a7fa27a7abdd9d16b047d52e0f9daf8b4c9f8d28a380
SHA512 bb07f92b307759d51fc7a84be52c7989c6c20d1e98326862b0c961104c05dadd6f92770dc5bdb66f80169c3b06a2a03065abf16a6a551e6efa10447d3ebf4c86

/data/data/com.nwybcynna.hukmpcfas/no_backup/androidx.work.workdb-wal

MD5 902971985dd54f80ee4697df4e83ab35
SHA1 0c6ff707a22f81272e84284d2fbff534ccfd3cce
SHA256 2cc034079eb73e89557a488a724d99a0c764aa1f0b08e669a0d7820c29339390
SHA512 463dac4e296ac8decabbc99dc5b656fb70fc69d27126c8938acedcfff06917f51143b6fc2c0e5d1c60fddd5e12788b51becb9be31bbf47d2ef5489a2798f7185