Malware Analysis Report

2025-01-19 05:47

Sample ID 241224-1x8dpsyndp
Target 73bd9f60a034796bd96424c277ed9543fb614b4009ca28fbd65e8d6c23310518.bin
SHA256 73bd9f60a034796bd96424c277ed9543fb614b4009ca28fbd65e8d6c23310518
Tags hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 73bd9f60a034796bd96424c277ed9543fb614b4009ca28fbd65e8d6c23310518

Threat Level: Known bad

The file 73bd9f60a034796bd96424c277ed9543fb614b4009ca28fbd65e8d6c23310518.bin was found to be: Known bad.

Malicious Activity Summary

hook collection credential_access discovery evasion execution impact infostealer persistence rat trojan

Hook

Hook family

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Queries the phone number (MSISDN for GSM devices)

Acquires the wake lock

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background)

Reads information about phone network operator

Queries the mobile country code (MCC)

Performs UI accessibility actions on behalf of the user

Queries information about the current Wi-Fi connection

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Schedules tasks to execute at a specified time

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-12-24 22:02

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-24 22:02

Reported

2024-12-24 22:05

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

160s

Command Line

com.eeoyiyvtz.tutthssxv

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.eeoyiyvtz.tutthssxv/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background)

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.eeoyiyvtz.tutthssxv

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.eeoyiyvtz.tutthssxv/app_dex/classes.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.eeoyiyvtz.tutthssxv/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp
US 154.216.17.184:80 N/A tcp

Files

/data/data/com.eeoyiyvtz.tutthssxv/cache/classes.zip
/data/data/com.eeoyiyvtz.tutthssxv/cache/classes.dex
/data/data/com.eeoyiyvtz.tutthssxv/app_dex/classes.dex
/data/user/0/com.eeoyiyvtz.tutthssxv/app_dex/classes.dex
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-journal
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-shm
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-24 22:02

Reported

2024-12-24 22:05

Platform

android-x64-20240624-en

Max time kernel

145s

Max time network

160s

Command Line

com.eeoyiyvtz.tutthssxv

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.eeoyiyvtz.tutthssxv/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.eeoyiyvtz.tutthssxv

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
US 154.216.17.184:80 N/A tcp
GB 142.250.187.238:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
GB 142.250.179.228:443 N/A tcp
GB 216.58.212.206:443 N/A tcp
GB 142.250.200.2:443 N/A tcp

Files

/data/data/com.eeoyiyvtz.tutthssxv/cache/classes.zip
/data/data/com.eeoyiyvtz.tutthssxv/cache/classes.dex
/data/data/com.eeoyiyvtz.tutthssxv/app_dex/classes.dex
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-journal
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-shm
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-wal

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-24 22:02

Reported

2024-12-24 22:05

Platform

android-x64-arm64-20240624-en

Max time kernel

144s

Max time network

159s

Command Line

com.eeoyiyvtz.tutthssxv

Signatures

Hook

rat trojan infostealer hook

Hook family

hook

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.eeoyiyvtz.tutthssxv/app_dex/classes.dex N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Reads information about phone network operator

discovery

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.eeoyiyvtz.tutthssxv

Network

Country Destination Domain Proto
GB 142.250.180.14:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
US 154.216.17.184:80 N/A tcp
GB 142.250.200.36:443 N/A tcp

Files

/data/data/com.eeoyiyvtz.tutthssxv/cache/classes.zip
/data/data/com.eeoyiyvtz.tutthssxv/cache/classes.dex
/data/data/com.eeoyiyvtz.tutthssxv/app_dex/classes.dex
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-journal
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-shm
/data/data/com.eeoyiyvtz.tutthssxv/no_backup/androidx.work.workdb-wal