a397ccb187460fe8790147ee81c8147838ce5ca8a55f33d822a8a8332e8173c7

Analysis

max time kernel
149s
max time network
151s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
26/03/2025, 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19278db5549027a224f9436c45ffdf0a0dc5ac630335fb2d9ff9d44da0f267b0.apk
Size

3.9MB
MD5

9d6c50c4103251cd45f93b380bb48bd6
SHA1

1990d07867ec04fd0fb791bd347e2b410da5d114
SHA256

19278db5549027a224f9436c45ffdf0a0dc5ac630335fb2d9ff9d44da0f267b0
SHA512

35cad8d62c1d12bdfd499aa5720474df34d6ebf4bb577c5f5205c2e13012fb401c33605ae63119b5fff1bf86ce30e22faa9e038d06913a345831365b7bfc4c03
SSDEEP

98304:CVyFi2cpk0uuKmiiaiAOFO4O4sbrrLOrGvIej4OAizcP9mtz:syqH/apOFO4C2r1extcP9mtz

Score

8^/10

defense_evasion discovery evasion persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5243	com.xsyhwp

Checks known Qemu pipes. 1 TTPs 2 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

defense_evasion

System Checks

T1633.001

ioc	Process
/dev/socket/qemud	com.xsyhwp
/dev/qemu_pipe	com.xsyhwp

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.xsyhwp/cache/payload.jar	5243	com.xsyhwp

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.xsyhwp

Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.xsyhwp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.xsyhwp
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.xsyhwp

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.xsyhwp

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.xsyhwp

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.xsyhwp

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.xsyhwp

com.xsyhwp
1⤵
- Removes its main activity from the application launcher
- Checks known Qemu pipes.
- Loads dropped Dex/Jar
- Acquires the wake lock
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
PID:5243

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xsyhwp/cache/oat/payload.jar.cur.prof

Filesize
3KB

MD5
cdf2a8795348e58a296b44d8e4534799

SHA1
7e1df3626682a71e36d20027adce5198b591e82c

SHA256
24c285313122dd1f7d379fb7ca7b121866f81d44d4c06e574f2e4b85561fc023

SHA512
2dbcc03fe0c4ab73041f6ee7f45fd04bb363a6a824c050361bb148502e22906063dbb5d36ede5b3a1d4eeba1b7de2247f6fa9b216248e753b25efb1fd9e6d213

Download Submit
/data/data/com.xsyhwp/cache/payload.jar

Filesize
472KB

MD5
9f093ab21f4efa18069addd51279bd06

SHA1
591062cbc092b10742e16f3451bae479679f27fe

SHA256
a8b4c1ceb5f1a3de7c998c12b8bc26f9cbe2ee8bcac522b7c54e9d49505774d1

SHA512
3da3ec9b7d5d00373894a198170fcdec9e80d25615677c24b6e57f79bda1a603db44ac875c59aa87aab67017d6da4c273bd65f62d3ee559d54b33bf4a8edbf74

Download Submit
/data/user/0/com.xsyhwp/cache/payload.jar

Filesize
1.1MB

MD5
42bd2141a746ab06dcddcbc993b8a1c9

SHA1
1583c437e5aa6eb628f6afca10bddee38a501451

SHA256
5e10c8dcba719cab710ec6d9c0626569af7664527247d50e29e1f758b745d1a8

SHA512
2d946e368b008ed309481c78d802ba2c04b87e38c9b0506144e1b6212036617007d1adb180c590df178c91fdd74e4d3c1d713b3119ddd7f921352a81d44d4c56

Download Submit
/storage/emulated/0/Android/data/com.xsyhwp/files/uu.dd

Filesize
36B

MD5
b25895beea380b49a0ec5f9cdd2d124f

SHA1
9eabede25dafbec652d1e929f24ff0ead97116c7

SHA256
9d3251919cfb3aaf587ff16355f256b407a9abbff921ebde490d1ad00378d399

SHA512
b7b94c336b2d52374d94626d1c4b4dc8e8b8f7bf365a18060609fb0815f4630a6f0375490a10328f0776743ed1544a070856210d2c421bbbcc33b006a6cf4dea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads