ca0989544a1511c773cf4f9da165e77a3be6d3b86a7b5484558b274ddc79a4b1

General

Target

ca0989544a1511c773cf4f9da165e77a3be6d3b86a7b5484558b274ddc79a4b1.apk
Size

1.1MB
MD5

26f529d46558a35cd93b3f6dc85a213f
SHA1

f3c68a5859d92d3048169dd28da19bb105aa0da5
SHA256

ca0989544a1511c773cf4f9da165e77a3be6d3b86a7b5484558b274ddc79a4b1
SHA512

56173d3d3ff48ef7a43428ae66a1187a83a2064d0cf3fdb6def5f917e9bc050998a347c131ee88b18750e8ce12689a46adad482e5f0735bba91bec93d024c5ed
SSDEEP

24576:wqJONrJCTE3x0yCcmMvJO4kc1NWEz1T7hwRq4OaNF:wqJOlt3GyCivJoUII1HhQvOGF

Score

8^/10

banker collection discovery evasion impact privilege_escalation stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4369	com.qzhaswptmd.abtjut

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.qzhaswptmd.abtjut/app_yobqpj/veujwlbpb.jar	4397	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qzhaswptmd.abtjut/app_yobqpj/veujwlbpb.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qzhaswptmd.abtjut/app_yobqpj/oat/x86/veujwlbpb.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.qzhaswptmd.abtjut/app_yobqpj/veujwlbpb.jar	4369	com.qzhaswptmd.abtjut

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of SMS inbox messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/inbox	com.qzhaswptmd.abtjut

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.qzhaswptmd.abtjut

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.qzhaswptmd.abtjut

Tries to add a device administrator. 2 TTPs 1 IoCs

privilege_escalation impact

Device Administrator Permissions

T1626.001

Account Access Removal

T1640

description	ioc	Process
Intent action	android.app.action.ADD_DEVICE_ADMIN	com.qzhaswptmd.abtjut

com.qzhaswptmd.abtjut
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Reads the content of SMS inbox messages.
- Acquires the wake lock
- Queries information about active data network
- Tries to add a device administrator.
PID:4369
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.qzhaswptmd.abtjut/app_yobqpj/veujwlbpb.jar --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.qzhaswptmd.abtjut/app_yobqpj/oat/x86/veujwlbpb.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4397

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1626

Device Administrator Permissions

1

T1626.001

Defense Evasion

Download New Code at Runtime

1

T1407

Hide Artifacts

1

T1628

Suppress Application Icon

1

T1628.001

Credential Access

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

System Network Configuration Discovery

1

T1422

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Protected User Data

1

T1636

SMS Messages

1

T1636.004

Command and Control

Exfiltration

Impact

Account Access Removal

1

T1640

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.qzhaswptmd.abtjut/app_yobqpj/oat/veujwlbpb.jar.cur.prof

Filesize
366B

MD5
13cf3216a1603d3ac1f09b5ffbe2fb7b

SHA1
b64edb192ce28e0ca44538684f85e9a6bf502837

SHA256
136bc74741fc630ae5dc3603ddd7724cf083be50ff068c6cafa2f24839ef0460

SHA512
c5092afd6f95ced28106ea5903b5fa9f5f8f9248da740aefce1a80dda31938a1529d10fa781c6fa7524bd9ee9016fe51a1051a87a02a6964587e467458b9c7be

Download Submit
/data/data/com.qzhaswptmd.abtjut/app_yobqpj/veujwlbpb.jar

Filesize
505KB

MD5
f77218ce087763a9a0f915d5066f7518

SHA1
13b8b5605769af72050d2966fe81fa6cd7eebdb8

SHA256
cd66b669be1a99c16d32d8c488a702c3dab660ccd45164ca0f8a27aabe1f30e6

SHA512
f3cfc241807143fd74f7d618fb0dc0bca9c898f36d2184140e6bebe8af1382d92360fc3fbf7568b80737994bd926fa087f0da065012b933f303d7d12742d0b63

Download Submit
/data/user/0/com.qzhaswptmd.abtjut/app_yobqpj/veujwlbpb.jar

Filesize
1.2MB

MD5
d6b31eb36c94db5a959a5257cab637f6

SHA1
57859ddb41176886a14ebd0a851d9965007fe852

SHA256
55fb234a687f462ad632cded85a17578965ea569a4be4028d1a11607013f7110

SHA512
1eba6543eeaddbb4ee0034d594afcfc0de9faa0fa6540df6635c712a2568037c577113be7337e3c505e6a10e0137b8428103852cd16eb9197ebea9ff62787495

Download Submit
/data/user/0/com.qzhaswptmd.abtjut/app_yobqpj/veujwlbpb.jar

Filesize
1.2MB

MD5
1f90763017fe68888d0e983cda56002b

SHA1
92e039e1d7e880b42a559fa4fcf5da19e1b264b2

SHA256
37a018553f0fd9b1304cc400f5d566a7ff6606943fc2f1f98c8465054bdfee2a

SHA512
9d1e4c757b0edd4dfc03db55aeeedf17cfe84f9026b6c18391b87b3422745ae53e1440f571bb722ddf61dddce0cfbdde155783d9944c9935709494f4923eebfc

Download Submit

Analysis

Sharing