1794ea2b91487fb130c9568b9ee301cbd097d3d5ef294fab69c1ecb9ef354494 | Triage

Analysis

max time kernel
7s
max time network
128s
platform
android-10_x64
resource
android-x64-20240910-en
resource tags

arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
submitted
07/04/2025, 22:25

Sharing

Report Analysis Logs

General

Target

1794ea2b91487fb130c9568b9ee301cbd097d3d5ef294fab69c1ecb9ef354494.apk
Size

3.5MB
MD5

fc2cddd695703c2803cbae0c17765758
SHA1

675e261902686cad8595d4c425178b45e72e31e1
SHA256

1794ea2b91487fb130c9568b9ee301cbd097d3d5ef294fab69c1ecb9ef354494
SHA512

b3cad164c17fc1d2a85f92bd1f96674d3a3df965bd8ba5d2f8750b2880f4f636ea8ad30e8fcd6215adcfe7f6dd263f157aa5aace4a307b130fd3b9931b4d205a
SSDEEP

98304:zy8qgP+VJP/XiawvIFWXYzMjHpBUpF5sr8Tgkbi:2keiawvIfaHCnTdbi

Score

8^/10

banker defense_evasion discovery persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 2 IoCs

defense_evasion

System Information Discovery

ioc	Process
/system/bin/su	ru.cbqtzewa.wnyrcynct
/system/xbin/su	ru.cbqtzewa.wnyrcynct

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 20 IoCs

Web Service

flow	ioc
46	sites.google.com
51	sites.google.com
52	sites.google.com
31	sites.google.com
35	sites.google.com
43	sites.google.com
44	sites.google.com
50	sites.google.com
37	sites.google.com
42	sites.google.com
45	sites.google.com
49	sites.google.com
53	sites.google.com
93	sites.google.com
33	sites.google.com
36	sites.google.com
41	sites.google.com
48	sites.google.com
32	sites.google.com
34	sites.google.com

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Broadcast Receivers

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	ru.cbqtzewa.wnyrcynct

ru.cbqtzewa.wnyrcynct
1⤵
- Checks if the Android device is rooted.
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

Broadcast Receivers

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Software Discovery

Security Software Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/ru.cbqtzewa.wnyrcynct/databases/PackagesDB

Filesize
548KB

MD5
def5408b130f51fe0e935260c5838862

SHA1
cc5ecb8b9050d187a673433deb755207b0d38be3

SHA256
1d8f1f3f129c8fe269f39530ce9f19516de6e3bd1d064c6732acfe91e7fa3fb3

SHA512
dbc096cd4d99dab5b27b8d0928e024962e84750d70d6f69cacfd96830166934b39e58b2809ba4336e1562d34c5bae8bf5016a2aafd4952e260cbafad52481670

Download Submit
/data/data/ru.cbqtzewa.wnyrcynct/databases/PackagesDB-journal

Filesize
512B

MD5
c26825a6a1024e0e00ae81428c2df68b

SHA1
9da025e2d8c618b1bed563707ea4fd594aeb0085

SHA256
e0edf899f5f152673b23576171ff304c96c83218529ad930d5028252d0795a81

SHA512
7f9c50d77ae7fb565e919843ecaf83f73b0d8d83c54bd51997a5b690d3eb48dc17e54cb0065c821c6eb138281fcb54926e3c7cae1e34e229049e402619863a0e

Download Submit
/data/data/ru.cbqtzewa.wnyrcynct/databases/PackagesDB-journal

Filesize
8KB

MD5
49651c4dfa4b95a9a4b1a58409a829d5

SHA1
1a869edba27ac0613ebd1bc16df24f10f4a8c09e

SHA256
289664209188d08cd2749fb29438fb4794e60d0e048f2617c2a673602ac44a0e

SHA512
552d2a57e1f2a13658c3c5faff97a691e79314e7873cee3b568dc110c3076188e1d6ef0b032dd0a7de00fd12cf8854dd48f8a61e16ae587a1943cc9d2f3081a8

Download Submit
/data/data/ru.cbqtzewa.wnyrcynct/databases/PackagesDB-journal

Filesize
8KB

MD5
639c67e319b73e27fa6d5a2b56a49e9a

SHA1
8c5b47e75bd8edc515987b9321e7ebb6389e568a

SHA256
d48fdaf2bfd1a1ab77c7ac49a7e3d1d3e3bc362c1770e351fabe34496713edb1

SHA512
9b44450a84d8ec01d1385a0e24ee8c5d24f937ea397c4fae8221745277e6ebfabfce36498ad4114c2425e57d5f03fd3b269a99ff6c3a6b964bc5417da1578bb2

Download Submit
/data/data/ru.cbqtzewa.wnyrcynct/databases/PackagesDB-journal

Filesize
12KB

MD5
f8eb117f7be2cdf001fe4f8cfe3b58b7

SHA1
7358ef60e4415ac4a3f7ee9b7d7b96a3e93ce77b

SHA256
4ebcf93b8e48b7d7e29dd646a9420f60c1ba872daf20df4ac832bc72340e1f61

SHA512
1ef3ef7a8061c7790d79dae210b409d0da7dcd8b127be332017c7bf7f4e58ed4fb09a04c93b1e7a1b31f414c50fb5d9dac48257cc6332a47cf096cbae0df081e

Download Submit
/data/data/ru.cbqtzewa.wnyrcynct/databases/PackagesDB-journal

Filesize
12KB

MD5
e0db753101bb12d1726a157d23f8f1ab

SHA1
224612d76429922033043a42caa291759e46a844

SHA256
81d7c13f26a755a8094eb4f40a7c6dc54d8d6f93780a70d868b57b5cc13adf81

SHA512
3dfe21233b2fa4cbba15e7a8ba1666c16fbbc255e12cec3e772230f0cbe28622826b7588a652fe18ccd6369161aa49a301b2e6df1c92c2970d2339ead094c453

Download Submit
/data/data/ru.cbqtzewa.wnyrcynct/databases/PackagesDB-journal

Filesize
28KB

MD5
768fccd6b938fefa01059c243355bf57

SHA1
5b223a6e5af61ae458458d31986595dd0538058a

SHA256
ce3be58ffbf41189c2a4006ceb0a74e3d28469120a968e0b012679901af095f2

SHA512
400ab9ca2dbc254f9032c6e3db8b192f41394e3673d4942af3db3096bc33075320d4289c529c6490a8895deb5cf94bf7d9d77bf10bf12fe2b611b445473f635a

Download Submit
/data/data/ru.cbqtzewa.wnyrcynct/files/busybox

Filesize
209KB

MD5
8c63ca86e6f030fd7a11fa739a319fd3

SHA1
c4ea94cf652af134c451dbed0d794ef7ab9937dc

SHA256
145ad43b8aaed463ad4333b71b464e44efed3803713846b974abb7a4925b8d16

SHA512
7db10d4da18917b098630c304ccdfad0090add058364a4724c9a69d94266e540f1ba1728f12ec62e0010842eb967bcd04f2c1145ef9bbcf9991a67fa56b80126

Download Submit
/storage/emulated/0/Android/data/ru.cbqtzewa.wnyrcynct/files/LuckyPatcher/AdsBlockList.txt

Filesize
1KB

MD5
634ab5e3e49b830079f88825c88d7f80

SHA1
cabe4068d07d52c60f5b9f840fd887051748a3aa

SHA256
2824000ad496be920c29d0a78589c72935288b40ce44b44c5fae672fbfe87fe4

SHA512
ffc893fcad8d81f6ca272cf03737ab466eafd135599e6f6f20285d7f4c3454bedde4de5929dbb1be5010192747f5f11d86166509f24bfbf778f949762e47ef72

Download Submit
/storage/emulated/0/Android/data/ru.cbqtzewa.wnyrcynct/files/LuckyPatcher/AdsBlockList_user_edit.txt

Filesize
29B

MD5
302f7b6d9a4ffeccdda9ef94184c8326

SHA1
d4038ca0629f57b7e5c4056e74a395e5598aa16a

SHA256
5b36134b695f0a9a32f570b08cc3ef74e0687a0d2aa228853bc0346f77bffebe

SHA512
299fda4936acf6479e22f9166d545976d5d99ba6fe7a5b7298cb336cf730eb7790524e4569fe64bc03c598c7e4117f163ddffc2e2889439f709c4d80ff665039

Download Submit