Malware Analysis Report

2025-06-16 00:52

Sample ID 250609-kclq7sbp4t
Target certificado.apk
SHA256 e9f2f6e47e071ed2a0df5c75e787b2512ba8a601e55c91ab49ea837fd7a0fc85
Tags defense_evasion collection credential_access discovery evasion impact persistence
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file certificado.apk was found to show suspicious behavior.

Malicious Activity Summary

Tags defense_evasion collection credential_access discovery evasion impact persistence

Makes use of the framework's Accessibility service

Obtains sensitive information copied to the device clipboard

Checks the application is allowed to request package installs through the package installer

Queries the mobile country code (MCC)

Declares broadcast receivers with permission to handle system events

Requests dangerous framework permissions

Makes use of the framework's foreground persistence service

Performs UI accessibility actions on behalf of the user

Declares services with permission to bind to the system

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK (Mobile Matrix V16)

Analysis: static1

Detonation Overview

Reported

2025-06-09 08:27

Signatures

Declares broadcast receivers with permission to handle system events

Description: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
Indicator: android.permission.BIND_DEVICE_ADMIN
Process: N/A
Target: N/A

Declares services with permission to bind to the system

Description: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
Indicator: android.permission.BIND_ACCESSIBILITY_SERVICE
Process: N/A
Target: N/A

Requests dangerous framework permissions

Description: Allows an application to request installing packages.
Indicator: android.permission.REQUEST_INSTALL_PACKAGES
Process: N/A
Target: N/A

Analysis: behavioral3

Detonation Overview

Submitted

2025-06-09 08:27

Reported

2025-06-09 08:36

Platform

android-33-x64-arm64-20240910-en

Max time kernel

7s

Max time network

159s

Command Line

com.support.litework

Signatures

Checks the application is allowed to request package installs through the package installer

Tags: defense_evasion
Description: Framework service call
Indicator: android.content.pm.IPackageManager.canRequestPackageInstalls
Process: N/A
Target: N/A

Processes

com.support.litework

Network

Country Destination         Domain                             Proto
N/A     224.0.0.251:5353                                       udp
AU      1.1.1.1:53          rcs-acs-tmo-us.jibe.google.com     udp
US      216.239.36.155:443  rcs-acs-tmo-us.jibe.google.com     tcp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      172.217.169.78:443  android.apis.google.com            tcp
GB      172.217.169.78:443  android.apis.google.com            udp
AU      1.1.1.1:53          remoteprovisioning.googleapis.com  udp
GB      216.58.204.74:443   remoteprovisioning.googleapis.com  tcp
AU      1.1.1.1:53          www.google.com                     udp
GB      142.250.178.4:443   www.google.com                     tcp
AU      1.1.1.1:53          www.google.com                     udp
GB      142.250.178.4:443   www.google.com                     udp
AU      1.1.1.1:53          www.google.com                     udp
GB      172.217.169.68:443  www.google.com                     tcp
GB      216.58.204.70:80                                       tcp
GB      216.58.201.110:443                                     tcp
GB      142.250.180.2:443                                      tcp
US      216.239.32.36:443                                      tcp
GB      142.250.187.193:443                                    tcp
GB      216.58.204.65:443                                      tcp
GB      216.58.204.65:443                                      tcp
GB      216.58.204.65:443                                      tcp
GB      216.58.204.65:443                                      tcp
GB      142.250.179.227:443                                    tcp
GB      216.58.204.65:443                                      tcp

Files

/data/data/com.support.litework/files/profileInstalled

MD5 4e8db162a70cee035c387497571738af
SHA1 3925da441ade5c83363fabe821a9db834dd41441
SHA256 d3c18cf52a3b34d66455d1cb7b30d30e465ce174f48304dc80f8bbb1ca9d463f
SHA512 4bd97664ee5ed3632aad506de276af3ce59aa84fbc91767de6e8062eb3b8a5809dc2058faac2424b6a97be1361e25ee03b4533ecc8d052122c701a50a7a5b951

Analysis: behavioral4

Detonation Overview

Submitted

2025-06-09 08:27

Reported

2025-06-09 08:36

Platform

android-x86-arm-20240910-en

Max time kernel

7s

Max time network

161s

Command Line

com.support.litework

Signatures

N/A

Processes

com.support.litework

Network

Country Destination         Domain                             Proto
N/A     224.0.0.251:5353                                       udp
GB      142.250.200.46:443                                     tcp
GB      142.250.200.46:443                                     tcp
GB      142.250.200.46:443                                     tcp
GB      142.250.200.46:443                                     tcp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      172.217.169.14:443  android.apis.google.com            tcp
GB      142.250.187.227:80                                     tcp
GB      142.250.179.228:443                                    tcp

Files

/data/data/com.support.litework/files/profileInstalled

MD5 6e53b9eaae33697055db0c8b06cff924
SHA1 889bdec3dfc953dfccf183cf8ebe883a343ddda1
SHA256 bccc63177bbac3de0d79b7b88d2adca811276bfda1ed69dab5f6b8799aa74b69
SHA512 683e233dcf6a851c7b2b046f1b8f16fc61e268155581cd644b72aa1ed8c28331c35a743826d40e53423b1d575e9cf6c04ec469c216502e59af5b5c03714733d1

Analysis: behavioral5

Detonation Overview

Submitted

2025-06-09 08:27

Reported

2025-06-09 08:36

Platform

android-x64-20240910-en

Max time kernel

125s

Max time network

130s

Command Line

com.support.litework

Signatures

Makes use of the framework's Accessibility service

Tags: collection defense_evasion credential_access
Description: Framework service call
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: N/A
Target: N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Makes use of the framework's foreground persistence service

Tags: defense_evasion persistence
Description: Framework service call
Indicator: android.app.IActivityManager.setServiceForeground
Process: N/A
Target: N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description: N/A
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

Tags: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.support.litework

Network

Country Destination         Domain                             Proto
N/A     224.0.0.251:5353                                       udp
GB      142.250.200.10:443                                     tcp
GB      216.58.212.238:443                                     tcp
GB      142.250.180.14:443                                     tcp
GB      216.58.212.206:443                                     tcp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      216.58.212.238:443  android.apis.google.com            tcp
AU      1.1.1.1:53          ssl.google-analytics.com           udp
GB      142.250.179.232:443 ssl.google-analytics.com           tcp
AU      1.1.1.1:53          stealth.gstpainel.fun              udp

Files

/data/data/com.support.litework/files/profileInstalled

MD5 7afa7a2d215cfbc469dd6187c52e203e
SHA1 a79201a548adf8928cecf887c085d1f9a737d065
SHA256 d2e91b935430b7c9b10a5ec2943373014d46e97bffe4f7218bf243da940d7a2b
SHA512 43cefbc810449c8c8e2709b5007087183c99169c809846fd76516f4678ac049d905321d4f93428c9b3795e9f8a9fee7b4985677789c62103f884b542aa71acc2

Analysis: behavioral7

Detonation Overview

Submitted

2025-06-09 08:27

Reported

2025-06-09 08:36

Platform

android-33-x64-arm64-20240910-en

Max time kernel

45s

Max time network

160s

Command Line

com.support.litework

Signatures

Makes use of the framework's Accessibility service

Tags: collection defense_evasion credential_access
Description: Framework service call
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: N/A
Target: N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Makes use of the framework's foreground persistence service

Tags: defense_evasion persistence
Description: Framework service call
Indicator: android.app.IActivityManager.setServiceForeground
Process: N/A
Target: N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description: N/A
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.support.litework

Network

Country Destination         Domain                             Proto
N/A     224.0.0.251:5353                                       udp
AU      1.1.1.1:53          stealth.gstpainel.fun              udp
AU      1.1.1.1:53          remoteprovisioning.googleapis.com  udp
GB      216.58.201.106:443  remoteprovisioning.googleapis.com  tcp
AU      1.1.1.1:53          voilatile-pa.googleapis.com        udp
AU      1.1.1.1:53          rcs-acs-tmo-us.jibe.google.com     udp
US      216.239.36.155:443  rcs-acs-tmo-us.jibe.google.com     tcp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      172.217.169.46:443  android.apis.google.com            tcp
GB      172.217.169.46:443  android.apis.google.com            udp
GB      172.217.16.228:443                                     tcp
AU      1.1.1.1:53          www.google.com                     udp
GB      216.58.213.4:443    www.google.com                     udp
AU      1.1.1.1:53          www.google.com                     udp
GB      172.217.169.4:443   www.google.com                     tcp
GB      216.58.204.70:80                                       tcp
GB      142.250.187.194:443                                    tcp
GB      142.250.187.238:443                                    tcp
GB      142.250.187.194:443                                    tcp
US      216.239.32.36:443                                      tcp
GB      216.58.204.65:443                                      tcp
GB      172.217.169.33:443                                     tcp
GB      216.58.204.70:443                                      tcp
GB      216.58.204.66:443                                      tcp

Files

/data/data/com.support.litework/files/profileInstalled

MD5 face346ea626ec88592b6fdc9e836de3
SHA1 b85912bbd3afb67c32e418f2962f283b78006a76
SHA256 9cfb02587c562f40b10c5aa7610b52cfa3812040ae84f9adcb1facef9a87b2fb
SHA512 a653f2b155807bfe5d736acf39a689a9d7329cb8a26859fe88ae9c9243a1f6deae790c03105259144f5a4a1914f3e45c954762c32c767b5eef33afcc99beb6e8

Analysis: behavioral8

Detonation Overview

Submitted

2025-06-09 08:27

Reported

2025-06-09 08:36

Platform

android-x86-arm-20240910-en

Max time kernel

86s

Max time network

152s

Command Line

com.support.litework

Signatures

Makes use of the framework's Accessibility service

Tags: collection defense_evasion credential_access
Description: Framework service call
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: N/A
Target: N/A

Makes use of the framework's foreground persistence service

Tags: defense_evasion persistence
Description: Framework service call
Indicator: android.app.IActivityManager.setServiceForeground
Process: N/A
Target: N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description: N/A
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Process: N/A
Target: N/A

Queries the mobile country code (MCC)

Tags: discovery
Description: Framework service call
Indicator: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
Process: N/A
Target: N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

Tags: persistence
Description: Framework service call
Indicator: android.app.IActivityManager.registerReceiver
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.support.litework

Network

Country Destination         Domain                             Proto
N/A     224.0.0.251:5353                                       udp
GB      216.58.201.110:443                                     tcp
GB      216.58.201.110:443                                     tcp
GB      216.58.201.110:443                                     tcp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      142.250.180.14:443  android.apis.google.com            tcp
AU      1.1.1.1:53          stealth.gstpainel.fun              udp
AU      1.1.1.1:53          semanticlocation-pa.googleapis.com udp
GB      216.58.204.74:443   semanticlocation-pa.googleapis.com tcp
GB      142.250.179.227:80                                     tcp
GB      142.250.179.228:80                                     tcp
GB      142.250.179.228:443                                    tcp

Files

/data/data/com.support.litework/files/profileInstalled

MD5 1b15bf14dde4c8e9635f99171be889d0
SHA1 653dab5abced60b56eb3a9e9ad5b3c5e3201ca64
SHA256 bfa2423d4295fb6aa116988ca0853263c35e6b2dc0a42aa0ab71d5857b582dd2
SHA512 3d195e5e429b30811d88ff7e8cfcb77a60a51c894042dfbea0dd578af6ef556f240f83be9085b320c402a916ee37b5ec1b2a7b34387226b4d882fee2e18d52f4

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-09 08:27

Reported

2025-06-09 08:36

Platform

android-x64-20240910-en

Max time kernel

7s

Max time network

160s

Command Line

com.support.litework

Signatures

Checks the application is allowed to request package installs through the package installer

Tags: defense_evasion
Description: Framework service call
Indicator: android.content.pm.IPackageManager.canRequestPackageInstalls
Process: N/A
Target: N/A

Processes

com.support.litework

Network

Country Destination         Domain                             Proto
N/A     224.0.0.251:5353                                       udp
GB      216.58.212.206:443                                     tcp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      216.58.212.206:443  android.apis.google.com            tcp
AU      1.1.1.1:53          ssl.google-analytics.com           udp
GB      142.250.187.232:443 ssl.google-analytics.com           tcp
GB      216.58.204.66:443                                      tcp

Files

/data/data/com.support.litework/files/profileInstalled

MD5 cd8ffdb40a14c737001af162bc79d7c2
SHA1 b817ffde86dffec183feff0c66b22875cf999703
SHA256 69e5e175ec7fa2c4d2e37a6b88c44536899f332ca6d2853ddb299e6b6e5721ba
SHA512 9c674550c107a8a50e5510be2158e17444445a92c2cc6a4f47a51a128996ea430cfe7a8ff2b9f140b6e670e23531ece73efc964acc1f3a6170ec4896dd4d8cc8

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-09 08:27

Reported

2025-06-09 08:36

Platform

android-x64-arm64-20240910-en

Max time kernel

6s

Max time network

152s

Command Line

com.support.litework

Signatures

Checks the application is allowed to request package installs through the package installer

Tags: defense_evasion
Description: Framework service call
Indicator: android.content.pm.IPackageManager.canRequestPackageInstalls
Process: N/A
Target: N/A

Processes

com.support.litework

Network

Country Destination         Domain                             Proto
GB      142.250.200.46:443                                     tcp
GB      142.250.200.46:443                                     tcp
N/A     224.0.0.251:5353                                       udp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      142.250.187.238:443 android.apis.google.com            tcp
AU      1.1.1.1:53          www.youtube.com                    udp
GB      142.250.180.14:443  www.youtube.com                    udp
GB      142.250.180.14:443  www.youtube.com                    tcp
GB      142.250.187.238:443 www.youtube.com                    tcp
US      216.239.32.223:443                                     tcp
AU      1.1.1.1:53          ssl.google-analytics.com           udp
GB      216.58.212.200:443  ssl.google-analytics.com           tcp
GB      142.250.187.193:443                                    tcp
US      216.239.32.223:443                                     tcp
GB      216.58.204.65:443                                      tcp
US      216.239.32.223:443                                     tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2025-06-09 08:27

Reported

2025-06-09 08:36

Platform

android-x64-arm64-20240910-en

Max time kernel

138s

Max time network

152s

Command Line

com.support.litework

Signatures

Makes use of the framework's Accessibility service

Tags: collection defense_evasion credential_access
Description: Framework service call
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
Process: N/A
Target: N/A

Obtains sensitive information copied to the device clipboard

Tags: collection credential_access impact
Description: Framework service call
Indicator: android.content.IClipboard.addPrimaryClipChangedListener
Process: N/A
Target: N/A

Makes use of the framework's foreground persistence service

Tags: defense_evasion persistence
Description: Framework service call
Indicator: android.app.IActivityManager.setServiceForeground
Process: N/A
Target: N/A

Performs UI accessibility actions on behalf of the user

Tags: evasion
Description: N/A
Indicator: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
Process: N/A
Target: N/A

Checks memory information

Description: File opened for read
Indicator: /proc/meminfo
Process: N/A
Target: N/A

Processes

com.support.litework

Network

Country Destination         Domain                             Proto
GB      142.250.200.46:443                                     tcp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      172.217.169.14:443  android.apis.google.com            tcp
N/A     224.0.0.251:5353                                       udp
GB      172.217.169.14:443  android.apis.google.com            tcp
AU      1.1.1.1:53          www.youtube.com                    udp
GB      142.250.179.238:443 www.youtube.com                    udp
GB      142.250.179.238:443 www.youtube.com                    tcp
AU      1.1.1.1:53          android.apis.google.com            udp
GB      142.250.187.206:443 android.apis.google.com            tcp
AU      1.1.1.1:53          ssl.google-analytics.com           udp
GB      172.217.16.232:443  ssl.google-analytics.com           tcp
AU      1.1.1.1:53          stealth.gstpainel.fun              udp
US      216.239.36.223:443                                     tcp
US      216.239.36.223:443                                     tcp
GB      142.250.200.1:443                                      tcp
GB      216.58.212.193:443                                     tcp
US      216.239.36.223:443                                     tcp
US      216.239.36.223:443                                     tcp

Files

N/A