Android.Banker.5388

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.Banker.5138
Android.Banker.630.origin

Network activity:

Connects to:

UDP(DNS) <Google DNS>
UDP(DNS) 8####.8.4.4:53
TCP(HTTP/1.1) connect####.gst####.com:80
TCP(TLS/1.0) pla####.google####.com:443
TCP(TLS/1.0) connect####.gst####.com:443
TCP(TLS/1.0) and####.a####.go####.com:443
TCP(TLS/1.0) rr18---####.g####.com:443
TCP(TLS/1.0) sqs.ap-nort####.amazo####.com:443
TCP(TLS/1.0) p####.google####.com:443
TCP(TLS/1.0) and####.google####.com:443
TCP(TLS/1.0) rr2---s####.g####.com:443
TCP(TLS/1.2) www.go####.com:443
UDP p####.google####.com:443

DNS requests:

and####.a####.go####.com
and####.google####.com
connect####.gst####.com
gmscomp####.google####.com
m####.go####.com
p####.google####.com
pla####.google####.com
rr18---####.g####.com
rr2---s####.g####.com
sqs.ap-nort####.amazo####.com
www.go####.com
www.google####.com

HTTP POST requests:

sqs.ap-nort####.amazo####.com:443/664144478517/report_queue_svc

File system changes:

Creates the following files:

/data/data/####/.com_prehdf_prphdf.meta
/data/data/####/0OO2IJ2GZTRPN7D54MK3H7X4TGO45WQ.dex (deleted)
/data/data/####/0OO2IJ2GZTRPN7D54MK3H7X4TGO45WQ.dex.flock (deleted)
/data/data/####/0OO2IJ2GZTRPN7D54MK3H7X4TGO45WQ.zip
/data/data/####/150035
/data/data/####/19
/data/data/####/2023-12-17AM044537.rt
/data/data/####/2023-12-17AM044537.str
/data/data/####/2023-12-17AM044549.so.rt
/data/data/####/2023-12-17AM044559.so.rt
/data/data/####/2023-12-17AM044608.so.rt
/data/data/####/2023-12-17AM044617.so.rt
/data/data/####/2023-12-17AM044624.so.rt
/data/data/####/2023-12-17AM044631.so.rt
/data/data/####/2023-12-17AM044638.so.rt
/data/data/####/2023-12-17AM044645.so.rt
/data/data/####/2023-12-17AM044652.so.rt
/data/data/####/250035
/data/data/####/29
/data/data/####/6KVI4R406M91ESWDFUJC3RBOJOMHZ1O.dex (deleted)
/data/data/####/6KVI4R406M91ESWDFUJC3RBOJOMHZ1O.dex.flock (deleted)
/data/data/####/6KVI4R406M91ESWDFUJC3RBOJOMHZ1O.zip
/data/data/####/8MX06TEQGSBRS6MF5OXIXTXY9MSRPZM.dex (deleted)
/data/data/####/8MX06TEQGSBRS6MF5OXIXTXY9MSRPZM.dex.flock (deleted)
/data/data/####/8MX06TEQGSBRS6MF5OXIXTXY9MSRPZM.zip
/data/data/####/95DBZG75GQWMW0Q6XJ9G2K65UXTDIXB.dex (deleted)
/data/data/####/95DBZG75GQWMW0Q6XJ9G2K65UXTDIXB.dex.flock (deleted)
/data/data/####/95DBZG75GQWMW0Q6XJ9G2K65UXTDIXB.zip
/data/data/####/AppKey.xml
/data/data/####/AppKey.xml.bak
/data/data/####/BAMPE2C14DI5PVQ03QKR462WT76U7UNC.dex
/data/data/####/BAMPE2C14DI5PVQ03QKR462WT76U7UNC.dex.flock (deleted)
/data/data/####/DPXQDR8AOW2HZZFX41X3R4EUTSZ6O0V8.dex
/data/data/####/DPXQDR8AOW2HZZFX41X3R4EUTSZ6O0V8.dex.flock (deleted)
/data/data/####/EGN6KF4C26TTAGKXNI3SVN3CZ0QX7LW.dex (deleted)
/data/data/####/EGN6KF4C26TTAGKXNI3SVN3CZ0QX7LW.dex.flock (deleted)
/data/data/####/EGN6KF4C26TTAGKXNI3SVN3CZ0QX7LW.zip
/data/data/####/K0CQUN2CVH71BJ15W6C75ZH89G0KHKM.dex (deleted)
/data/data/####/K0CQUN2CVH71BJ15W6C75ZH89G0KHKM.dex.flock (deleted)
/data/data/####/K0CQUN2CVH71BJ15W6C75ZH89G0KHKM.zip
/data/data/####/N5G7ELPY298XF8XAXZF1FVITB3XWG3WS.dex
/data/data/####/N5G7ELPY298XF8XAXZF1FVITB3XWG3WS.dex.flock (deleted)
/data/data/####/R7ZTLMXR2W6SEUGOBPVQWU838JJBCVP.dex (deleted)
/data/data/####/R7ZTLMXR2W6SEUGOBPVQWU838JJBCVP.dex.flock (deleted)
/data/data/####/R7ZTLMXR2W6SEUGOBPVQWU838JJBCVP.zip
/data/data/####/RVB59IXV6OQGAISOJPNMSMOZS3RVK7T.dex
/data/data/####/RVB59IXV6OQGAISOJPNMSMOZS3RVK7T.dex (deleted)
/data/data/####/RVB59IXV6OQGAISOJPNMSMOZS3RVK7T.dex.flock (deleted)
/data/data/####/RVB59IXV6OQGAISOJPNMSMOZS3RVK7T.zip
/data/data/####/SELOIXEMC0R3W2AFHOPMLLH292K7HNY.dex (deleted)
/data/data/####/SELOIXEMC0R3W2AFHOPMLLH292K7HNY.dex.flock (deleted)
/data/data/####/SELOIXEMC0R3W2AFHOPMLLH292K7HNY.zip
/data/data/####/TPSLWVWHV68E8YUZ0OG8LTDZTKOHZ7MI.dex
/data/data/####/TPSLWVWHV68E8YUZ0OG8LTDZTKOHZ7MI.dex.flock (deleted)
/data/data/####/UALNWM1QS2JOL9QFZW555X8POGBPBY5E.dex
/data/data/####/UALNWM1QS2JOL9QFZW555X8POGBPBY5E.dex.flock (deleted)
/data/data/####/WO82272SB9Z5R3DPSIC71FDSH4SSTC6.dex (deleted)
/data/data/####/WO82272SB9Z5R3DPSIC71FDSH4SSTC6.dex.flock (deleted)
/data/data/####/WO82272SB9Z5R3DPSIC71FDSH4SSTC6.zip
/data/data/####/YK2LN6MTYGZGG3OX9O3I48OQYVDEH08K.dex
/data/data/####/YK2LN6MTYGZGG3OX9O3I48OQYVDEH08K.dex.flock (deleted)
/data/data/####/com.prehdf.prphdf_preferences.xml
/data/data/####/empty_classes.dex
/data/data/####/empty_classes.zip
/data/data/####/lastReportSendTimeFile
/data/data/####/proc_auxv
/data/data/####/sealed1.obk
/data/data/####/sealed2.obk
/data/data/####/sealed3.obk
/data/data/####/sealed4.obk
/data/data/####/sealed5.obk
/data/data/####/sealeh.bdc
/data/data/####/stat1
/data/data/####/stat2
/data/data/####/stat3
/data/data/####/stat4
/data/data/####/stat5
/data/data/####/working

Miscellaneous:

Executes the following shell scripts:

chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/0OO2IJ2GZTRPN7D54MK3H7X4TGO45WQ.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/6KVI4R406M91ESWDFUJC3RBOJOMHZ1O.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/8MX06TEQGSBRS6MF5OXIXTXY9MSRPZM.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/95DBZG75GQWMW0Q6XJ9G2K65UXTDIXB.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/EGN6KF4C26TTAGKXNI3SVN3CZ0QX7LW.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/K0CQUN2CVH71BJ15W6C75ZH89G0KHKM.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/R7ZTLMXR2W6SEUGOBPVQWU838JJBCVP.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/RVB59IXV6OQGAISOJPNMSMOZS3RVK7T.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/SELOIXEMC0R3W2AFHOPMLLH292K7HNY.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/WO82272SB9Z5R3DPSIC71FDSH4SSTC6.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/0OO2IJ2GZTRPN7D54MK3H7X4TGO45WQ.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/0OO2IJ2GZTRPN7D54MK3H7X4TGO45WQ.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/6KVI4R406M91ESWDFUJC3RBOJOMHZ1O.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/8MX06TEQGSBRS6MF5OXIXTXY9MSRPZM.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/8MX06TEQGSBRS6MF5OXIXTXY9MSRPZM.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/95DBZG75GQWMW0Q6XJ9G2K65UXTDIXB.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/95DBZG75GQWMW0Q6XJ9G2K65UXTDIXB.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/EGN6KF4C26TTAGKXNI3SVN3CZ0QX7LW.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/EGN6KF4C26TTAGKXNI3SVN3CZ0QX7LW.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/K0CQUN2CVH71BJ15W6C75ZH89G0KHKM.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/K0CQUN2CVH71BJ15W6C75ZH89G0KHKM.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/R7ZTLMXR2W6SEUGOBPVQWU838JJBCVP.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/R7ZTLMXR2W6SEUGOBPVQWU838JJBCVP.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/RVB59IXV6OQGAISOJPNMSMOZS3RVK7T.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/RVB59IXV6OQGAISOJPNMSMOZS3RVK7T.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/SELOIXEMC0R3W2AFHOPMLLH292K7HNY.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/SELOIXEMC0R3W2AFHOPMLLH292K7HNY.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/WO82272SB9Z5R3DPSIC71FDSH4SSTC6.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/WO82272SB9Z5R3DPSIC71FDSH4SSTC6.vdex
dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/BAMPE2C14DI5PVQ03QKR462WT76U7UNC.dex --oat-file=/data/user/0/<Package>/cache/<Package>/BAMPE2C14DI5PVQ03QKR462WT76U7UNC.dex --compiler-filter=verify-none --instruction-set=x86
dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/DPXQDR8AOW2HZZFX41X3R4EUTSZ6O0V8.dex --oat-file=/data/user/0/<Package>/cache/<Package>/DPXQDR8AOW2HZZFX41X3R4EUTSZ6O0V8.dex --compiler-filter=verify-none --instruction-set=x86
dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/N5G7ELPY298XF8XAXZF1FVITB3XWG3WS.dex --oat-file=/data/user/0/<Package>/cache/<Package>/N5G7ELPY298XF8XAXZF1FVITB3XWG3WS.dex --compiler-filter=verify-none --instruction-set=x86
dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/TPSLWVWHV68E8YUZ0OG8LTDZTKOHZ7MI.dex --oat-file=/data/user/0/<Package>/cache/<Package>/TPSLWVWHV68E8YUZ0OG8LTDZTKOHZ7MI.dex --compiler-filter=verify-none --instruction-set=x86
dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/UALNWM1QS2JOL9QFZW555X8POGBPBY5E.dex --oat-file=/data/user/0/<Package>/cache/<Package>/UALNWM1QS2JOL9QFZW555X8POGBPBY5E.dex --compiler-filter=verify-none --instruction-set=x86
dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/YK2LN6MTYGZGG3OX9O3I48OQYVDEH08K.dex --oat-file=/data/user/0/<Package>/cache/<Package>/YK2LN6MTYGZGG3OX9O3I48OQYVDEH08K.dex --compiler-filter=verify-none --instruction-set=x86
getprop ro.dalvik.vm.isa.arm
getprop ro.dalvik.vm.isa.arm64
sh -c dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/BAMPE2C14DI5PVQ03QKR462WT76U7UNC.dex --oat-file=/data/user/0/<Package>/cache/<Package>/BAMPE2C14DI5PVQ03QKR462WT76U7UNC.dex --compiler-filter=verify-none --instruction-set=x86
sh -c dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/DPXQDR8AOW2HZZFX41X3R4EUTSZ6O0V8.dex --oat-file=/data/user/0/<Package>/cache/<Package>/DPXQDR8AOW2HZZFX41X3R4EUTSZ6O0V8.dex --compiler-filter=verify-none --instruction-set=x86
sh -c dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/N5G7ELPY298XF8XAXZF1FVITB3XWG3WS.dex --oat-file=/data/user/0/<Package>/cache/<Package>/N5G7ELPY298XF8XAXZF1FVITB3XWG3WS.dex --compiler-filter=verify-none --instruction-set=x86
sh -c dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/TPSLWVWHV68E8YUZ0OG8LTDZTKOHZ7MI.dex --oat-file=/data/user/0/<Package>/cache/<Package>/TPSLWVWHV68E8YUZ0OG8LTDZTKOHZ7MI.dex --compiler-filter=verify-none --instruction-set=x86
sh -c dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/UALNWM1QS2JOL9QFZW555X8POGBPBY5E.dex --oat-file=/data/user/0/<Package>/cache/<Package>/UALNWM1QS2JOL9QFZW555X8POGBPBY5E.dex --compiler-filter=verify-none --instruction-set=x86
sh -c dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/YK2LN6MTYGZGG3OX9O3I48OQYVDEH08K.dex --oat-file=/data/user/0/<Package>/cache/<Package>/YK2LN6MTYGZGG3OX9O3I48OQYVDEH08K.dex --compiler-filter=verify-none --instruction-set=x86

Loads the following dynamic libraries:

libcovault-appsec

Uses special library to hide executable bytecode.

Gets information about network.

Gets information about active device administrators.

Gets information about installed apps.

Displays its own windows over windows of other apps.

Appears corrupted in a way typical for malicious files.

Technologies

Begriffe

Schulung und Training

Mythen

Technical information

Curing recommendations

Free trial