Android.BankBot.14988

Добавлен в вирусную базу Dr.Web: 2024-01-25

Описание добавлено: 2024-01-25

Technical information

Malicious functions:

Executes code of the following detected threats:

Android.BankBot.970.origin

Removes app icon from the screen.

Network activity:

Connects to:

UDP(DNS) <Google DNS>
TCP(HTTP/1.1) connect####.gst####.com:80
TCP(TLS/1.0) pla####.google####.com:443
TCP(TLS/1.0) 64.2####.161.94:443
TCP(TLS/1.0) rr18---####.g####.com:443
TCP(TLS/1.0) p####.google####.com:443
TCP(TLS/1.0) sqs.ap-nort####.amazo####.com:443
TCP(TLS/1.0) rr9---s####.g####.com:443
TCP(TLS/1.0) rr2---s####.g####.com:443
TCP(TLS/1.0) md####.google####.com:443
TCP(TLS/1.2) connect####.gst####.com:443
TCP(TLS/1.2) www.go####.com:443
TCP(TLS/1.2) md####.google####.com:443
TCP(TLS/1.2) 64.2####.161.94:443
TCP(TLS/1.2) 64.2####.161.102:443
UDP md####.google####.com:443
UDP p####.google####.com:443

DNS requests:

connect####.gst####.com
m####.go####.com
md####.google####.com
p####.google####.com
pla####.google####.com
rr18---####.g####.com
rr2---s####.g####.com
rr9---s####.g####.com
sqs.ap-nort####.amazo####.com
www.go####.com

HTTP POST requests:

sqs.ap-nort####.amazo####.com:443/664144478517/crash_queue_svc
sqs.ap-nort####.amazo####.com:443/664144478517/report_queue_svc

File system changes:

Creates the following files:

/data/data/####/.com_jakedegivuwuwe_yewo.meta
/data/data/####/120046
/data/data/####/19
/data/data/####/2024-01-25AM044910.str
/data/data/####/2024-01-25AM044930.hkr
/data/data/####/20240125T044911.dmp.asi
/data/data/####/20240125T044919.dmp.asi
/data/data/####/20240125T044934.dmp.asi
/data/data/####/29
/data/data/####/BP7U8ZFYNDCPT0TYADONDXLV70IVMXXP.dex
/data/data/####/BP7U8ZFYNDCPT0TYADONDXLV70IVMXXP.dex.flock (deleted)
/data/data/####/HJ1ONP015RRMIBP1QSRW1KCSL85NIC2.dex
/data/data/####/HJ1ONP015RRMIBP1QSRW1KCSL85NIC2.dex.flock (deleted)
/data/data/####/HJ1ONP015RRMIBP1QSRW1KCSL85NIC2.zip
/data/data/####/JP0ZDWL9V366NDDQG7ODGKSHSPB20EH.dex
/data/data/####/JP0ZDWL9V366NDDQG7ODGKSHSPB20EH.dex.flock (deleted)
/data/data/####/JP0ZDWL9V366NDDQG7ODGKSHSPB20EH.zip
/data/data/####/YNZNDXQ9FEWE8IYW0B1BYWYO70RJNWN.dex
/data/data/####/YNZNDXQ9FEWE8IYW0B1BYWYO70RJNWN.dex.flock (deleted)
/data/data/####/YNZNDXQ9FEWE8IYW0B1BYWYO70RJNWN.zip
/data/data/####/empty_classes.dex
/data/data/####/empty_classes.zip
/data/data/####/lastReportSendTimeFile
/data/data/####/proc_auxv
/data/data/####/sealed1.obk
/data/data/####/sealeh.bdc
/data/data/####/settings.xml
/data/data/####/stat1
/data/data/####/working
/drw/ssl_dumps/ssl_dump_3421.pcap

Miscellaneous:

Executes the following shell scripts:

chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/HJ1ONP015RRMIBP1QSRW1KCSL85NIC2.zip.cur.prof
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/HJ1ONP015RRMIBP1QSRW1KCSL85NIC2.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/HJ1ONP015RRMIBP1QSRW1KCSL85NIC2.vdex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/JP0ZDWL9V366NDDQG7ODGKSHSPB20EH.odex
chmod 777 /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/oat/arm/JP0ZDWL9V366NDDQG7ODGKSHSPB20EH.vdex
cp /data/user/0/<Package>/app_payload_lib/empty_classes.dex /data/user/0/<Package>/app_payload_lib/<Package>/BP7U8ZFYNDCPT0TYADONDXLV70IVMXXP.dex
cp /data/user/0/<Package>/app_payload_lib/empty_classes.zip /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/HJ1ONP015RRMIBP1QSRW1KCSL85NIC2.zip
cp /data/user/0/<Package>/app_payload_lib/empty_classes.zip /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/JP0ZDWL9V366NDDQG7ODGKSHSPB20EH.zip
cp /data/user/0/<Package>/app_payload_lib/empty_classes.zip /data/user/0/<Package>/app_payload_lib/<Package>_empty_classes/YNZNDXQ9FEWE8IYW0B1BYWYO70RJNWN.zip
dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/BP7U8ZFYNDCPT0TYADONDXLV70IVMXXP.dex --oat-file=/data/user/0/<Package>/cache/<Package>/BP7U8ZFYNDCPT0TYADONDXLV70IVMXXP.dex --compiler-filter=verify-none --instruction-set=x86
getprop ro.dalvik.vm.isa.arm
getprop ro.dalvik.vm.isa.arm64
sh -c dex2oat --dex-file=/data/user/0/<Package>/app_payload_lib/<Package>/BP7U8ZFYNDCPT0TYADONDXLV70IVMXXP.dex --oat-file=/data/user/0/<Package>/cache/<Package>/BP7U8ZFYNDCPT0TYADONDXLV70IVMXXP.dex --compiler-filter=verify-none --instruction-set=x86

Loads the following dynamic libraries:

libcovault-appsec

Uses the following algorithms to decrypt data:

AES-CBC-PKCS5Padding

Uses special library to hide executable bytecode.

Gets information about network.

Gets information about active device administrators.

Gets information about installed apps.

Adds tasks to the system scheduler.

Displays its own windows over windows of other apps.

Requests the system alert window permission.

Appears corrupted in a way typical for malicious files.

Технологии

Термины

Обучение и просвещение

Мифы

Technical information

Рекомендации по лечению

Демо бесплатно на 14 дней