029b12a42ea00701c0a6f08636500fe2bdf99519becc695a4e8d2f2e380ffad7 | Triage

Analysis

max time kernel
4021322s
max time network
134s
platform
android_x86_64
resource
android-x86_64_arm64
submitted
20-04-2021 14:27

Sharing

Report Analysis Logs

General

Target

029b12a42ea00701c0a6f08636500fe2bdf99519becc695a4e8d2f2e380ffad7.apk
Size

3.3MB
MD5

b1d2f996a166c72651e6f6f932de4017
SHA1

550a3af0927c82007c215f00db68d7ce0ebfd1b3
SHA256

029b12a42ea00701c0a6f08636500fe2bdf99519becc695a4e8d2f2e380ffad7
SHA512

09c3e95de3a611cfcc60e542fa9a8687292a1c57d20c776cd8460fc5f3cf8bbc3614d1a65f734984fe7da6600c6615f21db46718012a338378887b996ad8c3b2

Score

10^/10

obfuscation stealth trojan

Malware Config

Extracted

ARC4_key

Signatures

Removes its main activity from the application launcher 1 IoCs
stealth trojan

Processes:

us.mobiletest.bank

pid process

4140 us.mobiletest.bank

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

us.mobiletest.bank

ioc	pid	process
/data/user/0/us.mobiletest.bank/cache/of87oaufaldjawdjkw.dex	4140	us.mobiletest.bank
/data/user/0/us.mobiletest.bank/cache/of87oaufaldjawdjkw.dex	4140	us.mobiletest.bank

Requests enabling of the accessibility settings. 1 IoCs

Processes:

us.mobiletest.bank

description ioc process

Intent action android.settings.ACCESSIBILITY_SETTINGS us.mobiletest.bank

Uses reflection 10 IoCs

Processes:

us.mobiletest.bank

description	pid	process
Invokes method dalvik.system.CloseGuard.get	4140	us.mobiletest.bank
Invokes method dalvik.system.CloseGuard.open	4140	us.mobiletest.bank
Invokes method com.android.org.conscrypt.ConscryptEngineSocket.setUseSessionTickets	4140	us.mobiletest.bank
Invokes method com.android.org.conscrypt.ConscryptEngineSocket.setHostname	4140	us.mobiletest.bank
Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.setAlpnProtocols	4140	us.mobiletest.bank
Invokes method com.android.org.conscrypt.OpenSSLSocketImpl.getAlpnSelectedProtocol	4140	us.mobiletest.bank
Invokes method dalvik.system.CloseGuard.get	4140	us.mobiletest.bank
Invokes method dalvik.system.CloseGuard.open	4140	us.mobiletest.bank
Invokes method dalvik.system.CloseGuard.get	4140	us.mobiletest.bank
Invokes method dalvik.system.CloseGuard.open	4140	us.mobiletest.bank

us.mobiletest.bank
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Uses reflection
PID:4140

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...