9e945ebd56d1ec80f1ea98cd16ff40ece788e4c51f11152a17943051ba5a2ffd

Analysis

max time kernel
2200166s
max time network
130s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
19/12/2023, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32add2fcb6364cc8b3c2343b3940f98d.apk
Size

999KB
MD5

32add2fcb6364cc8b3c2343b3940f98d
SHA1

b01ff05841555d1a9724011b0dd62eb3cbea14af
SHA256

9e945ebd56d1ec80f1ea98cd16ff40ece788e4c51f11152a17943051ba5a2ffd
SHA512

c0c2bbaa9b9f7f043a5125f3fdeb38c7514c72d885d02f2490debeacbdb4479ba13cf69fec5ddaf8c51e99032b0713fa893f642fbf49abadb9fe857d9a39fe6b
SSDEEP

24576:Wa2uW+MI4hJQJpkUf1WKi/8+eAX/QlKloxsL9ddS5YrIvn:CuWfbhJQj/f1KU+Y4loxgS5Y8/

Score

8^/10

evasion stealth trojan

Malware Config

Signatures

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.xocvwnowpqn.vbswxt
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.xocvwnowpqn.vbswxt

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4250	com.xocvwnowpqn.vbswxt

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar	4277	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.xocvwnowpqn.vbswxt/app_files/oat/x86/iwuhnajbdo.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar	4250	com.xocvwnowpqn.vbswxt

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.xocvwnowpqn.vbswxt

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.xocvwnowpqn.vbswxt

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.xocvwnowpqn.vbswxt

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.xocvwnowpqn.vbswxt

com.xocvwnowpqn.vbswxt
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4250
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.xocvwnowpqn.vbswxt/app_files/oat/x86/iwuhnajbdo.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4277

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar

Filesize
185KB

MD5
91838b3b4c7d4ad37cb91ae57a0766a2

SHA1
49374763ee0931e93d6d1917e7f4c0fa4cc10f8b

SHA256
4289b4fee1d94b55410a6d88a4a253533d36f5c29d639f44a3bc59100bf6d91e

SHA512
234907ae67bf52114e5dc33640d6755f2cb05aa6cb93f20e4d056a0e091a4c414d43eb72c20af80bb1e3f39a1af67d2be6e2d0ee54a9eb5715d5b627f5f6383c

Download Submit
/data/data/com.xocvwnowpqn.vbswxt/app_files/oat/iwuhnajbdo.jar.cur.prof

Filesize
258B

MD5
2a2c15da1d238792743c6aa3d73c344f

SHA1
1cc945bf8cbca9ee8decd1836d5634383642c5fb

SHA256
2f0058617183e15ab8715256b6f762224ac4a3c46f586aace2973aab5e2c19fe

SHA512
28cca32ba17c2d44381eff5322e53961e56dd2ee143293a979b1771479bf8a4444b9fbb979a0bb9059a07b2ac34df15427a3aa7d5f4aa7f33d866cdd32b61149

Download Submit
/data/user/0/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar

Filesize
370KB

MD5
8a88ffbd2cdd7210cb3aae8a3aea4004

SHA1
82552202669e8073980c37617311765d7cae3d82

SHA256
760b17c29d16d9fd63eeee654dafc293d2d5ec133ac4491421bbadb8525f015e

SHA512
34ae6792ab6ace3b49044f953a8d0b95f97f83e80202f870373dd7b92f64678ecef3e1c6113b5bd93d3fec8455a8851b9a13cc365d6b03f9b1ba338abd80e83f

Download Submit
/data/user/0/com.xocvwnowpqn.vbswxt/app_files/iwuhnajbdo.jar

Filesize
370KB

MD5
e407c09bba6612a7ec9de47b0888a3c1

SHA1
b10704316e55e70e6ec9ed752f9a519939897080

SHA256
e8e0ccc403bbdd14f33bb919af6dafbfb141ec5d8cf074b5301c287360f198c3

SHA512
8bcbc0f298574412058caaf746c3fc27d1d8db74bd24d34063d5056635216fa56871c2e7d8cc0c22a278e8e7431b99e9e00308f8ad5738079f690bab5767efe7

Download Submit