Analysis
-
max time kernel
2314613s -
max time network
158s -
platform
android_x86 -
resource
android-x86-arm-20231215-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system -
submitted
20-12-2023 01:27
Static task
static1
Behavioral task
behavioral1
Sample
78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25.apk
Resource
android-x86-arm-20231215-en
Behavioral task
behavioral2
Sample
78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25.apk
Resource
android-x64-20231215-en
General
-
Target
78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25.apk
-
Size
4.8MB
-
MD5
23d92d04a25f2bfea3d2f147cd79be8e
-
SHA1
956308322bd9d64e9258986d9c5f64439a2c23a3
-
SHA256
78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25
-
SHA512
3dcd00d0eeed37f3a912922146cc867de568545ac721257d405154fb05628793f8fa13f340ece6c70a4dd982e95ba53a8b5a83dd17e98cc17be156a7839c17b2
-
SSDEEP
98304:y4zbjHHYuxJ8GfFaqFGYrVPl7ybvuGP3IpwK98g8ovvSWWZiW:yq3Yuxy4LGYRdun3IpwoV5qWWL
Malware Config
Signatures
-
FluBot
FluBot is an android banking trojan that uses overlays.
-
FluBot payload 1 IoCs
resource yara_rule behavioral1/memory/4265-0.dex family_flubot -
Makes use of the framework's Accessibility service 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.snda.wifilocating Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.snda.wifilocating Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.snda.wifilocating -
pid Process 4236 com.snda.wifilocating -
Loads dropped Dex/Jar 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg 4265 /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/oat/x86/base.apk.8ghjkfs1.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg 4236 com.snda.wifilocating -
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS com.snda.wifilocating -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.snda.wifilocating -
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.snda.wifilocating
Processes
-
com.snda.wifilocating1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4236 -
/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/oat/x86/base.apk.8ghjkfs1.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4265
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
/data/data/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/tmp-base.apk.8ghjkfs4911499899686830301.geg
Filesize244KB
MD55ba70249045ff699b0043cd0104ce366
SHA1787317edeec33df25737dfff640a901e05813530
SHA25694c71d2f7a6954eb848bfa85ea4c88b213054b6bbe4347f8f17f88e63a46f96a
SHA512cc1245e6a108c9a1f441375e3637f964ba7bcf1d85fcc159adc359fadf97cb348785d72a1d631d9c7284107361440aec7d832dd2cd133e0c644c08013b183142
-
Filesize
2.0MB
MD588b801e20e638b2477b2afeb558d1f12
SHA13899575ed8d71e86a138018551e3517b06b318b6
SHA256298a2c754226c4c631c718c436be8d352037a85499b754b5a89865b6c40854b6
SHA51234a5bacb591332049242de85c34aae63f923fe87e4e27de2fb8a92db5a29d5726ade581bb08015ccc8169545484c8a9fc6ccedf104fe581f4b8291d0c8eb10cb