Analysis

  • max time kernel
    2314613s
  • max time network
    158s
  • platform
    android_x86
  • resource
    android-x86-arm-20231215-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
  • submitted
    20-12-2023 01:27

General

  • Target

    78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25.apk

  • Size

    4.8MB

  • MD5

    23d92d04a25f2bfea3d2f147cd79be8e

  • SHA1

    956308322bd9d64e9258986d9c5f64439a2c23a3

  • SHA256

    78d6dc4d6388e1a92a5543b80c038ac66430c7cab3b877eeb0a834bce5cb7c25

  • SHA512

    3dcd00d0eeed37f3a912922146cc867de568545ac721257d405154fb05628793f8fa13f340ece6c70a4dd982e95ba53a8b5a83dd17e98cc17be156a7839c17b2

  • SSDEEP

    98304:y4zbjHHYuxJ8GfFaqFGYrVPl7ybvuGP3IpwK98g8ovvSWWZiW:yq3Yuxy4LGYRdun3IpwoV5qWWL

Malware Config

Signatures

  • FluBot

    FluBot is an android banking trojan that uses overlays.

  • FluBot payload 1 IoCs
  • Makes use of the framework's Accessibility service 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Removes its main activity from the application launcher 1 IoCs
  • Loads dropped Dex/Jar 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Requests enabling of the accessibility settings. 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.snda.wifilocating
    1⤵
    • Makes use of the framework's Accessibility service
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Requests enabling of the accessibility settings.
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4236
    • /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/oat/x86/base.apk.8ghjkfs1.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4265

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/tmp-base.apk.8ghjkfs4911499899686830301.geg

    Filesize

    244KB

    MD5

    5ba70249045ff699b0043cd0104ce366

    SHA1

    787317edeec33df25737dfff640a901e05813530

    SHA256

    94c71d2f7a6954eb848bfa85ea4c88b213054b6bbe4347f8f17f88e63a46f96a

    SHA512

    cc1245e6a108c9a1f441375e3637f964ba7bcf1d85fcc159adc359fadf97cb348785d72a1d631d9c7284107361440aec7d832dd2cd133e0c644c08013b183142

  • /data/user/0/com.snda.wifilocating/g7fHirjfgj/ggghgg8gTgIrjge/base.apk.8ghjkfs1.geg

    Filesize

    2.0MB

    MD5

    88b801e20e638b2477b2afeb558d1f12

    SHA1

    3899575ed8d71e86a138018551e3517b06b318b6

    SHA256

    298a2c754226c4c631c718c436be8d352037a85499b754b5a89865b6c40854b6

    SHA512

    34a5bacb591332049242de85c34aae63f923fe87e4e27de2fb8a92db5a29d5726ade581bb08015ccc8169545484c8a9fc6ccedf104fe581f4b8291d0c8eb10cb