967502662c5ccef3ff369bbe27277109423dc11f25488afa55177fb68d0263a5

Analysis

max time kernel
2449583s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20231215-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20231215-enlocale:en-usos:android-11-x64system
submitted
20-12-2023 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

967502662c5ccef3ff369bbe27277109423dc11f25488afa55177fb68d0263a5.apk
Size

2.0MB
MD5

a1800ec38cb5fd1e3f6c2c68dda0af40
SHA1

c224e3174163a1c0cf77491bfcaf3606bdb107c3
SHA256

967502662c5ccef3ff369bbe27277109423dc11f25488afa55177fb68d0263a5
SHA512

a1e1363a26765658d006f40943d2183c0b39057a634de0a4f89ec98933970c789cbce9eadd843cb7c2a62857ed5d1671deda5e6bdfaa3911db0db81d93c10bd4
SSDEEP

49152:4otKpG00BlMSgYK72V9fWW4lJKcdZBKlcvp4cyDzwLRJB9:FKHiK22g9fWLlJlZBKmvpESrz

Score

8^/10

evasion stealth trojan

Malware Config

Signatures

Makes use of the framework's Accessibility service 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.flash.bird
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.flash.bird

Removes its main activity from the application launcher 1 IoCs

stealth trojan

pid	Process
4618	com.flash.bird

Loads dropped Dex/Jar 4 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.flash.bird/app_DynamicOptDex/tDSfRtr.json	4618	com.flash.bird
/data/user/0/com.flash.bird/app_DynamicOptDex/tDSfRtr.json	4618	com.flash.bird
/data/user/0/com.flash.bird/app_DynamicOptDex/tDSfRtr.json	4618	com.flash.bird
/data/user/0/com.flash.bird/app_DynamicOptDex/tDSfRtr.json	4618	com.flash.bird

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	com.flash.bird

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.flash.bird

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 IoCs

evasion

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.flash.bird

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.flash.bird

com.flash.bird
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Requests enabling of the accessibility settings.
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4618

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.flash.bird/app_DynamicOptDex/tDSfRtr.json

Filesize
366KB

MD5
a27ad58d5b83684e0ca01b73f4a9e008

SHA1
e586b7fcf899dc4b4adee3b619d546df5f9c6138

SHA256
ea7a3ef8b1230794297967286e3d93ab555bd23135d01a244fbcb1b4e2e63ef6

SHA512
4fe03acd50917211192f95207940876c3c7888ba1d8322d0392af7b72c9cfc62f5ad2a315968222bc43bdae021c4cee01f80641e15acff95c431a61bd26162ac

Download Submit
/data/user/0/com.flash.bird/app_DynamicOptDex/tDSfRtr.json

Filesize
366KB

MD5
8dbb4a33f20f3f226205e5687455ddd2

SHA1
783bc056ad1b4be7f5a29a126d1448bcb04ed1e1

SHA256
b1b30b14c56c7fb94fe9cccf082e81c013083e44c54ab6270a7e4285bb893cb2

SHA512
15638d6eff668639b6dc05e3114cc796e886e0115310b4aebb597454c8fb1d14920ee4a2df98ed0446032d4ce0f77ce2274d514c731d18dcb78a754b8b1d7e0d

Download Submit