e9c660be3f11421e5bd1532c9d78281153f4d3eba34003ce556018e1a88c519f

Analysis

max time kernel
150s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
10/03/2024, 22:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9c660be3f11421e5bd1532c9d78281153f4d3eba34003ce556018e1a88c519f.apk
Size

315KB
MD5

9cdd0ca60b067daa7d9175319a08d7e4
SHA1

60e5d3fa7b938d59eb4629baeecce3b1a507494f
SHA256

e9c660be3f11421e5bd1532c9d78281153f4d3eba34003ce556018e1a88c519f
SHA512

7a154a45c486f8ea9c98b9c367acf783922ddf9c4264b3c3d6141b021ebbe8e75db32e85011c1aadae92a17a6e258c9babc0c1b4fa15b34ed5c0c65f50714231
SSDEEP

6144:hFH9BO3GkGYWfTrtobxDDHAlRUMpjgulikgmPaogdMDGN4h:hFH9BO3GfKNDg7UuHbaof6N4h

Score

8^/10

collection evasion stealth trojan

Malware Config

Signatures

Makes use of the framework's Accessibility service 2 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	wcqrucdpzh.otstodvvsm.vrbnjqrsrr
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4284	wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	wcqrucdpzh.otstodvvsm.vrbnjqrsrr

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	wcqrucdpzh.otstodvvsm.vrbnjqrsrr

wcqrucdpzh.otstodvvsm.vrbnjqrsrr
1⤵
- Makes use of the framework's Accessibility service
- Removes its main activity from the application launcher
- Acquires the wake lock
- Uses Crypto APIs (Might try to encrypt user data)
PID:4284

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Input Injection

T1516

Credential Access

Discovery

Lateral Movement

Collection

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads