a40c7cabf874517f5d3d069e0377fa9348e10344000e39717c1a6571939ba7c0

Analysis

max time kernel
47s
max time network
137s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
10-04-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a40c7cabf874517f5d3d069e0377fa9348e10344000e39717c1a6571939ba7c0.apk
Size

29.1MB
MD5

54a85378f28085923115ee44f540ff8a
SHA1

2e40f7fd49fa8538879f90a85300247fbf2f8f67
SHA256

a40c7cabf874517f5d3d069e0377fa9348e10344000e39717c1a6571939ba7c0
SHA512

853d315b460f899c3b4e7e2d6e071763dea1f4c58f8ea1547d8a234eda12e7ee8a1b2c4c5f51f7f4074061f3c50dc5e1892e33520d0b7eec3a82e3f1c4c74917
SSDEEP

393216:bjd8b3Stod1v3uFwCPwmSPk3biaOhECW1Fypl+W9ESATkXQY0/rBxqHoyvc2IG6a:ZbKhE3cYQAYA/q3Qq2w2AA+1Aphm

Score

8^/10

collection discovery evasion persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 2 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion

Input Injection

T1516

Screen Capture

T1513

Processes:

com.secure.vpn

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.secure.vpn

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

com.secure.vpn

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground com.secure.vpn
Queries information about running processes on the device. 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

com.secure.vpn

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses com.secure.vpn
Reads the contacts stored on the device. 1 TTPs 1 IoCs
collection

Contact List
T1636.003

Processes:

com.secure.vpn

description ioc process

URI accessed for read content://com.android.contacts/contacts com.secure.vpn
Reads the content of the call log. 1 TTPs 1 IoCs
collection

Call Log
T1636.002

Processes:

com.secure.vpn

description ioc process

URI accessed for read content://call_log/calls com.secure.vpn
Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes:

com.secure.vpn

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.secure.vpn

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	com.secure.vpn

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.secure.vpn

description	ioc	process
URI accessed for read	content://com.android.contacts/contacts	com.secure.vpn

description	ioc	process
URI accessed for read	content://call_log/calls	com.secure.vpn

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.secure.vpn

com.secure.vpn
1⤵
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Queries information about running processes on the device.
- Reads the contacts stored on the device.
- Reads the content of the call log.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4242

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Discovery

Process Discovery

T1424

Lateral Movement

Collection

Protected User Data

T1636

Call Log

T1636.002

Contact List

T1636.003

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.secure.vpn/cache/rndseq

Filesize
48B

MD5
00efe599e2fb55cfa3286a61a580725a

SHA1
dbe8a31de8bc383b59713a70087352a1f192a091

SHA256
17527a66bcc2424c13c7ae8a7e7e26947cdc97011451cdbceec25032a4a2423d

SHA512
ddffa6e5fae1f40bef37b4c5d347d51a127de3fd74748079bcd958a1dd00841df5d12eb6bc8bd399df5788ef4f40a19e79725066ac278f84eb5c492208ffa618

Download Submit
/data/data/com.secure.vpn/databases/MonDB

Filesize
140KB

MD5
11cdae334eb513f8d7c83c3d9f9eba3a

SHA1
a5923d603aab35b7bc8c02c2a9c5fa7ec9a29842

SHA256
49541eab2d57c17fc70c9df7a664f4fced4b4a687fcdf85e75a086aafed7b934

SHA512
a31802a38a6611902974eea67c9fb975a7bc589f670ea3052ddcbd196a3e8af17e5b5e8ea711b931b641aa8c890a7fa51423d7e121b270f1f911f820dfdcdbfc

Download Submit
/data/data/com.secure.vpn/databases/MonDB-journal

Filesize
512B

MD5
ca71da855d9c09a19bf938268b04c544

SHA1
ab45bdfecfc241e38cf46df25553795a2f500617

SHA256
01efb3f923e372b5ca402b3ff0a2d97294722403d746495ea06b18fc3723b3aa

SHA512
22807ce91d7f08811c10420a67e1299572478759523668150bc06f3e4cbec56c22b82bbf17da146328b0422dc9e272de1c80e6f9f54a441f7a336d7345d0dd6b

Download Submit
/data/data/com.secure.vpn/databases/MonDB-wal

Filesize
16KB

MD5
dcda0e5930d3e65b3da789567704a071

SHA1
ebd4380771a0cf67379b436889c31efb1121dd0a

SHA256
c752f93152089320832a8c02f7ceb12a04d367b27f9d9df59064a7afeac67650

SHA512
a36908728321c67ece6c93c4b2c924b7129d7260ab3c231a3c3cdaf1321a3365afd1212d9c1bbd83f846cbf39d1861ce4ef2a4a2c193fe4dcf735f4c23cdd38a

Download Submit
/data/data/com.secure.vpn/databases/MonDB-wal

Filesize
152KB

MD5
6924dcc99fe5f555a26bc8e9c03d7bcb

SHA1
1748682d4f9209335963559e28ad39c05f3b915c

SHA256
671e1d623571520077cfad3105215d4f4a07ee5f77bf8b95a23c76d2ed887f4b

SHA512
b75b46f18497b3603f305a4d88e197aedeccce084bd729e922dad40fa8c57c481190990cf82291841df8927afeff8a74cd1b013137bdbe6fc9efd9c2eb98d323

Download Submit
/data/data/com.secure.vpn/databases/MonDB-wal

Filesize
410KB

MD5
42c482efbe8fef74df374a8dabd868e5

SHA1
cf7762c7d1c81a55f862700d50f0ee6552217b14

SHA256
037471f622e6c9c53111b7a5ceeea7edbb96738f5027bf0ce3c17515055004a1

SHA512
8763681ad43c71a0f67ef0112168bffeed19bff993b5b440accffe9975b19a6c727dfaa819459ba298e6a6207b03ca44158867b7a2cd9c7a067e29d9f0a25397

Download Submit
/data/data/com.secure.vpn/databases/anchorfree-ucr.db-journal

Filesize
512B

MD5
b2050282e978646845cfe280ffc7b543

SHA1
500aa76a36f5a7d47b53bdc39b38edf98641d147

SHA256
cf8a0433fa03bb9ff2a27c3a895cfa0296399422faa6dfef18b1fbe3b1a8d47c

SHA512
6ecb5094fa959fe9337fa07870f1a318ed77c27ff58b59aa26db840ca8c6d9e0bfc07e0b96ae8f4c508763f6bfb3c4067c31f33c56160f5f5524bce50f869d24

Download Submit
/data/data/com.secure.vpn/databases/anchorfree-ucr.db-wal

Filesize
32KB

MD5
223e6897ada8a0e35c008515b70db2bc

SHA1
8939afad79670bd46a5608a3a5ca39bb51123453

SHA256
fb0aac453f5751124b4a0ea157e89eb6e86899f758ef49c428f31873a7d4f732

SHA512
6cb78c5336ce6c84521f9abbdea177ccfe10ef51eba465bfeeecdf700b297fa626ccf3800d26b95541372afa55bc4641282329d85a28e84d2344a69d3103934c

Download Submit
/data/data/com.secure.vpn/databases/key_value_store.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.secure.vpn/databases/key_value_store.db-journal

Filesize
512B

MD5
f658a96a01329a82d25dd57119c1f855

SHA1
1eb768242f26d73c2c08f594a4ec3956341b5ffc

SHA256
c9fe325f5c07045f91cd19b25ebeddfd6b0b759e88f505705758d29b4b67cb87

SHA512
9550711745dc2ad0029a4fe762a2d1bfff0fe9f74e13262d2c521ae81efd0554a0ec864451145e0c40d48ca80c1e2524717d5b8d084e1ebb7943366e6a37c600

Download Submit
/data/data/com.secure.vpn/databases/key_value_store.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.secure.vpn/databases/key_value_store.db-wal

Filesize
209KB

MD5
4d769156cc1ed256338f2bbf167dda72

SHA1
c6e4702344697387469a4e7a68cb89b96ca3321a

SHA256
18fce54417f0e1c187f4061c3e3f72576a3a6943fc0c3891c714189a77885c89

SHA512
e33b22bb72ca7f02741fd0735e2fe54579cbfce5f0f468b92462c5092a04361f9168551b1a49c6f8d79222c917ab516b2b64a7db799b55f559132b1a13931d3f

Download Submit
/data/data/com.secure.vpn/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
720d524d0cd685925f106becc0c5eace

SHA1
3870afece293479244b4a32995000f818672959b

SHA256
17b35c19fd6001a31839d2c47ed77629a47e2a4ddf6a4c2deeb199c900baaba6

SHA512
43bb04e4d33825a6d8cd0ce080912204ebce206dc9fd64efbc83412e6d59ef48625bca995d5db5197faf6099eb57355b33a5ef569aaf5d6e28020420a39d5dfa

Download Submit
/data/data/com.secure.vpn/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
9e4bbb0e5fc10bae56f51c7d67689a7a

SHA1
c9bed9f53a0cf815443d7bf02e9147d35e309077

SHA256
6a4361f7322d0c15d18670878d8e4b12fabd0f5ece3d46f943932da5ae35b996

SHA512
97dac1f78ea9a58072b8c6e7f8a9371a4ab9a9ce3b7ee50ebdcc4457ee7dc31d0f452a639c3aef9be96fa3fc60396f41fcf06e33baa5a90c25268d475f2142b5

Download Submit
/data/data/com.secure.vpn/no_backup/androidx.work.workdb-wal

Filesize
189KB

MD5
1e70b5a888fc71dfe71cf26f5986eca3

SHA1
e0486ffa55192a9298887346685ef8a4d54a2031

SHA256
2bfb5c8c359c4a557db96d300efd28b70671032be6e2ed23e69533fd938b4208

SHA512
51db5a5f1e13dfb2bfc4479cae6a08927e709b3878a0d2842a7e050d0d5333c68a3fe22521043583f09e77b45f2df93128de93ed20d415e3923191453c37ab9f

Download Submit
/data/data/com.secure.vpn/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
943ee81fb1ce941de011d7e69fad10b6

SHA1
8c736bbd0c7d0a8b371a62dfe59d3ea2c5aa1622

SHA256
b4395fb72badf31ca761239a2a9e4682638ee16a5526967a36395d2d6daa943e

SHA512
644c795a0e312ee5ee08e0d9e54d8bc1c013f7f885c0e80f5bf4d3c91fc631c5dca33eb5f080300b6a7b0fb3d100d29aede16f76e473e8268c78b824579020ed

Download Submit