Analysis
- max time kernel: 1794s
- max time network: 1801s
- platform: android_x64
- resource: android-33-x64-arm64-20240229-en
- resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240229-en, locale:en-us, os:android-13-x64, system
- submitted: 05-05-2024 19:53
Behavioral task: behavioral1
- Sample: GCQOFN.apk
- Resource: android-33-x64-arm64-20240229-en
- 8 signatures
- 1800 seconds
General
- Target: GCQOFN.apk
- Size: 2.0MB
- MD5: 91e7f991651aadb0bba46ee9385b46ae
- SHA1: ea2e2434143f42a0f450e9b41e538a9cdd119937
- SHA256: 28431e848e6560ad8fc37e3fdba704548af3977e8ec9c9b5cc877955455f993e
- SHA512: 7a1a05ac4ba6d65588d0012df7be29df04a7e06763814133f21d275d00b8857a5cc356e694aaea7c63dc14f226d6e328008912156924e0ab65dea2a7c19d7af4
- SSDEEP: 49152:Z73fx7xKnOWUTO4Kq3nfOAzvnc21zgeFTplk:NxxKnWvKUnrzv11zgOk
Malware Config
Signatures
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | Process: com.example.dat.a8andoserverx
- Requests enabling of the accessibility settings. (1 IoCs)
  description: Intent action | ioc: android.settings.ACCESSIBILITY_SETTINGS | Process: com.example.dat.a8andoserverx
- Tries to add a device administrator. (2 TTPs, 1 IoCs)
  description: Intent action | ioc: android.app.action.ADD_DEVICE_ADMIN | Process: com.example.dat.a8andoserverx
- Acquires the wake lock (1 IoCs)
  description: Framework service call | ioc: android.os.IPowerManager.acquireWakeLock | Process: com.example.dat.a8andoserverx
- Checks if the internet connection is available (1 TTPs, 1 IoCs)
  description: Framework service call | ioc: android.net.IConnectivityManager.getActiveNetworkInfo | Process: com.example.dat.a8andoserverx
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 30 IoCs)
  ioc: 5.tcp.eu.ngrok.io (the same host in all 30 flows)
  flow: 49, 223, 331, 354, 170, 200, 294, 324, 236, 253, 353, 382, 260, 274, 368, 361, 214, 281, 290, 308, 207, 246, 317, 346, 177, 375, 193, 267, 301, 338
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | Process: com.example.dat.a8andoserverx
Processes
- com.example.dat.a8andoserverx (PID: 4262)
  - Makes use of the framework's foreground persistence service
  - Requests enabling of the accessibility settings.
  - Tries to add a device administrator.
  - Acquires the wake lock
  - Checks if the internet connection is available
  - Requests disabling of battery optimizations (often used to enable hiding in the background).