Overview

overview

10

Static

static

10

dfaae61c29...71.apk

android-9-x86

8

dfaae61c29...71.apk

android-10-x64

8

dfaae61c29...71.apk

android-11-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android_x86
  • resource
    android-x86-arm-20240506-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240506-enlocale:en-usos:android-9-x86system
  • submitted
    07-05-2024 17:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfaae61c292ef05981dc62f71dce4fbd4d8f0f5bc19c4f4bc739c5ea25acbb71.apk

  • Size

    8.5MB

  • MD5

    826f773160d410911f1264d9ae18b257

  • SHA1

    052d5b51a2f8dc24b9e124dadd24e6eb229e9f9f

  • SHA256

    dfaae61c292ef05981dc62f71dce4fbd4d8f0f5bc19c4f4bc739c5ea25acbb71

  • SHA512

    62a7805dc99c2c9541f7de7379db8a41207024098387e814206f29de503b5957ab18936be0d8bdfff9499a18c47914e399a698c10ff887d580cff2db366c0ad7

  • SSDEEP

    98304:osKfC9rzuhTeHp8TDaoWSW+mz3zBzTb0tgSD:08vA/WSKzJEj

Score
8/10
bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • goal.oxygen.critical
    1⤵
    • Makes use of the framework's Accessibility service
    • Checks CPU information
    • Checks memory information
    • Makes use of the framework's foreground persistence service
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Acquires the wake lock
    • Checks if the internet connection is available
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4283

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-07.txt
    Filesize

    21B

    MD5

    e70067fad5cc8b92294faa5435575498

    SHA1

    0a4ee149844f51240099789d7b6bae1c5eca1e20

    SHA256

    4dfad23d7b5eb1b05b12aea597983d33d744492441b9a748b1b68efe58027949

    SHA512

    f102dd1cbdc19c92ec3b448c6a19030b3462e8f196830b140da01a3dce5756f3700f74c376ee189f917e033a43b3a495f815a341e3e875e9a2628a009b1e0e3b

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-07.txt
    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-07.txt
    Filesize

    272B

    MD5

    25bd3b7caa8d025727f63b1eaf7c85fb

    SHA1

    a7eac2a09dafcf6197565db4f8fef8bfdbe308c5

    SHA256

    f7a61cdeb8aa8a11ab64a579b015e9658cc915fb7eec10421cb29b17514f3e64

    SHA512

    5811370e343a128d1f363b655c18deea7f5079402be9e85b708df361f569cbd879c5fdf2c366df8e5a47b3098e0ad69f84483a3266d645fa9d7ef07753a36f4c

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-07.txt
    Filesize

    29B

    MD5

    d26a38d006eb68995f4898c7d3110a54

    SHA1

    0b98f9fee1d85ae1b66d454011f813ee24b22eee

    SHA256

    4ad6fda7aa7e99098a28b30c6192e86f2ff8490c27453df2e2a2cd705b8f5c0e

    SHA512

    8b70446e3a76a7b3027eca546b682acc207a5e04bcad20dad483294467f6a2551f0f0450dc7cc78d691acba08db6d43135c2e8a33e6eebf1ab2a24cdcecbcd6e

    Download Submit