Overview

overview

10

Static

static

10

dfaae61c29...71.apk

android-9-x86

8

dfaae61c29...71.apk

android-10-x64

8

dfaae61c29...71.apk

android-11-x64

8

Analysis

  • max time kernel
    157s
  • max time network
    132s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240506-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240506-enlocale:en-usos:android-11-x64system
  • submitted
    07-05-2024 17:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfaae61c292ef05981dc62f71dce4fbd4d8f0f5bc19c4f4bc739c5ea25acbb71.apk

  • Size

    8.5MB

  • MD5

    826f773160d410911f1264d9ae18b257

  • SHA1

    052d5b51a2f8dc24b9e124dadd24e6eb229e9f9f

  • SHA256

    dfaae61c292ef05981dc62f71dce4fbd4d8f0f5bc19c4f4bc739c5ea25acbb71

  • SHA512

    62a7805dc99c2c9541f7de7379db8a41207024098387e814206f29de503b5957ab18936be0d8bdfff9499a18c47914e399a698c10ff887d580cff2db366c0ad7

  • SSDEEP

    98304:osKfC9rzuhTeHp8TDaoWSW+mz3zBzTb0tgSD:08vA/WSKzJEj

Score
8/10
bankercollectioncredential_accessdiscoveryevasionexecutionimpactpersistence

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Checks CPU information 2 TTPs 1 IoCs

    Checks CPU information which indicate if the system is an emulator.

    evasiondiscovery
  • Checks memory information 2 TTPs 1 IoCs

    Checks memory information which indicate if the system is an emulator.

    evasiondiscovery
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Acquires the wake lock 1 IoCs
  • Checks if the internet connection is available 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • goal.oxygen.critical
    1⤵
    • Makes use of the framework's Accessibility service
    • Checks CPU information
    • Checks memory information
    • Makes use of the framework's foreground persistence service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Checks if the internet connection is available
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4819

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-07.txt
    Filesize

    21B

    MD5

    dcdad0d8b66f7564cd6f6f48724399bf

    SHA1

    5dab479dc08e6b910530d55e749d083d6af9ac41

    SHA256

    1568c6128b3ac8004f58fc755c26b158fe7e2d47be5cbb2f49538a223af4841e

    SHA512

    f8ee2625586ffbdd6f22a0f8a6485babe61997ebe7f0c15f35c8b4eea47ae83909bf0b81a3d79dbc439b419329de118e8636385f7202a777c4b03a1cdc82aac7

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-07.txt
    Filesize

    21B

    MD5

    e70067fad5cc8b92294faa5435575498

    SHA1

    0a4ee149844f51240099789d7b6bae1c5eca1e20

    SHA256

    4dfad23d7b5eb1b05b12aea597983d33d744492441b9a748b1b68efe58027949

    SHA512

    f102dd1cbdc19c92ec3b448c6a19030b3462e8f196830b140da01a3dce5756f3700f74c376ee189f917e033a43b3a495f815a341e3e875e9a2628a009b1e0e3b

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-07.txt
    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

    Download Submit

  • /storage/emulated/0/Config/sys/apps/log/log-2024-05-07.txt
    Filesize

    272B

    MD5

    b6734a7a5ed649131b667583c0034441

    SHA1

    6d758cd3aa96c125b42a1f8ab5a7395d2029590d

    SHA256

    6c1f298001e580161cf0e0af05b396b3200cf058a96ae0b1311ab2a629659c79

    SHA512

    ab4281589e231897bf26fd4738bb2e637397c5a75aa9a7cfb575c95e9c6affd48aea6d1a10e825180835a286810e17021c077b003cd51b1318bf6edc717f9f8a

    Download Submit