Analysis
max time kernel: 134s
max time network: 182s
platform: android_x86
resource: android-x86-arm-20240514-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
submitted: 19-05-2024 22:03

Static task: static1

Behavioral task: behavioral1
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x86-arm-20240514-en

Behavioral task: behavioral2
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x64-20240514-en

Behavioral task: behavioral3
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x64-arm64-20240514-en
General
Target: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
Size: 610KB
MD5: 5e31034ed2a82d1b163e327e10a6026f
SHA1: 4645ff65e43c39de6edae7fa6ebbb99ce8e3fd76
SHA256: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711
SHA512: 8453d6ff482554528c3e93adf12ed593db699fe1d7eb33c7bb62fb00e214b14e6b0ef89c6befc7d0092e7bc96c7d29b3678d9ef0ef556d9ea57faa0f5c1cd5b3
SSDEEP: 12288:B7BUy0Y58b6YIgftbWGlhjEjdUv6jA9kASsUgTXTb6Plp:NBUjYiJtWK1Eja6TAqy/6Plp
Malware Config
Signatures
Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.spacex.mmobile
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.spacex.mmobile

Prevents application removal (1 TTPs, 1 IoC)
Application may abuse the framework's APIs to prevent removal.
Processes: com.spacex.mmobile
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.spacex.mmobile

Checks CPU information (2 TTPs, 1 IoC)
Checks CPU information that indicates whether the system is an emulator.
Processes: com.spacex.mmobile
  description | ioc | process
  File opened for read | /proc/cpuinfo | com.spacex.mmobile

Checks memory information (2 TTPs, 1 IoC)
Checks memory information that indicates whether the system is an emulator.
Processes: com.spacex.mmobile
  description | ioc | process
  File opened for read | /proc/meminfo | com.spacex.mmobile

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: com.spacex.mmobile
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | com.spacex.mmobile

Queries the mobile country code (MCC) (1 TTPs, 1 IoC)
Processes: com.spacex.mmobile
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.spacex.mmobile

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoC)
Processes: com.spacex.mmobile
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.spacex.mmobile

Acquires the wake lock (1 IoC)
Processes: com.spacex.mmobile
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | com.spacex.mmobile

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  22 | api64.ipify.org
  23 | api64.ipify.org

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoC)
Processes: com.spacex.mmobile
  description | ioc | process
  Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.spacex.mmobile
Processes
com.spacex.mmobile (PID: 4223)
- Makes use of the framework's Accessibility service
- Prevents application removal
- Removes its main activity from the application launcher
- Checks CPU information
- Checks memory information
- Makes use of the framework's foreground persistence service
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background)
Network
MITRE ATT&CK Mobile v15

Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)

Defense Evasion
- Foreground Persistence (1)
- Hide Artifacts (2): Suppress Application Icon (1), User Evasion (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2): System Checks (2)
Downloads
Filesize: 24B
MD5: ce1f063fb9f2005e1b6f04c21829d92f
SHA1: 158d6857acb9a1066c8e865002c05df53b4e0a77
SHA256: 6570c0b671b3cd30dd1c44bfa459c76daac0acad64e207231d56239a9d0b702e
SHA512: b7a28247757c97799c33fec2115af8123b329fae807b1f8c456be5c0f97b5cc50d1406726a367d944f2cf8b402ac084bace2b0d70706f231625277b5d672bea2

Filesize: 8B
MD5: 1c6aa22fb10115716d1c98a6a8baae28
SHA1: de6d049b8e5fc56280669dc6badcec26a9093d20
SHA256: 08f839aa269af34d3a34e09acc54946a3401638a6e09eab161c05337c9845b59
SHA512: 56853e7ec29568891f0a39e8c9571e9b0e02cd0ff64b24159c8223d0ea46fe2940d1fb898181782dee3cf2ecf3c0b26c75caa9a8f9db9f9ae19532ec336cb887

Filesize: 624B
MD5: 5032d05f9208570676ba8f0a7fd00e18
SHA1: 8e7863eb1aaa553943c12b93562c270963a06705
SHA256: 2271f2c773e476d229b58b0c0ee7e38198ab0038886e3695c9943f18d102bac5
SHA512: 9701f80aad5f3ddacef0186b187ccad100fee7231cc7110dc944b378c6d6597f6dfcbd2c3b3cc086e9ac50c89e8c148370f83d5f71c6c1ae1cbe864ce5a78fab

Filesize: 1KB
MD5: 50be10a6f66c43873afbced293cfcbee
SHA1: d267936e9d81461962ea93f76d55593c431e13fa
SHA256: e9147d3dfbc2b37026a9670e32d1622772b5a3b8786b20236a106ce92e91c63f
SHA512: 0acaa3bfd33793a70f4f131825ed070b98b38f64bc7ac057dff08e7d49aa21d50dfc0ef832131411b9719a999aeea718766d78affbce7294415fbdafcc0cb015