Analysis
max time kernel: 49s
max time network: 183s
platform: android_x64
resource: android-x64-20240514-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240514-en, locale:en-us, os:android-10-x64, system
submitted: 19-05-2024 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral3
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x64-arm64-20240514-en
General
Target: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
Size: 610KB
MD5: 5e31034ed2a82d1b163e327e10a6026f
SHA1: 4645ff65e43c39de6edae7fa6ebbb99ce8e3fd76
SHA256: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711
SHA512: 8453d6ff482554528c3e93adf12ed593db699fe1d7eb33c7bb62fb00e214b14e6b0ef89c6befc7d0092e7bc96c7d29b3678d9ef0ef556d9ea57faa0f5c1cd5b3
SSDEEP: 12288:B7BUy0Y58b6YIgftbWGlhjEjdUv6jA9kASsUgTXTb6Plp:NBUjYiJtWK1Eja6TAqy/6Plp
Malware Config
Signatures
Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  process: com.spacex.mmobile
Prevents application removal (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to prevent removal.
Processes:
  description: Framework service call
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
  process: com.spacex.mmobile
Checks CPU information (2 TTPs, 1 IoCs)
Checks CPU information that indicates whether the system is an emulator.
Processes:
  description: File opened for read
  ioc: /proc/cpuinfo
  process: com.spacex.mmobile
Checks memory information (2 TTPs, 1 IoCs)
Checks memory information that indicates whether the system is an emulator.
Processes:
  description: File opened for read
  ioc: /proc/meminfo
  process: com.spacex.mmobile
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description: Framework service call
  ioc: android.app.IActivityManager.setServiceForeground
  process: com.spacex.mmobile
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes:
  description: Framework service call
  ioc: android.content.IClipboard.addPrimaryClipChangedListener
  process: com.spacex.mmobile
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes:
  description: Framework service call
  ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
  process: com.spacex.mmobile
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
  description: Framework service call
  ioc: android.app.IActivityManager.registerReceiver
  process: com.spacex.mmobile
Acquires the wake lock (1 IoCs)
Processes:
  description: Framework service call
  ioc: android.os.IPowerManager.acquireWakeLock
  process: com.spacex.mmobile
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 31: api64.ipify.org
  flow 32: api64.ipify.org
Processes
com.spacex.mmobile (PID: 5151)
  - Makes use of the framework's Accessibility service
  - Prevents application removal
  - Removes its main activity from the application launcher
  - Checks CPU information
  - Checks memory information
  - Makes use of the framework's foreground persistence service
  - Obtains sensitive information copied to the device clipboard
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Acquires the wake lock
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Foreground Persistence (1)
  Hide Artifacts (1)
    Suppress Application Icon (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Downloads