Analysis
- max time kernel: 51s
- max time network: 182s
- platform: android_x64
- resource: android-x64-arm64-20240514-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
- submitted: 19-05-2024 22:03
Static task: static1
Behavioral task: behavioral1
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x86-arm-20240514-en
Behavioral task: behavioral2
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x64-20240514-en
Behavioral task: behavioral3
  Sample: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  Resource: android-x64-arm64-20240514-en
General
- Target: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
- Size: 610KB
- MD5: 5e31034ed2a82d1b163e327e10a6026f
- SHA1: 4645ff65e43c39de6edae7fa6ebbb99ce8e3fd76
- SHA256: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711
- SHA512: 8453d6ff482554528c3e93adf12ed593db699fe1d7eb33c7bb62fb00e214b14e6b0ef89c6befc7d0092e7bc96c7d29b3678d9ef0ef556d9ea57faa0f5c1cd5b3
- SSDEEP: 12288:B7BUy0Y58b6YIgftbWGlhjEjdUv6jA9kASsUgTXTb6Plp:NBUjYiJtWK1Eja6TAqy/6Plp
Malware Config
Signatures
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: com.spacex.mmobile
    Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process: com.spacex.mmobile)
- Prevents application removal (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to prevent removal.
  Processes: com.spacex.mmobile
    Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process: com.spacex.mmobile)
- Checks CPU information (2 TTPs, 1 IoC)
  Checks CPU information that indicates whether the system is an emulator.
  Processes: com.spacex.mmobile
    File opened for read: /proc/cpuinfo (process: com.spacex.mmobile)
- Checks memory information (2 TTPs, 1 IoC)
  Checks memory information that indicates whether the system is an emulator.
  Processes: com.spacex.mmobile
    File opened for read: /proc/meminfo (process: com.spacex.mmobile)
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: com.spacex.mmobile
    Framework service call: android.app.IActivityManager.setServiceForeground (process: com.spacex.mmobile)
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Processes: com.spacex.mmobile
    Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (process: com.spacex.mmobile)
- Queries the phone number (MSISDN for GSM devices) (1 TTP)
- Requests enabling of the accessibility settings (1 IoC)
  Processes: com.spacex.mmobile
    Intent action: android.settings.ACCESSIBILITY_SETTINGS (process: com.spacex.mmobile)
- Acquires the wake lock (1 IoC)
  Processes: com.spacex.mmobile
    Framework service call: android.os.IPowerManager.acquireWakeLock (process: com.spacex.mmobile)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 35: api64.ipify.org
    flow 36: api64.ipify.org
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Processes: com.spacex.mmobile
    Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process: com.spacex.mmobile)
Processes
- com.spacex.mmobile (PID: 4675)
  - Makes use of the framework's Accessibility service
  - Prevents application removal
  - Removes its main activity from the application launcher
  - Checks CPU information
  - Checks memory information
  - Makes use of the framework's foreground persistence service
  - Obtains sensitive information copied to the device clipboard
  - Requests enabling of the accessibility settings
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
Network
MITRE ATT&CK Mobile v15
- Defense Evasion
  - Foreground Persistence (1)
  - Hide Artifacts (2)
    - Suppress Application Icon (1)
    - User Evasion (1)
  - Impair Defenses (1)
    - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
    - System Checks (2)
- Credential Access
  - Clipboard Data (1)
  - Input Capture (2)
    - GUI Input Capture (1)
    - Keylogging (1)
Downloads
- Filesize: 8B
  MD5: 745e3394ce581c846bb766e73216bf81
  SHA1: 43e37b50dd6efed1dbe322c1737e6a38a8266599
  SHA256: 17de5958986349bf83562a655e020db65e16651b1e5677201aaaa7c885611327
  SHA512: ae171efb02cbbbdbcb9e66212b49e9080d6c8cbbe517bd4667392cc76bc7604c1709eeae5e336592820ee1a8475263749592e5f151c16467fe437d077780fe5e
- Filesize: 624B
  MD5: 5032d05f9208570676ba8f0a7fd00e18
  SHA1: 8e7863eb1aaa553943c12b93562c270963a06705
  SHA256: 2271f2c773e476d229b58b0c0ee7e38198ab0038886e3695c9943f18d102bac5
  SHA512: 9701f80aad5f3ddacef0186b187ccad100fee7231cc7110dc944b378c6d6597f6dfcbd2c3b3cc086e9ac50c89e8c148370f83d5f71c6c1ae1cbe864ce5a78fab
- Filesize: 1KB
  MD5: 6f773512ba04d04a691ef662d8d6c803
  SHA1: 93dd62bcf501feb481c2ed5fb468b9f38970442a
  SHA256: 2aadd765390f998a7a5d86e17799c556de8dbaab0fbf847c3df1eabdfdc5b941
  SHA512: 34dbb8cdea1d059fd4ca986e1389381992faa43d09a6fd6bbf8075c92fec18e81fa743f1f6ba92a6c9d805e06bd15023d9e3a7c9dbb1d1b29606b2470733cbe9