Analysis

  • max time kernel: 51s
  • max time network: 182s
  • platform: android_x64
  • resource: android-x64-arm64-20240514-en
  • resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240514-en, locale:en-us, os:android-11-x64, system
  • submitted: 19-05-2024 22:03

General

  • Target: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711.apk
  • Size: 610KB
  • MD5: 5e31034ed2a82d1b163e327e10a6026f
  • SHA1: 4645ff65e43c39de6edae7fa6ebbb99ce8e3fd76
  • SHA256: fed0187aa63449ada11787b55d4993ab65e22676cb512117ac0b69276c2b7711
  • SHA512: 8453d6ff482554528c3e93adf12ed593db699fe1d7eb33c7bb62fb00e214b14e6b0ef89c6befc7d0092e7bc96c7d29b3678d9ef0ef556d9ea57faa0f5c1cd5b3
  • SSDEEP: 12288:B7BUy0Y58b6YIgftbWGlhjEjdUv6jA9kASsUgTXTb6Plp:NBUjYiJtWK1Eja6TAqy/6Plp

Malware Config

Signatures

  • Makes use of the framework's Accessibility service (4 TTPs, 1 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal (1 TTPs, 1 IoCs)

    Application may abuse the framework's APIs to prevent removal.

  • Removes its main activity from the application launcher (1 TTPs, 1 IoCs)
  • Checks CPU information (2 TTPs, 1 IoCs)

    Checks CPU information which indicates whether the system is an emulator.

  • Checks memory information (2 TTPs, 1 IoCs)

    Checks memory information which indicates whether the system is an emulator.

  • Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries the phone number (MSISDN for GSM devices) (1 TTPs)
  • Requests enabling of the accessibility settings. (1 IoCs)
  • Acquires the wake lock (1 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)

Processes

  • com.spacex.mmobile
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Checks CPU information
    • Checks memory information
    • Makes use of the framework's foreground persistence service
    • Obtains sensitive information copied to the device clipboard
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID: 4675

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.spacex.mmobile/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    • Filesize: 8B
    • MD5: 745e3394ce581c846bb766e73216bf81
    • SHA1: 43e37b50dd6efed1dbe322c1737e6a38a8266599
    • SHA256: 17de5958986349bf83562a655e020db65e16651b1e5677201aaaa7c885611327
    • SHA512: ae171efb02cbbbdbcb9e66212b49e9080d6c8cbbe517bd4667392cc76bc7604c1709eeae5e336592820ee1a8475263749592e5f151c16467fe437d077780fe5e

  • /data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof
    • Filesize: 624B
    • MD5: 5032d05f9208570676ba8f0a7fd00e18
    • SHA1: 8e7863eb1aaa553943c12b93562c270963a06705
    • SHA256: 2271f2c773e476d229b58b0c0ee7e38198ab0038886e3695c9943f18d102bac5
    • SHA512: 9701f80aad5f3ddacef0186b187ccad100fee7231cc7110dc944b378c6d6597f6dfcbd2c3b3cc086e9ac50c89e8c148370f83d5f71c6c1ae1cbe864ce5a78fab

  • /data/misc/profiles/cur/0/com.spacex.mmobile/primary.prof
    • Filesize: 1KB
    • MD5: 6f773512ba04d04a691ef662d8d6c803
    • SHA1: 93dd62bcf501feb481c2ed5fb468b9f38970442a
    • SHA256: 2aadd765390f998a7a5d86e17799c556de8dbaab0fbf847c3df1eabdfdc5b941
    • SHA512: 34dbb8cdea1d059fd4ca986e1389381992faa43d09a6fd6bbf8075c92fec18e81fa743f1f6ba92a6c9d805e06bd15023d9e3a7c9dbb1d1b29606b2470733cbe9