00c1851b4d6be5c70241c9c0268e1a623ab9ccd5913399a870a6c64bb65f608e

Analysis

max time kernel
25s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
20-05-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c1851b4d6be5c70241c9c0268e1a623ab9ccd5913399a870a6c64bb65f608e.apk
Size

24.5MB
MD5

5e5fba142b81f9a6bd10404ffcfd023e
SHA1

cea2d35031731b97c4f9549bdb4c101eb40f2d5c
SHA256

00c1851b4d6be5c70241c9c0268e1a623ab9ccd5913399a870a6c64bb65f608e
SHA512

94613301ce630ca7bc8994e40a57efb4a7928f20dc45701ee2756f2ef5ba4eea0dfe55c94826974dfbc30988067ed1b64bc70c4f5d299b80b268befd8580082a
SSDEEP

786432:sJuvJLqZvnOt1PaqJOrDFGPKbHMhWbv9Be/E9lJFX4cws/xSO7HGZpug6f/Mhz+G:vvJLqFEerUqmju//e7

Score

8^/10

banker discovery evasion persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 4 IoCs

evasion

System Information Discovery

T1426

ioc	Process
/system/xbin/su	fm.xiami.main:pushservice
/system/xbin/su	ls -l /system/xbin/su
/system/bin/su	fm.xiami.main:pushservice
/system/xbin/su	ls -l /system/xbin/su

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Checks CPU information 2 TTPs 4 IoCs

Checks CPU information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	fm.xiami.main:pushservice
File opened for read	/proc/cpuinfo	cat /proc/cpuinfo \| grep Serial
File opened for read	/proc/cpuinfo	cat /proc/cpuinfo \| grep Serial
File opened for read	/proc/cpuinfo	fm.xiami.main

Checks known Qemu files. 1 TTPs 1 IoCs

Checks for known Qemu files that exist on Android virtual device images.

evasion

System Checks

T1633.001

ioc	Process
/sys/qemu_trace	fm.xiami.main:pushservice

Checks known Qemu pipes. 1 TTPs 1 IoCs

Checks for known pipes used by the Android emulator to communicate with the host.

evasion

System Checks

T1633.001

ioc	Process
/dev/qemu_pipe	fm.xiami.main:pushservice

Checks memory information 2 TTPs 2 IoCs

Checks memory information which indicate if the system is an emulator.

evasion discovery

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	fm.xiami.main
File opened for read	/proc/meminfo	fm.xiami.main:pushservice

Loads dropped Dex/Jar 1 TTPs 5 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/fm.xiami.main/app_SGLib/libsgmain_1473765996000.zip	4347	fm.xiami.main
/data/user/0/fm.xiami.main/app_SGLib/libsgmain_1473765996000.zip	4593	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fm.xiami.main/app_SGLib/libsgmain_1473765996000.zip --output-vdex-fd=61 --oat-fd=62 --oat-location=/data/user/0/fm.xiami.main/app_SGLib/oat/x86/libsgmain_1473765996000.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/fm.xiami.main/app_SGLib/libsgmain_1473765996000.zip	4463	fm.xiami.main:pushservice
/data/user/0/fm.xiami.main/app_SGLib/libsgsecuritybody_1473765996000.zip	4692	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fm.xiami.main/app_SGLib/libsgsecuritybody_1473765996000.zip --output-vdex-fd=73 --oat-fd=74 --oat-location=/data/user/0/fm.xiami.main/app_SGLib/oat/x86/libsgsecuritybody_1473765996000.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/fm.xiami.main/app_SGLib/libsgsecuritybody_1473765996000.zip	4463	fm.xiami.main:pushservice

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	fm.xiami.main
Framework service call	android.app.IActivityManager.getRunningAppProcesses	fm.xiami.main:pushservice

Queries information about the current Wi-Fi connection 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	fm.xiami.main
Framework service call	android.net.wifi.IWifiManager.getConnectionInfo	fm.xiami.main:pushservice

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	fm.xiami.main
Framework service call	android.app.IActivityManager.registerReceiver	fm.xiami.main:pushservice

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	fm.xiami.main
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	fm.xiami.main:pushservice

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

fm.xiami.main
1⤵
- Checks CPU information
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4347

fm.xiami.main:pushservice
1⤵
- Checks if the Android device is rooted.
- Checks CPU information
- Checks known Qemu files.
- Checks known Qemu pipes.
- Checks memory information
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Queries information about the current Wi-Fi connection
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4463
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fm.xiami.main/app_SGLib/libsgmain_1473765996000.zip --output-vdex-fd=61 --oat-fd=62 --oat-location=/data/user/0/fm.xiami.main/app_SGLib/oat/x86/libsgmain_1473765996000.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4593
- ls -l /system/xbin/su
  2⤵
  - Checks if the Android device is rooted.
  PID:4646
- cat /proc/cpuinfo | grep Serial
  2⤵
  - Checks CPU information
  PID:4670
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/fm.xiami.main/app_SGLib/libsgsecuritybody_1473765996000.zip --output-vdex-fd=73 --oat-fd=74 --oat-location=/data/user/0/fm.xiami.main/app_SGLib/oat/x86/libsgsecuritybody_1473765996000.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4692
- ls -l /system/xbin/su
  2⤵
  - Checks if the Android device is rooted.
  PID:4731
- cat /proc/cpuinfo | grep Serial
  2⤵
  - Checks CPU information
  PID:4754

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/fm.xiami.main/app_SGLib/libsgmainso-6.1.33.so.tmp

Filesize
539KB

MD5
2dc5010fa1ef6c3d6050bfd150ca36e0

SHA1
7958d89b5b491d1f9c14175b5cb14329322d163b

SHA256
7905cb71cf014fe9b8d220cd134f47ac27c51bcf1e6523355b590d77c1e4f15c

SHA512
7ec2f6c3df0020ff254b3723aad655c12b649ccb98bcfaa97c2e8fb4200856815e87437c2daf89f2b657bb5798f5012a200443b36e198bbd622921a7e5f8a6f3

Download Submit
/data/data/fm.xiami.main/app_SGLib/libsgsecuritybodyso-6.1.15.so.tmp

Filesize
145KB

MD5
ba7ae12947d1badb3ea55fc690a632d3

SHA1
fd9f1b71bde1185b05baff7fb613349bf5ee63ab

SHA256
b7591cba08ffe5b5b6ab0faafdcc3f131cc622cc126f8c547c1a31edfd88e073

SHA512
99bb498b8248178d77e668ec1148cfc1982832aac36b728753a25eff842d20e6844de61df5887c375e5ad996d23ea75c1cced8bd2cc5e3bfa434589243a204f2

Download Submit
/data/data/fm.xiami.main/app_tombstone/crashreporter.base

Filesize
487B

MD5
615c333a2b9e8f7564de12437036ea12

SHA1
27e0d5213c7d0b7d37dfc44c13fac6c37f801e06

SHA256
1b4064ea07c95d6a42bd21c730d62c88afba3230b12c7edb3ca0489ed230c229

SHA512
4af6be1872954a1ff4b2de1254a5100f1b393f1a7ab588a40c6bfbb1883fa45536556b720fd65765893358a43d77bc9d714dc8083bac55e6ca713f168ef94e46

Download Submit
/data/data/fm.xiami.main/databases/usertrack.db

Filesize
20KB

MD5
441d5410bd6c9b097785764a63faa001

SHA1
d53f6aaf76179b92f85f862209d5814dc96dd97f

SHA256
d0d1f0a36d77c258f939610959ab6748abe5f0da10a9163a0eb6c7abfd16ee16

SHA512
297dfc29929d3b1df0ee9050f2426bec42c71bd0e745dbdf1d8465df37d50b0b307faa0760a955b301588d6ab59164653a29f96c308eea579ad9fe7f3e1919a4

Download Submit
/data/data/fm.xiami.main/databases/usertrack.db-journal

Filesize
512B

MD5
552e8fa7e2996a9732ad5d6fa83a066f

SHA1
9b8e5c0a34faa823a1f264870f80c189c53fa9dd

SHA256
2ce7135e26366f949286973dee02e483bc3708fffe9a0a7d7d68497226ac8bd6

SHA512
6a6920ce9af211f09a38b398a55654f84cbbe0e0058063a1fd2cee55bda78fb8bc70bf5558458828aea1f29357e1f7a68bd2ac7a08badef3fe2b3ff08f978bf8

Download Submit
/data/data/fm.xiami.main/databases/usertrack.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/fm.xiami.main/databases/usertrack.db-shm

Filesize
28KB

MD5
cf845a781c107ec1346e849c9dd1b7e8

SHA1
b44ccc7f7d519352422e59ee8b0bdbac881768a7

SHA256
18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

SHA512
4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

Download Submit
/data/data/fm.xiami.main/databases/usertrack.db-wal

Filesize
32KB

MD5
1ab3b61daa9d0e9740171d8adfa1a2cc

SHA1
5ca0a27c598e35531495a992bc1da5281201a6de

SHA256
096a28ae0c6c913cafaed3ad6defe1c86b38395f625e26c104da8536e393775a

SHA512
05d4e69cf499960ea31d242715023fa6d9525cd59a41a240ce797e4d4e0c39c750d6c13232c33000bef7f7de5f231ef2738a748b4e1a8ee7959a477330402267

Download Submit
/data/data/fm.xiami.main/databases/usertrack.db-wal

Filesize
8KB

MD5
1b98d576aad759d08580f1a8f810a5de

SHA1
f304e4aa383cc0471de78fda75d99ef98a2de3e8

SHA256
86e8dfbc73575af606dd40b0c64e063f7efe7c9ddaf43e6152202b5e2577463b

SHA512
1fba6a27065761774886d1b5b6569749334b6a6671fe8d5b99d5ad7e7e940166b9001bcc90b0e126dca50183189ce4ab57e4b49531c612e38394e03f0ee6f6d8

Download Submit
/data/data/fm.xiami.main/databases/xiamimusic.db

Filesize
94KB

MD5
93cfd529da3ac31d41bf57e4fe01100d

SHA1
064d2358587938bebd5a361efb565d6d75f9311d

SHA256
df9a7d2b2b9a852e2f33b2ec5c6f598a397fc3c3212b62b9981d950819b39cbc

SHA512
28365e924302c646eddc226770f318be385d9a7bf3b48ab9b8b17d367a808930e4b584c501cebdbdaa0f1dca875ae1c36fa4fe6175d95e8228abb5c8ff76d2e4

Download Submit
/data/data/fm.xiami.main/files/SGMANAGER_DATA2.tmp

Filesize
200B

MD5
238a6fc55c38e2c6f9c7abf1d0dd8550

SHA1
45b81d1aafbbf1922783b05d584d13d19220672f

SHA256
67484e6e60499fe8380cbc0406dc28bbb86d6e5928ce39e474f05cb86c02e3e0

SHA512
29d44d4b7f5e6ded38b2e467ea8a7dcd06304f0f9491ff625a84e750509ddbb3c3c6cf0c69547f829d1206c120e644eee7093eaf7fb73de48e53580b47f8ab0e

Download Submit
/data/data/fm.xiami.main/files/SGMANAGER_DATA2.tmp

Filesize
246B

MD5
8867a9fc77c5535648f6e1d49a5b0688

SHA1
dc3a4a05e39eb8fe82fddb25feddcb1352bca21a

SHA256
3ad49ff05036043c08f1e653b41cccd12fd12d2caf7753fe0a1572a0b0214409

SHA512
06a2f2f403b1781f1289176bde2ec4042e703774d5fad4c07000ce9d455f60c1b8b22badc4bbf34e27474b53e50d0cf285e745317f30821329ed92b6110d224f

Download Submit
/data/data/fm.xiami.main/files/SGMANAGER_DATA2.tmp

Filesize
297B

MD5
2810f80755920bbd54140130b958cb55

SHA1
da886ccc15ce5d28a13d52acbcb4abcde990778c

SHA256
348746cc1308e24ab7ce6b0b1e6701c5038270ac439b98406039304d9d1b4cae

SHA512
367f179df151749beea31cf58bdeaab49ac03d5004e70d498e988ac960529a40147bfbfc636c18112f15e20a9124b3cb9e31211ec52451626bf03b52cf6619c0

Download Submit
/data/user/0/fm.xiami.main/app_SGLib/libsgmain_1473765996000.zip

Filesize
109KB

MD5
ea7d74473a248ed6fd041f6fbb5c1a42

SHA1
6f52a0118e234fb96a08c2ecff17fe8a3e0b3cd7

SHA256
b5bf87acdd1a3ffe4831eddf7ec77f22922b1ea84c37ea674283fcfcafd1c6a5

SHA512
8b044ac9302e578675c4f1ad8c6660ace3da6bda114903437ca3e171c54d520bbb6acfeee44c0cad1e59ad5677d56269db2ebad19710ef9baed0e92970c80f77

Download Submit
/data/user/0/fm.xiami.main/app_SGLib/libsgmain_1473765996000.zip

Filesize
109KB

MD5
be499d20ccf9bef102e36ca8e4331d1e

SHA1
a129a62c2f810b0848c79576e78db9ad82d62b81

SHA256
0e80e2a10be28aae371f7e18915d0554b8b42980d00feafb387fe40fa38e6549

SHA512
5dca8e8977120a7573d2d60f7e56a5303028749738c8586ba0e9e918e1a7e31bceda15bffb099fb5ed5a4489664870618cd712ac535188ca91c4d9d50c6437bd

Download Submit
/data/user/0/fm.xiami.main/app_SGLib/libsgsecuritybody_1473765996000.zip

Filesize
11KB

MD5
df4bd20ff736e934086ece69e7a3ae1e

SHA1
245dc839341aba16395ea0902a6d497aba99768c

SHA256
45258d7360cab912e18dc6daf3b192193f545daf934f1d79cad8dd79d85b1766

SHA512
8be5c6365885196c30bcee615667c7da271a3f536331efbdb377eea76762cacceb995de49b7e8737e155bca017efb45302ea2bfb06dac25d14dd36726b093b28

Download Submit
/data/user/0/fm.xiami.main/app_SGLib/libsgsecuritybody_1473765996000.zip

Filesize
11KB

MD5
c052c5c2be10f23e3aeacf5dc3955fdd

SHA1
ee55504c2119ee02ce2c688d246f3c0fd9116ebb

SHA256
a4aa69f8d7525a2497a64a6d708dbf6985b49d67d32361e49438acb82211e49e

SHA512
9e333d5cb0fb9da68aee659ea4d293b452bfca14749568e7797982d21de3a2ccf58a1570e1b759302be253e54c1a9bff11aa96cdff9e5b7814633484b16707be

Download Submit
/storage/emulated/0/.DataStorage/ContextData.xml

Filesize
167B

MD5
2d2a95983538adb56569be40aaf82547

SHA1
2a68f424510d19f88b72fb87d6cc2d047301e3d8

SHA256
08b0dbddb8a40b32e40f7d71d2ba891f54bcf7e57094755f13808564dea82ebb

SHA512
dd4919b59e9392dca8d9360b97f6bc9dd61a1c80b2fa8e7c0bac4db0b8f7046af7ec399462487cff320d7033029087dab6a0ffc9d12f09f15db1eee0e16554f4

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
167B

MD5
5f9549012c6b706c3ea5e71d81f6e481

SHA1
bff33cdd2260d6e3852a33d43e88310ae914c12f

SHA256
eeab56ee47dbc2b6ad921b307532f9d05c5ea915adae9df609ee671f4ff9e09d

SHA512
788a9148520515a31bfebf49aab4c8aff68bea3f6d4d81ae44a1ded8a1694e54e4352d306d1ea34c9ff62db47d9d791911288e3db50f330cea677ed0c9641ff1

Download Submit
/storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml

Filesize
111B

MD5
87df4d1a3e79bebd65a8874e8d69d444

SHA1
7a2e4d26400da1260bb62a03ad28d1a2bba0e31a

SHA256
63685daf36a0b30fd8f28a11258b26723b94531a500359d2ae5490fbf6596190

SHA512
7c5e9b925a4cc5d788fad5f9f56e6f1f1be2c6baa92adb0d8153193ac695d4ff9c4f2f20ca43c12daeb54cb806439756eee18771de7ee5e9cb7bfe4a15a33aa3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads