Analysis
- max time kernel: 171s
- max time network: 159s
- platform: android_x86
- resource: android-x86-arm-20240514-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
- submitted: 21-05-2024 22:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: d8086f67d5e8a6b7746a4426ee1575532a848a6c40496b38014800b9c707b694.apk
  Resource: android-x86-arm-20240514-en
- behavioral2
  Sample: d8086f67d5e8a6b7746a4426ee1575532a848a6c40496b38014800b9c707b694.apk
  Resource: android-x64-20240514-en
- behavioral3
  Sample: d8086f67d5e8a6b7746a4426ee1575532a848a6c40496b38014800b9c707b694.apk
  Resource: android-x64-arm64-20240514-en
General
- Target: d8086f67d5e8a6b7746a4426ee1575532a848a6c40496b38014800b9c707b694.apk
- Size: 637KB
- MD5: 979662aee27daa88aab13fab18c6b33a
- SHA1: f0347b51b69cb833b58e1b16b134ad4fb2b431ca
- SHA256: d8086f67d5e8a6b7746a4426ee1575532a848a6c40496b38014800b9c707b694
- SHA512: 091059696f075e5ae0a6f02972b090cf250299378adcfd7588119ab70fb12d6ca3a382092de9964146a0df594f3da3842eee7190cc959c6b4b7325378569fca4
- SSDEEP: 12288:W97/BpkcQM1xXa8bBbeQ+uiX0gzCb9N6j2mjm8jEjdUn:W9lpN1xKeBbeQri5z92mjmSEjM
Malware Config
Signatures
- Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Process: com.ku.falcon
  IoC: Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
- Prevents application removal (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to prevent removal.
  Process: com.ku.falcon
  IoC: Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Process: com.ku.falcon
  IoC: Framework service call android.app.IActivityManager.setServiceForeground
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Process: com.ku.falcon
  IoC: Framework service call android.app.IActivityManager.registerReceiver
- Requests enabling of the accessibility settings (1 IoC)
  Process: com.ku.falcon
  IoC: Intent action android.settings.ACCESSIBILITY_SETTINGS
- Acquires the wake lock (1 IoC)
  Process: com.ku.falcon
  IoC: Framework service call android.os.IPowerManager.acquireWakeLock
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Process: com.ku.falcon
  IoC: Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
Processes
- com.ku.falcon (PID 4308)
  - Makes use of the framework's Accessibility service
  - Prevents application removal
  - Removes its main activity from the application launcher
  - Makes use of the framework's foreground persistence service
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Requests enabling of the accessibility settings
  - Acquires the wake lock
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
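The chain the Signatures and Processes sections describe (the app sends the user to ACCESSIBILITY_SETTINGS, reads the screen through the accessibility connection, asks for a battery-optimization exemption and pins itself in the foreground) is also what you would hunt for on a live device during incident response. The script below is an added example, not part of this report and not code from the sample: it correlates the output of three adb commands to flag third-party packages that have an accessibility service enabled and a user-granted battery-optimization exemption. The line formats assumed for `settings get secure enabled_accessibility_services`, `dumpsys deviceidle whitelist` and `pm list packages -3`, the known-good list, and the com.ku.falcon service class name in the sample data are assumptions; all sample output is constructed, not captured from this run.

```python
"""Correlate on-device indicators of the accessibility-abuse persistence pattern.

Added example, not part of the sandbox report. Assumed command output formats
(verify on your Android build):
  settings get secure enabled_accessibility_services -> "pkg/cls:pkg/cls:..."
  dumpsys deviceidle whitelist                        -> "<kind>,<package>,<uid>" per line
  pm list packages -3                                 -> "package:<name>" per line
"""
from dataclasses import dataclass, field

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# The com.ku.falcon service class is a placeholder; the report does not name it.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.ku.falcon/com.ku.falcon.PlaceholderAccessibilityService"
)

# Constructed sample of `adb shell dumpsys deviceidle whitelist`. Assumption: entries of
# kind "user" were granted at runtime (REQUEST_IGNORE_BATTERY_OPTIMIZATIONS prompt or the
# Settings UI) rather than shipped with the system image.
SAMPLE_DEVICEIDLE_WHITELIST = """\
system-excidle,com.android.providers.downloads,10005
system,com.google.android.gms,10018
user,com.ku.falcon,10234
"""

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """\
package:com.ku.falcon
package:com.example.notes
"""

# Accessibility providers you expect on the fleet (assumption; adjust per device image).
KNOWN_GOOD_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_accessibility_services(raw):
    """Map package name -> set of enabled accessibility service components."""
    services = {}
    for entry in raw.strip().split(":"):
        if not entry or "/" not in entry:
            continue
        pkg, _cls = entry.split("/", 1)
        services.setdefault(pkg, set()).add(entry)
    return services


def parse_deviceidle_whitelist(raw):
    """Map package name -> exemption kind (system-excidle, system, user)."""
    exemptions = {}
    for line in raw.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3:
            kind, pkg, _uid = parts
            exemptions[pkg] = kind
    return exemptions


def parse_third_party_packages(raw):
    """Set of package names from `pm list packages -3` output."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


@dataclass
class Finding:
    package: str
    severity: str
    reasons: list = field(default_factory=list)


def assess(a11y, exemptions, third_party, known_good=KNOWN_GOOD_A11Y_PACKAGES):
    """Flag third-party packages showing the accessibility + battery-exemption chain."""
    findings = []
    for pkg in sorted(third_party):
        a11y_hit = pkg in a11y and pkg not in known_good
        exempt_hit = exemptions.get(pkg) == "user"
        if not (a11y_hit or exempt_hit):
            continue
        reasons = []
        if a11y_hit:
            reasons.append("accessibility service enabled: " + ", ".join(sorted(a11y[pkg])))
        if exempt_hit:
            reasons.append("user-granted battery optimization exemption")
        # Both together is the screen-reading + persistence chain from the report; an
        # accessibility service alone still needs review; an exemption alone is common.
        severity = "critical" if (a11y_hit and exempt_hit) else ("high" if a11y_hit else "info")
        findings.append(Finding(pkg, severity, reasons))
    return findings


def run_sample():
    """Run the correlation over the constructed sample output."""
    return assess(
        parse_enabled_accessibility_services(SAMPLE_ENABLED_A11Y),
        parse_deviceidle_whitelist(SAMPLE_DEVICEIDLE_WHITELIST),
        parse_third_party_packages(SAMPLE_THIRD_PARTY),
    )


if __name__ == "__main__":
    for finding in run_sample():
        print(finding.severity.upper(), finding.package)
        for reason in finding.reasons:
            print("  -", reason)
```

On a real device, replace the constructed strings with the output of `adb shell` for each command; the remediation for a confirmed hit is to revoke the accessibility grant and the exemption before attempting uninstall, since performGlobalAction can otherwise be used to back out of the uninstall dialog.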
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Foreground Persistence (1)
- Hide Artifacts (2): Suppress Application Icon (1), User Evasion (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)
Downloads
Note: all four files are ART profile artifacts (the androidx.profileinstaller marker files under files/ and the runtime profile under /data/misc/profiles), not dropped payloads; the two primary.prof entries are successive snapshots of the same path.
- /data/data/com.ku.falcon/files/profileInstalled
  Filesize: 24B
  MD5: 53e2827da837d9ec4ca2bb33726007b7
  SHA1: abc35357676be8be5abedddfdd0eee1ee69e184c
  SHA256: bdf3cc01d1726341b67cc50b17fef1741195c7dc3de58e640f5afcc2963f2547
  SHA512: 21c39b2db3a4997986be7d1a9c1529b566bb10960af660d0d40bdbbf507e34db3268eb1bcdd72c3216808aae5eef62402460fe31b8ce130ab1ffd111b7c70d3c
- /data/data/com.ku.falcon/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
  Filesize: 8B
  MD5: cf7db2d5998303fed977b6c5666671af
  SHA1: 4e6fded6637eb7d38cd3422166f468a1b41a0e3f
  SHA256: 3a0800b2f7af4f7a1da329fe25ddc189d75953250bdc021c567ae80aa4cc835f
  SHA512: bf3b1e387573b2764e3cd98e6081b76e6fa237632c95c6bb6d839ca73dee11da1dd593b7d41cf08dfbfddb801ae9dba6d4790162c61cd6c31926328eeeed4331
- /data/misc/profiles/cur/0/com.ku.falcon/primary.prof
  Filesize: 623B
  MD5: 215318d70797ff33ec47f5a35322f637
  SHA1: 6e7dafab0291778487354fc7d9d6177150337d18
  SHA256: 4e878748553ce1470397f50cfa2ecb246c7dfc754e1679a0f120f5affd558f3c
  SHA512: 323a6429022864b948241bcceef272b2d830fe8337a2744414c4d7f7cfb6fea7238444aacc583e797da4a8d5af4e1f19f73c43ad024e4e208b3d8722b17ccc4a
- /data/misc/profiles/cur/0/com.ku.falcon/primary.prof
  Filesize: 1004B
  MD5: b9e1ce708b7c9e59b484db5aff643cf0
  SHA1: 33cc43dd0dc7110124b3b224886efd32c4def68f
  SHA256: 79d7962cf5bacab63cc78a0945cbd264295bc5fb361e50314918110a159d4ab4
  SHA512: 6897bbf8f391e4dd554dc4864409093e1c4d1ff26a226d35fd5acfc02cb73bcc5f98513e96099911f1f3c4c2d273fe96b80ba19041cedd6c9478693996505abe