b58b7477e636565dc2f1ec838bd8f7fd6fcb14361ecc1594fd768c33c408b55e

Analysis

max time kernel
9s
max time network
131s
platform
android_x86
resource
android-x86-arm-20240514-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240514-enlocale:en-usos:android-9-x86system
submitted
23-05-2024 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

link_20200527175802.apk
Size

7.7MB
MD5

e80f18280ae16ef6fd5cf22fe6acdb44
SHA1

2c99388a2e09617da33a105ea7454ded6936d59d
SHA256

b58b7477e636565dc2f1ec838bd8f7fd6fcb14361ecc1594fd768c33c408b55e
SHA512

213c8d95e56fd333fbb838e59f0aa480c300da8b9d4235bc1950e2dc8ff2a08d2dfdab7a27003c735245d9fd756058e9dff5585ba3299d8b0913af4202fc307d
SSDEEP

196608:K4L3hozBM7yp8L9etSwO7Bo606U9kQ4A9I:K4L3s8LGt6o6ZU97LI

Score

7^/10

discovery impact persistence

Malware Config

Signatures

Queries information about running processes on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

Processes:

com.fmob.client.app.linkcom.fmob.client.app.link:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.fmob.client.app.link
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.fmob.client.app.link:pushcore

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

com.fmob.client.app.link:pushcore

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.fmob.client.app.link:pushcore

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.fmob.client.app.link:pushcore

Checks if the internet connection is available 1 TTPs 2 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

com.fmob.client.app.link:pushcorecom.fmob.client.app.link

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.fmob.client.app.link:pushcore
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.fmob.client.app.link

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

com.fmob.client.app.link

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.fmob.client.app.link

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.fmob.client.app.link

com.fmob.client.app.link
1⤵
- Queries information about running processes on the device
- Checks if the internet connection is available
- Uses Crypto APIs (Might try to encrypt user data)
PID:4353

getprop ro.product.cpu.abi
2⤵
PID:4387

com.fmob.client.app.link:pushcore
1⤵
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks if the internet connection is available
PID:4411

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1424

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/storage/emulated/0/Android/data/com.fmob.client.app.link/files/tbslog/tbslog.txt
Filesize
7KB

MD5
665455dff93148def1f22e6dec7688bd

SHA1
9e9ec0eea71d8d344aaa6c76235df81b44579aac

SHA256
493899861c9723dde0e989394357613fd67f64297672ad34eba133dfde973ec9

SHA512
85216e6b7c6e939610f798241886bdc21922738a61e8900dc73e988ff969d9f9190d751b9b0dc759add1ee4cda18bbdc806ccb99ae3aa60100cd10bd967a1fd6

Download Submit