dab0c77957c0341a749a4aeb030364982f230ad08a5c77c94d2bd95f5ed596a9

General

Target

dab0c77957c0341a749a4aeb030364982f230ad08a5c77c94d2bd95f5ed596a9.apk
Size

2.0MB
MD5

7d0279c6e4ec3727984ac68a13b23bd7
SHA1

7b49ea135149bfd6d3870a882e344de195e7e6f0
SHA256

dab0c77957c0341a749a4aeb030364982f230ad08a5c77c94d2bd95f5ed596a9
SHA512

aadfa7a053d6c51f3c807561ccaa155f01dae9bc6caf8c2b11a896b45b9291ddd695ba5bf1007937d13f35417c249bda4e94a40871f1c8a5919f0df34dc32163
SSDEEP

49152:I/gGuqURokkd7DHuugOq8PQNgnNnfOpLv4tmZUV:ugGuJRo/lDOugOq8INgnxU8tXV

Score

7^/10

discovery evasion persistence

Malware Config

Signatures

Checks memory information 2 TTPs 1 IoCs
Checks memory information which indicate if the system is an emulator.
evasion discovery

T1633.001

T1426

Processes:

com.app.brainballbash

description ioc process

File opened for read /proc/meminfo com.app.brainballbash

description	ioc	process
File opened for read	/proc/meminfo	com.app.brainballbash

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

T1407

Processes:

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.app.brainballbash/files/6bb633ad.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.app.brainballbash/files/oat/x86/6bb633ad.odex --compiler-filter=quicken --class-loader-context=&com.app.brainballbash

ioc	pid	process
/data/user/0/com.app.brainballbash/files/6bb633ad.dex	4382	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.app.brainballbash/files/6bb633ad.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.app.brainballbash/files/oat/x86/6bb633ad.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.app.brainballbash/files/6bb633ad.dex	4356	com.app.brainballbash

Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

T1422

Processes:

com.app.brainballbash

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.app.brainballbash
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

T1624.001

Processes:

com.app.brainballbash

description ioc process

Framework service call android.app.IActivityManager.registerReceiver com.app.brainballbash
Acquires the wake lock 1 IoCs

Processes:

com.app.brainballbash

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock com.app.brainballbash
Checks if the internet connection is available 1 TTPs 1 IoCs
discovery

T1421

Processes:

com.app.brainballbash

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.app.brainballbash

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.app.brainballbash

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	com.app.brainballbash

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.app.brainballbash

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.app.brainballbash

com.app.brainballbash
1⤵
- Checks memory information
- Loads dropped Dex/Jar
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Acquires the wake lock
- Checks if the internet connection is available
PID:4356

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.app.brainballbash/files/6bb633ad.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.app.brainballbash/files/oat/x86/6bb633ad.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4382

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.app.brainballbash/files/6bb633ad.dex
Filesize
260KB

MD5
4db59803f5603153b5f4ec2a70d89d1b

SHA1
c6bb3c849811bc920dee9baa62693e11b0e0a855

SHA256
4d7efdf6cc9e14eeefb1ca952b70d9200660ef85b5639aa7dc2ca5e397cadefc

SHA512
90b094faaf7ac41ae27433f2c23bf49daf0a0e7ee40cee1048efe57e4b8609d249e908ec1fbcbbe823671dcb12857c63a7abd672d0746518969884f7b6cc5476

Download Submit
/data/data/com.app.brainballbash/files/BGEaUZrY
Filesize
656B

MD5
7feb7f442547de190f3e8e69ec0879e1

SHA1
d1c988cd8945b5671d55a950b0b938a960ad509d

SHA256
3795d08f62b6bdd995726df033c9009bb7a93c782365624f16850e131518108e

SHA512
0567ff62a98120841d5eb3efd7585c5b14efc04b480d5172c3574aa4e41e6d48fd00f37e44292b600d1068a8801292f44c300afe98c442a70fdc2a6f7e0d0749

Download Submit
/data/data/com.app.brainballbash/files/BGEaUZrY
Filesize
470B

MD5
490105da4aa200ed8416f6c6fd696358

SHA1
98ae5a8e1dc193bf9ce2dbd332722b1c6d10c841

SHA256
3aebab6287d0d9342bc34a6b3afe54d154509f0d62c4504a89d2b23231f64606

SHA512
9336d66be8faf304f4649a91cff93032e84fc685ceaa815a89ac3519d080e8a513365209fef1c207fe5624a9abcbb12c1e3888aa8b74c4804cbe236fc4f8fd64

Download Submit
/data/data/com.app.brainballbash/files/TrPJFdsN
Filesize
336B

MD5
bd4e0617f3b22bd5648a5043955fe8aa

SHA1
1cb5060aa9d99d9082c3e3a18bdb2a2451385795

SHA256
951817ac9b36dea32a5051a198bda6faa547b55978cc0feb6b991de3d3631430

SHA512
b082b7baec4ec572ca9fd8fc8bb1f89294579cd51d8a7a3ba8aed5c033487177bec27908cbdcb3e33186d2326ccd59275d5f45077121d4bcde39faf4533e0f50

Download Submit
/data/data/com.app.brainballbash/files/TrPJFdsN
Filesize
336B

MD5
43e45978fd3c50aaef22c0b67392e91c

SHA1
782b343dbd66b9bcfa29a209f3b5ed8b2a104f9a

SHA256
946637890b9738809a7ef9bcc2a351f7724ac7951c7b3e903285a1162521fe70

SHA512
40b184ec6d340599bdf121499c6485b92201ad5c531ac6859a23583d126b521018c2c0f594f4069399663b35b32e1c5fa5f92f80fc1fa85c19c664c894afdc96

Download Submit
/data/data/com.app.brainballbash/files/TrPJFdsN
Filesize
336B

MD5
b0a6e9eb4b1285f302597a1b02c407a8

SHA1
d97e50cdd6b9b42d9bb50c1632e1fd61cb82b9dc

SHA256
144e0c9f450993e9ac2c143af22da5971cffd6e1aa766d467561b004663458bf

SHA512
b81ecf4d522d5f5acea7306cbbfb1ab97d5cbbbf54831f4bf48c3d6a609e58c12ee6193e887630ab3e5a1644e9ab068949a0c80c9c6c092030a7d2c85eb72365

Download Submit
/data/data/com.app.brainballbash/no_backup/com.google.InstanceId.properties
Filesize
2KB

MD5
56372993fbe224fa24ebf3e18a013be8

SHA1
5f0f6d388719377ac1c64b83e9cf82f7304e2828

SHA256
9e881768f0edec9e47ed922729b2ce19f2782e0e33122662f1e373d3bec0fa51

SHA512
2cc53277c997c2930a07bd28423de23940a35b96eaf20193dbfb716d32036b5874523f6909f749da26088b81070e82367d2d3d955b9184b5108b3608d234e458

Download Submit
/data/user/0/com.app.brainballbash/files/6bb633ad.dex
Filesize
610KB

MD5
f98439605db570d0deab7b5635ef4b39

SHA1
11dd5455b51e6366f3b229bea3c34cd7baf9581d

SHA256
bb546a9d652cbd0d9729dc52eb090fda203d29adee15510a5230f76a92cc1439

SHA512
bf27b6ec13f8b0334561dcf55ea7c8b2a5e414fdf77802c11b59c60940560563298dfb03f4e3d53b4ff474ca4120b50889eec9880b28cb44c6d7190c27b87f04

Download Submit

Analysis

Sharing