Analysis

  • max time kernel
    160s
  • max time network
    156s
  • platform
    android_x86
  • resource
    android-x86-arm-20240514-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240514-en, locale:en-us, os:android-9-x86, system
  • submitted
    29-05-2024 08:50

General

  • Target
    462e131e3b1b3e72f475374496bd6d0067fb271b78d25302f4798764e961e529.apk
  • Size
    2.2MB
  • MD5
    e143e7e9c6518566b164d17779aeaced
  • SHA1
    eb5c102409f45d8e3e0c137f5d3f21aed5cc2032
  • SHA256
    462e131e3b1b3e72f475374496bd6d0067fb271b78d25302f4798764e961e529
  • SHA512
    de05f5a053a3b1d445b8e28790a222e27c2cb48e6affdc5a353a76657c0abe5362f8862f5553d226257cf5d369ec3e6dfe4ac02f69b3695a74f5b6ea068bba36
  • SSDEEP
    49152:3bXariYd8Zkxqm3VSd63y8ZipwkHkB1seN0ELOcnDRoG6MnPhbe:LXaOfZkB3VSdKiikuOcnDClMo

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Prevents application removal 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to prevent removal.

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Acquires the wake lock 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Listens for changes in the sensor environment (might be used to detect emulation) 1 TTPs 1 IoCs

Processes

  • kcbemzsjob.pcqswfdcpw.xhnxkqw
    1⤵
    • Makes use of the framework's Accessibility service
    • Prevents application removal
    • Removes its main activity from the application launcher
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Loads dropped Dex/Jar
    • Makes use of the framework's foreground persistence service
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Requests enabling of the accessibility settings.
    • Acquires the wake lock
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    • Listens for changes in the sensor environment (might be used to detect emulation)
    PID:4209
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/oat/x86/uiBBLIE.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4233

Network

MITRE ATT&CK Mobile v15


Downloads

  • /data/data/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/oat/uiBBLIE.json.cur.prof
    Filesize
    471B
    MD5
    21aade0420a2df93b4dba7b7ba7e7b18
    SHA1
    0d1aa4873ce9ff77b2e37bb834e5c4dc1354399d
    SHA256
    43df61255ae37022179ae8f45ca4949a4b3c6f2ff452014bace951b0fe204386
    SHA512
    2349697bee7e220897ad2e201db04890771fa9aa9f56e1de9c5dfb377d79f693775c362d1f1b4ab20fa289b31ba2e60dbd59be790c4b1505f4d7dd4668471656

  • /data/data/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json
    Filesize
    1.4MB
    MD5
    41f6439a763bf43aa4c74943d7fd745f
    SHA1
    ff02de7a300cb01782158cd9aba7d32795927f16
    SHA256
    3309cc667c5b49e829999302661109a3d47db1537c188f55d0d6ce26d7406142
    SHA512
    47a5eed43fdf86b65f6dadbbd1d8d4cb377b44df6d1f61f11d1d0976279d5cba453e980fb10c8664815cd9f2e1c295722d20f213359c0ab2b911370ab098b020

  • /data/data/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json
    Filesize
    1.4MB
    MD5
    74ba1ad4d3b3f1eea3f632a866928a9c
    SHA1
    c6bc9771b7954278d821dfc007d166bc8ae0dc6b
    SHA256
    229b305917067d34eef2cfec6f126627c89998d85393597d87fe926d26943f6e
    SHA512
    593e60351622445aa4e56f26844069f5d8b942f5869dbaec88744cda8dade5fef87886c895888cc5c9dfc19f596f03d58856d62816a914a5f173efc529f30bb7

  • /data/user/0/kcbemzsjob.pcqswfdcpw.xhnxkqw/app_DynamicOptDex/uiBBLIE.json
    Filesize
    1.4MB
    MD5
    5ce1939db78329d67c511b4f04e3a78b
    SHA1
    0ef8e4bfa758ecdef4643597f9dc7e0f9454cc0e
    SHA256
    3205b40deae9793dbec8b36f4a6d57f08f7a3b81693f1cd3196947367eea505c
    SHA512
    8cf1c1bffb8674883a1421d7796fe6172d284cd8932c277dc5fa54fbe1e94957416cca3cc47dc4c6db3666f5858f61408c0afb7875ba999e8ca1aa55c13389a6