Overview

overview

7

Static

static

6

8ec873f849...3d.apk

android-9-x86

7

8ec873f849...3d.apk

android-10-x64

7

8ec873f849...3d.apk

android-11-x64

7

Analysis

  • max time kernel
    179s
  • max time network
    174s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    28-06-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ec873f84949385ac5fbed4194503f126d5737a995f4fc2cec9789c1862b183d.apk

  • Size

    4.5MB

  • MD5

    dbf4a1cef33a59c6235bf428991414fb

  • SHA1

    e910296bfd6ca507fef563d2060b3f2bd8c0ebed

  • SHA256

    8ec873f84949385ac5fbed4194503f126d5737a995f4fc2cec9789c1862b183d

  • SHA512

    a7214f5aa7a56ef751c13768aa47cc524002663c8af1156983d715d9259c92cb12c9350052f150d3a4142236b505818475c37471ba7c4f1678f6b6c1c871900d

  • SSDEEP

    98304:hkhfz/QEcYcC3GVDssvvO9h9CwfLyEefaq7P8:YQEL2VjgfzyzaqI

Score
7/10
bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

Malware Config

Signatures

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 6 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • com.bean.cousin
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4257
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bean.cousin/app_DynamicOptDex/oat/x86/CtaDwII.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bean.cousin/app_DynamicOptDex/CtaDwII.json
    Filesize

    2.2MB

    MD5

    c9ea4a96385657ebb6555b6d4d5eca0c

    SHA1

    5bae7c22a1bc9d4d0410a9a2a66056ebe00a7e93

    SHA256

    11b1cbdef463227d288271c05101ed180109d372d68fc924c29db43bf518922b

    SHA512

    e42bbc1ab5dcea9d0c54ff9ebf71919e97ec8ea49793e05179414a95a034f9108b709cbc52fd25c8a6f1d48d249b9d0bb59bfcabdac4f4853d0177ab3fdfce8c

    Download Submit

  • /data/data/com.bean.cousin/app_DynamicOptDex/CtaDwII.json
    Filesize

    2.2MB

    MD5

    f7f7cdf82b7b6c72882a6172213d0aff

    SHA1

    c423b55cb32e1c04cc8cca01cddf1d1264ab8777

    SHA256

    f6776bddb6a62dfaabcdf46eb1d5e22374ba0cfbabc45915ba887637b2f28c71

    SHA512

    e496bd409bc49ecf86bf98ed6924bfc78caa0729cc7e8277f3e53534b4aa9daee504712f885f2c46c0ee60f7b8e9e8db7b3a4e9dc20292bf24d9e81c3a6a24b7

    Download Submit

  • /data/data/com.bean.cousin/app_DynamicOptDex/oat/CtaDwII.json.cur.prof
    Filesize

    1KB

    MD5

    8a96be9ecf6827b3fba1190f452ea1e8

    SHA1

    ec1b131c85c5cf53128551cc904c25986bbf2f3c

    SHA256

    9e02bc8e613e69d386baa533fa043729de18a1be28b7b8e5c6f5904f8e619a0d

    SHA512

    f5eada4f33083705c7b411bccce3fa348e0f3cfac47eefaee855c0b2e3a901a74a5c55a38e9ffcac1cb94c71b5f9603643576e8b28391cd02d95a77fa39c8fd2

    Download Submit

  • /data/data/com.bean.cousin/app_DynamicOptDex/oat/CtaDwII.json.cur.prof
    Filesize

    2KB

    MD5

    a7e0e5c8a943af2556aaa47a5379c824

    SHA1

    288fc52dd0c5e7b778f86ef014e81737160e3a30

    SHA256

    20416abf2b74d36d448b63fa5d9aae0fe223a782b84aa86e9c382d289a60b109

    SHA512

    0a6ce5c219ee5d0a54c6f5a0f1aa341822e7a7638c6157e0b65b9ef112d7ff283686c1e5e3621c4ec693f43ae84f4ab81dcbcc0d9aa9a71225bae43a528fba0c

    Download Submit

  • /data/data/com.bean.cousin/app_DynamicOptDex/oat/CtaDwII.json.cur.prof
    Filesize

    2KB

    MD5

    01932ce2c6bbe5d092df472c8287f60f

    SHA1

    9c36a2ae5a218230e6c01be2fcec52c58ae3539c

    SHA256

    815a621b4b97c4b94f1a3d61d8924ef98f214c6cd586be15fe0eb9c249073bfc

    SHA512

    d732e83f97835961ce3c9b0b869e40f0e042372e4cad7291d0b8caa78958b4a3bf59a57aef5aea2ec5de118ccdb6ef14c263eca272f9f891a2ee78e40ae28a01

    Download Submit

  • /data/data/com.bean.cousin/app_DynamicOptDex/oat/CtaDwII.json.cur.prof
    Filesize

    2KB

    MD5

    f4bb21b287c8129054a4c7488f272a42

    SHA1

    c1562b5e612496ccc6e58ff9addb5d5b60bbf811

    SHA256

    f92a0442dc79f9c45012c4ca0e1f9c40362a48a3edc80ee1b8b3710c416104b5

    SHA512

    1d0e46259fc770e12dd0e4b110bf5c772d4c4592afb6ff34dc375c670be6da5401f9f2f0f8759bc220d88a2c8ee50bc6c7ff7c00c4b628c97650f49dbba7ef15

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    0f17d6328412ac2c927f3d6fce9593ee

    SHA1

    c772a1f32874bdf90495edafd0af2926e35223fb

    SHA256

    befc006f8d0306268c9c7f05bdafe34530db6e5143bb87afe8f54b426bdb3a6e

    SHA512

    c2f635bda2fde556b31279f312a5396b8d041c12fa39acf24b3d3efef285170f36a53d1b89ccb930da7a16f3ea9d3edf6efcd59018dd99f8bba31b520cbda05e

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    a5b23cc4c7b6306da20e2744eb800884

    SHA1

    86f4d96cd0860064120672d476611ac7713cd315

    SHA256

    e16fde19d6848c3ea5b94ea059d9fc481f6e4bc385ad7330d9f8e7a6d65187d5

    SHA512

    8eb77ccda242fc3a09b6b428f4eee310cd8bc93f886f56b6f4ff361d6383973cfefbe75cc3fd652c7c88d47dcad0ee7426acbb56168277514af8e1505843671b

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal
    Filesize

    197KB

    MD5

    ec61aab346c72881ba85f84485a9aa5f

    SHA1

    451d78f1ee450132da02f9dd85432b02b4172ae6

    SHA256

    4a109f059ee907e5e1d03dd813b0933cf0617a8d6e5f52f5e1c86e6dfe34f574

    SHA512

    e35a1500d4ef589092874dafbe3f7cb53738f02c88e313c8014d98f3e5da60d887b068e907894e1f0715d7937b6434b41890417484f91ffaab0142c504cf96f1

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    1a9096caf3bbf19266b3563a7d016433

    SHA1

    612aec83434ef58d7c6b153e441af7b010190001

    SHA256

    c2bfdf5a8015c8c0d97373648002aa265fada117caa9108479b671fb8a6cdf01

    SHA512

    734bb366a5b9ca438c8a7c840b4c5c0352d9a1a824e999036f9e442a7a1ecaa8e1692594a584a4b65dc5e83d66242eec599efb6962065990a96a1639c3fcbbad

    Download Submit

  • /data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json
    Filesize

    6.0MB

    MD5

    7650b4c1c441ffaa06c64c9ea181597d

    SHA1

    02b3192f88802366e32b02db6b491853f0474143

    SHA256

    6ca21973ebc73fb856040fd1be00603287494bed8fc7849e656ae5ec84689bff

    SHA512

    df47092217b7c6fe04f49db05d1983990b06f2b441e08895eda86b5ec2319d1eb631f3f2c8518d1f75e68fb344dc2f513e48d51caa59792d23b02e99c10674ea

    Download Submit

  • /data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json
    Filesize

    6.0MB

    MD5

    cb83525904c2bff0cb586d662c5fe2b9

    SHA1

    2d63ff2e85b34006a5517f85deb470ff48734df5

    SHA256

    acd7234022738f4e8499749de805c474879fea06de0d7ca066483d03e7ef02f5

    SHA512

    33eced5d3bead49bb238f08bac960044c7359262fdd58ab559cb38c47528859e24f8578e32743ba6a1630ce7e45497c9f99edb0b96c5c8fa6c0a4ca7fb15fd3e

    Download Submit