Overview

overview

7

Static

static

6

8ec873f849...3d.apk

android-9-x86

7

8ec873f849...3d.apk

android-10-x64

7

8ec873f849...3d.apk

android-11-x64

7

Analysis

  • max time kernel
    178s
  • max time network
    165s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    28-06-2024 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ec873f84949385ac5fbed4194503f126d5737a995f4fc2cec9789c1862b183d.apk

  • Size

    4.5MB

  • MD5

    dbf4a1cef33a59c6235bf428991414fb

  • SHA1

    e910296bfd6ca507fef563d2060b3f2bd8c0ebed

  • SHA256

    8ec873f84949385ac5fbed4194503f126d5737a995f4fc2cec9789c1862b183d

  • SHA512

    a7214f5aa7a56ef751c13768aa47cc524002663c8af1156983d715d9259c92cb12c9350052f150d3a4142236b505818475c37471ba7c4f1678f6b6c1c871900d

  • SSDEEP

    98304:hkhfz/QEcYcC3GVDssvvO9h9CwfLyEefaq7P8:YQEL2VjgfzyzaqI

Score
7/10
bankercollectioncredential_accessdiscoveryevasionexecutionpersistence

Malware Config

Signatures

  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Queries account information for other applications stored on the device 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect account information stored on the device.

    collection
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Acquires the wake lock 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 15 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
    collectioncredential_access
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence

Processes

  • com.bean.cousin
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Queries account information for other applications stored on the device
    • Reads the contacts stored on the device.
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests accessing notifications (often used to intercept notifications before users become aware).
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    PID:4458

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Foreground Persistence

1
T1541

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

1
T1628

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Credential Access

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Access Notifications

1
T1517

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

Contact List

1
T1636.003

Screen Capture

1
T1513

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.bean.cousin/app_DynamicOptDex/CtaDwII.json
    Filesize

    2.2MB

    MD5

    c9ea4a96385657ebb6555b6d4d5eca0c

    SHA1

    5bae7c22a1bc9d4d0410a9a2a66056ebe00a7e93

    SHA256

    11b1cbdef463227d288271c05101ed180109d372d68fc924c29db43bf518922b

    SHA512

    e42bbc1ab5dcea9d0c54ff9ebf71919e97ec8ea49793e05179414a95a034f9108b709cbc52fd25c8a6f1d48d249b9d0bb59bfcabdac4f4853d0177ab3fdfce8c

    Download Submit

  • /data/data/com.bean.cousin/app_DynamicOptDex/CtaDwII.json
    Filesize

    2.2MB

    MD5

    f7f7cdf82b7b6c72882a6172213d0aff

    SHA1

    c423b55cb32e1c04cc8cca01cddf1d1264ab8777

    SHA256

    f6776bddb6a62dfaabcdf46eb1d5e22374ba0cfbabc45915ba887637b2f28c71

    SHA512

    e496bd409bc49ecf86bf98ed6924bfc78caa0729cc7e8277f3e53534b4aa9daee504712f885f2c46c0ee60f7b8e9e8db7b3a4e9dc20292bf24d9e81c3a6a24b7

    Download Submit

  • /data/data/com.bean.cousin/app_DynamicOptDex/oat/CtaDwII.json.cur.prof
    Filesize

    4KB

    MD5

    8a3af13f4b98e047716622062890906c

    SHA1

    c00b8adbc2e578d4f477dcea3faabfff4828f543

    SHA256

    52f9356db39023fdc139e42bfe32e43da1672aa0a251b6ea0d05668ffd9dc6c3

    SHA512

    54827a2bce28bb969f27f2485c83422aaae7b8eae3d964bb6874390b202e3e3e8986d58390fca952ea37c622922de9b22fad57df5bb93024cc2c109541006d34

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb
    Filesize

    4KB

    MD5

    7e858c4054eb00fcddc653a04e5cd1c6

    SHA1

    2e056bf31a8d78df136f02a62afeeca77f4faccf

    SHA256

    9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad

    SHA512

    d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    c7790519af90d382f62e2d1c5d7cf21f

    SHA1

    0e53384167fed4ce1380fbd93ee0ffcc6f458be2

    SHA256

    db71c16f04ea0c1045a861b9bf9b4443a1d79578ca0bd35e932ba2e8c4c5ccbf

    SHA512

    35c3f6927ac8863bb7a130b655ace2ce481f31237900983cf71eed20604194a69fb0abf7e1d35436604575878f55b53b3f29666fdf1ebcbc547113035a38dc00

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    2426eece2c0c50b4dda02216cefa77ac

    SHA1

    7437ca08f1b28ba9a257c730aefb16e77fe86e4c

    SHA256

    06c7090e9882b88e95bd368c33852b59faf2984b738b816ce5e2f773d413fe07

    SHA512

    c0db3d50f290b040f4fff059657798d3dfbf62f27a61e274c87a4e77546df9ebd31275067409b68a4057c7b15e0e01aafef58093ade7afb917031f5fd4de02d6

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    37d21620e4c9c3e7ab3d8e9c107fbe46

    SHA1

    7dfa2578982f68d9d59aa567e0607a0cce8bbd2f

    SHA256

    b91ebdbcde9d920c0342057b612c075cc1c06d9c002ea6c7affc705902c6324f

    SHA512

    75fc44c460cb8880b94761dccb8e8efa58b31335f8c019c666f473c7218c59954a28c4309de04d41de17c04425837c2772d11065847f11926feaa1086efe36c2

    Download Submit

  • /data/data/com.bean.cousin/no_backup/androidx.work.workdb-wal
    Filesize

    197KB

    MD5

    216814c2a41eeea570872c536756fa42

    SHA1

    33c39b629835b077c56f374d6e5f10f07aa7a363

    SHA256

    0647700b29a53c8c570cfbad095548ced513171f0d55ceca0df1d3e29bfdf3ff

    SHA512

    024f4ab8b7774ecca228c882227036689f16f93c4c60581e0cff833bc08af3d2232c223ce9e36c63bebee40e5d9d65115bee6f5184fc1ccaf61c3ac97305a31a

    Download Submit

  • /data/user/0/com.bean.cousin/app_DynamicOptDex/CtaDwII.json
    Filesize

    6.0MB

    MD5

    cb83525904c2bff0cb586d662c5fe2b9

    SHA1

    2d63ff2e85b34006a5517f85deb470ff48734df5

    SHA256

    acd7234022738f4e8499749de805c474879fea06de0d7ca066483d03e7ef02f5

    SHA512

    33eced5d3bead49bb238f08bac960044c7359262fdd58ab559cb38c47528859e24f8578e32743ba6a1630ce7e45497c9f99edb0b96c5c8fa6c0a4ca7fb15fd3e

    Download Submit