Analysis
-
max time kernel
179s -
max time network
186s -
platform
android_x64 -
resource
android-x64-arm64-20240624-es -
resource tags
androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-eslocale:es-esos:android-11-x64system -
submitted
03-07-2024 09:43
Static task
static1
Behavioral task
behavioral1
Sample
4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c.apk
Resource
android-x64-arm64-20240624-es
General
-
Target
4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c.apk
-
Size
6.0MB
-
MD5
06371fc75740162de9e6275102012e6c
-
SHA1
9b45243e89541ae26fea5ff2b9c7d14ff69044ed
-
SHA256
4859ab9cd5efbe0d4f63799126110d744a42eff057fa22ff1bd11cb59b49608c
-
SHA512
c865d89143effb176c4be93fc16f54e06d248f5b7e22ffbf19754137f9da181f6d7f6019cdb28d2d7964375b1978a255c475dd3d17487fddb9fa0e4eda8bf248
-
SSDEEP
98304:fC3rjZ1lQTKUHiLoQwaFaxCiFXzTVNeWr4kUCzwHrqrtQUn5HHOwBFyxrlV:fCvlLLNwaF8DhX4k9SrEbBFyN3
Malware Config
Signatures
-
FluBot
FluBot is an android banking trojan that uses overlays.
-
FluBot payload 1 IoCs
resource yara_rule behavioral1/memory/4476-0.dex family_flubot -
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/com.tencent.mobileqq/eGGggUk6i7/GI8kghfhhThU88f/base.apk.eUftgIu1.jjI 4476 com.tencent.mobileqq -
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description ioc Process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText com.tencent.mobileqq Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.tencent.mobileqq Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.tencent.mobileqq -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 27 ipinfo.io 28 ipinfo.io -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description ioc Process Framework service call android.app.IActivityManager.setServiceForeground com.tencent.mobileqq -
Performs UI accessibility actions on behalf of the user 1 TTPs 1 IoCs
Application may abuse the accessibility service to prevent their removal.
ioc Process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.tencent.mobileqq -
Queries information about active data network 1 TTPs 1 IoCs
description ioc Process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo com.tencent.mobileqq -
Requests changing the default SMS application. 2 TTPs 1 IoCs
description ioc Process Intent action android.provider.Telephony.ACTION_CHANGE_DEFAULT com.tencent.mobileqq -
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description ioc Process Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS com.tencent.mobileqq -
Requests enabling of the accessibility settings. 1 IoCs
description ioc Process Intent action android.settings.ACCESSIBILITY_SETTINGS com.tencent.mobileqq -
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
description ioc Process Framework API call javax.crypto.Cipher.doFinal com.tencent.mobileqq
Processes
-
com.tencent.mobileqq1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data)
PID:4476
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD550047ec0209d69081cbd555b6c385a49
SHA198175443858a4f2998719a02e3446d610e7157ed
SHA256b1951dfd1028e85d5f62f6d5337bc9132625d4c3f972a4050e15f50daac18c2c
SHA51258a3b30b6a9315ef775bafe977b03b6e9771d764561de7c225c881b5c83d3551cd67408a2ad35504a7eb729c66c3af7158abdb18fb54df17d7a6c1fd6ebd539a
-
/data/user/0/com.tencent.mobileqq/eGGggUk6i7/GI8kghfhhThU88f/tmp-base.apk.eUftgIu7829917568604412113.jjI
Filesize915KB
MD542ebd0868bcb875ea770e2fb0d8064e3
SHA1fe1cec67c766c777507da6949d04daebbad21723
SHA2562df9eef913ee3b9fd3803b0d0363c52d4294c9fadfe00ca0b23a854fcbd10c70
SHA512a381e0ef3557c0d5fc561aa59a5abdcd8461698abd623846159b257b9c2f3168bea35d1bd8db3c3b842e1f2638feae224e1e847cc3c46076983bca3aa08c322b