Analysis
- max time kernel: 17s
- max time network: 131s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 04-07-2024 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
- Size: 112KB
- MD5: 965f472906eb53355e554895e1f95117
- SHA1: ec9ae20e1da6b440fa9e48ac9f83eee6063395f2
- SHA256: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca
- SHA512: 9a8a9aa8ac829be0fe24307e7704ee58632731c1b271232b47635dafce83a7e27b890d6efb5f7f253264163ae5fb4c00d5929d6a797b2ce8a040790f8cead97f
- SSDEEP: 3072:TdVMwH4Hc5VCYMa1A7Hbdexvuq4LFFJFhzUO:hCY4HRbGu3prFhL
Malware Config
Signatures

Loads dropped Dex/Jar (1 TTPs, 6 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
- zbsq.xzohy.fjcs
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/oat/x86/bikc.odex --compiler-filter=quicken --class-loader-context=&

ioc | pid | process
Anonymous-DexFile@0xd5f87000-0xd5fb1e34 | 4261 | zbsq.xzohy.fjcs
/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex | 4261 | zbsq.xzohy.fjcs
/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex | 4289 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/oat/x86/bikc.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex | 4261 | zbsq.xzohy.fjcs
Anonymous-DexFile@0xd4c02000-0xd4c2ae20 | 4261 | zbsq.xzohy.fjcs
/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex | 4261 | zbsq.xzohy.fjcs
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
- zbsq.xzohy.fjcs

description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | zbsq.xzohy.fjcs
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | zbsq.xzohy.fjcs
Acquires the wake lock (1 IoCs)
Processes:
- zbsq.xzohy.fjcs

description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | zbsq.xzohy.fjcs
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
- zbsq.xzohy.fjcs

description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | zbsq.xzohy.fjcs
Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
- zbsq.xzohy.fjcs

ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | zbsq.xzohy.fjcs
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | zbsq.xzohy.fjcs
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes:
- zbsq.xzohy.fjcs

description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | zbsq.xzohy.fjcs
Requests enabling of the accessibility settings. (1 IoCs)
Processes:
- zbsq.xzohy.fjcs

description | ioc | process
Intent action | android.settings.ACCESSIBILITY_SETTINGS | zbsq.xzohy.fjcs
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
- zbsq.xzohy.fjcs

description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | zbsq.xzohy.fjcs
Processes
- zbsq.xzohy.fjcs (PID:4261)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests enabling of the accessibility settings.
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/oat/x86/bikc.odex --compiler-filter=quicken --class-loader-context=& (PID:4289)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - Suppress Application Icon (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
- Filesize: 33KB
  MD5: 2c36e9be721b0883f5bc1f71b3f2d918
  SHA1: 1c4d662470eae7f0af3364f1563b78472183e7a0
  SHA256: 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
  SHA512: fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8
- Filesize: 171KB
  MD5: 493e26343912179aa7244002b3decee7
  SHA1: 4546f95b5b6ef134792a4b0a80e3887586fa9837
  SHA256: cdacd1fb59aacab59dfa26517a6b13779fdfe3127a6a811adc4dcff5baec0b62
  SHA512: 78962e3f42c496e98ac633155df2de2e2a0fa1f91f1a028e4137b35eb76017a0cadee41fc6fb184efe05ce830c2c0708894b6d49a43c34c3672e3c21c85f694f
- Filesize: 163KB
  MD5: 28f5b27fc4e99ed8e65833e6f764fd8a
  SHA1: d33641927253c0b824010cdd8fbd88f92b3734ee
  SHA256: 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
  SHA512: e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05
- Filesize: 171KB
  MD5: 4d2015ff34118e8b472d77e9775adc70
  SHA1: dc6ac441cf0c6f0d88521f67630893aad2be7378
  SHA256: a27f78c65cd9fff3d35f6384348f3dc9b7b04349916605529bf123526d5e795c
  SHA512: 429b581c1a62f257a6a44a54835d1dcbfb5db7e05571968407f8566081dfba8da048972d9fe1b7ff8702d974683e2d40863de83ce5d7e215748025d1a81e11a4