Analysis
max time kernel: 179s
max time network: 183s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 04-07-2024 22:01
Static task: static1
Behavioral task: behavioral1
  Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
Size: 112KB
MD5: 965f472906eb53355e554895e1f95117
SHA1: ec9ae20e1da6b440fa9e48ac9f83eee6063395f2
SHA256: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca
SHA512: 9a8a9aa8ac829be0fe24307e7704ee58632731c1b271232b47635dafce83a7e27b890d6efb5f7f253264163ae5fb4c00d5929d6a797b2ce8a040790f8cead97f
SSDEEP: 3072:TdVMwH4Hc5VCYMa1A7Hbdexvuq4LFFJFhzUO:hCY4HRbGu3prFhL
Malware Config
Signatures
Loads dropped Dex/Jar (1 TTPs, 24 IoCs)
Runs executable file dropped to the device during analysis.
Processes (ioc | pid | process):
  /data/user/0/zbsq.xzohy.fjcs/[email protected] | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/[email protected] | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex | 4969 | zbsq.xzohy.fjcs
  /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex | 4969 | zbsq.xzohy.fjcs

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes (description | ioc | process):
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | zbsq.xzohy.fjcs
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | zbsq.xzohy.fjcs

Acquires the wake lock (1 IoCs)
Processes (description | ioc | process):
  Framework service call | android.os.IPowerManager.acquireWakeLock | zbsq.xzohy.fjcs

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes (description | ioc | process):
  Framework service call | android.app.IActivityManager.setServiceForeground | zbsq.xzohy.fjcs

Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes (ioc | process):
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | zbsq.xzohy.fjcs
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | zbsq.xzohy.fjcs
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | zbsq.xzohy.fjcs
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | zbsq.xzohy.fjcs

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | zbsq.xzohy.fjcs

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
  Framework service call | android.app.IActivityManager.registerReceiver | zbsq.xzohy.fjcs
Processes
zbsq.xzohy.fjcs (PID: 4969)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (1)
    Suppress Application Icon (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Downloads

Filesize: 33KB
MD5: 2c36e9be721b0883f5bc1f71b3f2d918
SHA1: 1c4d662470eae7f0af3364f1563b78472183e7a0
SHA256: 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
SHA512: fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

Filesize: 37KB
MD5: 19b705d3574791cfcc095173c8cabc8d
SHA1: 05ab01d27521b77b02597b03265c9b859a1e3988
SHA256: 4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804
SHA512: 099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2

Filesize: 67KB
MD5: 4883ac1657fa237da009253bc9a28b02
SHA1: fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113
SHA256: 8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262
SHA512: 183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1

Filesize: 28KB
MD5: c988c8ad5214967f7e8928bdbbfb70b0
SHA1: af58e3a4f99f27ba483b2d076e7be41181bf6f34
SHA256: a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74
SHA512: 1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9

Filesize: 235B
MD5: a2e8e10d4ae0f2adea12323f9816b58e
SHA1: 52a739ffbebc545681d399a86d66881b1ec3a543
SHA256: 949b9370668651f888df695502df109f8207bcb81bb9b2a06229871c63639548
SHA512: 0f84b22749bc5356bf6001f16da0c459964b84d7cc44a089ea09bb717b08e10fb5406d98901a658c993c334a08a8f1bc6cfc2704f22ad71df602b1daa3d21cfa

/data/data/zbsq.xzohy.fjcs/oat/x86_64/[email protected]
Filesize: 227B
MD5: 940fc1b09ad0ebc94f5cde0cc68054e1
SHA1: d74549efc7d2af9213f5b4bb0553089a114d0a7c
SHA256: bd453400f8303d3e05adddbcf3d8334fe7707d24503b6fc6273b0013397ff64d
SHA512: 6520cb4fc554555ad4489095b3339b99b6192768c6bdc7eee0188e21e06731631138c3bff2145433db15af09db005096166bb38c2705367a695a25a65a87e7cb

/data/data/zbsq.xzohy.fjcs/oat/x86_64/[email protected]
Filesize: 156B
MD5: f190f7e272e6a791ed7a8ed4041878eb
SHA1: 9273e365ac0fc69a6c61de13572201748e36a6f5
SHA256: 22f4925287602e154beae474de070fadfe7ba3f68da3c0434965bcc092f3486e
SHA512: 8f397a449db86404c6bc7316e321a1c60bc212d9c52593da31634edb200b4ede65a6865a45b6f9a529700789d1782d787a5348415f2002a7534444fd81cd459a

/data/user/0/zbsq.xzohy.fjcs/[email protected]
Filesize: 163KB
MD5: 28f5b27fc4e99ed8e65833e6f764fd8a
SHA1: d33641927253c0b824010cdd8fbd88f92b3734ee
SHA256: 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
SHA512: e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

/data/user/0/zbsq.xzohy.fjcs/[email protected]
Filesize: 171KB
MD5: 4d2015ff34118e8b472d77e9775adc70
SHA1: dc6ac441cf0c6f0d88521f67630893aad2be7378
SHA256: a27f78c65cd9fff3d35f6384348f3dc9b7b04349916605529bf123526d5e795c
SHA512: 429b581c1a62f257a6a44a54835d1dcbfb5db7e05571968407f8566081dfba8da048972d9fe1b7ff8702d974683e2d40863de83ce5d7e215748025d1a81e11a4