Analysis
- max time kernel: 179s
- max time network: 180s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 04-07-2024 22:01
Static task: static1
Behavioral task: behavioral1
- Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca.apk
- Size: 112KB
- MD5: 965f472906eb53355e554895e1f95117
- SHA1: ec9ae20e1da6b440fa9e48ac9f83eee6063395f2
- SHA256: 8c1e77c4c5bb724bda41f6c4a18372b1442dd1cc2134dd9f192a90092e78dbca
- SHA512: 9a8a9aa8ac829be0fe24307e7704ee58632731c1b271232b47635dafce83a7e27b890d6efb5f7f253264163ae5fb4c00d5929d6a797b2ce8a040790f8cead97f
- SSDEEP: 3072:TdVMwH4Hc5VCYMa1A7Hbdexvuq4LFFJFhzUO:hCY4HRbGu3prFhL
Malware Config
Signatures
- Loads dropped Dex/Jar (1 TTPs, 24 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes (pid 4490, zbsq.xzohy.fjcs), dropped files loaded:
  - /data/user/0/zbsq.xzohy.fjcs/[email protected] (2 load events)
  - /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/bikc.dex (2 load events)
  - /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes1.dex (2 load events)
  - /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes2.dex (4 load events)
  - /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes3.dex (6 load events)
  - /data/user/0/zbsq.xzohy.fjcs/files/Factory/Plugins/classes4.dex (8 load events)
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes (zbsq.xzohy.fjcs), framework service calls:
  - android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  - android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
- Acquires the wake lock (1 IoCs)
  Processes (zbsq.xzohy.fjcs), framework service call:
  - android.os.IPowerManager.acquireWakeLock
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes (zbsq.xzohy.fjcs), framework service call:
  - android.app.IActivityManager.setServiceForeground
- Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Processes (zbsq.xzohy.fjcs), framework service call:
  - android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (4 calls)
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes (zbsq.xzohy.fjcs), framework service call:
  - com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  Processes (zbsq.xzohy.fjcs), intent action:
  - android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
- Requests enabling of the accessibility settings. (1 IoCs)
  Processes (zbsq.xzohy.fjcs), intent action:
  - android.settings.ACCESSIBILITY_SETTINGS
Processes
- zbsq.xzohy.fjcs (PID: 4490)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Requests enabling of the accessibility settings.
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
- /data/user/0/zbsq.xzohy.fjcs/[email protected] (Filesize: 163KB)
- /data/user/0/zbsq.xzohy.fjcs/[email protected] (Filesize: 171KB)
- Filesize: 33KB
- Filesize: 37KB
- Filesize: 67KB
- Filesize: 28KB
- Filesize: 187B
- /data/user/0/zbsq.xzohy.fjcs/oat/x86_64/[email protected] (Filesize: 468B)
- /data/user/0/zbsq.xzohy.fjcs/oat/x86_64/[email protected] (Filesize: 397B)