Analysis
-
max time kernel
174s
-
max time network
181s
-
platform
android_x86
-
resource
android-x86-arm-20240624-en
-
resource tags
android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
-
submitted
04-07-2024 22:06
Static task
static1
Behavioral task
behavioral1
Sample
8883996a0058c9aec7d830934b97b989938ba41cd58b817438b3456de897e9a2.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
8883996a0058c9aec7d830934b97b989938ba41cd58b817438b3456de897e9a2.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
8883996a0058c9aec7d830934b97b989938ba41cd58b817438b3456de897e9a2.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
8883996a0058c9aec7d830934b97b989938ba41cd58b817438b3456de897e9a2.apk
-
Size
109KB
-
MD5
9104c8f53bd0bc90f6390589dfe22fb7
-
SHA1
c4a004d89625c15e494ec76b94820e5eb713028a
-
SHA256
8883996a0058c9aec7d830934b97b989938ba41cd58b817438b3456de897e9a2
-
SHA512
f61c46f8852178d626b16424767a3cde2c5fe0edd8600548a7651b257541a894e350243fe21115cf210245daf38754a58107477107660fa2dcc19e9c757343db
-
SSDEEP
1536:dq72vESli5yRKCM8++wK4QURb7KEtkBjHf7jtL6ea5qv0neTdHTL87O5L/Ld6b:o72MSli138EQKfkBjjjp6H+HTLoki
Malware Config
Signatures
-
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable file dropped to the device during analysis.
Processes:
nyqr.epzsj.vqgn
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/iace.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/oat/x86/iace.odex --compiler-filter=quicken --class-loader-context=&
ioc | pid | process
Anonymous-DexFile@0xd05cc000-0xd05f6e30 | 4265 | nyqr.epzsj.vqgn
/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/iace.dex | 4265 | nyqr.epzsj.vqgn
/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/iace.dex | 4294 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/iace.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/oat/x86/iace.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/iace.dex | 4265 | nyqr.epzsj.vqgn
-
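The dex2oat invocation above is the most useful artifact in this signature: ART only spawns it for a DEX file that has no compiled oat yet, and its --dex-file argument names the code the app pulled in at runtime. The following is an added example written for this page (not the sandbox's own detection logic and not code from the sample) that parses dex2oat command lines like the one for PID 4294 and flags DEX files compiled out of an app's private data directory. The package-name pattern, the constructed benign install-time record and the constructed non-dex2oat record are assumptions for illustration; the first record is the command line from the report.

```python
"""Pull dropped-DEX indicators out of dex2oat command lines.

On the Android 9 image used in this report, ART spawns /system/bin/dex2oat
when an app loads a DEX file that has no compiled oat yet (for example via
DexClassLoader). The --dex-file argument therefore names the code the app
loaded at runtime, and a path under the app's private data directory
(/data/user/<n>/<package>/...) means that code was not shipped in the
installed APK. Added example; not sandbox or sample code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed layout of an app-private data path; captures the owning package.
APP_DATA_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")


@dataclass
class DexLoad:
    package: Optional[str]          # owner of the data dir, if the path is app-private
    dex_file: str
    oat_location: Optional[str]
    compiler_filter: Optional[str]
    class_loader_context: Optional[str]
    in_app_private_dir: bool


def parse_dex2oat_args(cmdline: str) -> Dict[str, str]:
    """Collect --key=value options. Bare flags and '--runtime-arg X' pairs are
    skipped; a key given twice keeps the last value (the report's command line
    passes --instruction-set-features twice, so the result is 'default')."""
    args: Dict[str, str] = {}
    for tok in cmdline.split():
        if tok.startswith("--") and "=" in tok:
            key, value = tok[2:].split("=", 1)
            args[key] = value
    return args


def classify_dex_load(cmdline: str) -> Optional[DexLoad]:
    """Return a DexLoad for a dex2oat invocation, or None for any other process."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].endswith("dex2oat"):
        return None
    args = parse_dex2oat_args(cmdline)
    dex_file = args.get("dex-file")
    if dex_file is None:
        return None
    m = APP_DATA_RE.match(dex_file)
    return DexLoad(
        package=m.group(1) if m else None,
        dex_file=dex_file,
        oat_location=args.get("oat-location"),
        compiler_filter=args.get("compiler-filter"),
        class_loader_context=args.get("class-loader-context"),
        in_app_private_dir=m is not None,
    )


def find_dropped_dex(processes: List[Tuple[str, str]]) -> List[Tuple[str, DexLoad]]:
    """Filter (pid, cmdline) records down to dex2oat runs over app-private DEX files."""
    hits = []
    for pid, cmdline in processes:
        load = classify_dex_load(cmdline)
        if load is not None and load.in_app_private_dir:
            hits.append((pid, load))
    return hits


# Records to run against. The first is PID 4294 from the report; the other
# two are constructed for contrast and do not come from the report.
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    ("4294",
     "/system/bin/dex2oat --instruction-set=x86 "
     "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
     "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
     "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
     "--instruction-set-variant=x86 --instruction-set-features=default "
     "--inline-max-code-units=0 --compact-dex-level=none "
     "--dex-file=/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/iace.dex "
     "--output-vdex-fd=43 --oat-fd=44 "
     "--oat-location=/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/oat/x86/iace.odex "
     "--compiler-filter=quicken --class-loader-context=&"),
    # Constructed: install-time compilation of a package's own base.apk (benign pattern).
    ("4100",
     "/system/bin/dex2oat --dex-file=/data/app/com.example.app-1/base.apk "
     "--oat-location=/data/app/com.example.app-1/oat/x86/base.odex "
     "--compiler-filter=speed-profile"),
    # Constructed: the app process itself, which is not a dex2oat invocation.
    ("4265", "nyqr.epzsj.vqgn"),
]


if __name__ == "__main__":
    for pid, load in find_dropped_dex(SAMPLE_PROCESSES):
        print(f"pid {pid}: {load.package} loaded {load.dex_file} "
              f"(filter={load.compiler_filter}, clc={load.class_loader_context!r})")
```

Run against the three records, only PID 4294 is reported: iace.dex sits under /data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/, so it was written by the app after install rather than shipped in the APK. Treat the dex2oat line as one indicator among the others in this report, not on its own: the same tool runs for legitimate secondary-dex compilation, and newer ART releases can defer or skip it for runtime class-loader loads, so its absence on another image does not prove that no code was dropped.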
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
nyqr.epzsj.vqgn
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | nyqr.epzsj.vqgn
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | nyqr.epzsj.vqgn
-
Acquires the wake lock 1 IoCs
Processes:
nyqr.epzsj.vqgn
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | nyqr.epzsj.vqgn
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
nyqr.epzsj.vqgn
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | nyqr.epzsj.vqgn
-
Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs
Application may abuse the accessibility service to prevent its removal.
Processes:
nyqr.epzsj.vqgn
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | nyqr.epzsj.vqgn
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | nyqr.epzsj.vqgn
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | nyqr.epzsj.vqgn
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | nyqr.epzsj.vqgn
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
nyqr.epzsj.vqgn
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | nyqr.epzsj.vqgn
-
Requests enabling of the accessibility settings. 1 IoCs
Processes:
nyqr.epzsj.vqgn
description | ioc | process
Intent action | android.settings.ACCESSIBILITY_SETTINGS | nyqr.epzsj.vqgn
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
nyqr.epzsj.vqgn
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | nyqr.epzsj.vqgn
Processes
-
nyqr.epzsj.vqgn
PID: 4265
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Registers a broadcast receiver at runtime (usually for listening for system events)
  Child process:
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/iace.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/nyqr.epzsj.vqgn/files/Factory/Plugins/oat/x86/iace.odex --compiler-filter=quicken --class-loader-context=&
  PID: 4294
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1): Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2): Suppress Application Icon (1), User Evasion (1)
- Impair Defenses (1): Prevent Application Removal (1)
- Input Injection (1)
Downloads
-
Filesize
153B
MD5
5e6be29ca45d6d4272a52770e9958b26
SHA1
e711fd7de55319ff37b98b0a62b4072955ecf716
SHA256
adc3b50039d350c7c15632fdeb4d5046dd081f6289de1012f58d5768b281c7f3
SHA512
204a3d1d9d1f1b9669403847a0e1c8b57a0091d0557f04dc47c7574aab4188bcbb32d7ef4aa86d620e9c51c07efba9986d0ef34fde0dae63b5eb9a4b24f81f87
-
Filesize
171KB
MD5
0bdfe786a5f5cfe2dc096c145f008cbd
SHA1
955448fbba0ade245e7fbcbbc7a508c3384f7cb3
SHA256
cd3687c72dcc8b9596b1a4887d69a08d9208122bbcf1e627023bc6056aed161f
SHA512
a4767330f66fc3fb272b32f9363213e6bd166cc3d697f6e3cfcfb568ffb1d841dcc7b4db1f5c82bcfd6e5a7c4337e9c9db0fb19ae84a52c8c716228c41939e27
-
Filesize
171KB
MD5
0b8acbb7c58b34500835df570a13ec69
SHA1
ebd7c817f40d8f206a6db70178c4fb5b4e08793b
SHA256
a28063669fad8546e82d3da8944c6b1f04d4d8379759c68763a3f1154425c5d8
SHA512
2613218ce81b985035555ba59dc13c3a4bb263a6e5ca3a83811aea00969434687e0c38f9377eb393a5955ce0ba426c3d1f3600ed290939dbbada8414dc8b92bb