Analysis

  • max time kernel
    49s
  • max time network
    119s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    04-07-2024 22:06

General

  • Target

    f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk

  • Size

    109KB

  • MD5

    7a0f526a88551f8388bc2af5186d263f

  • SHA1

    216aa5a08ccb53aca8ad2079dd2ddfc4c46a3d8b

  • SHA256

    f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22

  • SHA512

    285fe4c494be20cd095d089a1543e396b0b484ba26183d15b7377a13443081bfd11211fa298424cc819763aa0793ea90d069bd53a160c1201060152f67f1769a

  • SSDEEP

    1536:6DIiMAp4EgH1wUqcsp41SbrJ9lx2s/rk4gcAKTW4zwmvXlqNYsnI4G5GGH4lfwSS:IMIOpsSSbrJbW+wm/oNYsnNG5l4lNS

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 6 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Sends BOOT_COMPLETED broadcast intent. 2 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • buya.tgfrj.fhzv
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Sends BOOT_COMPLETED broadcast intent.
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4255
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/oat/x86/pueq.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex

    Filesize

    33KB

    MD5

    2c36e9be721b0883f5bc1f71b3f2d918

    SHA1

    1c4d662470eae7f0af3364f1563b78472183e7a0

    SHA256

    0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d

    SHA512

    fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

  • /data/data/buya.tgfrj.fhzv/files/Factory/Plugins/oat/pueq.dex.cur.prof

    Filesize

    217B

    MD5

    6e4513a1a165729738824b067a3ed358

    SHA1

    dc3fb02b05c5ec5a026d03bb9243f6696a055ee8

    SHA256

    1b8da6fe576ef99e4e7713a51ac37605949e6943bedf1b592e7c79a36964df7d

    SHA512

    0a9c6be670d43010bb503cc0fbc3fb35cb5f448655c6a3da21db5144e40e5447172fa34a6f2b41b5cf5851ce14fd3ecd6a74949fd17aed3563c8debee432b224

  • /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex

    Filesize

    171KB

    MD5

    82c0c796dcdf9c0d62d0e7300d4b2558

    SHA1

    e8d333c3120560fda15f4d046831bffded60d92c

    SHA256

    c70a03c2acb39b2c64fe56d2521290d78a4d45000b92ed0bfb905235e676cd6d

    SHA512

    3d4212e36dc4b4858ce5af88f2c27325766462746da20a527da9226af1d3487cbc53122776face3c1997e5fdd3a780f13f732d923c8e4fbd3d4720c784773682

  • Anonymous-DexFile@0xc7e09000-0xc7e31e20

    Filesize

    163KB

    MD5

    28f5b27fc4e99ed8e65833e6f764fd8a

    SHA1

    d33641927253c0b824010cdd8fbd88f92b3734ee

    SHA256

    8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c

    SHA512

    e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

  • Anonymous-DexFile@0xc902f000-0xc9059e30

    Filesize

    171KB

    MD5

    7dfc40a506bdc99a7fcd6546549f562b

    SHA1

    149893d5cc023a3d5f18a15346d8e1a3407573e9

    SHA256

    e5b16930a9f12bef13e04c6ee340e0a51710493729adcc05762bcc7c7fc20aba

    SHA512

    333026cc464663b1b6b16e4d61051be43e46fa8ddd40206bebfbac99a172e905d6beddd4782e049764460f52a096fb588514b16d8cfb4567bb5ae9c9f40c2b53