Analysis
max time kernel: 49s
max time network: 119s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 04-07-2024 22:06
Static task: static1

Behavioral task: behavioral1
Sample: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk
Resource: android-x64-arm64-20240624-en
General
Target: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk
Size: 109KB
MD5: 7a0f526a88551f8388bc2af5186d263f
SHA1: 216aa5a08ccb53aca8ad2079dd2ddfc4c46a3d8b
SHA256: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22
SHA512: 285fe4c494be20cd095d089a1543e396b0b484ba26183d15b7377a13443081bfd11211fa298424cc819763aa0793ea90d069bd53a160c1201060152f67f1769a
SSDEEP: 1536:6DIiMAp4EgH1wUqcsp41SbrJ9lx2s/rk4gcAKTW4zwmvXlqNYsnI4G5GGH4lfwSS:IMIOpsSSbrJbW+wm/oNYsnNG5l4lNS
Malware Config
Signatures

Loads dropped Dex/Jar (1 TTPs, 6 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
- buya.tgfrj.fhzv
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/oat/x86/pueq.odex --compiler-filter=quicken --class-loader-context=&
ioc | pid | process
Anonymous-DexFile@0xc902f000-0xc9059e30 | 4255 | buya.tgfrj.fhzv
/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex | 4255 | buya.tgfrj.fhzv
/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex | 4284 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/oat/x86/pueq.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex | 4255 | buya.tgfrj.fhzv
Anonymous-DexFile@0xc7e09000-0xc7e31e20 | 4255 | buya.tgfrj.fhzv
/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex | 4255 | buya.tgfrj.fhzv
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
- buya.tgfrj.fhzv
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | buya.tgfrj.fhzv
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | buya.tgfrj.fhzv
Acquires the wake lock (1 IoCs)
Processes:
- buya.tgfrj.fhzv
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | buya.tgfrj.fhzv
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
- buya.tgfrj.fhzv
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | buya.tgfrj.fhzv
Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
- buya.tgfrj.fhzv
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | buya.tgfrj.fhzv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | buya.tgfrj.fhzv
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes:
- buya.tgfrj.fhzv
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | buya.tgfrj.fhzv
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
Processes:
- buya.tgfrj.fhzv
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | buya.tgfrj.fhzv
Requests enabling of the accessibility settings. (1 IoCs)
Processes:
- buya.tgfrj.fhzv
description | ioc | process
Intent action | android.settings.ACCESSIBILITY_SETTINGS | buya.tgfrj.fhzv
Sends BOOT_COMPLETED broadcast intent. (2 TTPs, 1 IoCs)
Processes:
- buya.tgfrj.fhzv
description | ioc | process
Intent action | android.intent.action.BOOT_COMPLETED | buya.tgfrj.fhzv
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
- buya.tgfrj.fhzv
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | buya.tgfrj.fhzv
Processes

buya.tgfrj.fhzv
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Sends BOOT_COMPLETED broadcast intent.
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID: 4255

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/oat/x86/pueq.odex --compiler-filter=quicken --class-loader-context=& (child process)
  - Loads dropped Dex/Jar
  PID: 4284
Network
MITRE ATT&CK Mobile v15

Persistence
- Boot or Logon Initialization Scripts (1)
- Event Triggered Execution (2)
  - Broadcast Receivers (2)
- Foreground Persistence (1)

Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads

Filesize: 33KB
MD5: 2c36e9be721b0883f5bc1f71b3f2d918
SHA1: 1c4d662470eae7f0af3364f1563b78472183e7a0
SHA256: 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
SHA512: fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

Filesize: 217B
MD5: 6e4513a1a165729738824b067a3ed358
SHA1: dc3fb02b05c5ec5a026d03bb9243f6696a055ee8
SHA256: 1b8da6fe576ef99e4e7713a51ac37605949e6943bedf1b592e7c79a36964df7d
SHA512: 0a9c6be670d43010bb503cc0fbc3fb35cb5f448655c6a3da21db5144e40e5447172fa34a6f2b41b5cf5851ce14fd3ecd6a74949fd17aed3563c8debee432b224

Filesize: 171KB
MD5: 82c0c796dcdf9c0d62d0e7300d4b2558
SHA1: e8d333c3120560fda15f4d046831bffded60d92c
SHA256: c70a03c2acb39b2c64fe56d2521290d78a4d45000b92ed0bfb905235e676cd6d
SHA512: 3d4212e36dc4b4858ce5af88f2c27325766462746da20a527da9226af1d3487cbc53122776face3c1997e5fdd3a780f13f732d923c8e4fbd3d4720c784773682

Filesize: 163KB
MD5: 28f5b27fc4e99ed8e65833e6f764fd8a
SHA1: d33641927253c0b824010cdd8fbd88f92b3734ee
SHA256: 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
SHA512: e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

Filesize: 171KB
MD5: 7dfc40a506bdc99a7fcd6546549f562b
SHA1: 149893d5cc023a3d5f18a15346d8e1a3407573e9
SHA256: e5b16930a9f12bef13e04c6ee340e0a51710493729adcc05762bcc7c7fc20aba
SHA512: 333026cc464663b1b6b16e4d61051be43e46fa8ddd40206bebfbac99a172e905d6beddd4782e049764460f52a096fb588514b16d8cfb4567bb5ae9c9f40c2b53