Analysis

  • max time kernel
    179s
  • max time network
    182s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    04-07-2024 22:06

General

  • Target

    f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk

  • Size

    109KB

  • MD5

    7a0f526a88551f8388bc2af5186d263f

  • SHA1

    216aa5a08ccb53aca8ad2079dd2ddfc4c46a3d8b

  • SHA256

    f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22

  • SHA512

    285fe4c494be20cd095d089a1543e396b0b484ba26183d15b7377a13443081bfd11211fa298424cc819763aa0793ea90d069bd53a160c1201060152f67f1769a

  • SSDEEP

    1536:6DIiMAp4EgH1wUqcsp41SbrJ9lx2s/rk4gcAKTW4zwmvXlqNYsnI4G5GGH4lfwSS:IMIOpsSSbrJbW+wm/oNYsnNG5l4lNS

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
  • Loads dropped Dex/Jar 1 TTPs 24 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

Processes

  • buya.tgfrj.fhzv
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:5055

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex

    Filesize

    33KB

    MD5

    2c36e9be721b0883f5bc1f71b3f2d918

    SHA1

    1c4d662470eae7f0af3364f1563b78472183e7a0

    SHA256

    0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d

    SHA512

    fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

  • /data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex

    Filesize

    37KB

    MD5

    19b705d3574791cfcc095173c8cabc8d

    SHA1

    05ab01d27521b77b02597b03265c9b859a1e3988

    SHA256

    4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804

    SHA512

    099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2

  • /data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex

    Filesize

    67KB

    MD5

    4883ac1657fa237da009253bc9a28b02

    SHA1

    fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113

    SHA256

    8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262

    SHA512

    183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1

  • /data/data/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex

    Filesize

    28KB

    MD5

    c988c8ad5214967f7e8928bdbbfb70b0

    SHA1

    af58e3a4f99f27ba483b2d076e7be41181bf6f34

    SHA256

    a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74

    SHA512

    1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9

  • /data/data/buya.tgfrj.fhzv/files/Factory/Plugins/oat/pueq.dex.cur.prof

    Filesize

    214B

    MD5

    e55abe2943451de21caf6ba703c13626

    SHA1

    eda966a06617cb33385392b45fcd4df9dcfc26e5

    SHA256

    bfe79da74d9eae7d2730d987c272bfc8d41f158eca425c27dd876613c36850fc

    SHA512

    3cc2cf0eef5a563e30d420c5bb4e5820260947666f84b987d2a0c05fa8ca6f17947962db9be0ee8cf20500921af20d3c0593659f5bdace3f104c635862a1fb8f

  • /data/data/buya.tgfrj.fhzv/oat/x86_64/[email protected]

    Filesize

    227B

    MD5

    152510aafce588be86edd785dd51077c

    SHA1

    cfc9710774e006a5d3949b9486bffeb3935c3d20

    SHA256

    002ba8519631df1de5e2b86eed056c1d346bb6993c09ebffc7f76ed3081de7b9

    SHA512

    90a07869bbc5a4825d6e0d988419eada019ac893187bec8b0402ee7e62e15e43b4dbb817905eeb7c2d88ae1f770efbfc6dbaaa8c2d64e1eb01ccd86784662079

  • /data/data/buya.tgfrj.fhzv/oat/x86_64/[email protected]

    Filesize

    156B

    MD5

    ffa57ecaa540853d871ad7d2ad17dad8

    SHA1

    22e1c452434642e1cb884a7db8d9a12182dc662a

    SHA256

    8e973f05dd29df1362f655a85b4be22c57ac3bdcc46641b215f034091fd154d0

    SHA512

    5e5e8b5a51c9e6ddf3a4fa2af95f94be153f763f706327f4b6dec8e72a4f55868d4241f8c3ae523942b78161c2bcf4058dfe9632812d5e02d2f7e673f23ad874

  • /data/user/0/buya.tgfrj.fhzv/[email protected]

    Filesize

    163KB

    MD5

    28f5b27fc4e99ed8e65833e6f764fd8a

    SHA1

    d33641927253c0b824010cdd8fbd88f92b3734ee

    SHA256

    8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c

    SHA512

    e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

  • /data/user/0/buya.tgfrj.fhzv/[email protected]

    Filesize

    171KB

    MD5

    7dfc40a506bdc99a7fcd6546549f562b

    SHA1

    149893d5cc023a3d5f18a15346d8e1a3407573e9

    SHA256

    e5b16930a9f12bef13e04c6ee340e0a51710493729adcc05762bcc7c7fc20aba

    SHA512

    333026cc464663b1b6b16e4d61051be43e46fa8ddd40206bebfbac99a172e905d6beddd4782e049764460f52a096fb588514b16d8cfb4567bb5ae9c9f40c2b53