Analysis
- max time kernel: 179s
- max time network: 182s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 04-07-2024 22:06
Static task: static1
Behavioral task: behavioral1
- Sample: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22.apk
- Size: 109KB
- MD5: 7a0f526a88551f8388bc2af5186d263f
- SHA1: 216aa5a08ccb53aca8ad2079dd2ddfc4c46a3d8b
- SHA256: f59aa1316b5b06523a3cacf063d482c5c3d6bb6a94bc9f9cc3edbd691b69ab22
- SHA512: 285fe4c494be20cd095d089a1543e396b0b484ba26183d15b7377a13443081bfd11211fa298424cc819763aa0793ea90d069bd53a160c1201060152f67f1769a
- SSDEEP: 1536:6DIiMAp4EgH1wUqcsp41SbrJ9lx2s/rk4gcAKTW4zwmvXlqNYsnI4G5GGH4lfwSS:IMIOpsSSbrJbW+wm/oNYsnNG5l4lNS
Malware Config
Signatures
- Loads dropped Dex/Jar (1 TTPs, 24 IoCs)
  Runs executable file dropped to the device during analysis.
  Processes: buya.tgfrj.fhzv (ioc | pid | process)
    /data/user/0/buya.tgfrj.fhzv/[email protected] | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/pueq.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/[email protected] | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes1.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes2.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes3.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex | 5055 | buya.tgfrj.fhzv
    /data/user/0/buya.tgfrj.fhzv/files/Factory/Plugins/classes4.dex | 5055 | buya.tgfrj.fhzv
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: buya.tgfrj.fhzv (description | ioc | process)
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | buya.tgfrj.fhzv
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | buya.tgfrj.fhzv
- Acquires the wake lock (1 IoCs)
  Processes: buya.tgfrj.fhzv (description | ioc | process)
    Framework service call | android.os.IPowerManager.acquireWakeLock | buya.tgfrj.fhzv
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: buya.tgfrj.fhzv (description | ioc | process)
    Framework service call | android.app.IActivityManager.setServiceForeground | buya.tgfrj.fhzv
- Performs UI accessibility actions on behalf of the user (1 TTPs, 4 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Processes: buya.tgfrj.fhzv (ioc | process)
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | buya.tgfrj.fhzv
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | buya.tgfrj.fhzv
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | buya.tgfrj.fhzv
    android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | buya.tgfrj.fhzv
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: buya.tgfrj.fhzv (description | ioc | process)
    Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | buya.tgfrj.fhzv
- Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: buya.tgfrj.fhzv (description | ioc | process)
    Framework service call | android.app.IActivityManager.registerReceiver | buya.tgfrj.fhzv
Processes
- buya.tgfrj.fhzv (PID: 5055)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - Suppress Application Icon (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads