Analysis
max time kernel: 179s
max time network: 185s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 07-07-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
Size: 112KB
MD5: ecb650ba8fbce291b2c4ce8678f93663
SHA1: 83ae27e9c83ac0acd78bbf3878cb8b487f3d0f53
SHA256: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e
SHA512: 7d8b9ceafb1fb6214bd863376cb5f67452a06051f631857ad41b23ec2d4b4a5b6fc9f3b348d895b612dc03ad799dc117fa2a3bb2c8b06d96337838e2611a1901
SSDEEP: 3072:nHLd3fI7gvUpcjqA4J39TkeVssZaffY32C/hXryu9G:Hx3+gvU2W9keVssIfY32C/1rD9G
Malware Config
Signatures
-
Loads dropped Dex/Jar (1 TTPs, 18 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
- hybz.kjsgu.otrn
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/xekl.odex --compiler-filter=quicken --class-loader-context=&
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex --output-vdex-fd=43 --oat-fd=52 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex --output-vdex-fd=52 --oat-fd=53 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/classes4.odex --compiler-filter=quicken --class-loader-context=&
ioc | pid | process
Anonymous-DexFile@0xc9157000-0xc9181e40 | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex | 4278 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/xekl.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex | 4251 | hybz.kjsgu.otrn
Anonymous-DexFile@0xc7b99000-0xc7bc1e20 | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4424 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex --output-vdex-fd=43 --oat-fd=52 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4467 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex --output-vdex-fd=52 --oat-fd=53 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/classes4.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4251 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4251 | hybz.kjsgu.otrn
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
- hybz.kjsgu.otrn
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | hybz.kjsgu.otrn
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | hybz.kjsgu.otrn
Acquires the wake lock (1 IoCs)
Processes:
- hybz.kjsgu.otrn
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | hybz.kjsgu.otrn
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
- hybz.kjsgu.otrn
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | hybz.kjsgu.otrn
Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
- hybz.kjsgu.otrn
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | hybz.kjsgu.otrn
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | hybz.kjsgu.otrn
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes:
- hybz.kjsgu.otrn
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | hybz.kjsgu.otrn
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
Processes:
- hybz.kjsgu.otrn
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | hybz.kjsgu.otrn
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
- hybz.kjsgu.otrn
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | hybz.kjsgu.otrn
Processes
hybz.kjsgu.otrn
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  PID: 4251
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/xekl.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
    PID: 4278
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex --output-vdex-fd=43 --oat-fd=52 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
    PID: 4424
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex --output-vdex-fd=52 --oat-fd=53 --oat-location=/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/oat/x86/classes4.odex --compiler-filter=quicken --class-loader-context=&
    - Loads dropped Dex/Jar
    PID: 4467
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads
- Filesize: 33KB
  MD5: 2c36e9be721b0883f5bc1f71b3f2d918
  SHA1: 1c4d662470eae7f0af3364f1563b78472183e7a0
  SHA256: 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
  SHA512: fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8
- Filesize: 37KB
  MD5: 19b705d3574791cfcc095173c8cabc8d
  SHA1: 05ab01d27521b77b02597b03265c9b859a1e3988
  SHA256: 4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804
  SHA512: 099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2
- Filesize: 67KB
  MD5: 4883ac1657fa237da009253bc9a28b02
  SHA1: fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113
  SHA256: 8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262
  SHA512: 183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1
- Filesize: 28KB
  MD5: c988c8ad5214967f7e8928bdbbfb70b0
  SHA1: af58e3a4f99f27ba483b2d076e7be41181bf6f34
  SHA256: a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74
  SHA512: 1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9
- Filesize: 287B
  MD5: 29d01d37b31ad2d5ba04ff133d817f47
  SHA1: 20465f5f8c9df8a877a20961c889d70968ca0dfd
  SHA256: a0edea549456e46888f3612dd62e4503ab9a69a0c94ac23f9dc68c3c8db5cea4
  SHA512: ce45448791a7458a6356617a401e986cbe0cca3bf80199187b14c9701d0e5c51bb8bf5a308259bbf5b1e891553bb79acb7079b120506325554adf68483d9312a
- Filesize: 37KB
  MD5: fa33671436c87fdea53c796ba2a6beac
  SHA1: b9c82e91047e6fe625b8264b4462ba6d51d5d43d
  SHA256: 5e82809e5012014b56ac83fd5a5d4518a5ab14f3dcb1a3844748d03bbaa4967f
  SHA512: a3ea95757766b1599b79a1fd2ff006ebcc67e9e5c43a16c838efca258c638e868e481361cc04af6f36870aac95b0cd09f02ddbc7643f8c7449172add3edd928a
- Filesize: 28KB
  MD5: e42382ea2d47d71bab246b374c6ee4bb
  SHA1: a787a00abe09928e780f2a67c86c97aadfdd4569
  SHA256: 9332b539df650c023c42997d24a7618d75757dc053d4605b26f87dd92ab8907f
  SHA512: 17781a63b2c8616e14d303e3573d7248672b53cba848cd9e1d0a5990bf1d17a150f395f76a42b7ed3bd3465f6adc197eba50d33d03ff03202a5aaef66a2c0d89
- Filesize: 171KB
  MD5: 928aface4d79d1ea949eff61bd9dee58
  SHA1: c36bfd8a82164b0ae0a5c475102bdc707738d21c
  SHA256: c876c2f873d63f4c74be04057ddcda3309d4f0aa4395f7c7003527fc677f6ecf
  SHA512: 6a82dd200c48a4184167987fb2dce51e732d05f9e3e4ed43dd3fbd1f3ea4b9a35c3e12ec1412fa2411c2683b51d62cc9421405b0dba92fd49d867a65676d7feb
- Filesize: 163KB
  MD5: 28f5b27fc4e99ed8e65833e6f764fd8a
  SHA1: d33641927253c0b824010cdd8fbd88f92b3734ee
  SHA256: 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
  SHA512: e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05
- Filesize: 171KB
  MD5: 6a053aec2b97522ec06101606f903979
  SHA1: f1011740bca7f6f0d7fa5a2effd3db37d2d62333
  SHA256: b84deb0f238bfcf3fd5c9f97695f90d31251baa0fe745a3a9884f4d34e244127
  SHA512: 45bb5a19b040f69451ff597f2d0b093a1497ba5bf83e8b982ed33826561e01b7b309922f09a1ea1e76691a7310e361bca8eec18e38f2628f84cb4c8215641984