Analysis
max time kernel: 179s
max time network: 185s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 07-07-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
Size: 112KB
MD5: ecb650ba8fbce291b2c4ce8678f93663
SHA1: 83ae27e9c83ac0acd78bbf3878cb8b487f3d0f53
SHA256: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e
SHA512: 7d8b9ceafb1fb6214bd863376cb5f67452a06051f631857ad41b23ec2d4b4a5b6fc9f3b348d895b612dc03ad799dc117fa2a3bb2c8b06d96337838e2611a1901
SSDEEP: 3072:nHLd3fI7gvUpcjqA4J39TkeVssZaffY32C/hXryu9G:Hx3+gvU2W9keVssIfY32C/1rD9G
Malware Config
Signatures

Loads dropped Dex/Jar (1 TTPs, 24 IoCs)
Runs executable file dropped to the device during analysis.
Processes: hybz.kjsgu.otrn
ioc | pid | process
/data/user/0/hybz.kjsgu.otrn/[email protected] | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/[email protected] | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4973 | hybz.kjsgu.otrn
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex | 4973 | hybz.kjsgu.otrn

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: hybz.kjsgu.otrn
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | hybz.kjsgu.otrn
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | hybz.kjsgu.otrn

Acquires the wake lock (1 IoCs)
Processes: hybz.kjsgu.otrn
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | hybz.kjsgu.otrn

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: hybz.kjsgu.otrn
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | hybz.kjsgu.otrn

Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes: hybz.kjsgu.otrn
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | hybz.kjsgu.otrn
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | hybz.kjsgu.otrn

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes: hybz.kjsgu.otrn
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | hybz.kjsgu.otrn

Queries the unique device ID (IMEI, MEID, IMSI) (1 TTPs)

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes: hybz.kjsgu.otrn
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | hybz.kjsgu.otrn
Processes
hybz.kjsgu.otrn (PID: 4973)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- Suppress Application Icon (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Downloads