Analysis
max time kernel: 179s
max time network: 185s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 07-07-2024 22:00
Static task: static1
Behavioral task: behavioral1
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e.apk
Size: 112KB
MD5: ecb650ba8fbce291b2c4ce8678f93663
SHA1: 83ae27e9c83ac0acd78bbf3878cb8b487f3d0f53
SHA256: 8758999e18a0e8ad8ae07929cacaf348011c692d8ed53acf0a40640c08bbb33e
SHA512: 7d8b9ceafb1fb6214bd863376cb5f67452a06051f631857ad41b23ec2d4b4a5b6fc9f3b348d895b612dc03ad799dc117fa2a3bb2c8b06d96337838e2611a1901
SSDEEP: 3072:nHLd3fI7gvUpcjqA4J39TkeVssZaffY32C/hXryu9G:Hx3+gvU2W9keVssIfY32C/1rD9G
Malware Config
Signatures
-
Loads dropped Dex/Jar (1 TTP, 24 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
All 24 loads were performed by hybz.kjsgu.otrn (PID 4524). IoC paths, in the order recorded:
/data/user/0/hybz.kjsgu.otrn/[email protected]
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/xekl.dex
/data/user/0/hybz.kjsgu.otrn/[email protected]
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes1.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes2.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes3.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex
/data/user/0/hybz.kjsgu.otrn/files/Factory/Plugins/classes4.dex
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process hybz.kjsgu.otrn)
Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process hybz.kjsgu.otrn)
Acquires the wake lock (1 IoC)
Processes:
Framework service call: android.os.IPowerManager.acquireWakeLock (process hybz.kjsgu.otrn)
Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
Framework service call: android.app.IActivityManager.setServiceForeground (process hybz.kjsgu.otrn)
Performs UI accessibility actions on behalf of the user (1 TTP, 2 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process hybz.kjsgu.otrn)
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process hybz.kjsgu.otrn)
Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes:
Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process hybz.kjsgu.otrn)
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTP, 1 IoC)
Processes:
Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process hybz.kjsgu.otrn)
Processes
hybz.kjsgu.otrn (PID 4524)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
Network
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (T1407): 1
  Foreground Persistence (T1541): 1
  Hide Artifacts (T1628): 2
    Suppress Application Icon (T1628.001): 1
    User Evasion (T1628.002): 1
  Impair Defenses (T1629): 1
    Prevent Application Removal (T1629.001): 1
  Input Injection (T1516): 1
Downloads
/data/user/0/hybz.kjsgu.otrn/[email protected]
  Filesize: 171KB
  MD5: 6a053aec2b97522ec06101606f903979
  SHA1: f1011740bca7f6f0d7fa5a2effd3db37d2d62333
  SHA256: b84deb0f238bfcf3fd5c9f97695f90d31251baa0fe745a3a9884f4d34e244127
  SHA512: 45bb5a19b040f69451ff597f2d0b093a1497ba5bf83e8b982ed33826561e01b7b309922f09a1ea1e76691a7310e361bca8eec18e38f2628f84cb4c8215641984

/data/user/0/hybz.kjsgu.otrn/[email protected]
  Filesize: 163KB
  MD5: 28f5b27fc4e99ed8e65833e6f764fd8a
  SHA1: d33641927253c0b824010cdd8fbd88f92b3734ee
  SHA256: 8c9af932b9f6ae79ddb9699d96b9b606d8a86aa450be6184468cf2901a3eb77c
  SHA512: e397d04cb263f8c58fe366954ad1cabefb9dde7b238ecdfdaeec326761b52d0b0638c568251a5742caf6c972ef27431eecea92869f4cd6a9499472dff4bc1d05

(path not shown)
  Filesize: 33KB
  MD5: 2c36e9be721b0883f5bc1f71b3f2d918
  SHA1: 1c4d662470eae7f0af3364f1563b78472183e7a0
  SHA256: 0ea0c0a03a1999a9d3471a8ce584eea7e16f60ceeeabb6474fada356fc72779d
  SHA512: fb99247128256c045ea49c7edfc3012d1e074419c30c684399ca6e4563823a2109917af7b42ba6399e891081f06a4be98625a4cf696a0a19eeba08ab450132a8

(path not shown)
  Filesize: 37KB
  MD5: 19b705d3574791cfcc095173c8cabc8d
  SHA1: 05ab01d27521b77b02597b03265c9b859a1e3988
  SHA256: 4ed3aa44064cc17b3c2ece322d6a95d8074e6a4f8f35913523304a0bddfca804
  SHA512: 099df3863d305903a87ba7131a5897598dc2565ab82f85e2d084897cd3c0327b314bdf81bfffc676161aa6dc62c7d66445b881514b9fd287cb31233d6d0136d2

(path not shown)
  Filesize: 67KB
  MD5: 4883ac1657fa237da009253bc9a28b02
  SHA1: fe697aa7be00f3e976bf1fe7ab4edbdfd64ab113
  SHA256: 8c81b2696863b825b399872029d82794b88c52455862bdb6a5a0403ac8a1e262
  SHA512: 183e20bec9d7ae2bbbdbe7e4170fb89519c0f8ad8b8f29185ab8c1e2b9758bb9015afa3e042c1e7d8bdc28eaba9d331cbc026463af57ab31ddcf3d76d821fdc1

(path not shown)
  Filesize: 28KB
  MD5: c988c8ad5214967f7e8928bdbbfb70b0
  SHA1: af58e3a4f99f27ba483b2d076e7be41181bf6f34
  SHA256: a51308f107878dc829d6791b93419c5cba2aecf8697979060aab12231a988d74
  SHA512: 1a56d6dc3f6c184c3f4e5296c773a59d4b71b7c924e53774331986e58404611e8c5241010906e279c5f2c1d4251b8f80c21f8e29dc716b1424c049e7234984a9

(path not shown)
  Filesize: 264B
  MD5: 899f62750f50a04394296937a9e6d7d7
  SHA1: ac674c933c1fb12e41f3b9753aa7e8648c249903
  SHA256: bf1e31fbb6055a588c72db497f579e84b8dfae5c4feb6c5bb10e73beccf307c5
  SHA512: a87b871ec4d0837060e509f37f4dc2429f4875e1b6f82d59521fbb0b81f50e67f1558096c738e0ee256fad1a541094b6aa9dfdc3f18a898501f9e7469c8fbf13

/data/user/0/hybz.kjsgu.otrn/oat/x86_64/[email protected]
  Filesize: 397B
  MD5: 3884104b0435dfd9cca95e364b80a383
  SHA1: 3b863386e4e5ccf70639b76964fc2117ab06de6f
  SHA256: 5ade1752f5e29ece22215a6351ed0c8c511e42ccd76a77b57a42f86e1f41da04
  SHA512: 7c58e305697de37739d65fb62cc88176ce908a315f057d139148df9259a78fa132e4349f9cd35d30cff7084fb4d4e24934369d695fc02c40096a0c24a3616a28

/data/user/0/hybz.kjsgu.otrn/oat/x86_64/[email protected]
  Filesize: 468B
  MD5: 7f8778cf69420c6cd4582a74972325be
  SHA1: 1c9162e0a533dda4c6bfb048c7949071402c606b
  SHA256: cb556fc9d55a2854b7d491cf5df7e960f9b91ef18fccffecf3cbbfee7877ed1f
  SHA512: 097cb3f4fcb75168054adb8be9e4bbd3d16264db80d8958fe156cd0924307a97da437392048ca379b7b77588b4b57fe65bdda795740b07675e6189f07b1004d2
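The Downloads section records only digests for the files the sample dropped and loaded. An analyst who pulls one of the Plugins/*.dex files off the emulator would first confirm it is a well-formed DEX (and not, say, a still-encrypted blob with a .dex name) before decompiling it, and match its digests against the entries above. The Python below is an added example, not part of this report: it parses the fixed 0x70-byte DEX header and checks the magic, Adler-32 checksum (over everything after the checksum field), SHA-1 signature (over everything after the signature field), file_size, header_size and endian_tag, as laid out in the AOSP dex format. The dropped files themselves are not on this page, so the check runs on a constructed header-only DEX.

```python
"""Sanity-check a recovered .dex before handing it to a decompiler.

Added example, not the sandbox's code. The sample DEX is constructed
(an empty header-only file), not one of the files listed in the report.
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_TAG = 0x12345678
DEX_KNOWN_VERSIONS = {b"035", b"037", b"038", b"039"}


def parse_dex_header(blob: bytes) -> dict:
    """Unpack the fields of the little-endian DEX header that can be cross-checked."""
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = blob[0:8]                                   # b"dex\n035\0"
    (checksum,) = struct.unpack_from("<I", blob, 8)     # adler32 of blob[12:]
    signature = blob[12:32]                             # sha1 of blob[32:]
    file_size, header_size, endian_tag = struct.unpack_from("<3I", blob, 32)
    return {
        "magic": magic,
        "version": magic[4:7],
        "checksum": checksum,
        "signature": signature,
        "file_size": file_size,
        "header_size": header_size,
        "endian_tag": endian_tag,
    }


def verify_dex(blob: bytes) -> list:
    """Return the list of inconsistencies found; an empty list means the header checks out."""
    problems = []
    try:
        hdr = parse_dex_header(blob)
    except ValueError as exc:
        return [str(exc)]
    if not (hdr["magic"].startswith(b"dex\n") and hdr["magic"][7:8] == b"\0"):
        problems.append("bad magic")
    if hdr["version"] not in DEX_KNOWN_VERSIONS:
        problems.append("unknown dex version %r" % hdr["version"])
    if hdr["header_size"] != DEX_HEADER_SIZE:
        problems.append("unexpected header_size 0x%x" % hdr["header_size"])
    if hdr["endian_tag"] != DEX_ENDIAN_TAG:
        problems.append("unexpected endian_tag 0x%08x" % hdr["endian_tag"])
    if hdr["file_size"] != len(blob):
        problems.append("file_size %d != actual %d" % (hdr["file_size"], len(blob)))
    # The checksum covers everything after the checksum field, signature included.
    if (zlib.adler32(blob[12:]) & 0xFFFFFFFF) != hdr["checksum"]:
        problems.append("adler32 checksum mismatch")
    # The signature covers everything after the signature field.
    if hashlib.sha1(blob[32:]).digest() != hdr["signature"]:
        problems.append("sha1 signature mismatch")
    return problems


def digests(blob: bytes) -> dict:
    """The four digests a 'Downloads' entry lists, for matching a recovered file to the report."""
    return {name: hashlib.new(name, blob).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def build_minimal_dex() -> bytes:
    """Constructed header-only DEX (all tables empty) with a valid checksum and signature."""
    body = bytearray(DEX_HEADER_SIZE)
    body[0:8] = b"dex\n035\0"
    # file_size, header_size, endian_tag at offsets 0x20, 0x24, 0x28
    struct.pack_into("<3I", body, 32, DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_TAG)
    # data_off at 0x6C: point just past the header (there is no data section)
    struct.pack_into("<I", body, 0x6C, DEX_HEADER_SIZE)
    # Signature first (it is covered by the checksum), then the checksum.
    body[12:32] = hashlib.sha1(body[32:]).digest()
    struct.pack_into("<I", body, 8, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


if __name__ == "__main__":
    dex = build_minimal_dex()
    print("header problems:", verify_dex(dex) or "none")
    print("digests:", digests(dex))
    tampered = bytearray(dex)
    tampered[0x6C] ^= 0x01          # flip one bit of data_off
    print("after tampering:", verify_dex(bytes(tampered)))
```

A checksum or signature mismatch on a file the sandbox recorded as loaded does not by itself mean the file is malformed: some loaders patch headers after reading, and packers write DEX files with deliberately wrong checksums because ART does not verify them by default. It does mean the bytes on disk are not what the header claims, which is worth noting before trusting any decompiler output.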