9b81bc3d542d0b725fd72ee45f339ad74e4c8a0916281ea6b83177d7c74bcf5b

Analysis

max time kernel
179s
max time network
181s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
14-07-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b81bc3d542d0b725fd72ee45f339ad74e4c8a0916281ea6b83177d7c74bcf5b.apk
Size

1.5MB
MD5

457c10101cbd978be3c6948cd5e040a4
SHA1

a0495306bb6b7ffd076e89adcf1128479cd67a29
SHA256

9b81bc3d542d0b725fd72ee45f339ad74e4c8a0916281ea6b83177d7c74bcf5b
SHA512

db38da19e8ec5385885e89f2727605b1deb6d4c99871dea644dcec68be9329acfade4295ff74047f1f5c310024b41af21da30a70dac79855d5ec6484de0bf7aa
SSDEEP

24576:QTjqzxNGfJzxUVQXHoGy1CQmKhAtK8lK/kF8QYnp703kkCCL4HgLn23:QTjanA1UVCHt0Ckhq2sFxYnSk/CL/n23

Score

8^/10

banker collection credential_access discovery evasion impact persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs
stealth trojan evasion

Suppress Application Icon
T1628.001

Processes:

sampop.sampo.samp

pid process

4250 sampop.sampo.samp

pid	process
4250	sampop.sampo.samp

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

sampop.sampo.samp

description	ioc	process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	sampop.sampo.samp
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	sampop.sampo.samp

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001
Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422
Acquires the wake lock 1 IoCs

Processes:

sampop.sampo.samp

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock sampop.sampo.samp
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
evasion persistence

Foreground Persistence
T1541

Processes:

sampop.sampo.samp

description ioc process

Framework service call android.app.IActivityManager.setServiceForeground sampop.sampo.samp
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

sampop.sampo.samp

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo sampop.sampo.samp
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
discovery

System Network Configuration Discovery
T1422

Processes:

sampop.sampo.samp

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone sampop.sampo.samp
Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

sampop.sampo.samp

description ioc process

Framework service call android.app.IActivityManager.registerReceiver sampop.sampo.samp
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

sampop.sampo.samp

description ioc process

Framework API call javax.crypto.Cipher.doFinal sampop.sampo.samp

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	sampop.sampo.samp

description	ioc	process
Framework service call	android.app.IActivityManager.setServiceForeground	sampop.sampo.samp

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	sampop.sampo.samp

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	sampop.sampo.samp

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	sampop.sampo.samp

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	sampop.sampo.samp

sampop.sampo.samp
1⤵
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
PID:4250