Analysis
- max time kernel: 35s
- max time network: 335s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 24-07-2024 07:02
Behavioral tasks
- behavioral1: sample 5a6e73f49b3b2fe89cf1b213504bc8caa26e37b2380accb4ffb6258baaf3ab46.apk, resource android-x86-arm-20240624-en
- behavioral2: sample 5a6e73f49b3b2fe89cf1b213504bc8caa26e37b2380accb4ffb6258baaf3ab46.apk, resource android-x64-20240624-en
- behavioral3: sample 5a6e73f49b3b2fe89cf1b213504bc8caa26e37b2380accb4ffb6258baaf3ab46.apk, resource android-x64-arm64-20240624-en
- behavioral4: sample childapp.apk, resource android-x86-arm-20240624-en
- behavioral5: sample childapp.apk, resource android-x64-20240624-en
- behavioral6: sample childapp.apk, resource android-x64-arm64-20240624-en
General
- Target: childapp.apk
- Size: 8.5MB
- MD5: 0f4d342c7a1261e9315fe83be60bbb73
- SHA1: e5a516a153419acecd9c3c6d9407daddd29b0aaa
- SHA256: 50860a0d89d1b44e3f4c55843810d4484e128a91979f0f7c72fcda79853bd62d
- SHA512: d0e9df8e064d807e37392f052f81c2b767f2925bd4582108c415bd048c7cddbf193e55e061d09134a67575cfafe084204fe8bd381ecfe4964889371a53f9e33b
- SSDEEP: 98304:mcyZKB4oIT4HVLwRq5JSQ3osEZmz/zBoT90twO:hyZKKHT4HVLw4DSQTFzKyt
Malware Config

Signatures
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes:
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process anonymous.prerequisite.armed)
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process anonymous.prerequisite.armed)
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId (process anonymous.prerequisite.armed)
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Processes:
  - Framework service call: android.content.IClipboard.addPrimaryClipChangedListener (process anonymous.prerequisite.armed)
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Acquires the wake lock (1 IoC)
  Processes:
  - Framework service call: android.os.IPowerManager.acquireWakeLock (process anonymous.prerequisite.armed)
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes:
  - Framework service call: android.app.IActivityManager.setServiceForeground (process anonymous.prerequisite.armed)
- Queries information about active data network (1 TTP, 1 IoC)
  Processes:
  - Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo (process anonymous.prerequisite.armed)
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Processes:
  - Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone (process anonymous.prerequisite.armed)
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Processes:
  - Framework service call: android.app.IActivityManager.registerReceiver (process anonymous.prerequisite.armed)
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes:
  - Framework service call: android.app.job.IJobScheduler.schedule (process anonymous.prerequisite.armed)
- Checks memory information (2 TTPs, 1 IoC)
  Processes:
  - File opened for read: /proc/meminfo (process anonymous.prerequisite.armed)
Processes
- anonymous.prerequisite.armed (PID 4967)
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Persistence: Event Triggered Execution (1), Broadcast Receivers (1), Foreground Persistence (1), Scheduled Task/Job (1)
- Defense Evasion: Foreground Persistence (1), Input Injection (1), Virtualization/Sandbox Evasion (1), System Checks (1)
- Credential Access: Clipboard Data (1), Input Capture (2), GUI Input Capture (1), Keylogging (1)
- Discovery: Software Discovery (1), Security Software Discovery (1), System Information Discovery (1), System Network Configuration Discovery (1), System Network Connections Discovery (1)
Downloads
- Four downloaded files (25B, 25B, 280B and 41B)