Analysis
max time kernel: 329s
max time network: 339s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 24-07-2024 07:02
Behavioral tasks
- behavioral1: sample 5a6e73f49b3b2fe89cf1b213504bc8caa26e37b2380accb4ffb6258baaf3ab46.apk, resource android-x86-arm-20240624-en
- behavioral2: sample 5a6e73f49b3b2fe89cf1b213504bc8caa26e37b2380accb4ffb6258baaf3ab46.apk, resource android-x64-20240624-en
- behavioral3: sample 5a6e73f49b3b2fe89cf1b213504bc8caa26e37b2380accb4ffb6258baaf3ab46.apk, resource android-x64-arm64-20240624-en
- behavioral4: sample childapp.apk, resource android-x86-arm-20240624-en
- behavioral5: sample childapp.apk, resource android-x64-20240624-en
- behavioral6: sample childapp.apk, resource android-x64-arm64-20240624-en
General
Target: childapp.apk
Size: 8.5MB
MD5: 0f4d342c7a1261e9315fe83be60bbb73
SHA1: e5a516a153419acecd9c3c6d9407daddd29b0aaa
SHA256: 50860a0d89d1b44e3f4c55843810d4484e128a91979f0f7c72fcda79853bd62d
SHA512: d0e9df8e064d807e37392f052f81c2b767f2925bd4582108c415bd048c7cddbf193e55e061d09134a67575cfafe084204fe8bd381ecfe4964889371a53f9e33b
SSDEEP: 98304:mcyZKB4oIT4HVLwRq5JSQ3osEZmz/zBoT90twO:hyZKKHT4HVLw4DSQTFzKyt
Malware Config
Signatures
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes (description | ioc | process):
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | anonymous.prerequisite.armed
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | anonymous.prerequisite.armed
    Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | anonymous.prerequisite.armed
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Processes (description | ioc | process):
    Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | anonymous.prerequisite.armed
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Acquires the wake lock (1 IoC)
  Processes (description | ioc | process):
    Framework service call | android.os.IPowerManager.acquireWakeLock | anonymous.prerequisite.armed
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes (description | ioc | process):
    Framework service call | android.app.IActivityManager.setServiceForeground | anonymous.prerequisite.armed
- Queries information about active data network (1 TTP, 1 IoC)
  Processes (description | ioc | process):
    Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | anonymous.prerequisite.armed
- Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  Processes (description | ioc | process):
    Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | anonymous.prerequisite.armed
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes (description | ioc | process):
    Framework service call | android.app.job.IJobScheduler.schedule | anonymous.prerequisite.armed
- Checks memory information (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    File opened for read | /proc/meminfo | anonymous.prerequisite.armed
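The signatures above are dynamic observations; before detonating a sample, a practitioner usually wants the static counterpart: which of these capabilities are declared in the APK's manifest. The Python below is an added example, not part of the Triage report and not code from the sample. It parses a decoded AndroidManifest.xml and flags the permissions and service bindings that correspond to the behaviours listed (accessibility service, battery-optimization exemption, foreground service, wake lock, package enumeration, JobScheduler). The embedded manifest is constructed for illustration and is not the manifest of childapp.apk; the package name and service names in it are hypothetical, and the assumed way to obtain a decoded manifest from a real APK is `apktool d <apk>` or `aapt2 dump xmltree`.

```python
"""Static manifest triage for the capability set the sandbox signatures flag.

Added example, not code from the sample or from Triage. The manifest below is
CONSTRUCTED; for a real APK decode the binary manifest first (assumed tooling:
`apktool d childapp.apk` or `aapt2 dump xmltree`) and pass the XML text in.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Qualified name of an android:<attr> attribute as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{attr}"


# uses-permission entries that are the static footprint of the dynamic
# signatures in the report, plus two common companions (boot receiver, overlay).
PERMISSION_INDICATORS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        "asks to be exempted from battery optimizations (background persistence)",
    "android.permission.FOREGROUND_SERVICE":
        "runs a foreground service (foreground persistence)",
    "android.permission.WAKE_LOCK":
        "holds wake locks (keeps the CPU awake)",
    "android.permission.QUERY_ALL_PACKAGES":
        "lists every installed package on API 30+ (overlay targeting)",
    "android.permission.RECEIVE_BOOT_COMPLETED":
        "restarts at boot",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "draws over other apps (overlay attacks)",
    "android.permission.ACCESS_NETWORK_STATE":
        "queries the active data network",
}

A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
JOB_BIND = "android.permission.BIND_JOB_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return {"package": ..., "findings": [...]} for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []

    declared = {p.get(_a("name")) for p in root.iter("uses-permission")}
    for perm, why in PERMISSION_INDICATORS.items():
        if perm in declared:
            findings.append(f"permission {perm}: {why}")

    # A service guarded by BIND_ACCESSIBILITY_SERVICE is the static footprint of
    # the findAccessibilityNodeInfos* calls seen at runtime; a JobService is the
    # footprint of IJobScheduler.schedule.
    for svc in root.iter("service"):
        name = svc.get(_a("name"), "?")
        guard = svc.get(_a("permission"))
        if guard == A11Y_BIND:
            findings.append(f"service {name}: AccessibilityService (screen scraping, input injection)")
        elif guard == JOB_BIND:
            findings.append(f"service {name}: JobService (scheduled execution)")

    # On API 30+ an app may declare targeted package visibility instead of
    # QUERY_ALL_PACKAGES; either way it is enumerating other apps.
    if root.find("queries") is not None:
        findings.append("<queries> element: targeted package visibility (API 30+)")

    return {"package": root.get("package", ""), "findings": findings}


def flags_accessibility_persistence(result: dict) -> bool:
    """Heuristic, not a verdict: an accessibility service paired with a
    persistence indicator is the combination the sandbox report observed."""
    findings = result["findings"]
    has_a11y = any("AccessibilityService" in f for f in findings)
    persist_keys = ("REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
                    "FOREGROUND_SERVICE", "RECEIVE_BOOT_COMPLETED")
    has_persist = any(k in f for f in findings for k in persist_keys)
    return has_a11y and has_persist


# Constructed manifest (not the sample's); package and service names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="childapp">
    <service android:name=".AccService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Worker"
        android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"])
    for line in report["findings"]:
        print(" -", line)
    print("accessibility + persistence:", flags_accessibility_persistence(report))
```

Two caveats when reading the output. The clipboard listener flagged above (IClipboard.addPrimaryClipChangedListener) needs no manifest permission, so no static check will surface it; that is exactly the kind of behaviour only the dynamic run reveals. And a declared accessibility service only becomes dangerous once the user enables it in Settings, so the manifest finding tells you what the app can do if it social-engineers that toggle, not what it did in the sandbox.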
Processes
- anonymous.prerequisite.armed (PID 4615)
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about active data network
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Schedules tasks to execute at a specified time
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Foreground Persistence (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (1)
  - System Checks (1)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (1)
- System Network Connections Discovery (1)
Downloads
- Filesize: 29B
  MD5: a72df8865c6aac92dd7bf0f50690280c
  SHA1: 409678f2211431df52e6440bb3854eebd68839ed
  SHA256: 5b2a131f256590c5740f8e063c7aac60f9022e80b11f73a6bb750ec5254ce8fd
  SHA512: f3afbd3e218cd7961a7a63168a86bbd92fee5460e9754ebcc84b44c3b8264696f5b68f832e2562ad259bf6bdffe9ac3568b5236454abdfe6931a8e9fe9e018e1
- Filesize: 25B
  MD5: 181ca4915c38099a3d0885178d8167c8
  SHA1: 0058f33a8c74a602e35f85b9ba671763d836bddd
  SHA256: ae6bf282126812a2f89f8fe77e3a6c433a84f2bc7a3814dd20938ce6afcc942c
  SHA512: 13cfdd5021c8c25058b5201105da5b8eff3f897f3ab497efb030e8f9b9fbf53eb1789da4516ea2fe42e13f7e2415d3c60374926774cf3b39844bf0692f3a2bdf
- Filesize: 25B
  MD5: ba30336bf53d54ed3c0ea69dd545de8c
  SHA1: ce99c6724c75b93b7448e2d9fac16ca702a5711f
  SHA256: 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
  SHA512: eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e
- Filesize: 280B
  MD5: 1e950d5d401ecaea93f944858eca52b8
  SHA1: 5729db3cb8c9c7c9a1fcbb4dd5d2fc4120046bed
  SHA256: 2754b43b9e6b0cf578ee80657d4910d3064e67db2753dec8ace695f261001711
  SHA512: adb4c797c0ac0e384b26041a70b434b5c2a3d8e84b9612aac7ac8866e56f889976cd1aa848ff7956a3ee357bef45a18d5481cb3f83aea672edbd29d86179881a