Overview

overview

10

Static

static

10

f650d333d3...32.apk

android-9-x86

4

f650d333d3...32.apk

android-10-x64

6

f650d333d3...32.apk

android-11-x64

6

xuwexi.apk

android-9-x86

1

xuwexi.apk

android-10-x64

7

xuwexi.apk

android-11-x64

7

Analysis

  • max time kernel
    176s
  • max time network
    185s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    27-07-2024 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xuwexi.apk

  • Size

    3.0MB

  • MD5

    a38a3000393bb258f4308a7ca69b7d0b

  • SHA1

    6bcb76a2f0f9ca53aa7391ee4a9bcf30f3df0eea

  • SHA256

    46af9709835a5d664094a40c2922af519e39aa04324fc57626f4cfb1dd62162d

  • SHA512

    58ef0a50eb2ecd9d2d8c6196c45f716cad2faa8a18cc7aee21d9c26ce7e8e0041a6b7111c931fead6a8c444b89be850ebb24e27f1935549315f5c28dbcf9a6c7

  • SSDEEP

    49152:wox/YEdJsYI0xkzx18pUpzhjDzgGGUc32Dkuk:woKGKRGUc324uk

Score
7/10
bankercollectioncredential_accessdiscoveryevasionexecutionimpactpersistence

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
    bankerdiscovery
  • Reads the content of the SMS messages. 1 TTPs 1 IoCs
    collection
  • Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries information about active data network 1 TTPs 1 IoCs
    discovery
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.civexefati.output
    1⤵
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Reads the content of the SMS messages.
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4969

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

System Network Connections Discovery

1
T1421

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Protected User Data

1
T1636

SMS Messages

1
T1636.004

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.civexefati.output/files/profileInstalled
    Filesize

    24B

    MD5

    3cc9ed769f1a76319653e870675a5829

    SHA1

    8ff89604f8bf89c5119b028949d85cff671f35dc

    SHA256

    7333fff2620f3ff99b88bcdcd9c23a54506234d17bc65cacf3ae8ac4a0a4b69b

    SHA512

    0be3b585324b4b800df7bfa099e8ffcbdcab75098601b0adc9521447756d127ed37fb50ab1f8ff434ea1f4f64a5789b03227b25683eb2f8400e63e56a2a201ab

    Download Submit

  • /data/data/com.civexefati.output/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
    Filesize

    8B

    MD5

    d3456ce1a89458b416ee16b78f48db0d

    SHA1

    71cbcbfae7df2ed0c11785e4d4901b9a04fc004f

    SHA256

    e9f516d0eed94a3402d80809c47de825424f8f53cc0284e98f30794d45eba05a

    SHA512

    439033bfed05c978acaea51c243cea906cd36dea16bfed612ad5a3d3d0f1f228b6de2622d83156105c44ef40e483c64e718f67612ddfcd31d65852489581cb6b

    Download Submit

  • /data/data/com.civexefati.output/no_backup/androidx.work.workdb
    Filesize

    104KB

    MD5

    83a30d38d534c3ef9ce3611936989acc

    SHA1

    e8131e7d2673254994da2b4affb4f073cf493317

    SHA256

    794ed6088fbf9c35a0bb8f6f7fc920340e203de89d89bf54b08191400ac021c5

    SHA512

    7b1745f8b850d1534a651bd9476d3cc33daf3eaa3dc46f55dc07157e0a85d88c53b9f5126f1976e3e0f03a86927f5e2718587ccbaa01dbae4fb76c9526c6fede

    Download Submit

  • /data/data/com.civexefati.output/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    e8d6f6c5ce37ac1a0e3492764ee4c0b0

    SHA1

    5d57f417e441dcac1c8f0480f2b2b4e4f4dab9b1

    SHA256

    adab3b935c0d5bc6b33c7a321ba476bb4fa4552d667b6436b923dc3ae3ddc491

    SHA512

    0f35409c643881adfb91444a4ebe912ea51ba3a18e526fec09dc247f6821b64d5425388b2eb734081afdc12b5a83cab7fa245896f1dfcbf2a9aeef24aff26ffb

    Download Submit

  • /data/data/com.civexefati.output/no_backup/androidx.work.workdb-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.civexefati.output/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    d535e609a5e995935c837cb693da3ee2

    SHA1

    96aed87ed588fc91acae16e3506dc75ec680cce4

    SHA256

    4a039515b1ca92b9a2bc19ff9b5cfcdf669a80bb7b875f7173d61df9d12c944f

    SHA512

    c5ddf9b35244472e8be7285e8b92e68574c4e2cf233bafbc46a5b1268043b4f7833996d8cc073ffc259b026450d40741d603b97a9ce37f0e4c81afadc89476a9

    Download Submit

  • /data/data/com.civexefati.output/no_backup/androidx.work.workdb-wal
    Filesize

    116KB

    MD5

    648be788e408b8656199115e69e2c521

    SHA1

    179bccddae67453990f0d7e03c9bf5192ccc3fb1

    SHA256

    00d3c933ec0a59bc7205f693176195cea0aad53e2df1fcda22abd8d2523c9245

    SHA512

    25b53cd2f8296405bf76e2f6942db2a00999bddf7b7e1d0fbb82cd66603793ae247598318e578d66dad1d5b1ed054b884b0c3180f9e3c13dbe52d68fa82b274d

    Download Submit

  • /data/data/com.civexefati.output/no_backup/androidx.work.workdb-wal
    Filesize

    442KB

    MD5

    0a7e85f97574a1f888b4e29de86bebe3

    SHA1

    71cf7aff676e6c549a0189e5939a168f4f96c73e

    SHA256

    f83e6bb885e13f8ad9f566a2a85ad3e122e463dc889cf87c752e561d834b4623

    SHA512

    3d3a46bb95ce589ddc0414b15312321d754d7f1f4af5b9412995d9a8da280505284993db5543576d129e46ed5b79cb675a6e3b00444a99f01d998a788c3730ed

    Download Submit

  • /data/misc/profiles/cur/0/com.civexefati.output/primary.prof
    Filesize

    3KB

    MD5

    8f6d3e375b71508768efdb7578700b0b

    SHA1

    ef285ce8f70c93520ed8dffa7300671041d9800b

    SHA256

    905fdc0879406178d46a24d74a8a12a7ba3475da9c48e5d9f4f06af2eaa06159

    SHA512

    3e494486ebd925f56fa62c4a107480ff31da4d43cdcf8eb72acf0c5c735beea98e80e3b170b5fe7cd393306e770e0e775a6d4cd37d144fcbb102596a71c583b1

    Download Submit

  • /data/misc/profiles/cur/0/com.civexefati.output/primary.prof
    Filesize

    3KB

    MD5

    b08bda7835711ce17a70b481cbdde895

    SHA1

    b383168450950435f590fa19cf7d3e33ba5e3c81

    SHA256

    f02416df9ca481a6ea777afd3e109d32282f9f97ba9d8392d1a30242ba0bf12e

    SHA512

    9686c1c1edc195a806068a789ff439df8e47474dcce9686203d2b2a8e1922dda2b361cfe80c06783d0e6abc916b146563e1f63e473f7a3332decdbbc6c50d543

    Download Submit

  • /data/misc/profiles/cur/0/com.civexefati.output/primary.prof
    Filesize

    1KB

    MD5

    994cade9d899e8c4cc987b80fecc58b5

    SHA1

    84a60f7593ee681005f38f10c143c51938eecead

    SHA256

    aa3aeaa7287ed5637358d1e3815f7fcdc574ae8365b3d337e72ae5802cf2a83f

    SHA512

    d1408dc1b4986f401717207c68e5b11d46172531f9a0d20f95fbe12d82bd13f4d8c7acf92df16a3f547845ef4b1b437dec1f087fe00a25a37d350b8112c496ec

    Download Submit