Analysis
- max time kernel: 176s
- max time network: 185s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 27-07-2024 22:01
Behavioral task
behavioral1
Sample
f650d333d32fce85a906bded4fc57213c90052b08f9ace1c0cca5e658eeb7432.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
f650d333d32fce85a906bded4fc57213c90052b08f9ace1c0cca5e658eeb7432.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
f650d333d32fce85a906bded4fc57213c90052b08f9ace1c0cca5e658eeb7432.apk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral4
Sample
xuwexi.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral5
Sample
xuwexi.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral6
Sample
xuwexi.apk
Resource
android-x64-arm64-20240624-en
General
- Target: xuwexi.apk
- Size: 3.0MB
- MD5: a38a3000393bb258f4308a7ca69b7d0b
- SHA1: 6bcb76a2f0f9ca53aa7391ee4a9bcf30f3df0eea
- SHA256: 46af9709835a5d664094a40c2922af519e39aa04324fc57626f4cfb1dd62162d
- SHA512: 58ef0a50eb2ecd9d2d8c6196c45f716cad2faa8a18cc7aee21d9c26ce7e8e0041a6b7111c931fead6a8c444b89be850ebb24e27f1935549315f5c28dbcf9a6c7
- SSDEEP: 49152:wox/YEdJsYI0xkzx18pUpzhjDzgGGUc32Dkuk:woKGKRGUc324uk
Malware Config
Signatures
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.civexefati.output
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.civexefati.output
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.civexefati.output
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Reads the content of the SMS messages. (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  URI accessed for read | content://sms/ | com.civexefati.output
- Performs UI accessibility actions on behalf of the user (1 TTPs, 2 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Processes:
  ioc | process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.civexefati.output
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.civexefati.output
- Queries information about active data network (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.civexefati.output
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.civexefati.output
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | com.civexefati.output
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes:
  description | ioc | process
  Framework service call | android.app.job.IJobScheduler.schedule | com.civexefati.output
- Checks CPU information (2 TTPs, 1 IoCs)
- Checks memory information (2 TTPs, 1 IoCs)
Processes
- com.civexefati.output 1
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Reads the content of the SMS messages.
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/com.civexefati.output/files/profileInstalled
  Filesize: 24B
  MD5: 3cc9ed769f1a76319653e870675a5829
  SHA1: 8ff89604f8bf89c5119b028949d85cff671f35dc
  SHA256: 7333fff2620f3ff99b88bcdcd9c23a54506234d17bc65cacf3ae8ac4a0a4b69b
  SHA512: 0be3b585324b4b800df7bfa099e8ffcbdcab75098601b0adc9521447756d127ed37fb50ab1f8ff434ea1f4f64a5789b03227b25683eb2f8400e63e56a2a201ab
- /data/data/com.civexefati.output/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
  Filesize: 8B
  MD5: d3456ce1a89458b416ee16b78f48db0d
  SHA1: 71cbcbfae7df2ed0c11785e4d4901b9a04fc004f
  SHA256: e9f516d0eed94a3402d80809c47de825424f8f53cc0284e98f30794d45eba05a
  SHA512: 439033bfed05c978acaea51c243cea906cd36dea16bfed612ad5a3d3d0f1f228b6de2622d83156105c44ef40e483c64e718f67612ddfcd31d65852489581cb6b
- /data/data/com.civexefati.output/no_backup/androidx.work.workdb
  Filesize: 104KB
  MD5: 83a30d38d534c3ef9ce3611936989acc
  SHA1: e8131e7d2673254994da2b4affb4f073cf493317
  SHA256: 794ed6088fbf9c35a0bb8f6f7fc920340e203de89d89bf54b08191400ac021c5
  SHA512: 7b1745f8b850d1534a651bd9476d3cc33daf3eaa3dc46f55dc07157e0a85d88c53b9f5126f1976e3e0f03a86927f5e2718587ccbaa01dbae4fb76c9526c6fede
- /data/data/com.civexefati.output/no_backup/androidx.work.workdb-journal
  Filesize: 512B
  MD5: e8d6f6c5ce37ac1a0e3492764ee4c0b0
  SHA1: 5d57f417e441dcac1c8f0480f2b2b4e4f4dab9b1
  SHA256: adab3b935c0d5bc6b33c7a321ba476bb4fa4552d667b6436b923dc3ae3ddc491
  SHA512: 0f35409c643881adfb91444a4ebe912ea51ba3a18e526fec09dc247f6821b64d5425388b2eb734081afdc12b5a83cab7fa245896f1dfcbf2a9aeef24aff26ffb
- /data/data/com.civexefati.output/no_backup/androidx.work.workdb-shm
  Filesize: 32KB
  MD5: bb7df04e1b0a2570657527a7e108ae23
  SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
  SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
  SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
- /data/data/com.civexefati.output/no_backup/androidx.work.workdb-wal
  Filesize: 16KB
  MD5: d535e609a5e995935c837cb693da3ee2
  SHA1: 96aed87ed588fc91acae16e3506dc75ec680cce4
  SHA256: 4a039515b1ca92b9a2bc19ff9b5cfcdf669a80bb7b875f7173d61df9d12c944f
  SHA512: c5ddf9b35244472e8be7285e8b92e68574c4e2cf233bafbc46a5b1268043b4f7833996d8cc073ffc259b026450d40741d603b97a9ce37f0e4c81afadc89476a9
- /data/data/com.civexefati.output/no_backup/androidx.work.workdb-wal
  Filesize: 116KB
  MD5: 648be788e408b8656199115e69e2c521
  SHA1: 179bccddae67453990f0d7e03c9bf5192ccc3fb1
  SHA256: 00d3c933ec0a59bc7205f693176195cea0aad53e2df1fcda22abd8d2523c9245
  SHA512: 25b53cd2f8296405bf76e2f6942db2a00999bddf7b7e1d0fbb82cd66603793ae247598318e578d66dad1d5b1ed054b884b0c3180f9e3c13dbe52d68fa82b274d
- /data/data/com.civexefati.output/no_backup/androidx.work.workdb-wal
  Filesize: 442KB
  MD5: 0a7e85f97574a1f888b4e29de86bebe3
  SHA1: 71cf7aff676e6c549a0189e5939a168f4f96c73e
  SHA256: f83e6bb885e13f8ad9f566a2a85ad3e122e463dc889cf87c752e561d834b4623
  SHA512: 3d3a46bb95ce589ddc0414b15312321d754d7f1f4af5b9412995d9a8da280505284993db5543576d129e46ed5b79cb675a6e3b00444a99f01d998a788c3730ed
- /data/misc/profiles/cur/0/com.civexefati.output/primary.prof
  Filesize: 3KB
  MD5: 8f6d3e375b71508768efdb7578700b0b
  SHA1: ef285ce8f70c93520ed8dffa7300671041d9800b
  SHA256: 905fdc0879406178d46a24d74a8a12a7ba3475da9c48e5d9f4f06af2eaa06159
  SHA512: 3e494486ebd925f56fa62c4a107480ff31da4d43cdcf8eb72acf0c5c735beea98e80e3b170b5fe7cd393306e770e0e775a6d4cd37d144fcbb102596a71c583b1
- /data/misc/profiles/cur/0/com.civexefati.output/primary.prof
  Filesize: 3KB
  MD5: b08bda7835711ce17a70b481cbdde895
  SHA1: b383168450950435f590fa19cf7d3e33ba5e3c81
  SHA256: f02416df9ca481a6ea777afd3e109d32282f9f97ba9d8392d1a30242ba0bf12e
  SHA512: 9686c1c1edc195a806068a789ff439df8e47474dcce9686203d2b2a8e1922dda2b361cfe80c06783d0e6abc916b146563e1f63e473f7a3332decdbbc6c50d543
- /data/misc/profiles/cur/0/com.civexefati.output/primary.prof
  Filesize: 1KB
  MD5: 994cade9d899e8c4cc987b80fecc58b5
  SHA1: 84a60f7593ee681005f38f10c143c51938eecead
  SHA256: aa3aeaa7287ed5637358d1e3815f7fcdc574ae8365b3d337e72ae5802cf2a83f
  SHA512: d1408dc1b4986f401717207c68e5b11d46172531f9a0d20f95fbe12d82bd13f4d8c7acf92df16a3f547845ef4b1b437dec1f087fe00a25a37d350b8112c496ec