Analysis
-
max time kernel
179s -
max time network
188s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
-
submitted
29-07-2024 16:37
General
-
Target
Malware.unknown.apk
-
Size
3.0MB
-
MD5
75c0eb2c78ff31534a588ec47088b622
-
SHA1
abc703f6e5b824d0a1c14108228009001509a162
-
SHA256
0de7ded6e4db0cb540ef7249c4bb96ca3147aa193801b06c5235781271bc4b23
-
SHA512
d0b74f972f851fc7a1f715e152e6f439a080b4d7b1f3129cec6c3164d8b1f75c34a920c393d5d05be45185a2b926b6c382b5e83387436b7905b2500e3db4c36b
-
SSDEEP
49152:Y09ypryDHH0D6gmPOroTV8asMbUCNhSBNwj0ciNcJ3W7HxTQqUonX73lwp:YXrWn0DAOroTV87w4kjD09RzUsyp
Malware Config
Signatures
-
FluBot
FluBot is an android banking trojan that uses overlays.
-
FluBot payload 2 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs executable file dropped to the device during analysis.
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
-
Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs
Application may abuse the accessibility service to prevent their removal.
-
Queries information about active data network 1 TTPs 1 IoCs
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
-
Requests enabling of the accessibility settings. 1 IoCs
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes
-
com.xunmeng.pinduoduo1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Uses Crypto APIs (Might try to encrypt user data)
-
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/xCSswjlO.king --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.xunmeng.pinduoduo/app_apkprotector_dex/oat/x86/xCSswjlO.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Hide Artifacts
1User Evasion
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
MD55b49441a9350dd3b4dba093b8faa2c8e
SHA1bbe36075bd706b87eb7f96fc498c83088b717226
SHA256c23491993bd680fa89ca42a5ff0695365e07c83874e4db29b96234d8a21fe10d
SHA512e4ce7f58ed24644094dee157d4e364c9bd4d68507bac760c760695dc2280052914bfeeb2c020f53b4e9e5da75e173bba28fd994176a4cea66d79a0e648279f94
-
Filesize
2.4MB
MD53295dbeea222279d227a2c3cab5d99ca
SHA1a8cdf90f561932d3c4d731df6bf659229488167b
SHA256c6c265e23b50e5375c9e67b27da8bb36ada0f10840a2881720ef4f3314abd6f8
SHA51227a15346ee73a817fcbcf6a80c4c576e91b74d2f0141a11fe11a5be8cd94482e3597a54e0277475b420702ca064d02422bff3adc9d702215a8f59a1d01ffea00