Analysis
-
max time kernel
176s -
max time network
184s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
android arch:arm arch:x86 image:android-x86-arm-20240624-en locale:en-us os:android-9-x86 system -
submitted
04-08-2024 22:09
Static task
static1
Behavioral task
behavioral1
Sample
664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798.apk
-
Size
3.8MB
-
MD5
ff0861b94469b50816dd80f3a8c5ddfa
-
SHA1
749f8aa6ab57f7c2059312e7304edecd5391cf30
-
SHA256
664c1b4ef5e7caa17e3caa5a4bc0dcfe6fba23beb866ca8959a3791512d33798
-
SHA512
76e658539bb17db06b03f6a13b7bae1b0852657cb956e8f1a365e06c01dc6ff1468b366b39e7f8a75b2edc76e0dd3979136ffe0ed8eed9343dd833b2af492a79
-
SSDEEP
98304:qKUkN1yVuEGZwi2T8fd1iNGhGQTEQu9fzdP:mk6IFqMbfXWrl
Malware Config
Signatures
-
FluBot
FluBot is an Android banking trojan that uses overlays.
-
FluBot payload 2 IoCs
Processes:
resource | yara_rule
/data/data/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | family_flubot
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | family_flubot
(Both rows are the same file: on Android /data/data is a symlink to /data/user/0, so the two IoCs are two paths to one dropped payload.)
-
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Loads dropped Dex/Jar 1 TTPs 3 IoCs
Runs an executable file dropped to the device during analysis.
Processes:
ioc | pid | process
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | 4249 | com.tencent.mm
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | 4278 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | 4249 | com.tencent.mm
-
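The "Loads dropped Dex/Jar" hit is visible directly in the dex2oat arguments: the --dex-file sits under the package's private data directory, not under the installed APK. The Python below is an added example, not part of the sandbox or of the sample; it re-derives that verdict from a process table. The report's dex2oat line is embedded verbatim, the second dex2oat row (hypothetical package com.example.app) is a constructed benign control, and the list of install-path prefixes is this example's own assumption.

```python
"""Spot dynamic code loading from dex2oat command lines recorded by a sandbox.

Added example for this report, not the sandbox's own tooling. A --dex-file
outside the platform's install locations was written by the app at runtime,
which is what the report's 'Loads dropped Dex/Jar' signature flags.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: locations the platform itself installs code to. Anything else
# (notably /data/user/0/<pkg>/ or /data/data/<pkg>/) is app-written at runtime.
INSTALL_PREFIXES = ("/system/", "/vendor/", "/product/", "/apex/", "/data/app/")

# /data/user/<n>/<pkg>/... and /data/data/<pkg>/... are the package's private dir.
_OWNER_RE = re.compile(r"^/data/(?:user/\d+|data)/([A-Za-z0-9_.]+)/")


@dataclass
class DexLoad:
    pid: int
    dex_file: str
    oat_location: Optional[str]
    compiler_filter: Optional[str]
    owner: Optional[str]  # package whose private dir holds the dex, if any
    dropped: bool


def parse_dex2oat(pid: int, cmdline: str) -> Optional[DexLoad]:
    """Pull the --key=value options out of a dex2oat command line.

    Returns None for any other process. Bare options ('--runtime-arg') and
    their '-X...' arguments carry no '=' and are skipped; the report's
    truncated '--class-loader-context=&' just yields the literal value '&'.
    """
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("/dex2oat"):
        return None
    opts = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value  # a repeated option keeps its last value
    dex = opts.get("dex-file")
    if dex is None:
        return None
    owner = _OWNER_RE.match(dex)
    return DexLoad(
        pid=pid,
        dex_file=dex,
        oat_location=opts.get("oat-location"),
        compiler_filter=opts.get("compiler-filter"),
        owner=owner.group(1) if owner else None,
        dropped=not dex.startswith(INSTALL_PREFIXES),
    )


def dropped_dex_loads(process_table: List[Tuple[int, str]]) -> List[DexLoad]:
    """Run parse_dex2oat over (pid, cmdline) rows and keep the dropped-dex hits."""
    hits = []
    for pid, cmdline in process_table:
        load = parse_dex2oat(pid, cmdline)
        if load is not None and load.dropped:
            hits.append(load)
    return hits


# Constructed process table: the report's dex2oat line (pid 4278) plus a
# hypothetical benign compile of an installed APK (pid 4301).
REPORT_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)
BENIGN_DEX2OAT = (
    "/system/bin/dex2oat --instruction-set=x86 --boot-image=/system/framework/boot.art "
    "--dex-file=/data/app/com.example.app-1/base.apk --oat-fd=40 "
    "--oat-location=/data/app/com.example.app-1/oat/x86/base.odex --compiler-filter=speed-profile"
)
PROCESS_TABLE = [(4249, "com.tencent.mm"), (4278, REPORT_DEX2OAT), (4301, BENIGN_DEX2OAT)]

if __name__ == "__main__":
    for hit in dropped_dex_loads(PROCESS_TABLE):
        print(f"pid {hit.pid}: {hit.owner} loads dropped dex {hit.dex_file} "
              f"(filter={hit.compiler_filter}) -> {hit.oat_location}")
```

Two details in the recovered row are worth reading: the `app_` prefix on `app_apkprotector_dex` is what `Context.getDir()` prepends to the name an app passes it, so the app created that directory inside its own sandbox, and `--compiler-filter=quicken` is consistent with ART compiling a secondary dex on demand at load time rather than at install.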
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.tencent.mm
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.tencent.mm
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.tencent.mm
-
Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs
The application may abuse the accessibility service to prevent its removal.
Processes:
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.tencent.mm
-
Requests accessing notifications (often used to intercept notifications before users become aware). 1 TTPs 1 IoCs
Processes:
description | ioc | process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | com.tencent.mm
-
Requests changing the default SMS application. 2 TTPs 1 IoCs
Processes:
description | ioc | process
Intent action | android.provider.Telephony.ACTION_CHANGE_DEFAULT | com.tencent.mm
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes:
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.tencent.mm
-
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
Processes:
description | ioc | process
Framework API call | javax.crypto.Cipher.doFinal | com.tencent.mm
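Each of the signatures above is a pattern over a single recorded framework call or intent, and the "N IoCs" figure is the number of matching rows. As an added example (not the sandbox's own signature engine), the Python below re-derives those signatures and counts from an event log constructed to mirror the rows in this report, using exactly the IoC strings listed. The event line format, the extra benign android.intent.action.VIEW row, and the closing banker heuristic are this example's assumptions, not anything the report states.

```python
"""Re-derive this report's behavioural signatures from raw sandbox events.

Added example, not the sandbox's own engine. Rules use the IoC strings the
report lists; the event log is constructed to mirror the report's rows.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Constructed log, one event per line: "<pid> <process> <kind>: <value>".
ACC = "android.accessibilityservice.IAccessibilityServiceConnection."
EVENT_LOG = "\n".join([
    f"4249 com.tencent.mm Framework service call: {ACC}findAccessibilityNodeInfoByAccessibilityId",
    f"4249 com.tencent.mm Framework service call: {ACC}findAccessibilityNodeInfosByViewId",
    f"4249 com.tencent.mm Framework service call: {ACC}findAccessibilityNodeInfosByText",
    f"4249 com.tencent.mm Framework service call: {ACC}performGlobalAction",
    f"4249 com.tencent.mm Framework service call: {ACC}performGlobalAction",
    f"4249 com.tencent.mm Framework service call: {ACC}performGlobalAction",
    "4249 com.tencent.mm Intent action: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS",
    "4249 com.tencent.mm Intent action: android.provider.Telephony.ACTION_CHANGE_DEFAULT",
    "4249 com.tencent.mm Intent action: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    "4249 com.tencent.mm Framework API call: javax.crypto.Cipher.doFinal",
    "4249 com.tencent.mm Intent action: android.intent.action.VIEW",  # benign control
])

_EVENT_RE = re.compile(
    r"^(\d+) (\S+) (Framework service call|Framework API call|Intent action): (\S+)$"
)


class Event(NamedTuple):
    pid: int
    process: str
    kind: str
    value: str


def parse_events(text: str) -> List[Event]:
    """Parse the assumed line format; lines that do not fit are ignored."""
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.match(line)
        if m:
            events.append(Event(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


# (signature as named in the report, event kind it applies to, full-match pattern)
RULES = [
    ("Makes use of the framework's Accessibility service", "Framework service call",
     re.compile(re.escape(ACC) + r"find\w+")),
    ("Performs UI accessibility actions on behalf of the user", "Framework service call",
     re.compile(re.escape(ACC + "performGlobalAction"))),
    ("Requests accessing notifications", "Intent action",
     re.compile(re.escape("android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS"))),
    ("Requests changing the default SMS application", "Intent action",
     re.compile(re.escape("android.provider.Telephony.ACTION_CHANGE_DEFAULT"))),
    ("Requests disabling of battery optimizations", "Intent action",
     re.compile(re.escape("android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"))),
    ("Uses Crypto APIs", "Framework API call",
     re.compile(re.escape("javax.crypto.Cipher.doFinal"))),
]


def match_signatures(events: List[Event]) -> Dict[str, List[Event]]:
    """Return {signature: [matching events]}; one matching event is one IoC row."""
    hits = defaultdict(list)
    for ev in events:
        for name, kind, pattern in RULES:
            if ev.kind == kind and pattern.fullmatch(ev.value):
                hits[name].append(ev)
    return dict(hits)


def ioc_counts(hits: Dict[str, List[Event]]) -> Counter:
    """The 'N IoCs' figure per signature, as the report shows it."""
    return Counter({name: len(evs) for name, evs in hits.items()})


def looks_like_overlay_banker(hits: Dict[str, List[Event]]) -> bool:
    """Assumed triage heuristic: reads the screen through accessibility, acts on
    it, and reaches for either notification access or the default-SMS role."""
    reads = "Makes use of the framework's Accessibility service" in hits
    acts = "Performs UI accessibility actions on behalf of the user" in hits
    messaging = ("Requests accessing notifications" in hits
                 or "Requests changing the default SMS application" in hits)
    return reads and acts and messaging


if __name__ == "__main__":
    found = match_signatures(parse_events(EVENT_LOG))
    for name, n in ioc_counts(found).items():
        print(f"{name}: {n} IoCs")
    print("overlay-banker profile:", looks_like_overlay_banker(found))
```

The rules are deliberately exact-match on the IoC strings; the only wildcard is the `find*` family of accessibility lookups, which is how the report groups screen-reading calls separately from `performGlobalAction`, the call that actually acts on the UI.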
Processes
-
com.tencent.mm (process tree level 1)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests changing the default SMS application.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Uses Crypto APIs (Might try to encrypt user data)
PID:4249 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_apkprotector_dex/oat/x86/classes-v1.odex --compiler-filter=quicken --class-loader-context=& (process tree level 2, child of com.tencent.mm)
- Loads dropped Dex/Jar
PID:4278
-
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Credential Access
- Access Notifications (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads
-
Filesize
3.1MB
MD5 5c58194c9290a3da97069125c255cddf
SHA1 a4f1b797dc3dccd81f30ff6fbac1cbbbe997fe28
SHA256 1bbade053c0a4aac93ba65af9d003c250ef2f1a19fcf01181bc7f125501ab6ab
SHA512 af10fed875066ac505ea7ef1a9aba0c9e242be70013e70c37b95ba5d46beee80b3a5c3bb5dc997f2cc275e618ec19567a59c8df0a2b005fbf6e681960cb1d0cf
-
Filesize
3.1MB
MD5 30fa2b11465312054af7e52a9e1ac6be
SHA1 efc75acac9a9b0901011fed945f893e5024d8dce
SHA256 c6812183ce3d26fce88f195e45324ff0f896280bd349e72f5b90e430438f062f
SHA512 df99d2b45c1ee802fca82ef9bece15864621eb3533d8736fed2d8fbfae94719648d706f1a956f437a8d6ceea364ea292ef8f5eb9cb22684d7302a97740bd3f20