Resubmissions

Submitted           Task ID              Score
06-08-2024 09:37    240806-ll1gdszcqd    10
05-08-2024 17:24    240805-vypebswgrf    10
05-08-2024 17:22    240805-vxll2swgpd    10
04-08-2024 22:14    240804-15xxyaxhmr    10

Analysis
max time kernel: 179s
max time network: 187s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 05-08-2024 17:22
Behavioral task: behavioral1
Sample: xiezi015436 .apk
Resource: android-33-x64-arm64-20240624-en
General

Target: xiezi015436 .apk
Size: 5.0MB
MD5: 8fe8d843d3ccd242dce71ab13827aff3
SHA1: 1a650859ba4aaa79b9d091c6909afca7d8f12799
SHA256: aa8829ed490d1eb7794d3baf3f4693583da130d275b44083c050255fc92fc8a1
SHA512: ccbb57a89bb6cf1ed66b6b6c833bb52c27cf7f4034cebd3a38151f3f8999405ee09f24756e28b7bef6c2f20caede8ea110d52dff3735e89633fd36b449f0cc61
SSDEEP: 98304:ewmzezBzTz0trktFXpBX4MfjZakOqtkjDUwFUfaoK57f:+ze8YXpxj4kD2lF0W9f
Malware Config
Signatures
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description             ioc                                                                                                      process
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  goat.proportion.performance
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText             goat.proportion.performance
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId           goat.proportion.performance

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes:
  description             ioc                                                   process
  Framework service call  android.content.IClipboard.addPrimaryClipChangedListener  goat.proportion.performance

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Acquires the wake lock (1 IoCs)
Processes:
  description             ioc                                         process
  Framework service call  android.os.IPowerManager.acquireWakeLock  goat.proportion.performance

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description             ioc                                                process
  Framework service call  android.app.IActivityManager.setServiceForeground  goat.proportion.performance

Performs UI accessibility actions on behalf of the user (1 TTPs, 12 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
  ioc                                                                                  process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  goat.proportion.performance

Queries information about active data network (1 TTPs, 1 IoCs)
Processes:
  description             ioc                                                   process
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  goat.proportion.performance

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
Processes:
  description    ioc                                                       process
  Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  goat.proportion.performance

Requests enabling of the accessibility settings (1 IoCs)
Processes:
  description    ioc                                     process
  Intent action  android.settings.ACCESSIBILITY_SETTINGS  goat.proportion.performance

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
  description             ioc                                        process
  Framework service call  android.app.job.IJobScheduler.schedule  goat.proportion.performance

Checks CPU information (2 TTPs, 1 IoCs)
Processes:
  description           ioc            process
  File opened for read  /proc/cpuinfo  goat.proportion.performance

Checks memory information (2 TTPs, 1 IoCs)
Processes:
  description           ioc            process
  File opened for read  /proc/meminfo  goat.proportion.performance
Processes

goat.proportion.performance (PID: 4348)
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Requests enabling of the accessibility settings
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15

Defense Evasion
- Foreground Persistence: 1
- Hide Artifacts: 1
- User Evasion: 1
- Impair Defenses: 1
- Prevent Application Removal: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2

Credential Access
- Clipboard Data: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1

Discovery
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 2
- System Network Connections Discovery: 1
Downloads

Filesize: 25B
MD5: ba30336bf53d54ed3c0ea69dd545de8c
SHA1: ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA256: 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512: eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Filesize: 25B
MD5: fd8ed43ac31bbf329c395582c15753cd
SHA1: 3c76ee3fa79dde645c0447d6b23d6f435efb3b72
SHA256: 049d51bf61bf26d7b9e55391560cc23ec59d2240453ac81b87f2e81153b0fcaf
SHA512: 77bb10d1eeeea15fc35f7232af698c951d3f47a5fff56682bbc32f6bea9ebecc997d89ed88c6dff9c226c09446261f184ecbac9697f95799753d73a71e6c4d37

Filesize: 21B
MD5: cfb2fc8a0af4f4adec3fe47a4b07650c
SHA1: bf2888f53795c86ca8cd8f65477b475181502547
SHA256: 916f3c154374fb9958d715001a369e4eb7a00ba5b3dc8c39a3f91b23be1e191d
SHA512: f7e44ccc4e499e319960f5c9f1aa49fac6038912d3608bdd161d0279d422b40456292eabef080f0e3466f2050b5240d3ee6d653dc80df489a859a367c1d289c6

Filesize: 252B
MD5: 869d5ce4a4ca929cd7a4a256560c3aea
SHA1: e266e45ee8895be257834dd6c9d014c7ada752e8
SHA256: 27e8cc41aa443e3e444c3615b103ff9105a6ca106020cf77b27218476e2ab0e2
SHA512: 0fa3bc5f69d48c48bb922185059d326cdd12c07d985cca51a861fee6123c74adcb2bc74689285c490b3a677c97cc01f822d188fc48bf1511b3891e548e342933