Resubmissions

06-08-2024 09:37

240806-ll1gdszcqd 10

05-08-2024 17:24

240805-vypebswgrf 10

05-08-2024 17:22

240805-vxll2swgpd 10

04-08-2024 22:14

240804-15xxyaxhmr 10

Analysis

  • max time kernel
    179s
  • max time network
    187s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    05-08-2024 17:22

General

  • Target

    xiezi015436 .apk

  • Size

    5.0MB

  • MD5

    8fe8d843d3ccd242dce71ab13827aff3

  • SHA1

    1a650859ba4aaa79b9d091c6909afca7d8f12799

  • SHA256

    aa8829ed490d1eb7794d3baf3f4693583da130d275b44083c050255fc92fc8a1

  • SHA512

    ccbb57a89bb6cf1ed66b6b6c833bb52c27cf7f4034cebd3a38151f3f8999405ee09f24756e28b7bef6c2f20caede8ea110d52dff3735e89633fd36b449f0cc61

  • SSDEEP

    98304:ewmzezBzTz0trktFXpBX4MfjZakOqtkjDUwFUfaoK57f:+ze8YXpxj4kD2lF0W9f

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 12 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Requests enabling of the accessibility settings. 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • goat.proportion.performance
    1⤵
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Requests enabling of the accessibility settings.
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4348

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-05.txt

    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-05.txt

    Filesize

    25B

    MD5

    fd8ed43ac31bbf329c395582c15753cd

    SHA1

    3c76ee3fa79dde645c0447d6b23d6f435efb3b72

    SHA256

    049d51bf61bf26d7b9e55391560cc23ec59d2240453ac81b87f2e81153b0fcaf

    SHA512

    77bb10d1eeeea15fc35f7232af698c951d3f47a5fff56682bbc32f6bea9ebecc997d89ed88c6dff9c226c09446261f184ecbac9697f95799753d73a71e6c4d37

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-05.txt

    Filesize

    21B

    MD5

    cfb2fc8a0af4f4adec3fe47a4b07650c

    SHA1

    bf2888f53795c86ca8cd8f65477b475181502547

    SHA256

    916f3c154374fb9958d715001a369e4eb7a00ba5b3dc8c39a3f91b23be1e191d

    SHA512

    f7e44ccc4e499e319960f5c9f1aa49fac6038912d3608bdd161d0279d422b40456292eabef080f0e3466f2050b5240d3ee6d653dc80df489a859a367c1d289c6

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-05.txt

    Filesize

    252B

    MD5

    869d5ce4a4ca929cd7a4a256560c3aea

    SHA1

    e266e45ee8895be257834dd6c9d014c7ada752e8

    SHA256

    27e8cc41aa443e3e444c3615b103ff9105a6ca106020cf77b27218476e2ab0e2

    SHA512

    0fa3bc5f69d48c48bb922185059d326cdd12c07d985cca51a861fee6123c74adcb2bc74689285c490b3a677c97cc01f822d188fc48bf1511b3891e548e342933