Analysis
-
max time kernel
158s -
max time network
162s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
06-08-2024 06:58
Behavioral task
behavioral1
Sample
kali.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
kali.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
kali.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
kali.apk
-
Size
8.5MB
-
MD5
4ae7d800dd355704372ab216f201ad13
-
SHA1
f19950514dace1d890e568d1e9ae41492f207214
-
SHA256
d9a95dbbeecf78ccc08781c73bbdef49fb5e1a26de850a5b0939c4ac8f08d0e6
-
SHA512
d9f4220fd37045dc1de67a6ba117d3683ec47b9c68176c85077707f30813ed70f4ca1f260bb7bb1cabcd4be62b29b2ba7361fd260faaa1579a58c610fb77ec8e
-
SSDEEP
98304:HyY6kBfDjcY7KMjVwEL70OVYmzNzBLTm0tlV:H5Djn+A30OVnzvtn
Malware Config
Signatures
-
Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
website.knowledge.ssldescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText website.knowledge.ssl Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId website.knowledge.ssl Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId website.knowledge.ssl -
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes:
website.knowledge.ssldescription ioc process Framework service call android.content.IClipboard.addPrimaryClipChangedListener website.knowledge.ssl -
Acquires the wake lock 1 IoCs
Processes:
website.knowledge.ssldescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock website.knowledge.ssl -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
website.knowledge.ssldescription ioc process Framework service call android.app.IActivityManager.setServiceForeground website.knowledge.ssl -
Queries information about active data network 1 TTPs 1 IoCs
Processes:
website.knowledge.ssldescription ioc process Framework service call android.net.IConnectivityManager.getActiveNetworkInfo website.knowledge.ssl -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
website.knowledge.ssldescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone website.knowledge.ssl -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
website.knowledge.ssldescription ioc process Framework service call android.app.IActivityManager.registerReceiver website.knowledge.ssl -
Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
website.knowledge.ssldescription ioc process Framework service call android.app.job.IJobScheduler.schedule website.knowledge.ssl -
Checks CPU information 2 TTPs 1 IoCs
Processes:
website.knowledge.ssldescription ioc process File opened for read /proc/cpuinfo website.knowledge.ssl -
Checks memory information 2 TTPs 1 IoCs
Processes:
website.knowledge.ssldescription ioc process File opened for read /proc/meminfo website.knowledge.ssl
Processes
-
website.knowledge.ssl1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4988
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Scheduled Task/Job
1Defense Evasion
Foreground Persistence
1Input Injection
1Virtualization/Sandbox Evasion
2System Checks
2Credential Access
Clipboard Data
1Input Capture
2GUI Input Capture
1Keylogging
1Discovery
System Information Discovery
2System Network Configuration Discovery
1System Network Connections Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
29B
MD558289ccf28520f001ae0d5e744f12cbc
SHA114d6c4ce740676b33f72081d547aa57c73e78f7c
SHA256f4972706b56ff8fe17c1d86943cb071e3457f2c91adaa8a8703c730e521cd6ec
SHA512785b398af90bdfbb226bb1015390aa417aacc476a47996848dcf83ddf9b44d175264a162fe517f2bf94e02819789b33b91df7f3f77f39ee778f68693d90fda97
-
Filesize
29B
MD5ece45f8623243feea4df6c2fe45b36e1
SHA1ef24e005271d92ed255e24a40a15d94b0d5f6bd3
SHA256e011b2d4119782d41972729f76497925f6f503f6b87dbf8363a50d5134ff39a2
SHA51286e5a142bb1c4607af14414558fca4711e9a043842aef5add7229d2b49a640d43d62383729edd60869f26e2ad28218d48228303e358b56038267d8bdaf6353da
-
Filesize
25B
MD5ba30336bf53d54ed3c0ea69dd545de8c
SHA1ce99c6724c75b93b7448e2d9fac16ca702a5711f
SHA2562d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
SHA512eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e
-
Filesize
284B
MD588a7b3bfdd6e7f0beae5f639709bcd75
SHA1229168ce9f42e5b07bf989367a7171d5dab5d9e8
SHA256fbff664f0e6c6b6d8af0fb6304f2011eac8a39d55c1ce145ffaadc8312616cef
SHA5124833359af8e22f00cf058a1bc81c1f344c4f35b9cf2a186728976db823d4b900f953fb4aa51d31713a7f20e5fd434d526d69cb9442b714b24ee63a37d996314a