Resubmissions
06-08-2024 09:37  240806-ll1gdszcqd  score 10
05-08-2024 17:24  240805-vypebswgrf  score 10
05-08-2024 17:22  240805-vxll2swgpd  score 10
04-08-2024 22:14  240804-15xxyaxhmr  score 10
Analysis
max time kernel: 43s
max time network: 50s
platform: android_x64
resource: android-x64-20240624-en
resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
submitted: 06-08-2024 09:37
Behavioral task
behavioral1
Sample
xiezi015436 .apk
Resource
android-x64-20240624-en
General
Target: xiezi015436 .apk
Size: 5.0MB
MD5: 8fe8d843d3ccd242dce71ab13827aff3
SHA1: 1a650859ba4aaa79b9d091c6909afca7d8f12799
SHA256: aa8829ed490d1eb7794d3baf3f4693583da130d275b44083c050255fc92fc8a1
SHA512: ccbb57a89bb6cf1ed66b6b6c833bb52c27cf7f4034cebd3a38151f3f8999405ee09f24756e28b7bef6c2f20caede8ea110d52dff3735e89633fd36b449f0cc61
SSDEEP: 98304:ewmzezBzTz0trktFXpBX4MfjZakOqtkjDUwFUfaoK57f:+ze8YXpxj4kD2lF0W9f
Malware Config
Signatures
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | goat.proportion.performance
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | goat.proportion.performance
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | goat.proportion.performance

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes:
  description | ioc | process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | goat.proportion.performance

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Acquires the wake lock (1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | goat.proportion.performance

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | goat.proportion.performance

Performs UI accessibility actions on behalf of the user (1 TTP, 36 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
  ioc | process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | goat.proportion.performance (36 identical entries)

Queries information about active data network (1 TTP, 1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | goat.proportion.performance

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
Processes:
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | goat.proportion.performance

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
Processes:
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | goat.proportion.performance

Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes:
  description | ioc | process
  Framework service call | android.app.job.IJobScheduler.schedule | goat.proportion.performance

Checks CPU information (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  File opened for read | /proc/cpuinfo | goat.proportion.performance

Checks memory information (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  File opened for read | /proc/meminfo | goat.proportion.performance
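A small triage helper that runs over the framework service call IoCs listed in the signatures above. This is an added example by the editor, not part of the sandbox report or its signature engine. The input layout ("process call [count]"), the behaviour labels, and the combined-behaviour rules are the editor's own assumptions; the technique names are taken from this page's ATT&CK Mobile section. The sample input is constructed from the IoCs on this page, with the 36 performGlobalAction entries collapsed into one line carrying a count.

```python
import re
from collections import Counter

# Constructed sample: the binder calls this report attributes to
# goat.proportion.performance, one "<process> <interface.method> [count]" per line.
SAMPLE_IOCS = """\
goat.proportion.performance android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
goat.proportion.performance android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
goat.proportion.performance android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
goat.proportion.performance android.content.IClipboard.addPrimaryClipChangedListener
goat.proportion.performance android.os.IPowerManager.acquireWakeLock
goat.proportion.performance android.app.IActivityManager.setServiceForeground
goat.proportion.performance android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction 36
goat.proportion.performance android.net.IConnectivityManager.getActiveNetworkInfo
goat.proportion.performance com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
goat.proportion.performance android.app.IActivityManager.registerReceiver
goat.proportion.performance android.app.job.IJobScheduler.schedule
"""

# (regex on the binder call, behaviour label, technique as named in the report's
# ATT&CK section). Labels and the mapping are the editor's assumptions.
RULES = [
    (r"IAccessibilityServiceConnection\.findAccessibilityNodeInfos?By", "a11y_screen_read", "Input Capture"),
    (r"IAccessibilityServiceConnection\.performGlobalAction", "a11y_global_action", "Input Injection"),
    (r"IClipboard\.addPrimaryClipChangedListener", "clipboard_listener", "Clipboard Data"),
    (r"IActivityManager\.setServiceForeground", "foreground_service", "Foreground Persistence"),
    (r"IActivityManager\.registerReceiver", "runtime_receiver", "Broadcast Receivers"),
    (r"IJobScheduler\.schedule", "scheduled_job", "Scheduled Task/Job"),
    (r"IPowerManager\.acquireWakeLock", "wake_lock", None),
    (r"IConnectivityManager\.getActiveNetworkInfo", "active_network_query", "System Network Connections Discovery"),
    (r"ITelephony\.getNetworkCountryIsoForPhone", "mcc_query", "System Network Configuration Discovery"),
]

# Call combinations that together look like an accessibility-driven banker/RAT
# rather than a legitimate accessibility tool (editor's heuristics).
COMBOS = [
    ({"a11y_screen_read", "a11y_global_action"}, "screen scraping plus global UI actions"),
    ({"a11y_screen_read", "clipboard_listener"}, "screen reads plus clipboard listener: credential/OTP harvesting profile"),
    ({"foreground_service", "runtime_receiver", "scheduled_job"}, "foreground service, runtime receiver and job scheduler: layered persistence"),
    ({"active_network_query", "mcc_query"}, "network state and MCC queries: targeting or C2 reachability checks"),
]

LINE_RE = re.compile(r"^(?P<process>\S+)\s+(?P<call>\S+)(?:\s+(?P<count>\d+))?$")


def parse_iocs(text):
    """Return (process, call, count) tuples; blank, comment or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        if m:
            rows.append((m["process"], m["call"], int(m["count"] or 1)))
    return rows


def classify(rows):
    """Count behaviour labels per process; calls matching no rule count as 'unclassified'."""
    per_process = {}
    for process, call, count in rows:
        label = next((name for pat, name, _ in RULES if re.search(pat, call)), "unclassified")
        per_process.setdefault(process, Counter())[label] += count
    return per_process


def findings(counts):
    """Combined-behaviour descriptions whose every label is present in `counts`."""
    present = {label for label, n in counts.items() if n > 0}
    return [text for labels, text in COMBOS if labels <= present]


def techniques(counts):
    """Sorted technique names (as this page's ATT&CK section names them) hit by `counts`."""
    return sorted({t for _, name, t in RULES if t and counts.get(name, 0) > 0})


def triage(text):
    """Run the whole pipeline over a report extract; returns {process: summary}."""
    return {
        proc: {
            "calls": sum(counts.values()),
            "behaviours": dict(counts),
            "techniques": techniques(counts),
            "findings": findings(counts),
        }
        for proc, counts in classify(parse_iocs(text)).items()
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_IOCS), indent=2))
```

The point of the combination rules is that no single binder call in this report is suspicious on its own (a screen reader and a password manager use the same accessibility and clipboard interfaces); what separates this sample from a benign accessibility app is the co-occurrence of screen reads, 36 global actions, a clipboard listener and three persistence mechanisms in one process, which is what the report's own "Prevent Application Removal" and "Input Capture" mappings reflect.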
Processes
goat.proportion.performance (PID: 4944)
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
  Scheduled Task/Job (1)
Defense Evasion
  Foreground Persistence (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Credential Access
  Clipboard Data (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Discovery
  Software Discovery (1)
    Security Software Discovery (1)
  System Information Discovery (2)
  System Network Configuration Discovery (1)
  System Network Connections Discovery (1)
Downloads
Filesize: 21B
MD5: 0b1f75938c5ba26cd58a25c5f9f40926
SHA1: ccfffba984e8aae471ab08a12c3b73b1bdc9252d
SHA256: 4326a4c64514beb75e863292311c382b31ded1775253cb93472573562674ba72
SHA512: cc1f54c6bb8cc6539b5f4a915dab61eb2c1b610a70f66d62970b75a9b9356f0a8452e971587ece39fa2ed57c972cee84d071cf4749e926c01ebe32b5f54bc856

Filesize: 21B
MD5: 1d5c8ac9435fdfa7d48a3659e4e4aa8a
SHA1: 0e5d8088d0de9223b7486a6e6d341cfce2f7630c
SHA256: c4a7fdecbe064016dfc7154631496ab643c059e1716a8e036e0200c9058da037
SHA512: ae008d2531ac40ab32399f25d5501e2a8a3a955a168014db72988a2be60d958be25403e096e560b89bcb0858c18877e496f7796e913b91fa497ae9c8d8bfdba3

Filesize: 21B
MD5: cfb2fc8a0af4f4adec3fe47a4b07650c
SHA1: bf2888f53795c86ca8cd8f65477b475181502547
SHA256: 916f3c154374fb9958d715001a369e4eb7a00ba5b3dc8c39a3f91b23be1e191d
SHA512: f7e44ccc4e499e319960f5c9f1aa49fac6038912d3608bdd161d0279d422b40456292eabef080f0e3466f2050b5240d3ee6d653dc80df489a859a367c1d289c6

Filesize: 276B
MD5: 99db2431bb636c838f5cb9c814f921a7
SHA1: 779a1944770c60d5e09b760a433723a37145bafd
SHA256: 1982d4769043a1a965a8395c4a4f34e52849612ff69121143301b3de46ca55ac
SHA512: 5301974bcba199a707cc698465bf5f8da044b2e79814fb1f10cd302786fecf41cdf54d517e19d2e8a28f41eb4b80cf4657b2f9dbbdefcc986d97dc52dfb06728