Resubmissions

06-08-2024 09:37

240806-ll1gdszcqd 10

05-08-2024 17:24

240805-vypebswgrf 10

05-08-2024 17:22

240805-vxll2swgpd 10

04-08-2024 22:14

240804-15xxyaxhmr 10

Analysis

  • max time kernel
    43s
  • max time network
    50s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
  • submitted
    06-08-2024 09:37

General

  • Target

    xiezi015436 .apk

  • Size

    5.0MB

  • MD5

    8fe8d843d3ccd242dce71ab13827aff3

  • SHA1

    1a650859ba4aaa79b9d091c6909afca7d8f12799

  • SHA256

    aa8829ed490d1eb7794d3baf3f4693583da130d275b44083c050255fc92fc8a1

  • SHA512

    ccbb57a89bb6cf1ed66b6b6c833bb52c27cf7f4034cebd3a38151f3f8999405ee09f24756e28b7bef6c2f20caede8ea110d52dff3735e89633fd36b449f0cc61

  • SSDEEP

    98304:ewmzezBzTz0trktFXpBX4MfjZakOqtkjDUwFUfaoK57f:+ze8YXpxj4kD2lF0W9f

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 36 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • goat.proportion.performance
    1⤵
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4944

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-06.txt

    Filesize

    21B

    MD5

    0b1f75938c5ba26cd58a25c5f9f40926

    SHA1

    ccfffba984e8aae471ab08a12c3b73b1bdc9252d

    SHA256

    4326a4c64514beb75e863292311c382b31ded1775253cb93472573562674ba72

    SHA512

    cc1f54c6bb8cc6539b5f4a915dab61eb2c1b610a70f66d62970b75a9b9356f0a8452e971587ece39fa2ed57c972cee84d071cf4749e926c01ebe32b5f54bc856

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-06.txt

    Filesize

    21B

    MD5

    1d5c8ac9435fdfa7d48a3659e4e4aa8a

    SHA1

    0e5d8088d0de9223b7486a6e6d341cfce2f7630c

    SHA256

    c4a7fdecbe064016dfc7154631496ab643c059e1716a8e036e0200c9058da037

    SHA512

    ae008d2531ac40ab32399f25d5501e2a8a3a955a168014db72988a2be60d958be25403e096e560b89bcb0858c18877e496f7796e913b91fa497ae9c8d8bfdba3

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-06.txt

    Filesize

    21B

    MD5

    cfb2fc8a0af4f4adec3fe47a4b07650c

    SHA1

    bf2888f53795c86ca8cd8f65477b475181502547

    SHA256

    916f3c154374fb9958d715001a369e4eb7a00ba5b3dc8c39a3f91b23be1e191d

    SHA512

    f7e44ccc4e499e319960f5c9f1aa49fac6038912d3608bdd161d0279d422b40456292eabef080f0e3466f2050b5240d3ee6d653dc80df489a859a367c1d289c6

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-06.txt

    Filesize

    276B

    MD5

    99db2431bb636c838f5cb9c814f921a7

    SHA1

    779a1944770c60d5e09b760a433723a37145bafd

    SHA256

    1982d4769043a1a965a8395c4a4f34e52849612ff69121143301b3de46ca55ac

    SHA512

    5301974bcba199a707cc698465bf5f8da044b2e79814fb1f10cd302786fecf41cdf54d517e19d2e8a28f41eb4b80cf4657b2f9dbbdefcc986d97dc52dfb06728