Analysis
- max time kernel: 179s
- max time network: 187s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 06-08-2024 09:51
Behavioral tasks
- behavioral1: sample ready.apk, resource android-x86-arm-20240624-en
- behavioral2: sample ready.apk, resource android-x64-20240624-en
- behavioral3: sample ready.apk, resource android-x64-arm64-20240624-en
General
- Target: ready.apk
- Size: 6.2MB
- MD5: 211d34ce11710f949825bb6cd0df21df
- SHA1: 4485edf80952024922c352b1616f507e65a6d634
- SHA256: e9d1f2314105bfa14bc60b3e312463a044fa4cc7b1c8455751a9f2582a077ce2
- SHA512: 4f68ef062189262ffc95c12ee9b5b1cd6ea20af2c20493a7114ec3e88ec4f6abdadf6c062c19249cfe4d05dd89dcec5000f2dcf3655078c55a19d70c0b86ee63
- SSDEEP: 24576:GIAma80GlSNwpBlicH26/yHLRF7VyioVDca77EjwFsNiz:GTmaUJpBR26KlF7Vyiod77wC
Malware Config
Signatures
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Process westminster.ala.soldier:
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText
  - Framework service call: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Process westminster.ala.soldier:
  - Framework service call: android.content.IClipboard.addPrimaryClipChangedListener
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Acquires the wake lock (1 IoC)
  Process westminster.ala.soldier:
  - Framework service call: android.os.IPowerManager.acquireWakeLock
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Process westminster.ala.soldier:
  - Framework service call: android.app.IActivityManager.setServiceForeground
- Queries information about active data network (1 TTP, 1 IoC)
  Process westminster.ala.soldier:
  - Framework service call: android.net.IConnectivityManager.getActiveNetworkInfo
- Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  Process westminster.ala.soldier:
  - Framework service call: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  Process westminster.ala.soldier:
  - Framework service call: android.app.IActivityManager.registerReceiver
- Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Process westminster.ala.soldier:
  - Framework service call: android.app.job.IJobScheduler.schedule
- Checks CPU information (2 TTPs, 1 IoC)
  Process westminster.ala.soldier:
  - File opened for read: /proc/cpuinfo
- Checks memory information (2 TTPs, 1 IoC)
  Process westminster.ala.soldier:
  - File opened for read: /proc/meminfo
Processes
- westminster.ala.soldier (PID 5066)
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1): Broadcast Receivers (1)
  - Foreground Persistence (1)
  - Scheduled Task/Job (1)
- Defense Evasion
  - Foreground Persistence (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2): System Checks (2)
- Credential Access
  - Clipboard Data (1)
  - Input Capture (2): GUI Input Capture (1), Keylogging (1)
- Discovery
  - Software Discovery (1): Security Software Discovery (1)
  - System Information Discovery (2)
  - System Network Configuration Discovery (1)
  - System Network Connections Discovery (1)
Downloads
- File 1 (filesize 17B)
  - MD5: e9741c8b822d66f3190e379511b05305
  - SHA1: 5a534d9a8acf1d681cc5fcc3fe872eff02abaec2
  - SHA256: 5cbdeb6552a33c4de8ade686f135d01418fe09d82e9cb3a7219be145c80bd152
  - SHA512: 44db01c4a90608d23be9825e7ce24d240e1ee211e576b7b67b564b67f7737d9fcd28ed5338196bc5541592ad0284aeda4a9f4df0302f462147b127f3a1db1fc9
- File 2 (filesize 33B)
  - MD5: 1b53a778d621f0c57c870a8671885ba0
  - SHA1: 5b59c23b354ca814f75c2e948bb265cd1222c44d
  - SHA256: 0d0ef5fa2ac930e0af6b1dd79ad347ccce39b6199e86416162d65578e87a75d2
  - SHA512: 1c1466a20de1c20a1d297484b77e4a5c9717830c1d42fbdc82a5ed39acb527147e79961cf730a8aba906102b338dce8eca7256189747464782002ff0d61f6b41
- File 3 (filesize 17B)
  - MD5: 5b862261088406aa53ead558c39a2365
  - SHA1: 446b32d61f4ebb33a32341f59bcd44daccb0253c
  - SHA256: 5f4a8e64ea9e677d2d01cee8415d4c96fa34c2a28862b7d4f6065b6f0c7031f5
  - SHA512: 87b1362909a441eb4e40a654bb804e707fc06d5fa2f704d5cb09caa4b3361cf25086cd599fe1f7bc681f84c45f7e18bd3cc407a8b72225f6c3cdfcfd143699cd
- File 4 (filesize 272B)
  - MD5: 7eb40d32778506a3cd6b32179d2ce7b8
  - SHA1: d93906ccdce613efee960ae81e4e684d711ea1ba
  - SHA256: 415539e393e879d6da9254603dd9a1ca4efc13c6389745a8e53d67ff8dd8e0b7
  - SHA512: 17f7239ce959148af6ed3d414c9a83c5c52b16159bcaf7f1d77fa69058e2fa0c9fc30d7e15d56eb189e219b1091f19e31be7599993fbcfbafbb0a8338fa30b88