Analysis

  • max time kernel
    179s
  • max time network
    173s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
  • submitted
    06-08-2024 09:51

General

  • Target

    ready.apk

  • Size

    6.2MB

  • MD5

    211d34ce11710f949825bb6cd0df21df

  • SHA1

    4485edf80952024922c352b1616f507e65a6d634

  • SHA256

    e9d1f2314105bfa14bc60b3e312463a044fa4cc7b1c8455751a9f2582a077ce2

  • SHA512

    4f68ef062189262ffc95c12ee9b5b1cd6ea20af2c20493a7114ec3e88ec4f6abdadf6c062c19249cfe4d05dd89dcec5000f2dcf3655078c55a19d70c0b86ee63

  • SSDEEP

    24576:GIAma80GlSNwpBlicH26/yHLRF7VyioVDca77EjwFsNiz:GTmaUJpBR26KlF7Vyiod77wC

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoC

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) 1 TTP
  • Acquires the wake lock 1 IoC
  • Makes use of the framework's foreground persistence service 1 TTP 1 IoC

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about active data network 1 TTP 1 IoC
  • Requests disabling of battery optimizations (often used to enable hiding in the background) 1 TTP 1 IoC
  • Schedules tasks to execute at a specified time 1 TTP 1 IoC

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoC
  • Checks memory information 2 TTPs 1 IoC

Processes

  • westminster.ala.soldier
    PID:4492
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information

Network

MITRE ATT&CK Mobile v15

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-06.txt

    Filesize

    17B

    MD5

    e9741c8b822d66f3190e379511b05305

    SHA1

    5a534d9a8acf1d681cc5fcc3fe872eff02abaec2

    SHA256

    5cbdeb6552a33c4de8ade686f135d01418fe09d82e9cb3a7219be145c80bd152

    SHA512

    44db01c4a90608d23be9825e7ce24d240e1ee211e576b7b67b564b67f7737d9fcd28ed5338196bc5541592ad0284aeda4a9f4df0302f462147b127f3a1db1fc9

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-06.txt

    Filesize

    33B

    MD5

    1b53a778d621f0c57c870a8671885ba0

    SHA1

    5b59c23b354ca814f75c2e948bb265cd1222c44d

    SHA256

    0d0ef5fa2ac930e0af6b1dd79ad347ccce39b6199e86416162d65578e87a75d2

    SHA512

    1c1466a20de1c20a1d297484b77e4a5c9717830c1d42fbdc82a5ed39acb527147e79961cf730a8aba906102b338dce8eca7256189747464782002ff0d61f6b41

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-06.txt

    Filesize

    17B

    MD5

    5b862261088406aa53ead558c39a2365

    SHA1

    446b32d61f4ebb33a32341f59bcd44daccb0253c

    SHA256

    5f4a8e64ea9e677d2d01cee8415d4c96fa34c2a28862b7d4f6065b6f0c7031f5

    SHA512

    87b1362909a441eb4e40a654bb804e707fc06d5fa2f704d5cb09caa4b3361cf25086cd599fe1f7bc681f84c45f7e18bd3cc407a8b72225f6c3cdfcfd143699cd

  • /storage/emulated/0/Config/sys/apps/log/log-2024-08-06.txt

    Filesize

    272B

    MD5

    fafecf27ffab24bb18568aea2e29b084

    SHA1

    1647b1374543d5885025f2a8ddf974fd1a72bb6c

    SHA256

    a39e7bfed91060c6c1c55e03e7eb3407e0657b923d8be8e8dd28ea590ab010ba

    SHA512

    15196e5f365057641e7b6cf43357c57a3135a5d35d30cf2ab873b9a502cc39ed6927233020c0d9b9ca33fa1ab5337d84a5e7f6e943cd2de02f92430f31e656f4