Analysis
max time kernel: 179s
max time network: 173s
platform: android_x64
resource: android-x64-arm64-20240624-en
resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
submitted: 06-08-2024 09:51
Behavioral task: behavioral1
Sample: ready.apk
Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
Sample: ready.apk
Resource: android-x64-20240624-en
Behavioral task: behavioral3
Sample: ready.apk
Resource: android-x64-arm64-20240624-en
General
Target: ready.apk
Size: 6.2MB
MD5: 211d34ce11710f949825bb6cd0df21df
SHA1: 4485edf80952024922c352b1616f507e65a6d634
SHA256: e9d1f2314105bfa14bc60b3e312463a044fa4cc7b1c8455751a9f2582a077ce2
SHA512: 4f68ef062189262ffc95c12ee9b5b1cd6ea20af2c20493a7114ec3e88ec4f6abdadf6c062c19249cfe4d05dd89dcec5000f2dcf3655078c55a19d70c0b86ee63
SSDEEP: 24576:GIAma80GlSNwpBlicH26/yHLRF7VyioVDca77EjwFsNiz:GTmaUJpBR26KlF7Vyiod77wC
Malware Config
Signatures
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: westminster.ala.soldier
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | westminster.ala.soldier
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | westminster.ala.soldier
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | westminster.ala.soldier

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes: westminster.ala.soldier
description | ioc | process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | westminster.ala.soldier

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Acquires the wake lock (1 IoCs)
Processes: westminster.ala.soldier
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | westminster.ala.soldier

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes: westminster.ala.soldier
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | westminster.ala.soldier

Queries information about active data network (1 TTPs, 1 IoCs)
Processes: westminster.ala.soldier
description | ioc | process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | westminster.ala.soldier

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
Processes: westminster.ala.soldier
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | westminster.ala.soldier

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes: westminster.ala.soldier
description | ioc | process
Framework service call | android.app.job.IJobScheduler.schedule | westminster.ala.soldier

Checks CPU information (2 TTPs, 1 IoCs)
Processes: westminster.ala.soldier
description | ioc | process
File opened for read | /proc/cpuinfo | westminster.ala.soldier

Checks memory information (2 TTPs, 1 IoCs)
Processes: westminster.ala.soldier
description | ioc | process
File opened for read | /proc/meminfo | westminster.ala.soldier
Processes
westminster.ala.soldier (PID: 4492)
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Foreground Persistence: 1
- Hide Artifacts: 1
- User Evasion: 1
- Input Injection: 1
- Virtualization/Sandbox Evasion: 2
- System Checks: 2
Credential Access
- Clipboard Data: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1
Discovery
- Software Discovery: 1
- Security Software Discovery: 1
- System Information Discovery: 2
- System Network Connections Discovery: 1
Downloads
Filesize: 17B
MD5: e9741c8b822d66f3190e379511b05305
SHA1: 5a534d9a8acf1d681cc5fcc3fe872eff02abaec2
SHA256: 5cbdeb6552a33c4de8ade686f135d01418fe09d82e9cb3a7219be145c80bd152
SHA512: 44db01c4a90608d23be9825e7ce24d240e1ee211e576b7b67b564b67f7737d9fcd28ed5338196bc5541592ad0284aeda4a9f4df0302f462147b127f3a1db1fc9

Filesize: 33B
MD5: 1b53a778d621f0c57c870a8671885ba0
SHA1: 5b59c23b354ca814f75c2e948bb265cd1222c44d
SHA256: 0d0ef5fa2ac930e0af6b1dd79ad347ccce39b6199e86416162d65578e87a75d2
SHA512: 1c1466a20de1c20a1d297484b77e4a5c9717830c1d42fbdc82a5ed39acb527147e79961cf730a8aba906102b338dce8eca7256189747464782002ff0d61f6b41

Filesize: 17B
MD5: 5b862261088406aa53ead558c39a2365
SHA1: 446b32d61f4ebb33a32341f59bcd44daccb0253c
SHA256: 5f4a8e64ea9e677d2d01cee8415d4c96fa34c2a28862b7d4f6065b6f0c7031f5
SHA512: 87b1362909a441eb4e40a654bb804e707fc06d5fa2f704d5cb09caa4b3361cf25086cd599fe1f7bc681f84c45f7e18bd3cc407a8b72225f6c3cdfcfd143699cd

Filesize: 272B
MD5: fafecf27ffab24bb18568aea2e29b084
SHA1: 1647b1374543d5885025f2a8ddf974fd1a72bb6c
SHA256: a39e7bfed91060c6c1c55e03e7eb3407e0657b923d8be8e8dd28ea590ab010ba
SHA512: 15196e5f365057641e7b6cf43357c57a3135a5d35d30cf2ab873b9a502cc39ed6927233020c0d9b9ca33fa1ab5337d84a5e7f6e943cd2de02f92430f31e656f4