Analysis
- max time kernel: 135s
- max time network: 141s
- platform: android_x64
- resource: android-x64-20240624-en
- resource tags: android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
- submitted: 07-08-2024 21:56
Behavioral task: behavioral1
- Sample: ready.apk
- Resource: android-x64-20240624-en
General
- Target: ready.apk
- Size: 8.5MB
- MD5: 6082b5dc1353aae9aa21cdea633aba35
- SHA1: 8938bf46337000b30a0506d0462d46166de49899
- SHA256: 22db1592a6baa3f90ae2ba47bc024b28ab48b2fb420e2b838ba216c9bfaa9507
- SHA512: befcf1b32e352e2ba1dc09f5c4b32ee2ce7685522be5d1e54967723a9f8cbf150649f7b3d11cf1ce1ca42d1524ce61dbc6115b0a4095b0aa35c8882e2eeb6b0d
- SSDEEP: 98304:ES6p+dL6maOWsGN6GpQ81Mlmz8zBmTC0tRu:ES6pc1WskT13zlB0
Malware Config
Signatures
- Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  Processes: susan.re.tape
  description | ioc | process
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | susan.re.tape
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | susan.re.tape
  Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | susan.re.tape
- Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
  Processes: susan.re.tape
  description | ioc | process
  Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | susan.re.tape
- Acquires the wake lock (1 IoCs)
  Processes: susan.re.tape
  description | ioc | process
  Framework service call | android.os.IPowerManager.acquireWakeLock | susan.re.tape
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: susan.re.tape
  description | ioc | process
  Framework service call | android.app.IActivityManager.setServiceForeground | susan.re.tape
- Performs UI accessibility actions on behalf of the user (1 TTPs, 8 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  Processes: susan.re.tape
  ioc | process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | susan.re.tape (this call is recorded 8 times)
- Queries information about active data network (1 TTPs, 1 IoCs)
  Processes: susan.re.tape
  description | ioc | process
  Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | susan.re.tape
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
  Processes: susan.re.tape
  description | ioc | process
  Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | susan.re.tape
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
  Processes: susan.re.tape
  description | ioc | process
  Framework service call | android.app.IActivityManager.registerReceiver | susan.re.tape
- Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
  Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
  Processes: susan.re.tape
  description | ioc | process
  Framework service call | android.app.job.IJobScheduler.schedule | susan.re.tape
- Checks CPU information (2 TTPs, 1 IoCs)
  Processes: susan.re.tape
  description | ioc | process
  File opened for read | /proc/cpuinfo | susan.re.tape
- Checks memory information (2 TTPs, 1 IoCs)
  Processes: susan.re.tape
  description | ioc | process
  File opened for read | /proc/meminfo | susan.re.tape
Processes
- susan.re.tape (PID: 4963)
  - Makes use of the framework's Accessibility service
  - Obtains sensitive information copied to the device clipboard
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Checks CPU information
  - Checks memory information
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution: 1
  - Broadcast Receivers: 1
  - Foreground Persistence: 1
  - Scheduled Task/Job: 1
- Defense Evasion
  - Foreground Persistence: 1
  - Impair Defenses: 1
  - Prevent Application Removal: 1
  - Input Injection: 1
  - Virtualization/Sandbox Evasion: 2
  - System Checks: 2
- Credential Access
  - Clipboard Data: 1
  - Input Capture: 2
  - GUI Input Capture: 1
  - Keylogging: 1
- Discovery
  - System Information Discovery: 2
  - System Network Configuration Discovery: 1
  - System Network Connections Discovery: 1
Downloads
- Filesize: 25B
  MD5: ba30336bf53d54ed3c0ea69dd545de8c
  SHA1: ce99c6724c75b93b7448e2d9fac16ca702a5711f
  SHA256: 2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af
  SHA512: eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e
- Filesize: 25B
  MD5: c272d9f3c5617a1229b6cc1405dcfc16
  SHA1: 244dec9624acb498004f7a5d28450458aa7991a5
  SHA256: 5f9bc6e730f16a5f4d09a8672eb5d169c3133a16c8eaeb338da3d73f78737054
  SHA512: 5ae15ac746859fd8a9f7acd067690ce7e3bc19a6aa4760fda21a3b783085237527d3c3103964c7b50e68418cd7b1fbf1d366383e42e8335f422fd0c30381935c
- Filesize: 280B
  MD5: 784d0d1671158562c2e323c6b29e5dd8
  SHA1: e62b45b71c4ff4c81565fa22e32cae4b34a7b756
  SHA256: 8fbaff3feaf0fa2309e71109bba620047f66c4ae1f1cb8ad3745aa61ae2adc83
  SHA512: 7dad19269c3320af25af437c8e17eb89714cd83b6766db34c1f04b0989cd5279c20a5de7e511b751b3a5c8de3aa06feb7503ac4c3d7a40e68eaee4e14af7178c