Overview

overview

8

Static

static

6

6d6774973a...fe.apk

android-9-x86

8

6d6774973a...fe.apk

android-10-x64

8

6d6774973a...fe.apk

android-11-x64

8

Sharing

Copy URL Twitter E-mail

General

  • Target

    6d6774973a12cc7724a7729f6a6ab6a7ece755f7eb3c5b339a01b9de4a1cf2fe.bin

  • Size

    1.0MB

  • Sample

    240809-17cd1swcqg

  • MD5

    1e18f0bc52ba485fd1f839f670413cb9

  • SHA1

    e3aae4c17029cb71a7db2abc076e77aa0a157a53

  • SHA256

    6d6774973a12cc7724a7729f6a6ab6a7ece755f7eb3c5b339a01b9de4a1cf2fe

  • SHA512

    002574e5d3e09197a03479160f4f308857dec1f8e2f412c373c166c27e480ae478c247abaa4e9459eb0cdaf95a951e070ff40284ba869198a8a7db48e199a193

  • SSDEEP

    24576:9qA5ozZWrqvgb3NwvNHPziWGJDOND1tias3Mk13mzJLA+GvAiH:9r5UZOiG6GWKc3ias3j13mzZcA0

Score
8/10
androidbankercollectiondiscoveryevasionimpactpersistenceprivilege_escalationstealthtrojan

Malware Config

Targets

    • Target

      6d6774973a12cc7724a7729f6a6ab6a7ece755f7eb3c5b339a01b9de4a1cf2fe.bin

    • Size

      1.0MB

    • MD5

      1e18f0bc52ba485fd1f839f670413cb9

    • SHA1

      e3aae4c17029cb71a7db2abc076e77aa0a157a53

    • SHA256

      6d6774973a12cc7724a7729f6a6ab6a7ece755f7eb3c5b339a01b9de4a1cf2fe

    • SHA512

      002574e5d3e09197a03479160f4f308857dec1f8e2f412c373c166c27e480ae478c247abaa4e9459eb0cdaf95a951e070ff40284ba869198a8a7db48e199a193

    • SSDEEP

      24576:9qA5ozZWrqvgb3NwvNHPziWGJDOND1tias3Mk13mzJLA+GvAiH:9r5UZOiG6GWKc3ias3j13mzZcA0

    Score
    8/10
    bankercollectiondiscoveryevasionimpactpersistenceprivilege_escalationstealthtrojan

    • Removes its main activity from the application launcher

      stealthtrojanevasion

    • Checks known Qemu pipes.

      Checks for known pipes used by the Android emulator to communicate with the host.

      evasion

    • Loads dropped Dex/Jar

      Runs executable file dropped to the device during analysis.

      evasion

    • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

      bankerdiscovery

    • Queries account information for other applications stored on the device

      Application may abuse the framework's APIs to collect account information stored on the device.

      collection

    • Queries the phone number (MSISDN for GSM devices)

      discovery

    • Requests cell location

      Uses Android APIs to to get current cell location.

      collectiondiscoveryevasion

    • Acquires the wake lock

    • Queries information about active data network

      discovery

    • Queries information about the current Wi-Fi connection

      Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

      discovery

    • Queries the mobile country code (MCC)

      discovery

    • Queries the unique device ID (IMEI, MEID, IMSI)

      discovery

    • Reads information about phone network operator.

      discovery

    • Tries to add a device administrator.

      privilege_escalationimpact
    behavioral1behavioral2behavioral3

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1626

Device Administrator Permissions

1
T1626.001

Defense Evasion

Download New Code at Runtime

1
T1407

Execution Guardrails

1
T1627

Geofencing

1
T1627.001

Hide Artifacts

1
T1628

Suppress Application Icon

1
T1628.001

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Discovery

Location Tracking

1
T1430

Software Discovery

1
T1418

Security Software Discovery

1
T1418.001

System Information Discovery

1
T1426

System Network Configuration Discovery

4
T1422

System Network Connections Discovery

2
T1421

Lateral Movement

Collection

Location Tracking

1
T1430

Stored Application Data

1
T1409

Command and Control

Exfiltration

Impact

Account Access Removal

1
T1640

Tasks