Analysis
max time kernel: 95s
max time network: 84s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 24-08-2024 10:18
Static task: static1

Behavioral task: behavioral1
Sample: f76524d907aa6b2e6f192e3e513622ab31489997d0754df775f9f5e8e111e3e4.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: f76524d907aa6b2e6f192e3e513622ab31489997d0754df775f9f5e8e111e3e4.apk
Resource: android-x64-20240624-en

Behavioral task: behavioral3
Sample: f76524d907aa6b2e6f192e3e513622ab31489997d0754df775f9f5e8e111e3e4.apk
Resource: android-x64-arm64-20240624-en
General
Target: f76524d907aa6b2e6f192e3e513622ab31489997d0754df775f9f5e8e111e3e4.apk
Size: 2.1MB
MD5: 9495d2a58fb5efe2189ab890fe98a2fa
SHA1: e30941e6adb3411176509c79e0377a9b4903717d
SHA256: f76524d907aa6b2e6f192e3e513622ab31489997d0754df775f9f5e8e111e3e4
SHA512: 31e828bec5be506c823c3eeba6c1174d339510c5479ef93f0000453095c319c1c9330c859a133d7ac4af4df4b8ed6caccf744b57a0ecac012a2dbc7ebe46b141
SSDEEP: 49152:aaErDVPV5HJzTpkb6flyDqqQT775RPxpXQEg0JT4tYT+x8hw5zpcViOJouzoS8A:aaCpHJzTpkbHDqF75JxpOs42TybpuNoM
Malware Config
Signatures
Removes its main activity from the application launcher
pid | Process
4265 | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz
Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
ioc | pid | Process
/data/user/0/btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz/app_DynamicOptDex/cca.json | 4265 | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz
/data/user/0/btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz/app_DynamicOptDex/cca.json | 4290 | /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz/app_DynamicOptDex/cca.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz/app_DynamicOptDex/oat/x86/cca.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz/app_DynamicOptDex/cca.json | 4265 | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Acquires the wake lock (1 IoCs)
description | ioc | Process
Framework service call | android.os.IPowerManager.acquireWakeLock | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description | ioc | Process
Framework service call | android.app.IActivityManager.setServiceForeground | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Performs UI accessibility actions on behalf of the user (1 TTPs, 1 IoCs)
Application may abuse the accessibility service to prevent its removal.
ioc | Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Queries information about active data network (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
description | ioc | Process
Intent action | android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Requests enabling of the accessibility settings. (1 IoCs)
description | ioc | Process
Intent action | android.settings.ACCESSIBILITY_SETTINGS | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Listens for changes in the sensor environment (might be used to detect emulation) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework API call | android.hardware.SensorManager.registerListener | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz

Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description | ioc | Process
Framework service call | android.app.job.IJobScheduler.schedule | btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz
Processes
btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz (PID: 4265)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Requests accessing notifications (often used to intercept notifications before users become aware).
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Requests enabling of the accessibility settings.
- Listens for changes in the sensor environment (might be used to detect emulation)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time

  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz/app_DynamicOptDex/cca.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/btkyxyc.kowtwacupumntmcf.qiwehukjxrxmukpisz/app_DynamicOptDex/oat/x86/cca.odex --compiler-filter=quicken --class-loader-context=& (PID: 4290)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution: 1
- Broadcast Receivers: 1
- Foreground Persistence: 1
- Scheduled Task/Job: 1
Defense Evasion
- Download New Code at Runtime: 1
- Foreground Persistence: 1
- Hide Artifacts: 3
- Suppress Application Icon: 1
- User Evasion: 2
- Impair Defenses: 1
- Prevent Application Removal: 1
- Input Injection: 1
Credential Access
- Access Notifications: 1
- Input Capture: 2
- GUI Input Capture: 1
- Keylogging: 1
Downloads

Filesize: 1.4MB
MD5: 0e5739c89dfe5f9dd8f93841560dbb47
SHA1: 3f507351b592fc133c5e930f26f9565108e978b3
SHA256: d77cfdc3c783695a1776b033f409dc5375990de3f4272f73c2008fe426600a1c
SHA512: 73fe1cf143b223608db3ca05c9978516692f6bfe6ffabc3e06a4892c855929e2dc18659e8b51c36b26627ddd637da571fd8b29c8e011235c04aa51b50e5cd2ae

Filesize: 1.4MB
MD5: 818950cda870ce6b4ef7b46e8ad89c29
SHA1: 7ad04f6a2df89ea2c4a9935c496ea88a89f90f90
SHA256: d4884cd50ecd05387a0c2b3693fb16f39fdd6f4516337fbf54f0ab6e9a01f564
SHA512: c49c3d15c37db1da8244f33a9fb4f864dc311d6b126ba15120915a3363f198f1d5eb67c78f8a2719c8c1fef13774e17526b663bde4c0326f7d48a8ebacd7402a

Filesize: 475B
MD5: e7b8c0989cb1474eefe462b687cee887
SHA1: 00380316cf0a1e584674fcf816d29190956b0b78
SHA256: 223f7c624704159e02589eb5190da8a48d1174550a0facd05066b34ce08bcb36
SHA512: 305275d6025e6c824e538b85ec816fd7e6ff71b7440c94e154ce5f40024b1f7d32bf701b00d0a2cd15b48f6def3fcfd468f23b0c5232c2eec9fcf63504a6abbb

Filesize: 1.4MB
MD5: 1b502db42f2ef1f8f5b6016ce0996340
SHA1: 5a5add7dc790496a0e245c082e326041675d833c
SHA256: cfc89ee8db9910fc01e8f0487e37fb2d8f6ac5ffa451d9d6d953240fa4a3df06
SHA512: 79f557ec6a2be10d520284d09304bf02b86440aeed3f7aedcdfe7df6b5faa71bbc5a7dc99364a5f751f302de0614f382bb4a1542d5f7dbfae72a08cb0040af69