Analysis
- max time kernel: 154s
- max time network: 139s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 25-08-2024 05:34
Static task
static1
General
- Target: Indian Army.apk
- Size: 15.8MB
- MD5: 74cabe96731427c1ce99c2e02b69f19b
- SHA1: e30fe038535e73ce135339677c6b609b22079d90
- SHA256: 7f753c97e4d13bd94eda8f2505d6f228e97ea615692bf33ed030a4d4db78960b
- SHA512: 28b969f2e5e0f8c8bb746d170183972211fac6e6ae8b0c9f91e954fe0c17e14a1bc3441382c3678b2b619730f658c89563252c5f4877399a7ac41fa3b43abda1
- SSDEEP: 393216:5zzVhBvXzRQ6ymfXyMKVJJ1eIje5Qc5ahxDaaVHnOy:RzVne6LXyMcJJ1e5uhxVHOy
Malware Config
Signatures
- pid / Process: 4482 com.devicf
- Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc / pid / Process:
  - /data/user/0/com.devicf/cache/natives_sec_blob968523387863523665.dex / 4482 / com.devicf
  - /data/user/0/com.devicf/cache/natives_sec_blob968523387863523665.dex / 4482 / com.devicf
- Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) (1 TTPs)
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow / ioc:
  - 37 / pastebin.com
  - 38 / pastebin.com
  - 115 / pastebin.com
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description / ioc / Process: Framework service call / android.app.IActivityManager.setServiceForeground / com.devicf
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  description / ioc / Process: Intent action / android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS / com.devicf
- Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description / ioc / Process: Framework API call / javax.crypto.Cipher.doFinal / com.devicf
Processes
- com.devicf (PID: 4482)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's foreground persistence service
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Uses Crypto APIs (Might try to encrypt user data)
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Downloads
- Filesize: 407KB
  MD5: d743db0c89d4626d2e078ecebae80a04
  SHA1: 07faeec4f4892ea850bd76e31ad2779b8c3bda64
  SHA256: 2f1a706ebdb117e3f7c63deabdd1df7032352f9517293cd8f19dc126d66dbfb0
  SHA512: 9dd5126cbb4d0a887ef0231a7c8582e9c69ecbbed71204cb14c6ddcd1000f19479a0cbe11b663c3b617fd85acc57e15419d7220ecc5c7002e11b2ea432bf4955
- Filesize: 273B
  MD5: 073fcef210080a7d20892b6ba6092868
  SHA1: a752b0691aebf4de84936cbabe6dbc1cdbc24d0c
  SHA256: 1701a7c317a17b3383a8ae8451d73f3b3c54cdf09553997d96ad9c05b2e7c89a
  SHA512: 2f64a31bfc32aa18ec5711c0c22502e525e776ea68ed2ded8bba0e46cb9fae69b0b0f622a6df30dce7daa80ce86c354ee96ddb5454ab44aaf60f099dd3722524