Analysis
max time kernel: 179s
max time network: 186s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 26-08-2024 22:07
Static task: static1
Behavioral task: behavioral1
  Sample: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
  Resource: android-x64-20240624-en
Behavioral task: behavioral3
  Sample: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
  Resource: android-x64-arm64-20240624-en
General
Target: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014.apk
Size: 4.8MB
MD5: 7acf525b37bd716b16b905d6a57fa500
SHA1: ce51de2b984ffd9ce64614efa52d2ad29547bd4e
SHA256: e83fecae4baa2f7edf37bf398f0705d20b9946cfcc2cc7397e451d6d5ae11014
SHA512: 67b8f3b6b781c1adad0be9b9a1a2d89f4133f28a17d3a617ca8980f16fda14e2755cfe2e11a6a08d436757c3c14bbfab576a45ac9d5b5b5c72dbdca3eaae1393
SSDEEP: 98304:ifrlNqjQu3ltTcCysCtb/yP5JlP4cvVBzCOlx3c/BwxF3dHEB+1KBwJBRk:ifrlIlt0tTc5P5vVhCOkwf3dkYoB+g
Malware Config
Signatures
FluBot
  FluBot is an Android banking trojan that uses overlays.
FluBot payload (1 IoCs)
  resource: behavioral1/memory/4277-0.dex  yara_rule: family_flubot
Removes its main activity from the application launcher
  pid: 4247  Process: com.tencent.mobileqq
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc: /data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7
    pid: 4277
    Process: /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7 --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/oat/x86/base.apk.7FjfUh71.odex --compiler-filter=quicken --class-loader-context=&
  ioc: /data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7
    pid: 4247
    Process: com.tencent.mobileqq
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  Process: com.tencent.mobileqq
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId  Process: com.tencent.mobileqq
  description: Framework service call  ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText  Process: com.tencent.mobileqq
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 7  ioc: ipinfo.io
  flow: 8  ioc: ipinfo.io
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description: Framework service call  ioc: android.app.IActivityManager.setServiceForeground  Process: com.tencent.mobileqq
Performs UI accessibility actions on behalf of the user (1 TTPs, 3 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.tencent.mobileqq
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.tencent.mobileqq
  ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  Process: com.tencent.mobileqq
Queries information about active data network (1 TTPs, 1 IoCs)
  description: Framework service call  ioc: android.net.IConnectivityManager.getActiveNetworkInfo  Process: com.tencent.mobileqq
Requests accessing notifications (often used to intercept notifications before users become aware). (1 TTPs, 1 IoCs)
  description: Intent action  ioc: android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS  Process: com.tencent.mobileqq
Requests changing the default SMS application. (2 TTPs, 1 IoCs)
  description: Intent action  ioc: android.provider.Telephony.ACTION_CHANGE_DEFAULT  Process: com.tencent.mobileqq
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
  description: Intent action  ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  Process: com.tencent.mobileqq
Requests enabling of the accessibility settings. (1 IoCs)
  description: Intent action  ioc: android.settings.ACCESSIBILITY_SETTINGS  Process: com.tencent.mobileqq
Uses Crypto APIs (Might try to encrypt user data) (1 TTPs, 1 IoCs)
  description: Framework API call  ioc: javax.crypto.Cipher.doFinal  Process: com.tencent.mobileqq
Processes
com.tencent.mobileqq (PID 4247)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries information about active data network
  - Requests accessing notifications (often used to intercept notifications before users become aware).
  - Requests changing the default SMS application.
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Requests enabling of the accessibility settings.
  - Uses Crypto APIs (Might try to encrypt user data)
  /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/base.apk.7FjfUh71.fy7 --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/user/0/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/oat/x86/base.apk.7FjfUh71.odex --compiler-filter=quicken --class-loader-context=& (PID 4277)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Mobile v15
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
Credential Access
  Access Notifications (1)
  Input Capture (2)
    GUI Input Capture (1)
    Keylogging (1)
Downloads
/data/data/com.tencent.mobileqq/agUkgggIg8/eeGgfghgeejgfgr/tmp-base.apk.7FjfUh71309980446537125918.fy7
  Filesize: 918KB
  MD5: 92a17c95b62516fa03a1bce7078c1347
  SHA1: fac4fb202522b2edf068de81ea47ad6d0e711fcd
  SHA256: 52be0d32048188725166de8d1b4c0a61dbb505ccae03d7bdbbd5814b39f7d5e7
  SHA512: 30435e217d79313ae80c4b31bea38e4c29b429327d40327c9cd26b1abf1e2de228335d5eceb2560725c6beb21ad9edf5a730f1386311f4fc41ce562f804d808b
(no path recorded)
  Filesize: 2.0MB
  MD5: 28860a73d09a3a605f9cd9126a5dc187
  SHA1: b0ca441db850e7a826e6e9078f79900ac56ebcee
  SHA256: 42527f144284424c65171dd1ce40cc10cec846c5ee920ce3d3aea77ca1587c5d
  SHA512: e3f99db49e32f1cb265d4de315b3f5d81007da546b92965c364e18d1461f932c4caffbb22599ceafc9c9917f676cdc0eebd537164ad9301436e82b9d321e060c