312a30b8abbf7caaf0cf3ac312eef5eef78c8a777af2b04db4195700bdb07cd0

Resubmissions

02/09/2024, 12:56

240902-p6p3yazhql 8

02/09/2024, 11:26

240902-nj99xsygml 8

02/09/2024, 11:08

240902-m8vp4azcpe 10

Analysis

max time kernel
106s
max time network
111s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
02/09/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LIVE XXX (3).apk
Size

4.8MB
MD5

98931c607b3b6be96fecf4e54fd62b48
SHA1

4a3ec0ba1d74e61be278a4ab7b2e4f1f55e003a8
SHA256

312a30b8abbf7caaf0cf3ac312eef5eef78c8a777af2b04db4195700bdb07cd0
SHA512

4255a282c3500afc891bbfdc7b10599b5fc07c86ae9e0bced92a30de9d60398c75d695cbca35015fbdf9307f7ea003bad0c400c3aca6dc5fd9c76687aa88aba2
SSDEEP

98304:TbJuaNHeoBzzY9UbDh6BDehFEzj154vqT75v2dOIYAhag:TNkoBfgBDehOzx54al2Nz0g

Score

8^/10

collection credential_access evasion execution persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
4241	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 6 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	4241	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	4293	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/apk.crazy-v1.AndroidManifest.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	4241	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	4367	com.tencent.mm:remote
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	4463	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/apk.crazy-v1.AndroidManifest.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	4367	com.tencent.mm:remote

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm:remote

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4241
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/apk.crazy-v1.AndroidManifest.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4293

com.tencent.mm:remote
1⤵
- Loads dropped Dex/Jar
- Schedules tasks to execute at a specified time
PID:4367
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.tencent.mm/app_mph_dex/oat/x86/apk.crazy-v1.AndroidManifest.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4463

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

User Evasion

T1628.002

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml

Filesize
7.9MB

MD5
f8e11d98fbaf38ebd77bc811887a0742

SHA1
1b5aa6aa71e134310021c20c91b4e3584b72090b

SHA256
1e1f2f64622098d3530df5819b7cf87b41b2969583f05e60160884eebd38b9d1

SHA512
8df0ea75f556a1ef70f023f8fa1521921c4f6f67ee1304c2396324727fcf6b847b05010978cf07c846425f027cc2753d24ff760b489416914c53971d2d155445

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
36KB

MD5
3eae2a98ffcadf99497b974231c78998

SHA1
d4b52954e79ddac14499cbab13ef96deca2ed796

SHA256
c2c8ad8270f2e24b0479959fcf7e37ede00080b9b128fbcd3c30e13dbbda8c86

SHA512
7c5770b83ffdd028d07736d2dd0a150e1b74688289197c8b6865c3bd59f35984e81d2e0f509b9dc8a491b46f8341621685e55a6220431e27dd0327ad21fada64

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-wal

Filesize
72KB

MD5
fb0e184b6eae5dff8ce7f65ae3979835

SHA1
ac065ce45c585dd40acc3302ac66c7675c3c87ac

SHA256
ec6af1346aed27dc70f272a3de4ccd1b9d2c0aa028f843861f12af66c7346d0f

SHA512
431170b6c3e0eb7c79e8cf8f0bba04edb2e9654b0c83e296ae8f2ba75d866371090e10ede028101cea0a85265c7798637371b80d3ea3134a71008e9983746c29

Download Submit
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml

Filesize
7.9MB

MD5
c8200af007dc02e887c34654f173d832

SHA1
a653cd477708311d4ba131ed24ec99daef2d101e

SHA256
1d2b3c43f810ad4085a5d117bbcaae4121c1ec2e6c3690d378b0719b852699b8

SHA512
3983a9ef2dcd70f819c80480fa476743f179f972a41246e16575670b5c172996d47a5b936b2bcc2a33765581119f704a4d1f1e7918ebb204fb281157134740f5

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
45B

MD5
0fd0027e48564400b030e49702411fcc

SHA1
5fdbd6adda1197ec3be92a404f363a85b5c15792

SHA256
943c9c7f5ce0e54b488c9ae2728f082076dc9e139b1aab4c1dc7705d3cc3175e

SHA512
2705ade851abf46df9cbf0601904efe44d3330c2591f4c2572b3a64f09c5bc447bf2bd40033227d7aa23eb8eb99b99c9e209108396c6e442798bf3dc1122cdfe

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
37B

MD5
431832ac11a27d3c5dc7d1f0cb1037bf

SHA1
69bcf8ced51c3feb9479913e695c2c760898ef99

SHA256
76a6990408688a7732ce0ca160db4f0e89210fe97b337c2ff31730703fd87158

SHA512
cb6e85aa9f27d35931e4b8d10e8c828ba83e4b6734871eaf7daf22af5d34275eb648b6fd454cf726bd3073e41c4e993b0ca4e4502157350aa8f166b1e749c2db

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
13B

MD5
90d0fa7ccdb0cb7811deebf7ba61bcd8

SHA1
5df3531436beb45f541a2ecf66f9d5b63e1fd8e8

SHA256
af2231aaeeee16d548418d872b61e50f05602bc5bc2f19f99a18fd17178a5803

SHA512
c4e7bcdb35bb47e8204dbc8a882bbb95dc4fe54d8d42c3f935d2e43b87754df6744e5a1b8cf672213760b666e66381fd2876d8ad928670645a3f6eca1a25ffaa

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
13B

MD5
de2c41a51ee9246eb1708f65b511add0

SHA1
2f442d634c8a18760a232c8829d4b5d74a52f074

SHA256
ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

SHA512
7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
268B

MD5
aec07a2e522c2f2065d58f97f74f1e06

SHA1
48ba5c6ef01221c7014a5488e09d8cb3e3321685

SHA256
67c73e2bca92351a1633938c72bcad269cf6cf6069d2fadeb23a476105749585

SHA512
ad4f7ae8729337bfb1999611b2fcb5aa13b1854d74428bc15e5f164396def7fcb84e75e61e4effae982ad848d240271d26a3a528098c9ab3e1aad72369055664

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads