312a30b8abbf7caaf0cf3ac312eef5eef78c8a777af2b04db4195700bdb07cd0

Resubmissions

02-09-2024 12:56

240902-p6p3yazhql 8

02-09-2024 11:26

240902-nj99xsygml 8

02-09-2024 11:08

240902-m8vp4azcpe 10

Analysis

max time kernel
71s
max time network
76s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
02-09-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LIVE XXX (3).apk
Size

4.8MB
MD5

98931c607b3b6be96fecf4e54fd62b48
SHA1

4a3ec0ba1d74e61be278a4ab7b2e4f1f55e003a8
SHA256

312a30b8abbf7caaf0cf3ac312eef5eef78c8a777af2b04db4195700bdb07cd0
SHA512

4255a282c3500afc891bbfdc7b10599b5fc07c86ae9e0bced92a30de9d60398c75d695cbca35015fbdf9307f7ea003bad0c400c3aca6dc5fd9c76687aa88aba2
SSDEEP

98304:TbJuaNHeoBzzY9UbDh6BDehFEzj154vqT75v2dOIYAhag:TNkoBfgBDehOzx54al2Nz0g

Score

8^/10

collection credential_access evasion execution persistence stealth trojan

Malware Config

Signatures

Removes its main activity from the application launcher 1 TTPs 1 IoCs

stealth trojan evasion

Suppress Application Icon

T1628.001

pid	Process
5074	com.tencent.mm

Loads dropped Dex/Jar 1 TTPs 4 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	5074	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	5074	com.tencent.mm
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	5546	com.tencent.mm:remote
/data/user/0/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml	5546	com.tencent.mm:remote

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	com.tencent.mm
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.tencent.mm

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.tencent.mm

Performs UI accessibility actions on behalf of the user 1 TTPs 28 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.tencent.mm

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.tencent.mm

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm
Framework service call	android.app.job.IJobScheduler.schedule	com.tencent.mm:remote

com.tencent.mm
1⤵
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Performs UI accessibility actions on behalf of the user
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5074

com.tencent.mm:remote
1⤵
- Loads dropped Dex/Jar
- Schedules tasks to execute at a specified time
PID:5546

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Hide Artifacts

T1628

Suppress Application Icon

T1628.001

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.tencent.mm/app_mph_dex/apk.crazy-v1.AndroidManifest.xml

Filesize
7.9MB

MD5
f8e11d98fbaf38ebd77bc811887a0742

SHA1
1b5aa6aa71e134310021c20c91b4e3584b72090b

SHA256
1e1f2f64622098d3530df5819b7cf87b41b2969583f05e60160884eebd38b9d1

SHA512
8df0ea75f556a1ef70f023f8fa1521921c4f6f67ee1304c2396324727fcf6b847b05010978cf07c846425f027cc2753d24ff760b489416914c53971d2d155445

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db

Filesize
16KB

MD5
a08f2dd3bdc55648f497adbd24e4bdef

SHA1
7993d38d7c40d500882dd89830b8a3900c346410

SHA256
340974ac845d9bbe1a09731fc05daf9cc8f1e1621e9b47b19baa08867c2de47b

SHA512
f5c6cdc415bf1c4d80cc6d55845a4e8a32bb10fd86505ea371200d1a97923c04f618aacfd15aac434745250dab15f44078e70d9e9a1b20bdec8204855f92c7c5

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
749e426411273953c39f139acd0c96d1

SHA1
eb0b3c74d0ecf32965ff98120b13bf8c442da992

SHA256
0307a6735a5afb697c457a8873e35c684d8ef410dc87fc3ea14a00fdd7174161

SHA512
a5e5437e64363144b0fe2646472d42d4e2c5552c169c59709f35ba797ffed8043c7ae9d02ffa5e79225dfb513f56bda005c2abb1537140961948551973d1b577

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
dd3f41b1b7d8ba535de2524007613221

SHA1
2d2429f2e3f92c8c06e9cfed82dafc8e5110bbb6

SHA256
414c5264a26c6f9e167e7067ea370b01e8239da860c7a9185988c55edbe7afe9

SHA512
cec062339423f18ee05180c98e43215a22390a9a726ece7b49b84dcc11c7c979f74e48f4faa7094a9fb206dfd1733aed8cccc710d2a7b336f3c135d3c006da52

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
041abde5d24ce077b7eb5a4914988739

SHA1
24225ccd4f03afd5207fe3390a790153f1ed7838

SHA256
168f340aafa63bcc062456e00ac374b6e10cebefbecf7dc661d5c8e410c282b6

SHA512
b9c9f8d18ded0f2a4e5d976827953c47429db09e766daa1f9a98f0fda128ff24462160a551d1e70d37e8d1f65ac4566389a45b72c1f39f5a769433fc21e0a033

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
abb4a15cf1d9a8eae4f66cc225459471

SHA1
2cb1b1786cff16a91f80eef7249281ae9ad61b36

SHA256
7092d2bdea3ca5fb59e91ab81b205045c7e141fa52a251bce8571ad5dc20d490

SHA512
f1438ba0585b3119e1c9a5e9e1fe91a0f11bbc3ae5ccf93ee0c55337c483bbdf63298190e60c08e95a0f0e6d4faaf065eeafbadc388adbb32f453ffa3f9327f5

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
00d13a446790b8e5e9f08c0b94a2c732

SHA1
9a94e30c968fd4a2826e082ec2b0b9e66f8dea48

SHA256
b3d26cc57704ea866299778af1f0da44e97cf67f2aafe1f78e15796ca147e50b

SHA512
5e0b73fec4cf6668caa0b4214a1325c4985b1c2fd2348f7dcf447118ab47f07ec3c102623faa32d40caa6280bd2ebfa22db5efd4b0d1759f1718eaa5f1aa78aa

Download Submit
/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

Filesize
8KB

MD5
03381e9192df782d3d25ec74197826ea

SHA1
8b97825baca89890891dba4a596bda65f46694f0

SHA256
7d965cf3678ca48d8c622c683898bd43e4d41911b9bf6d38aa06d4f20ce2674d

SHA512
31a9ad64b4ce6b414a75ff938f5fcaa6048315a6eccb94de1f0007a8965e16dbd525d860ce880a39aebe26802911f1b259b7e03ecd37be7012842f389f79bedd

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
21B

MD5
6aa0ede6cdd0d02dfff8f4aa2f70398d

SHA1
ee273b05ff7159e5c58bdff92d9a94d2100c9e96

SHA256
f94140e2582acdbd397635c444d3937aef485cd355a0c77eaebfb0392293910b

SHA512
cb4e08c01b6e96dd0d005674b9f3cd06bff1a73ff374f228d4f0032b9c79d1bf120de7fce860b66cc51f7c4bda899432d2078e29d1f566a0ba37141290bab065

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
414B

MD5
b367ce7a981ba145d630e3e82f952d11

SHA1
1fee890911e34f2a00d88dc5236bfbe7b12cc99b

SHA256
8d77c7e40392122f474592f36b2f190692ee7debf637b38e6fd59ce5c964b5a3

SHA512
f361dfb6194ccf0fc20196e5f528b6bda67979e0a08fb8cd604da6ad6dd942bc40fb200e58fdc33830bf7de58ef9dbc5b1ef68708bb7e39f4ca82f8e43979c5c

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
45B

MD5
0fd0027e48564400b030e49702411fcc

SHA1
5fdbd6adda1197ec3be92a404f363a85b5c15792

SHA256
943c9c7f5ce0e54b488c9ae2728f082076dc9e139b1aab4c1dc7705d3cc3175e

SHA512
2705ade851abf46df9cbf0601904efe44d3330c2591f4c2572b3a64f09c5bc447bf2bd40033227d7aa23eb8eb99b99c9e209108396c6e442798bf3dc1122cdfe

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-09-02.txt

Filesize
21B

MD5
f85041b8e33af3e36c249c4dfe7b65bf

SHA1
c0ba527661c94130d791a8a7a97ea4dbb12b0b8d

SHA256
95a978593029cff987e3229bb623618ac6310904d13b08991891c4043b46b732

SHA512
bf3b381debbc3737eb24cfc5541b7277db51deae18a00854c7188f5ae1fc83362995e0bbd2c37c75f59738ef048bfd18730e0bb08a14196a31a72b144b5bc49e

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads