Overview

overview

8

Static

static

6

400427c299...73.apk

android-9-x86

8

400427c299...73.apk

android-10-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    android-10_x64
  • resource
    android-x64-20240910-en
  • resource tags

    arch:x64arch:x86image:android-x64-20240910-enlocale:en-usos:android-10-x64system
  • submitted
    18/09/2024, 22:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    400427c2994400bd18b66d20e8bc0c4fcaf900f24b9c8b6a21c9b7f1ae8f9c73.apk

  • Size

    4.7MB

  • MD5

    3890999ec2c35068cfb90f0e06426fef

  • SHA1

    b79f243ced3d8a546b4c3ca3a153bc80a3d13672

  • SHA256

    400427c2994400bd18b66d20e8bc0c4fcaf900f24b9c8b6a21c9b7f1ae8f9c73

  • SHA512

    d6f8bf1b8d9d46b4342a25c5264966164cea1d7cbbee11a24f04dbd1388168f367cca9dad543462e9ca5c0be51b688ae3402931f6309fc1a3e3dfba8cc416a4e

  • SSDEEP

    98304:iH22220ysdqQK6XkxSzp1SL7MkSBxz8IQG9t6GfBTDuI/o/nnYmKdEnYpf:5y8VK60xw07MkSBlf9leLKCnY9

Score
8/10
collectioncredential_accessdiscoveryevasionexecutionimpactpersistencestealthtrojan

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 7 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Performs UI accessibility actions on behalf of the user 1 TTPs 24 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.parentsquare.psapp
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:5234

Network

        MITRE ATT&CK Mobile v15

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1603

        Persistence

        Event Triggered Execution

        1
        T1624

        Broadcast Receivers

        1
        T1624.001

        Scheduled Task/Job

        1
        T1603

        Privilege Escalation

        Defense Evasion

        Download New Code at Runtime

        1
        T1407

        Hide Artifacts

        1
        T1628

        Suppress Application Icon

        1
        T1628.001

        Impair Defenses

        1
        T1629

        Prevent Application Removal

        1
        T1629.001

        Input Injection

        1
        T1516

        Virtualization/Sandbox Evasion

        2
        T1633

        System Checks

        2
        T1633.001

        Credential Access

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Discovery

        System Information Discovery

        2
        T1426

        System Network Configuration Discovery

        1
        T1422

        Lateral Movement

        Collection

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Screen Capture

        1
        T1513

        Command and Control

        Exfiltration

        Impact

        Data Manipulation

        1
        T1641

        Transmitted Data Manipulation

        1
        T1641.001

        Input Injection

        1
        T1516

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/data/com.parentsquare.psapp/app_DynamicOptDex/JlyZADbPuVD.json
          Filesize

          550KB

          MD5

          2a45ecd351732c7b6b2b4e259b2d1c81

          SHA1

          cbfcf22c02b74d10b497b671d10e09ca3442ab19

          SHA256

          cc23d29b2216fa04f39035563315a737456914f8dd78598475a88a41fe6d625e

          SHA512

          1e946e801db8a26d73a4f4efbcfb06845ad70e3a1d10daaae8f6d2c7251e162acc94db625f14f3ac5eea97ab9926f1904c2cc2b2119e9b79fdf3115719f2ff08

          Download Submit

        • /data/data/com.parentsquare.psapp/app_DynamicOptDex/JlyZADbPuVD.json
          Filesize

          550KB

          MD5

          f453cd423cf706ee7d5ea20e71c66d92

          SHA1

          7e1ef7068f31cf72a2f1fb6ad3639bd69f6ca210

          SHA256

          672383e806fc3e1c5989070e0062c3fd68d930921e589f9e448c2a9053c8c203

          SHA512

          1a7309aad93113291582134e5e48be0103421da12bf43e6cae0da58ed65acc9fa93ac5b7d544b9ea465b8b04538e554a91e1e88b0fc1adbc7afcfa384011aaf6

          Download Submit

        • /data/data/com.parentsquare.psapp/app_DynamicOptDex/oat/JlyZADbPuVD.json.cur.prof
          Filesize

          561B

          MD5

          f9e484f7c146e2e953d17d2c3f3998b6

          SHA1

          5e5509cab1e1b4cba61870f8abc79fc087d44ba9

          SHA256

          b717e7a1cd90277069a023f3c76aaf74b597905197251150ccbe9818251df998

          SHA512

          e29ddf72e3b57498ee371808fb025dcce245dcdc603970b601daa45f4c2dc77e8145c44b1e0013bfd3d6b335c7d47937d53f7940fe5a3e756c4a55900030c1bb

          Download Submit

        • /data/user/0/com.parentsquare.psapp/app_DynamicOptDex/JlyZADbPuVD.json
          Filesize

          629KB

          MD5

          2dfb65e0daadeddf40e4ca5239b113e1

          SHA1

          ff8c8bbfdd53d96357a10d72090ff580684a722b

          SHA256

          d329ea2356234aaaa3cf425bd2e8fc4a848640642333d214001ac6664efcd489

          SHA512

          a2fded7592540bdcd4556bad260ac9cc6500c77e57ff1d0a7b202daeb3e5ac875edbf078967c9b8a5bba9aa1b968a8a22c2fb6bcb10e68a0e448e573f8c55a71

          Download Submit