1cf64aaae65f6b8b3af1b774a1c6caa24c9ee90198f237c63f8420e3712b4d0f

Analysis

max time kernel
149s
max time network
154s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
01/10/2024, 22:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1cf64aaae65f6b8b3af1b774a1c6caa24c9ee90198f237c63f8420e3712b4d0f.apk
Size

2.5MB
MD5

9260d4fb5b884fb95593231810dc4344
SHA1

6f6f7eeb85260e85d71c3e7f357f0d8b9edf49a0
SHA256

1cf64aaae65f6b8b3af1b774a1c6caa24c9ee90198f237c63f8420e3712b4d0f
SHA512

5498c8d51633c1dda367dd4aaae3543457a92667b035a79477237e10e3c0d5fdcee3df5e3835c8e0d0380f0865749daca051634eca6594156b93ce29d721a685
SSDEEP

49152:gB6oTT5U3IQnLwcXvxF6Caz04ubX3Sme1OWdKi3Mb:gB/H5U3pLwcJF6m4ubnRiOCcb

Score

7^/10

banker collection credential_access discovery evasion impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	mmg78a4eb56.mmg78a262d3.mmg78a96dc7
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	mmg78a4eb56.mmg78a262d3.mmg78a96dc7

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	mmg78a4eb56.mmg78a262d3.mmg78a96dc7

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	mmg78a4eb56.mmg78a262d3.mmg78a96dc7

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	mmg78a4eb56.mmg78a262d3.mmg78a96dc7

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	mmg78a4eb56.mmg78a262d3.mmg78a96dc7

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	mmg78a4eb56.mmg78a262d3.mmg78a96dc7

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	mmg78a4eb56.mmg78a262d3.mmg78a96dc7

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	mmg78a4eb56.mmg78a262d3.mmg78a96dc7

mmg78a4eb56.mmg78a262d3.mmg78a96dc7
1⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
- Checks memory information
PID:4233