Overview

overview

8

Static

static

6

excess.und...ng.apk

android-9-x86

8

excess.und...ng.apk

android-10-x64

8

Resubmissions

14-10-2024 17:23

241014-vx752swhjf 8

09-10-2024 09:04

241009-k148fssclj 8

Analysis

  • max time kernel
    16s
  • max time network
    22s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    09-10-2024 09:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    excess.undrilled.improper.crushing.apk

  • Size

    2.4MB

  • MD5

    eb0ad0b462c65a40c16d43c15cd06aea

  • SHA1

    28b0a4559078eac3bd1c06b493c35408e3def804

  • SHA256

    136d00629e8cd59a6be639b0eaef925fd8cd68cbcbdb71a3a407836c560b8579

  • SHA512

    d5178c83b493999e380b68abc6511ace9c3296393f08bee01dd80582a752fa07a2658bd1d2d0ef3fed01cca9ef17b31c5e5e0c4986ea46ce91a19c9c10e42b58

  • SSDEEP

    49152:oRkr6w6JVKUf5wj0FRaVeRyWogZqChiBx1gwxm:V2dJIg7PaV8yvgZnhWm

Score
8/10
collectioncredential_accessdiscoveryevasionpersistencestealthtrojan

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 1 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 5 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 10 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
    persistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • excess.undrilled.improper.crushing
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4214
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/excess.undrilled.improper.crushing/code_cache/decrypted.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/data/excess.undrilled.improper.crushing/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4279
  • excess.undrilled.improper.crushing:webview_process
    1⤵
    • Loads dropped Dex/Jar
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4337

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Foreground Persistence

1
T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Foreground Persistence

1
T1541

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

2
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/excess.undrilled.improper.crushing/code_cache/decrypted.dex
    Filesize

    975KB

    MD5

    dfde1000d6b51cdc38b21ac5fbaa462a

    SHA1

    8389cd13c15f316d55f7909e6ae71f56dfa8ea1b

    SHA256

    09e3db729b16cf271d9be99996334422b372bafaae9ba95f65828c5b2bc97d34

    SHA512

    3f11d6d1c0f4063bb79771834959e8a9d10b7210138fbde88fdf504138ff74c4467b1ca746e341b845ebd10ceb82a122386c1f4f57e2a1ea33f1d51063b08038

    Download Submit

  • /data/data/excess.undrilled.improper.crushing/code_cache/decrypted.dex
    Filesize

    975KB

    MD5

    3eb5114b544c4c195d7d55f6c99f7868

    SHA1

    f6f7cb27e2c3bb3b2ba8334924f0c7bd5ac701c5

    SHA256

    2d217f39b0abb2c9c16783af3a2327b52d189f3d5ac479efefaaa982998a8c20

    SHA512

    13f95117cb48e80ac99d10a255112032b563e33854c09944818ed7d733f66788517372f18a9f735feed9520a5682607e280de2b912178426d73973263214237a

    Download Submit