9dbe5b1a7dc239f17fb41e399e9137c675b2e4e3882974ef9397cee4d4bd91ff

Analysis

max time kernel
152s
max time network
140s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
13/10/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EvilRAT.apk
Size

4.7MB
MD5

97f3286dcaecf39951d3b7a0e66d208f
SHA1

2435be5eb810dd2f76757579b8c272511adb59b0
SHA256

9dbe5b1a7dc239f17fb41e399e9137c675b2e4e3882974ef9397cee4d4bd91ff
SHA512

81dfb13099ce13f63efa89d43a557c71e8e7ca0c6aa6bdeb06e4d1d58e08292b83f4d861ab91db4d76f901616511226a2e049f86482f1016201008f81fc40c6c
SSDEEP

98304:G/xXWXStFaLWlUapHhDciMiSm4LqN8VNmzpyzBeTr0tqodTb:QxXWX+FlUUBDNMxmYAzpfUxF

Score

7^/10

collection credential_access evasion execution persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	build.ledear.kankx

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	build.ledear.kankx

Requests enabling of the accessibility settings. 1 IoCs

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	build.ledear.kankx

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	build.ledear.kankx

build.ledear.kankx
1⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Requests enabling of the accessibility settings.
- Schedules tasks to execute at a specified time
PID:4332

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/storage/emulated/0/Config/sys/apps/log/log-2024-10-13.txt

Filesize
13B

MD5
de2c41a51ee9246eb1708f65b511add0

SHA1
2f442d634c8a18760a232c8829d4b5d74a52f074

SHA256
ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

SHA512
7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-13.txt

Filesize
25B

MD5
ba30336bf53d54ed3c0ea69dd545de8c

SHA1
ce99c6724c75b93b7448e2d9fac16ca702a5711f

SHA256
2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

SHA512
eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-13.txt

Filesize
564B

MD5
c128a19d2a7cc9246c7699b2ff94fe1d

SHA1
383f36855827781ad4461b1e1b191d53d78ccbe3

SHA256
9b912c73c8eaf8bf5b7104f80ae3643a3c724eb5fcddd4bbc99edefa76f31cd9

SHA512
096152b66836f7c38762ce46edf371668343081bb9912be24e606c17e2047fcfb9690c8a4fc683f9aac55dac8e35543d78394a35852a9556b9350956cbcb3016

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads