Analysis

max time kernel: 145s
max time network: 152s
platform: android_x64
resource: android-33-x64-arm64-20240624-en
resource tags: android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted: 14/10/2024, 16:34

Static task: static1

Behavioral task: behavioral1
Sample: 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11.apk
Resource: android-x86-arm-20240624-en

Behavioral task: behavioral2
Sample: 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11.apk
Resource: android-33-x64-arm64-20240624-en

General

Target: 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11.apk
Size: 2.4MB
MD5: f3a8b8947a994aba2581c54cf4a7e3d3
SHA1: 6c854a80ecd9fbd1dcea7f272942ff13f4435022
SHA256: 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11
SHA512: 37157a2c7d3852d0df32a1b291d62678730fb61dc223df82c05c7b8a68ea45ad32d49ab3591128282c458ed28b10b2383c9069006da05d7a1ac8fc37894606a7
SSDEEP: 49152:gpIOeqIDfH3BGFnGQRGiLMnGl2XeF/2mpApChaBo1gw7GY:AeqSfXBGFnGQQiLMnGl2XeF/rpAwhB9
Malware Config
Signatures

Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
Runs executable file dropped to the device during analysis.
ioc: /data/data/moneyless.freckled.daily/code_cache/decrypted.dex | pid: 4307 | process: moneyless.freckled.daily

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | process: moneyless.freckled.daily
description: Framework service call | ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | process: moneyless.freckled.daily

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description: Framework service call | ioc: android.content.IClipboard.addPrimaryClipChangedListener | process: moneyless.freckled.daily

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTPs)

Queries the phone number (MSISDN for GSM devices) (1 TTPs)

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call | ioc: android.app.IActivityManager.setServiceForeground | process: moneyless.freckled.daily

Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
Application may abuse the accessibility service to prevent its own removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | process: moneyless.freckled.daily (5 identical hits)

Reads information about phone network operator (1 TTPs)

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
description: Intent action | ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | process: moneyless.freckled.daily

Checks CPU information (2 TTPs, 1 IoCs)
description: File opened for read | ioc: /proc/cpuinfo | process: moneyless.freckled.daily

Checks memory information (2 TTPs, 1 IoCs)
description: File opened for read | ioc: /proc/meminfo | process: moneyless.freckled.daily
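The "Loads dropped Dex/Jar" signature above records a file named decrypted.dex being written to the app's code_cache and loaded at runtime, which suggests the APK carries a payload it decrypts on the device rather than shipping it in classes.dex. Before pulling such a drop into a decompiler it is worth confirming it is a structurally sound DEX (not a truncated or still-encrypted blob) and recording its hash for the report. The following is an added example, not sandbox code and not from the sample's authors: it parses the 112-byte DEX header and verifies the Adler-32 checksum and SHA-1 signature the dex format defines, over a synthetic DEX it constructs itself. `inspect_dex`, `build_minimal_dex` and the set of recognised versions are my choices, and the synthetic file is test input, not the file dropped in this analysis.

```python
"""Validate a dropped DEX before analysis: header fields, Adler-32 checksum
and SHA-1 signature as defined by the dex file format (added example)."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70          # header_item is always 112 bytes
DEX_ENDIAN_CONSTANT = 0x12345678
KNOWN_VERSIONS = {b"035", b"037", b"038", b"039"}   # versions this example recognises

HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def inspect_dex(data: bytes) -> dict:
    """Parse the DEX header and verify its integrity fields.

    Never raises on malformed input, so it can be pointed at anything a
    sandbox dropped; the returned dict says what passed and what did not.
    """
    result = {"valid": False, "reason": None, "sha256": hashlib.sha256(data).hexdigest()}
    if len(data) < DEX_HEADER_SIZE:
        result["reason"] = "shorter than a DEX header"
        return result
    if data[:4] != b"dex\n" or data[7:8] != b"\x00":
        result["reason"] = "bad magic"          # e.g. a ZIP/JAR, or still-encrypted bytes
        return result
    version = data[4:7]
    result["version"] = version.decode("ascii", "replace")
    result["known_version"] = version in KNOWN_VERSIONS
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    fields = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", data, 32)))
    result["fields"] = fields
    # The checksum covers everything after itself (offset 12 onward) and the
    # signature everything after itself (offset 32 onward).
    checks = {
        "file_size_ok": fields["file_size"] == len(data),
        "header_size_ok": fields["header_size"] == DEX_HEADER_SIZE,
        "endian_ok": fields["endian_tag"] == DEX_ENDIAN_CONSTANT,
        "checksum_ok": checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF),
        "signature_ok": signature == hashlib.sha1(data[32:]).digest(),
        "map_in_bounds": 0 < fields["map_off"] < len(data),
    }
    result.update(checks)
    result["valid"] = all(checks.values())
    if not result["valid"]:
        result["reason"] = "failed: " + ", ".join(k for k, ok in checks.items() if not ok)
    return result


def build_minimal_dex(version: bytes = b"035", tamper: bool = False) -> bytes:
    """Construct a synthetic, table-less DEX as test input (not the dropped file).

    With tamper=True the last byte is flipped after checksum and signature are
    computed, which is what a truncated or partially overwritten drop looks like.
    """
    body = b"\x00" * 16                         # stand-in for the data section
    file_size = DEX_HEADER_SIZE + len(body)
    values = dict.fromkeys(HEADER_FIELDS, 0)
    values.update(file_size=file_size, header_size=DEX_HEADER_SIZE,
                  endian_tag=DEX_ENDIAN_CONSTANT, map_off=DEX_HEADER_SIZE,
                  data_size=len(body), data_off=DEX_HEADER_SIZE)
    tail = struct.pack("<20I", *(values[f] for f in HEADER_FIELDS)) + body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    dex = b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + tail
    if tamper:
        dex = dex[:-1] + bytes([dex[-1] ^ 0xFF])
    return dex


if __name__ == "__main__":
    for label, blob in (("intact", build_minimal_dex()),
                        ("tampered", build_minimal_dex(tamper=True)),
                        ("not a dex", b"PK\x03\x04" + b"\x00" * 200)):
        r = inspect_dex(blob)
        print(f"{label:10} valid={r['valid']} reason={r['reason']} sha256={r['sha256'][:16]}...")
```

Run it against the real drop by reading the file into `inspect_dex`; a "bad magic" result on a file the sandbox says was loaded as DEX usually means you pulled the on-disk ciphertext rather than the decrypted copy, and a checksum or signature failure on an otherwise well-formed header points at a truncated extraction.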
Processes

moneyless.freckled.daily (PID 4307)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Checks CPU information
- Checks memory information
Network

MITRE ATT&CK Mobile v15

Defense Evasion
  Download New Code at Runtime: 1
  Foreground Persistence: 1
  Hide Artifacts: 1
    User Evasion: 1
  Impair Defenses: 1
    Prevent Application Removal: 1
  Input Injection: 1
  Virtualization/Sandbox Evasion: 2
    System Checks: 2

Credential Access
  Clipboard Data: 1
  Input Capture: 2
    GUI Input Capture: 1
    Keylogging: 1

Discovery
  Software Discovery: 1
    Security Software Discovery: 1
  System Information Discovery: 2
  System Network Configuration Discovery: 2
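The ATT&CK table above is a roll-up of the entries in the Signatures section. As an added example (mine, not the sandbox's rule engine), the following replays the report's IoC rows as constructed events, re-derives the eight signatures that carried IoCs from regexes over framework service calls, file opens, intent actions and DEX loads, and aggregates them into a tactic/technique matrix the same shape as the one above. The technique IDs are ATT&CK Mobile IDs I added; the rule-to-technique mapping is my reading of the page's matrix, not the sandbox's published mapping, and the `(kind, value, process)` event shape is an assumption rather than any real export format.

```python
"""Re-derive sandbox-style behavioural signatures from raw Android events and
roll them up into an ATT&CK Mobile tactic/technique matrix (added example)."""
import re
from collections import defaultdict

PKG = "moneyless.freckled.daily"
ACC = "android.accessibilityservice.IAccessibilityServiceConnection."

# Constructed events mirroring the IoC rows of the report; the tuple shape
# (kind, value, process) is an assumption, not a sandbox export format.
EVENTS = [
    ("dex_load", f"/data/data/{PKG}/code_cache/decrypted.dex", PKG),
    ("framework_call", ACC + "findAccessibilityNodeInfoByAccessibilityId", PKG),
    ("framework_call", ACC + "findAccessibilityNodeInfosByViewId", PKG),
    ("framework_call", "android.content.IClipboard.addPrimaryClipChangedListener", PKG),
    ("framework_call", "android.app.IActivityManager.setServiceForeground", PKG),
    *([("framework_call", ACC + "performGlobalAction", PKG)] * 5),
    ("intent", "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", PKG),
    ("file_read", "/proc/cpuinfo", PKG),
    ("file_read", "/proc/meminfo", PKG),
    # Benign noise that must not fire any rule.
    ("file_read", "/proc/self/maps", PKG),
    ("framework_call", "android.app.IActivityManager.getRunningAppProcesses", PKG),
]

# (signature name, event kind, regex over the value, [(tactic, technique), ...]).
# Technique IDs are ATT&CK Mobile; the mapping is my reading of the report's matrix.
RULES = [
    ("Loads dropped Dex/Jar", "dex_load",
     r"^/data/(?:data|user/\d+)/[^/]+/.+\.(?:dex|jar)$",
     [("Defense Evasion", "T1407 Download New Code at Runtime")]),
    ("Makes use of the framework's Accessibility service", "framework_call",
     r"IAccessibilityServiceConnection\.findAccessibilityNodeInfo",
     [("Credential Access", "T1417.002 GUI Input Capture"),
      ("Credential Access", "T1417.001 Keylogging")]),
    ("Obtains sensitive information copied to the device clipboard", "framework_call",
     r"IClipboard\.addPrimaryClipChangedListener$",
     [("Credential Access", "T1414 Clipboard Data")]),
    ("Makes use of the framework's foreground persistence service", "framework_call",
     r"IActivityManager\.setServiceForeground$",
     [("Defense Evasion", "T1541 Foreground Persistence")]),
    ("Performs UI accessibility actions on behalf of the user", "framework_call",
     r"IAccessibilityServiceConnection\.performGlobalAction$",
     [("Defense Evasion", "T1516 Input Injection"),
      ("Defense Evasion", "T1629.001 Prevent Application Removal")]),
    ("Requests disabling of battery optimizations", "intent",
     r"^android\.settings\.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS$",
     [("Defense Evasion", "T1628.002 User Evasion")]),
    ("Checks CPU information", "file_read", r"^/proc/cpuinfo$",
     [("Defense Evasion", "T1633.001 System Checks"),
      ("Discovery", "T1426 System Information Discovery")]),
    ("Checks memory information", "file_read", r"^/proc/meminfo$",
     [("Defense Evasion", "T1633.001 System Checks"),
      ("Discovery", "T1426 System Information Discovery")]),
]


def evaluate(events, rules=RULES):
    """Return {signature: {"processes": [...], "iocs": [...], "techniques": [...]}}
    for every rule whose regex matches at least one event of its kind."""
    findings = {}
    for name, kind, pattern, techniques in rules:
        rx = re.compile(pattern)
        hits = [(value, proc) for k, value, proc in events if k == kind and rx.search(value)]
        if hits:
            findings[name] = {
                "processes": sorted({p for _, p in hits}),
                "iocs": [v for v, _ in hits],
                "techniques": techniques,
            }
    return findings


def attack_matrix(findings):
    """Roll findings up as {tactic: {technique: number of signatures contributing}};
    this reproduces the page's count of 2 for System Checks (cpuinfo + meminfo)."""
    matrix = defaultdict(lambda: defaultdict(int))
    for f in findings.values():
        for tactic, technique in f["techniques"]:
            matrix[tactic][technique] += 1
    return {t: dict(techs) for t, techs in matrix.items()}


if __name__ == "__main__":
    found = evaluate(EVENTS)
    for name, f in found.items():
        print(f"{name} ({len(f['iocs'])} IoCs): {f['iocs'][0]}")
    for tactic, techs in attack_matrix(found).items():
        print(tactic)
        for technique, n in techs.items():
            print(f"  {technique}: {n}")
```

The point of keeping rules as data is that the same table can be run over a different sample's event stream; the three signatures above that fired without IoCs (installed-app listing, MSISDN, network operator) are not modelled here because the page shows no concrete events for them.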
Downloads

Filesize: 972KB
MD5: 8493827c05160d36e6519cad7021a5bb
SHA1: 99cfac459bb6a0815a67ac984c84e3360c75cbc1
SHA256: 1abe80031904df25a6d98e66ccde6145da056ec42e0e370db2a5d35e65cd8f39
SHA512: e7de8916408143e4dd6ba739227e080c4477cb26c52ea332ce381aa1b22e99cd3ddb6f0a179e142c634a4fb945f77a490bc3cdf3448eb6e4698b44fe00700e26