Analysis
max time kernel: 141s
max time network: 146s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 14/10/2024, 16:38
Static task: static1
Behavioral task: behavioral1
  Sample: 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11.apk
Size: 2.4MB
MD5: f3a8b8947a994aba2581c54cf4a7e3d3
SHA1: 6c854a80ecd9fbd1dcea7f272942ff13f4435022
SHA256: 516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11
SHA512: 37157a2c7d3852d0df32a1b291d62678730fb61dc223df82c05c7b8a68ea45ad32d49ab3591128282c458ed28b10b2383c9069006da05d7a1ac8fc37894606a7
SSDEEP: 49152:gpIOeqIDfH3BGFnGQRGiLMnGl2XeF/2mpApChaBo1gw7GY:AeqSfXBGFnGQQiLMnGl2XeF/rpAwhB9
Malware Config
Signatures
Removes its main activity from the application launcher
  pid   Process
  4260  moneyless.freckled.daily
  4260  moneyless.freckled.daily

Loads dropped Dex/Jar (1 TTP, 3 IoCs)
  Runs executable file dropped to the device during analysis.
  ioc                                                           pid   Process
  /data/data/moneyless.freckled.daily/code_cache/decrypted.dex  4260  moneyless.freckled.daily
  /data/data/moneyless.freckled.daily/code_cache/decrypted.dex  4288  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/moneyless.freckled.daily/code_cache/decrypted.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/data/moneyless.freckled.daily/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=&
  /data/data/moneyless.freckled.daily/code_cache/decrypted.dex  4260  moneyless.freckled.daily

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
  Retrieves information displayed on the phone screen using AccessibilityService.
  description             ioc                                                                                             Process
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId  moneyless.freckled.daily
  Framework service call  android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId          moneyless.freckled.daily

Queries the phone number (MSISDN for GSM devices) (1 TTP)

Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  description             ioc                                              Process
  Framework service call  android.app.IActivityManager.setServiceForeground  moneyless.freckled.daily

Performs UI accessibility actions on behalf of the user (1 TTP, 5 IoCs)
  Application may abuse the accessibility service to prevent its removal.
  ioc                                                                              Process
  android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction  moneyless.freckled.daily (5 calls)

Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  description             ioc                                                              Process
  Framework service call  com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone  moneyless.freckled.daily

Reads information about phone network operator (1 TTP)

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  description    ioc                                                      Process
  Intent action  android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS  moneyless.freckled.daily

Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  description             ioc                                          Process
  Framework service call  android.app.IActivityManager.registerReceiver  moneyless.freckled.daily

Checks CPU information (2 TTPs, 1 IoC)
  description           ioc            Process
  File opened for read  /proc/cpuinfo  moneyless.freckled.daily

Checks memory information (2 TTPs, 1 IoC)
  description           ioc            Process
  File opened for read  /proc/meminfo  moneyless.freckled.daily
Processes
moneyless.freckled.daily (PID 4260)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  └─ /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/moneyless.freckled.daily/code_cache/decrypted.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/data/moneyless.freckled.daily/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=& (PID 4288)
       - Loads dropped Dex/Jar
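The dex2oat child (PID 4288) in the process tree above is what the "Loads dropped Dex/Jar" signature keys on: ART is compiling a .dex that the app wrote into its own code_cache directory, not an APK placed by the package installer. The helper below, added here as an example and not part of the sandbox report or its tooling, parses a dex2oat command line, pulls out the --dex-file input and the owning package, and flags inputs that come from app-writable storage. The two path-prefix lists and the benign command line are constructed assumptions for illustration; the suspicious command line is the one recorded in the report.

```python
"""Triage helper: flag dex2oat runs that compile code written at runtime.

On ART, loading a .dex or .jar through a DexClassLoader makes the runtime
invoke /system/bin/dex2oat on that file.  An input under the app's own
writable directory (here /data/data/<pkg>/code_cache/) was necessarily
written by the app after installation, which is what a sandbox reports as
"Loads dropped Dex/Jar".
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed prefix lists (not taken from the report): where installer-managed
# code normally lives on a device ...
INSTALLED_CODE_PREFIXES = ("/data/app/", "/system/", "/system_ext/",
                           "/vendor/", "/product/", "/apex/")
# ... and the app-private storage any app can write to.
APP_PRIVATE_PREFIXES = ("/data/data/", "/data/user/", "/data/user_de/")

# dex2oat command line exactly as recorded in the report (PID 4288).
REPORT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art --runtime-arg -Xms64m "
    "--runtime-arg -Xmx512m --instruction-set-variant=x86 "
    "--instruction-set-features=default --inline-max-code-units=0 "
    "--compact-dex-level=none "
    "--dex-file=/data/data/moneyless.freckled.daily/code_cache/decrypted.dex "
    "--output-vdex-fd=41 --oat-fd=42 "
    "--oat-location=/data/data/moneyless.freckled.daily/code_cache/oat/x86/decrypted.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)
# Constructed benign counterpart: an installed APK compiled after install.
BENIGN_CMDLINE = (
    "/system/bin/dex2oat --dex-file=/data/app/com.example.notes-1/base.apk "
    "--oat-fd=9 --oat-location=/data/app/com.example.notes-1/oat/x86/base.odex "
    "--compiler-filter=speed-profile"
)


@dataclass
class Dex2oatEvent:
    pid: int
    dex_file: str
    package: Optional[str]   # owning package inferred from the input path, if any
    dropped_code: bool       # True when the input sits in app-writable storage
    reason: str


def parse_options(argv: List[str]) -> Dict[str, str]:
    """Collect --key=value options; a repeated key keeps its last value."""
    opts: Dict[str, str] = {}
    for arg in argv[1:]:
        if arg.startswith("--") and "=" in arg:
            key, value = arg[2:].split("=", 1)
            opts[key] = value
    return opts


def package_from_path(path: str) -> Optional[str]:
    """Package name for /data/data/<pkg>/... or /data/user{,_de}/<n>/<pkg>/... paths."""
    parts = path.split("/")          # parts[0] is '' because of the leading slash
    if len(parts) > 3 and parts[1] == "data" and parts[2] == "data":
        return parts[3]
    if len(parts) > 4 and parts[1] == "data" and parts[2] in ("user", "user_de"):
        return parts[4]
    return None


def analyse_dex2oat(pid: int, cmdline: str) -> Optional[Dex2oatEvent]:
    """Return a finding for a dex2oat command line, or None if it is not one."""
    argv = shlex.split(cmdline)
    if not argv or not argv[0].endswith("dex2oat"):
        return None                  # some other process
    dex_file = parse_options(argv).get("dex-file")
    if dex_file is None:
        return None                  # input passed by fd (--zip-fd); not handled here
    pkg = package_from_path(dex_file)
    if dex_file.startswith(APP_PRIVATE_PREFIXES):
        return Dex2oatEvent(pid, dex_file, pkg, True,
                            "input lives in app-private writable storage")
    if dex_file.startswith(INSTALLED_CODE_PREFIXES) and dex_file.endswith(".apk"):
        return Dex2oatEvent(pid, dex_file, pkg, False, "installed APK being compiled")
    return Dex2oatEvent(pid, dex_file, pkg, True,
                        "input outside installer-managed locations")


if __name__ == "__main__":
    for pid, cmd in ((4288, REPORT_CMDLINE), (1234, BENIGN_CMDLINE)):
        ev = analyse_dex2oat(pid, cmd)
        print(f"pid={ev.pid} dropped={ev.dropped_code} pkg={ev.package} "
              f"dex={ev.dex_file} ({ev.reason})")
```

Run against a full sandbox process tree, this isolates the packages that compiled runtime-written code; the --oat-location output path from the same command line tells you where the compiled .odex and .vdex landed if you want to pull them from the device image for static analysis.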
Network
MITRE ATT&CK Mobile v15
Persistence
  Event Triggered Execution (1)
    Broadcast Receivers (1)
  Foreground Persistence (1)
Defense Evasion
  Download New Code at Runtime (1)
  Foreground Persistence (1)
  Hide Artifacts (2)
    Suppress Application Icon (1)
    User Evasion (1)
  Impair Defenses (1)
    Prevent Application Removal (1)
  Input Injection (1)
  Virtualization/Sandbox Evasion (2)
    System Checks (2)
Downloads
- Filesize: 972KB
  MD5: 8493827c05160d36e6519cad7021a5bb
  SHA1: 99cfac459bb6a0815a67ac984c84e3360c75cbc1
  SHA256: 1abe80031904df25a6d98e66ccde6145da056ec42e0e370db2a5d35e65cd8f39
  SHA512: e7de8916408143e4dd6ba739227e080c4477cb26c52ea332ce381aa1b22e99cd3ddb6f0a179e142c634a4fb945f77a490bc3cdf3448eb6e4698b44fe00700e26
- Filesize: 972KB
  MD5: b0af9e36680a2460ffdbc981d50e2131
  SHA1: e32965d9787084db95fce7e4e26e502924acee03
  SHA256: c3e0b6c5e83da309d30e872e8e4caf8fcd89321a6d06fa696fd3c7a39298b90f
  SHA512: edef72cf56854f6aa61183b88ae607e36899a49b87934cde795511880f08946e2cb5818eb15be451f016bce2b651512dffc4f1671cb45e8032316403850f453a