Resubmissions

14/10/2024, 16:38

241014-t5mzeavdjd 8

14/10/2024, 16:34

241014-t3ev1svbrd 8

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    14/10/2024, 16:38

General

  • Target

    516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11.apk

  • Size

    2.4MB

  • MD5

    f3a8b8947a994aba2581c54cf4a7e3d3

  • SHA1

    6c854a80ecd9fbd1dcea7f272942ff13f4435022

  • SHA256

    516282073b7d81c630d4c5955d396e1e47a2f476f03dea7308461fa62f465c11

  • SHA512

    37157a2c7d3852d0df32a1b291d62678730fb61dc223df82c05c7b8a68ea45ad32d49ab3591128282c458ed28b10b2383c9069006da05d7a1ac8fc37894606a7

  • SSDEEP

    49152:gpIOeqIDfH3BGFnGQRGiLMnGl2XeF/2mpApChaBo1gw7GY:AeqSfXBGFnGQQiLMnGl2XeF/rpAwhB9

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Reads information about phone network operator. 1 TTPs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • moneyless.freckled.daily
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4260
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/moneyless.freckled.daily/code_cache/decrypted.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/data/moneyless.freckled.daily/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4288

Network

        MITRE ATT&CK Mobile v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/data/moneyless.freckled.daily/code_cache/decrypted.dex

          Filesize

          972KB

          MD5

          8493827c05160d36e6519cad7021a5bb

          SHA1

          99cfac459bb6a0815a67ac984c84e3360c75cbc1

          SHA256

          1abe80031904df25a6d98e66ccde6145da056ec42e0e370db2a5d35e65cd8f39

          SHA512

          e7de8916408143e4dd6ba739227e080c4477cb26c52ea332ce381aa1b22e99cd3ddb6f0a179e142c634a4fb945f77a490bc3cdf3448eb6e4698b44fe00700e26

        • /data/data/moneyless.freckled.daily/code_cache/decrypted.dex

          Filesize

          972KB

          MD5

          b0af9e36680a2460ffdbc981d50e2131

          SHA1

          e32965d9787084db95fce7e4e26e502924acee03

          SHA256

          c3e0b6c5e83da309d30e872e8e4caf8fcd89321a6d06fa696fd3c7a39298b90f

          SHA512

          edef72cf56854f6aa61183b88ae607e36899a49b87934cde795511880f08946e2cb5818eb15be451f016bce2b651512dffc4f1671cb45e8032316403850f453a