Analysis
- max time kernel: 29s
- max time network: 34s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 14/10/2024, 17:17
Static task: static1
Behavioral task: behavioral1
- Sample: 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc.apk
- Resource: android-33-x64-arm64-20240624-en
General
- Target: 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc.apk
- Size: 2.5MB
- MD5: d9763c68ebbfaeef4334cfefc54b322f
- SHA1: cb6f9bcd4b491858583ee9f10b72c0582bf94ab1
- SHA256: 880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc
- SHA512: 4a408c2b284632f54dcb91568161f951d3d36d4092eb9c3f4a823cebf1e5e89395693dd31ba8dbd90bf392b96944fda96c5d01cd149c934c3401e606efe914d4
- SSDEEP: 49152:XtLVdMwtV/l221ikvxQ/1UVjtCXnmptDGCz4aBR1gwmbu:9LZtV/lCkY1UVjinYtD7z4Dbu
Malware Config
Signatures
- pid: 4220; Process: suds.expend.affiliate.rising
- pid: 4220; Process: suds.expend.affiliate.rising
Loads dropped Dex/Jar (1 TTPs, 3 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex; pid: 4220; Process: suds.expend.affiliate.rising
- ioc: /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex; pid: 4285; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/data/suds.expend.affiliate.rising/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=&
- ioc: /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex; pid: 4220; Process: suds.expend.affiliate.rising
Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: suds.expend.affiliate.rising
- description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: suds.expend.affiliate.rising
Queries the phone number (MSISDN for GSM devices) (1 TTPs)
Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
- description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; Process: suds.expend.affiliate.rising
Performs UI accessibility actions on behalf of the user (1 TTPs, 5 IoCs)
Application may abuse the accessibility service to prevent its removal.
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: suds.expend.affiliate.rising
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: suds.expend.affiliate.rising
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: suds.expend.affiliate.rising
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: suds.expend.affiliate.rising
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: suds.expend.affiliate.rising
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
- description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: suds.expend.affiliate.rising
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
- description: Intent action; ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; Process: suds.expend.affiliate.rising
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
- description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; Process: suds.expend.affiliate.rising
Checks CPU information (2 TTPs, 1 IoCs)
- description: File opened for read; ioc: /proc/cpuinfo; Process: suds.expend.affiliate.rising
Checks memory information (2 TTPs, 1 IoCs)
- description: File opened for read; ioc: /proc/meminfo; Process: suds.expend.affiliate.rising
Processes
- suds.expend.affiliate.rising (PID: 4220)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/data/suds.expend.affiliate.rising/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=& (PID: 4285)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
- Persistence
  - Event Triggered Execution (1)
    - Broadcast Receivers (1)
  - Foreground Persistence (1)
- Defense Evasion
  - Download New Code at Runtime (1)
  - Foreground Persistence (1)
  - Hide Artifacts (2)
    - Suppress Application Icon (1)
    - User Evasion (1)
  - Impair Defenses (1)
    - Prevent Application Removal (1)
  - Input Injection (1)
  - Virtualization/Sandbox Evasion (2)
    - System Checks (2)
Downloads
- Filesize: 972KB
  - MD5: f9d5b402acee67675f87d33d7d52b364
  - SHA1: c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b
  - SHA256: 6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359
  - SHA512: 6b64569a675dd1186e11aebbc136d7cbd302f02493b48e82fe0916bdd86547a40b3e988a4c122895b11c562d857e0311b851f80b4915e28bf9111140afd47a31
- Filesize: 972KB
  - MD5: a499d4c87d704e28c1d74fd352da5c84
  - SHA1: 92a3bef63121a495aaf390497514f5d7d3d91abd
  - SHA256: 9a871e9dd626e236bfa8f438e32dbe42f1b68ae5900bd8636fd37d438b596813
  - SHA512: c5360a5418b3a67eac85abc3523b2f07f58d596ed23ea90a486f526455a9ca497cd873f32bf18adefd16fcbd369296cd87d5a3ff3aaf4bf8fdfe60a749815db9