Analysis

  • max time kernel
    29s
  • max time network
    34s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    14/10/2024, 17:17

General

  • Target

    880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc.apk

  • Size

    2.5MB

  • MD5

    d9763c68ebbfaeef4334cfefc54b322f

  • SHA1

    cb6f9bcd4b491858583ee9f10b72c0582bf94ab1

  • SHA256

    880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc

  • SHA512

    4a408c2b284632f54dcb91568161f951d3d36d4092eb9c3f4a823cebf1e5e89395693dd31ba8dbd90bf392b96944fda96c5d01cd149c934c3401e606efe914d4

  • SSDEEP

    49152:XtLVdMwtV/l221ikvxQ/1UVjtCXnmptDGCz4aBR1gwmbu:9LZtV/lCkY1UVjinYtD7z4Dbu

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 2 IoCs
  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • suds.expend.affiliate.rising
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks CPU information
    • Checks memory information
    PID:4220
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/data/suds.expend.affiliate.rising/code_cache/oat/x86/decrypted.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4285

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex

    Filesize

    972KB

    MD5

    f9d5b402acee67675f87d33d7d52b364

    SHA1

    c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b

    SHA256

    6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359

    SHA512

    6b64569a675dd1186e11aebbc136d7cbd302f02493b48e82fe0916bdd86547a40b3e988a4c122895b11c562d857e0311b851f80b4915e28bf9111140afd47a31

  • /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex

    Filesize

    972KB

    MD5

    a499d4c87d704e28c1d74fd352da5c84

    SHA1

    92a3bef63121a495aaf390497514f5d7d3d91abd

    SHA256

    9a871e9dd626e236bfa8f438e32dbe42f1b68ae5900bd8636fd37d438b596813

    SHA512

    c5360a5418b3a67eac85abc3523b2f07f58d596ed23ea90a486f526455a9ca497cd873f32bf18adefd16fcbd369296cd87d5a3ff3aaf4bf8fdfe60a749815db9