Analysis
-
max time kernel
29s
max time network
37s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags
android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system
submitted
14/10/2024, 17:17
Static task
static1
Behavioral task
behavioral1
Sample
880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc.apk
-
Size
2.5MB
-
MD5
d9763c68ebbfaeef4334cfefc54b322f
-
SHA1
cb6f9bcd4b491858583ee9f10b72c0582bf94ab1
-
SHA256
880c9f65c5e2007bfed3a2179e64e36854266023a00e1a7066cbcf8ee6c93cbc
-
SHA512
4a408c2b284632f54dcb91568161f951d3d36d4092eb9c3f4a823cebf1e5e89395693dd31ba8dbd90bf392b96944fda96c5d01cd149c934c3401e606efe914d4
-
SSDEEP
49152:XtLVdMwtV/l221ikvxQ/1UVjtCXnmptDGCz4aBR1gwmbu:9LZtV/lCkY1UVjinYtD7z4Dbu
Malware Config
Signatures
-
Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc: /data/data/suds.expend.affiliate.rising/code_cache/decrypted.dex; pid: 4310; Process: suds.expend.affiliate.rising
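When a sample writes a file such as decrypted.dex to its code_cache directory and then loads it, the first triage step is to confirm the dropped blob is a structurally valid DEX (and not a still-encrypted or truncated fragment) and to record its hashes for pivoting. The following header verifier is an added example and is not part of the sandbox report or its tooling; it implements the documented Dalvik header layout (magic, Adler-32 over everything after offset 12, SHA-1 over everything after offset 32, fixed 0x70 header size, little-endian tag). The `build_minimal_dex` fixture is a constructed test input, not the real decrypted.dex from this run, and `triage_dropped_dex` is a name chosen here for illustration.

```python
"""Verify a dropped DEX file's header and compute its hashes (added example)."""
import hashlib
import json
import struct
import sys
import zlib

DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
HEADER_SIZE = 0x70            # header_size is fixed at 112 bytes
ENDIAN_CONSTANT = 0x12345678  # little-endian marker expected in endian_tag

# The 17 uint32 fields that follow endian_tag (file offsets 44..112).
TAIL_FIELDS = (
    "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)


def parse_dex_header(data: bytes) -> dict:
    """Parse the DEX header and verify its integrity fields.

    Raises ValueError with a reason when the blob is not a structurally sound
    DEX: wrong magic, truncated/padded, wrong header size or endianness,
    checksum or signature mismatch.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    magic = data[:8]
    if magic not in DEX_MAGICS:
        raise ValueError(f"unexpected magic {magic!r}")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if header_size != HEADER_SIZE:
        raise ValueError(f"header_size {header_size:#x} != {HEADER_SIZE:#x}")
    if endian_tag != ENDIAN_CONSTANT:
        raise ValueError(f"endian_tag {endian_tag:#x} is not the little-endian constant")
    if file_size != len(data):
        raise ValueError(f"file_size {file_size} != actual length {len(data)} (truncated or padded)")
    # checksum covers every byte after itself; signature covers every byte after itself
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != checksum:
        raise ValueError("Adler-32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        raise ValueError("SHA-1 signature mismatch")
    header = dict(zip(TAIL_FIELDS, struct.unpack_from("<17I", data, 44)))
    header.update(version=magic[4:7].decode(), file_size=file_size,
                  header_size=header_size, checksum=checksum, signature=signature.hex())
    return header


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole blob, for matching against report IoCs."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Construct a header-plus-map_list DEX blob. Test fixture only, not a real payload."""
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", 0x0000, 0, 1, 0)  # one TYPE_HEADER_ITEM
    file_size = HEADER_SIZE + len(map_list)
    tail = dict.fromkeys(TAIL_FIELDS, 0)
    tail.update(map_off=HEADER_SIZE, data_size=len(map_list), data_off=HEADER_SIZE)
    body = struct.pack("<III", file_size, HEADER_SIZE, ENDIAN_CONSTANT)
    body += struct.pack("<17I", *(tail[f] for f in TAIL_FIELDS))
    body += map_list
    signature = hashlib.sha1(body).digest()                    # covers offset 32 onward
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF     # covers offset 12 onward
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + body


def triage_dropped_dex(data: bytes) -> dict:
    """What to record for a dropped-DEX IoC: verdict, reason, header fields, hashes."""
    try:
        header = parse_dex_header(data)
        return {"valid": True, "reason": "", "header": header, "hashes": file_hashes(data)}
    except ValueError as exc:
        return {"valid": False, "reason": str(exc), "header": {}, "hashes": file_hashes(data)}


if __name__ == "__main__":
    # Usage: python dex_triage.py /path/to/decrypted.dex  (falls back to the fixture)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_dex()
    print(json.dumps(triage_dropped_dex(blob), indent=2))
```

A blob that fails the checksum or signature check is worth a second look rather than an automatic discard: a decryptor that writes the payload in chunks can be caught mid-write by the sandbox, and some loaders patch the header after the file is on disk.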
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: suds.expend.affiliate.rising
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: suds.expend.affiliate.rising
Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description: Framework service call; ioc: android.content.IClipboard.addPrimaryClipChangedListener; Process: suds.expend.affiliate.rising
Queries the phone number (MSISDN for GSM devices) 1 TTPs
-
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
description: Framework service call; ioc: android.app.IActivityManager.setServiceForeground; Process: suds.expend.affiliate.rising
Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: suds.expend.affiliate.rising (5 identical calls)
Reads information about the phone network operator. 1 TTPs
-
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description: Intent action; ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; Process: suds.expend.affiliate.rising
Checks CPU information 2 TTPs 1 IoCs
description: File opened for read; ioc: /proc/cpuinfo; Process: suds.expend.affiliate.rising
Checks memory information 2 TTPs 1 IoCs
description: File opened for read; ioc: /proc/meminfo; Process: suds.expend.affiliate.rising
Processes
-
suds.expend.affiliate.rising
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Checks CPU information
- Checks memory information
PID:4310
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads
-
Filesize
972KB
MD5
f9d5b402acee67675f87d33d7d52b364
SHA1
c7ebf2adfd6482e1eb2c3b05f79cdff5c733c47b
SHA256
6c045a521d4d19bd52165ea992e91d338473a70962bcfded9213e592cea27359
SHA512
6b64569a675dd1186e11aebbc136d7cbd302f02493b48e82fe0916bdd86547a40b3e988a4c122895b11c562d857e0311b851f80b4915e28bf9111140afd47a31