Overview

overview

8

Static

static

6

excess.und...ng.apk

android-9-x86

8

excess.und...ng.apk

android-13-x64

7

Resubmissions

14/10/2024, 17:23

241014-vx752swhjf 8

09/10/2024, 09:04

241009-k148fssclj 8

Analysis

  • max time kernel
    27s
  • max time network
    36s
  • platform
    android_x64
  • resource
    android-33-x64-arm64-20240624-en
  • resource tags

    androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
  • submitted
    14/10/2024, 17:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    excess.undrilled.improper.crushing.apk

  • Size

    2.4MB

  • MD5

    eb0ad0b462c65a40c16d43c15cd06aea

  • SHA1

    28b0a4559078eac3bd1c06b493c35408e3def804

  • SHA256

    136d00629e8cd59a6be639b0eaef925fd8cd68cbcbdb71a3a407836c560b8579

  • SHA512

    d5178c83b493999e380b68abc6511ace9c3296393f08bee01dd80582a752fa07a2658bd1d2d0ef3fed01cca9ef17b31c5e5e0c4986ea46ce91a19c9c10e42b58

  • SSDEEP

    49152:oRkr6w6JVKUf5wj0FRaVeRyWogZqChiBx1gwxm:V2dJIg7PaV8yvgZnhWm

Score
7/10
collectioncredential_accessdiscoveryevasionimpactpersistence

Malware Config

Signatures

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
    discovery
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Reads information about phone network operator. 1 TTPs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    evasion
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • excess.undrilled.improper.crushing
    1⤵
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    PID:4338
  • excess.undrilled.improper.crushing:webview_process
    1⤵
    • Loads dropped Dex/Jar
    • Obtains sensitive information copied to the device clipboard
    • Checks CPU information
    • Checks memory information
    PID:4401

Network

        MITRE ATT&CK Mobile v15

        Initial Access

        Execution

        Persistence

        Foreground Persistence

        1
        T1541

        Privilege Escalation

        Defense Evasion

        Download New Code at Runtime

        1
        T1407

        Foreground Persistence

        1
        T1541

        Hide Artifacts

        1
        T1628

        User Evasion

        1
        T1628.002

        Impair Defenses

        1
        T1629

        Prevent Application Removal

        1
        T1629.001

        Input Injection

        1
        T1516

        Virtualization/Sandbox Evasion

        2
        T1633

        System Checks

        2
        T1633.001

        Credential Access

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Discovery

        System Information Discovery

        2
        T1426

        System Network Configuration Discovery

        2
        T1422

        Lateral Movement

        Collection

        Clipboard Data

        1
        T1414

        Input Capture

        2
        T1417

        GUI Input Capture

        1
        T1417.002

        Keylogging

        1
        T1417.001

        Screen Capture

        1
        T1513

        Command and Control

        Exfiltration

        Impact

        Data Manipulation

        1
        T1641

        Transmitted Data Manipulation

        1
        T1641.001

        Input Injection

        1
        T1516

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • /data/data/excess.undrilled.improper.crushing/code_cache/decrypted.dex
          Filesize

          975KB

          MD5

          dfde1000d6b51cdc38b21ac5fbaa462a

          SHA1

          8389cd13c15f316d55f7909e6ae71f56dfa8ea1b

          SHA256

          09e3db729b16cf271d9be99996334422b372bafaae9ba95f65828c5b2bc97d34

          SHA512

          3f11d6d1c0f4063bb79771834959e8a9d10b7210138fbde88fdf504138ff74c4467b1ca746e341b845ebd10ceb82a122386c1f4f57e2a1ea33f1d51063b08038

          Download Submit