Analysis
- max time kernel: 147s
- max time network: 129s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 15/10/2024, 22:05
Static task: static1
Behavioral task: behavioral1
- Sample: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.apk
- Size: 4.7MB
- MD5: f14a91c5c27567e5742b66621468ba31
- SHA1: 9117fa80578d12fcb2da1e21e05ab51d6adf79d3
- SHA256: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d
- SHA512: 00d13eba85e0f4fe0b0b83096c86d82173a389211deeeea344fa40e60c017b564b5f206f857eb64426f303279533c59ca80c30b5b251b3020ec267ed91484c7e
- SSDEEP: 98304:/8DcbmekaLf340kH/khQwXUTITKOJbKvEjVu/UWYUBl4y/T/1roq1PQSrI9w8b:kYbm9aLfSKpUTpE82/e0q1509w8b
Malware Config
Signatures
Removes its main activity from the application launcher
- pid 4251, Process org.twisevictory.apps (8 identical entries)
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json; pid 4275; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/org.twisevictory.apps/app_DynamicOptDex/oat/x86/nAYGaDlhczKOcdhQ.odex --compiler-filter=quicken --class-loader-context=&
- ioc: /data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json; pid 4251; Process: org.twisevictory.apps
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: org.twisevictory.apps
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText; Process: org.twisevictory.apps
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: org.twisevictory.apps
Performs UI accessibility actions on behalf of the user (1 TTPs, 24 IoCs)
Application may abuse the accessibility service to prevent its removal.
- ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: org.twisevictory.apps (24 identical entries)
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
- Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: org.twisevictory.apps
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
- Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; Process: org.twisevictory.apps
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
- Framework service call android.app.IActivityManager.registerReceiver; Process: org.twisevictory.apps
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
- Framework service call android.app.job.IJobScheduler.schedule; Process: org.twisevictory.apps
Checks CPU information (2 TTPs, 1 IoCs)
- File opened for read /proc/cpuinfo; Process: org.twisevictory.apps
Checks memory information (2 TTPs, 1 IoCs)
- File opened for read /proc/meminfo; Process: org.twisevictory.apps
Processes
org.twisevictory.apps, PID 4251
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/org.twisevictory.apps/app_DynamicOptDex/oat/x86/nAYGaDlhczKOcdhQ.odex --compiler-filter=quicken --class-loader-context=&, PID 4275 (child process)
  - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Downloads