Analysis

  • max time kernel: 147s
  • max time network: 129s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 15/10/2024, 22:05

General

  • Target: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.apk
  • Size: 4.7MB
  • MD5: f14a91c5c27567e5742b66621468ba31
  • SHA1: 9117fa80578d12fcb2da1e21e05ab51d6adf79d3
  • SHA256: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d
  • SHA512: 00d13eba85e0f4fe0b0b83096c86d82173a389211deeeea344fa40e60c017b564b5f206f857eb64426f303279533c59ca80c30b5b251b3020ec267ed91484c7e
  • SSDEEP: 98304:/8DcbmekaLf340kH/khQwXUTITKOJbKvEjVu/UWYUBl4y/T/1roq1PQSrI9w8b:kYbm9aLfSKpUTpE82/e0q1509w8b

Malware Config

Signatures

  • Removes its main activity from the application launcher (1 TTP, 8 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 24 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.

  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • org.twisevictory.apps (PID 4251)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/org.twisevictory.apps/app_DynamicOptDex/oat/x86/nAYGaDlhczKOcdhQ.odex --compiler-filter=quicken --class-loader-context=& (PID 4275)
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json
    Filesize: 551KB
    MD5: a7d652c0740fe775d465ccc7a2b60a7e
    SHA1: 1c66ddf0dac433c8ee1d1eefc5c5fc340668ded9
    SHA256: f63410ed9cb8cb2146ba2dc18784f960344f2c8882d112f07399f67a6d59322f
    SHA512: 2ebc1849996e8ae60ffb91795ccf7ed8614af520367edd70d958242f5d3c80f9289e5573d74869711afdfa30328cdf3bc20d79cef943f5fcc7050b06812fda0a

  • /data/data/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json
    Filesize: 551KB
    MD5: e6f00974f78355e6e9fcce1074bd27e0
    SHA1: 99735a6e0cb0bb0a4cd5b41cd954d672353301fa
    SHA256: e73e421ea07b1f9d4994ea94d7d3ce88e1a9a23567558802f5e7c761d8f5a531
    SHA512: 80951537aeaa66ed980994874e0480f2e508f44697f809fc1ad3b9d14b55e992cb048b18dc0788a8a0a6339cb24d85d02fd68c0328c49682316ef01ef5185999

  • /data/data/org.twisevictory.apps/app_DynamicOptDex/oat/nAYGaDlhczKOcdhQ.json.cur.prof
    Filesize: 548B
    MD5: 5d79673d5a17aef37aa37a9fb3b08369
    SHA1: ee71afb25a19a7a4c4ebdeaf3ffeb9db7b885b5f
    SHA256: d6a5bbdc54b52313460eaf182fd227bb6b3ead92597ca254d29e846b85f781ca
    SHA512: 5e645a774497898208c83ccc804eef9ea3fd672e22c691c2bdcacb1a059420eaa07c4058d1b6777955af17674d9d5db21579c19a2761a8ea39f3281730f0cf9c

  • /data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json
    Filesize: 631KB
    MD5: 2dcb425afed845361996d40b9e29a2de
    SHA1: 29cd704d0cd49c0b813227d8395acaa85a3a53f9
    SHA256: 8fa4b04136401f0f2ca892b7dd75245bd643636926ae9270fe7b1aa04a690b58
    SHA512: 79a5990311cd843e64d64c7f235e06ded1c78a7eb319dc233437743f47cd9246661c03a3a4b2d7874a5a3f2f8e6c3774c83763af59f1852be969f7e643585cce

  • /data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json
    Filesize: 631KB
    MD5: 6e66c9de2c10224f3cea97f276a31883
    SHA1: 9fc334522d9c215490e8e7f44689c54766d19f7b
    SHA256: f77387dc66df6778e45f9082bf8fd5d5344d0f5e7c89db88c6dbf3ea1b450c5a
    SHA512: 81744b0726586b9b9b311f395599a901bc3eead36e18e1fcfe76598eaf4f09645ddacbfa8e7bdd4d4c1462dd2b03d2638222ed0fb59f0f898b0beaac7376548f