Analysis
Max time kernel: 136s
Max time network: 132s
Platform: android_x64
Resource: android-x64-arm64-20240624-en
Resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
Submitted: 15/10/2024, 22:05
Static task: static1
Behavioral task: behavioral1
  Sample: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.apk
  Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
  Sample: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.apk
  Resource: android-x64-arm64-20240624-en
General
Target: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d.apk
Size: 4.7MB
MD5: f14a91c5c27567e5742b66621468ba31
SHA1: 9117fa80578d12fcb2da1e21e05ab51d6adf79d3
SHA256: 50b83546575bc63af113f2ac4b43814dd37a010ad3b4837203cff709f325e20d
SHA512: 00d13eba85e0f4fe0b0b83096c86d82173a389211deeeea344fa40e60c017b564b5f206f857eb64426f303279533c59ca80c30b5b251b3020ec267ed91484c7e
SSDEEP: 98304:/8DcbmekaLf340kH/khQwXUTITKOJbKvEjVu/UWYUBl4y/T/1roq1PQSrI9w8b:kYbm9aLfSKpUTpE82/e0q1509w8b
Malware Config
Signatures
Removes its main activity from the application launcher
pid: 4464; Process: org.twisevictory.apps (7 identical rows in the report)

Loads dropped Dex/Jar 1 TTPs 1 IoCs
Runs executable file dropped to the device during analysis.
ioc: /data/user/0/org.twisevictory.apps/app_DynamicOptDex/nAYGaDlhczKOcdhQ.json; pid: 4464; Process: org.twisevictory.apps

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText; Process: org.twisevictory.apps
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId; Process: org.twisevictory.apps
description: Framework service call; ioc: android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId; Process: org.twisevictory.apps

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
description: Framework service call; ioc: android.content.IClipboard.addPrimaryClipChangedListener; Process: org.twisevictory.apps

Performs UI accessibility actions on behalf of the user 1 TTPs 24 IoCs
Application may abuse the accessibility service to prevent its removal.
ioc: android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction; Process: org.twisevictory.apps (24 identical rows in the report)

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
description: Intent action; ioc: android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS; Process: org.twisevictory.apps

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
description: Framework service call; ioc: android.app.job.IJobScheduler.schedule; Process: org.twisevictory.apps

Checks CPU information 2 TTPs 1 IoCs
description: File opened for read; ioc: /proc/cpuinfo; Process: org.twisevictory.apps

Checks memory information 2 TTPs 1 IoCs
description: File opened for read; ioc: /proc/meminfo; Process: org.twisevictory.apps
Processes
org.twisevictory.apps (PID: 4464)
- Removes its main activity from the application launcher
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Downloads