c885e45ba897c999ae3291c8314d94365db1f466ec2ff3f501e996762b74371e

Analysis

max time kernel
149s
max time network
156s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
21/10/2024, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

M-Pajak.apk
Size

13.0MB
MD5

ec05e3c8455f7d39c4c7540e5a402a5b
SHA1

522e3031d8aa2bbd69469301ea1dbafcb89c9412
SHA256

c885e45ba897c999ae3291c8314d94365db1f466ec2ff3f501e996762b74371e
SHA512

b1b1390ebff758d2284671f21ac0d16d252b4ee542c073704412e0b29532947ee30f58707084bf6f97dcfedd68f8df85c989c8b24887fb7d01eb095a5b784144
SSDEEP

196608:3pN6uNxK7VmWuFxX+uUBeVG/5OQ0x6JEDgNtcC0CMRalk4iCP8MMIINO5asobgW5:3nMV+xXXrx6xAC0C/78JIOOdobgahN

Score

7^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.aa.bb

Queries account information for other applications stored on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.aa.bb
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.aa.bb:s1
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.aa.bb:main

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.aa.bb:main
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.aa.bb
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.aa.bb:s1

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.aa.bb

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.aa.bb

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.aa.bb

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.aa.bb

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.aa.bb
Framework service call	android.app.job.IJobScheduler.schedule	com.aa.bb:main

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb:s1
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb:main

com.aa.bb
1⤵
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4343
- getprop ro.build.display.id
  2⤵
  PID:4783
- getprop ro.build.display.id
  2⤵
  PID:4868
- getprop ro.build.display.id
  2⤵
  PID:4896
- getprop ro.build.display.id
  2⤵
  PID:4925
- getprop ro.build.display.id
  2⤵
  PID:4947
- getprop ro.build.display.id
  2⤵
  PID:4987
- getprop ro.build.display.id
  2⤵
  PID:5016
- getprop ro.build.display.id
  2⤵
  PID:5047
- getprop ro.build.display.id
  2⤵
  PID:5144
- getprop ro.build.display.id
  2⤵
  PID:5186
- getprop ro.build.display.id
  2⤵
  PID:5210
- getprop ro.build.display.id
  2⤵
  PID:5245
- getprop ro.build.display.id
  2⤵
  PID:5276
- getprop ro.build.display.id
  2⤵
  PID:5309
- getprop ro.build.display.id
  2⤵
  PID:5353
- getprop ro.build.display.id
  2⤵
  PID:5376
- getprop ro.build.display.id
  2⤵
  PID:5398
- getprop ro.build.display.id
  2⤵
  PID:5436
- getprop ro.build.display.id
  2⤵
  PID:5466
- getprop ro.build.display.id
  2⤵
  PID:5484
- getprop ro.build.display.id
  2⤵
  PID:5522
- getprop ro.build.display.id
  2⤵
  PID:5547
- getprop ro.build.display.id
  2⤵
  PID:5568
- getprop ro.build.display.id
  2⤵
  PID:5607
- getprop ro.build.display.id
  2⤵
  PID:5636
- getprop ro.build.display.id
  2⤵
  PID:5654
- getprop ro.build.display.id
  2⤵
  PID:5692
- getprop ro.build.display.id
  2⤵
  PID:5720
- getprop ro.build.display.id
  2⤵
  PID:5743

com.aa.bb:s1
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Uses Crypto APIs (Might try to encrypt user data)
PID:4615

com.aa.bb:main
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4598

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.aa.bb/no_backup/androidx.work.workdb

Filesize
100KB

MD5
66e7fc2d9f95995e198b5ad068d9edc5

SHA1
ff4decc66ae231406e0fd4d584e9afa9268f9110

SHA256
fc98ab41f53a443786c8b4022f048fc1ce95b0c6090c602b536c28fc00f024cb

SHA512
0aed00a3bcb1fdf83ab9a642ee39b5c5c2ee34ac80fc26e0377362133d411810742cb7fc61114fd4ccfb845fd6b7d691eebd6ef25ce7debb5593f818cc1faeab

Download Submit
/data/data/com.aa.bb/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.aa.bb/no_backup/androidx.work.workdb-wal

Filesize
402KB

MD5
e2bad4d2fb3fdf13b811dac5a5d52bed

SHA1
d4ca8d79486ceb6ad12ef8b8d89c2f2ebb66f1b9

SHA256
d89f596585b6665b02239553c09479de7d9d8c8bee4cfeabc899fa188fbb21f3

SHA512
599d11d1956d9ff2bb19c0f416d84455f42487cb7fc6098ed867df5a56314f47ecc2ba1d760abb080008c73d032c7a3865de1d20f8279727f71b94bab61c151c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads