9e00e23077fd90ab4fc5cd98375591161bf8508fc959265605c47b10efa2a73d

Analysis

max time kernel
148s
max time network
156s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
21/10/2024, 15:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

M-Pajak.apk
Size

14.9MB
MD5

6270c107c32174763caf5ee3013abb96
SHA1

f6d3c9b2cf10ef3edb3c1d6b732fd558c89251f5
SHA256

9e00e23077fd90ab4fc5cd98375591161bf8508fc959265605c47b10efa2a73d
SHA512

20316f727da990c31fad7364d5a4966b80ab1ea0cf65abb358bd87995ac0b0048dfbb02f2074cb61738396bddc29166fe8f289bdb6f61b969e1b0f920ebe3e4f
SSDEEP

196608:8pN6uUP8op7rZXtEF022Mrkx/PznXfHc3OuRwXGgE5oFdqXcbpNFqkLPQFugFQ4J:8ne8qJ+RxYT8+4LoFPckLSugvpO6s3gB

Score

7^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.aa.bb

Queries account information for other applications stored on the device 1 TTPs 2 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.aa.bb:main
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.aa.bb

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.aa.bb

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.aa.bb

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.aa.bb

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.aa.bb

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.aa.bb
Framework service call	android.app.job.IJobScheduler.schedule	com.aa.bb:main

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb:s1
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb:main

com.aa.bb
1⤵
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4304
- getprop ro.build.display.id
  2⤵
  PID:4686
- getprop ro.build.display.id
  2⤵
  PID:4802
- getprop ro.build.display.id
  2⤵
  PID:4838
- getprop ro.build.display.id
  2⤵
  PID:4886
- getprop ro.build.display.id
  2⤵
  PID:4925
- getprop ro.build.display.id
  2⤵
  PID:4949
- getprop ro.build.display.id
  2⤵
  PID:4972
- getprop ro.build.display.id
  2⤵
  PID:5022
- getprop ro.build.display.id
  2⤵
  PID:5188
- getprop ro.build.display.id
  2⤵
  PID:5252
- getprop ro.build.display.id
  2⤵
  PID:5295
- getprop ro.build.display.id
  2⤵
  PID:5334
- getprop ro.build.display.id
  2⤵
  PID:5363
- getprop ro.build.display.id
  2⤵
  PID:5419
- getprop ro.build.display.id
  2⤵
  PID:5447
- getprop ro.build.display.id
  2⤵
  PID:5465
- getprop ro.build.display.id
  2⤵
  PID:5504
- getprop ro.build.display.id
  2⤵
  PID:5531
- getprop ro.build.display.id
  2⤵
  PID:5592
- getprop ro.build.display.id
  2⤵
  PID:5620
- getprop ro.build.display.id
  2⤵
  PID:5638

com.aa.bb:main
1⤵
- Queries account information for other applications stored on the device
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4398

com.aa.bb:s1
1⤵
- Uses Crypto APIs (Might try to encrypt user data)
PID:4430

Network

DNS

semanticlocation-pa.googleapis.com

Remote address:

1.1.1.1:53

Request

semanticlocation-pa.googleapis.com

IN A

Response

semanticlocation-pa.googleapis.com

IN A

216.58.212.234

semanticlocation-pa.googleapis.com

IN A

142.250.200.10

semanticlocation-pa.googleapis.com

IN A

216.58.204.74

semanticlocation-pa.googleapis.com

IN A

172.217.169.74

semanticlocation-pa.googleapis.com

IN A

142.250.178.10

semanticlocation-pa.googleapis.com

IN A

142.250.179.234

semanticlocation-pa.googleapis.com

IN A

216.58.212.202

semanticlocation-pa.googleapis.com

IN A

142.250.187.202

semanticlocation-pa.googleapis.com

IN A

172.217.169.10

semanticlocation-pa.googleapis.com

IN A

216.58.201.106

semanticlocation-pa.googleapis.com

IN A

172.217.16.234

semanticlocation-pa.googleapis.com

IN A

142.250.187.234

semanticlocation-pa.googleapis.com

IN A

172.217.169.42

semanticlocation-pa.googleapis.com

IN A

216.58.213.10

semanticlocation-pa.googleapis.com

IN A

142.250.180.10

semanticlocation-pa.googleapis.com

IN A

142.250.200.42
DNS

www.baidu.com

Remote address:

1.1.1.1:53

Request

www.baidu.com

IN A

Response

www.baidu.com

IN CNAME

www.a.shifen.com

www.a.shifen.com

IN CNAME

www.wshifen.com

www.wshifen.com

IN A

103.235.46.96

www.wshifen.com

IN A

103.235.47.188
GET

http://www.baidu.com/

Remote address:

103.235.46.96:80

Request

GET / HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; AOSP on IA Emulator Build/PSR1.180720.122)
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Content-Encoding: gzip
Content-Length: 1108
Content-Type: text/html
Server: bfe
Date: Mon, 21 Oct 2024 15:26:26 GMT
GET

http://www.baidu.com/

Remote address:

103.235.46.96:80

Request

GET / HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Content-Encoding: gzip
Content-Length: 1108
Content-Type: text/html
Server: bfe
Date: Mon, 21 Oct 2024 15:26:28 GMT
GET

http://www.baidu.com/

Remote address:

103.235.46.96:80

Request

GET / HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Content-Encoding: gzip
Content-Length: 1108
Content-Type: text/html
Server: bfe
Date: Mon, 21 Oct 2024 15:26:31 GMT
GET

http://www.baidu.com/

Remote address:

103.235.46.96:80

Request

GET / HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Content-Encoding: gzip
Content-Length: 1108
Content-Type: text/html
Server: bfe
Date: Mon, 21 Oct 2024 15:26:31 GMT
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

142.250.187.206
DNS

rpc.ynlay.xyz

Remote address:

1.1.1.1:53

Request

rpc.ynlay.xyz

IN A

Response

rpc.ynlay.xyz

IN A

13.214.232.76
POST

https://rpc.ynlay.xyz/x/command-screen-up

Remote address:

13.214.232.76:443

Request

POST /x/command-screen-up HTTP/2.0
host: rpc.ynlay.xyz
type: encryption
version: 06301448-Rebuild
content-type: application/json; charset=UTF-8
content-length: 1379
accept-encoding: gzip
user-agent: okhttp/4.11.0

Response

HTTP/2.0 200

server: nginx
date: Mon, 21 Oct 2024 15:26:40 GMT
content-type: application/json; charset=UTF-8
content-length: 131
content-encoding: gzip
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-request-id: zkCqcqaM3f1zy72sWUWye2y1Z75NocbS
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000

103.235.46.96:80

http://www.baidu.com/

http

581 B
3.4kB
9
8

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
103.235.46.96:80

http://www.baidu.com/

http

741 B
3.1kB
13
13

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
103.235.46.96:80

http://www.baidu.com/

http

701 B
3.6kB
12
11

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
103.235.46.96:80

http://www.baidu.com/

http

741 B
3.1kB
13
12

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
216.58.201.110:443

tls, https

1.8kB
40 B
1
1
142.250.187.206:443

android.apis.google.com

tls

7.5kB
10.4kB
19
30
13.214.232.76:443

https://rpc.ynlay.xyz/x/command-screen-up

tls, http2

2.8kB
4.6kB
16
14

HTTP Request

POST https://rpc.ynlay.xyz/x/command-screen-up

HTTP Response

200
142.250.178.10:443

semanticlocation-pa.googleapis.com

520 B
10

1.1.1.1:53

semanticlocation-pa.googleapis.com

dns

80 B
336 B
1
1

DNS Request

semanticlocation-pa.googleapis.com

DNS Response

216.58.212.234

142.250.200.10

216.58.204.74

172.217.169.74

142.250.178.10

142.250.179.234

216.58.212.202

142.250.187.202

172.217.169.10

216.58.201.106

172.217.16.234

142.250.187.234

172.217.169.42

216.58.213.10

142.250.180.10

142.250.200.42
1.1.1.1:53

www.baidu.com

dns

59 B
144 B
1
1

DNS Request

www.baidu.com

DNS Response

103.235.46.96

103.235.47.188
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

142.250.187.206
1.1.1.1:53

rpc.ynlay.xyz

dns

59 B
75 B
1
1

DNS Request

rpc.ynlay.xyz

DNS Response

13.214.232.76

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.aa.bb/no_backup/androidx.work.workdb

Filesize
100KB

MD5
c4cd87ab329f7af4580c49de17274e0c

SHA1
e211e940f0f4477d78d4e31c0e05d5318f66c663

SHA256
eb526f8e075bb890ad087e4b37fcffb991f3fd8541ea2118acfaaddc1151b6eb

SHA512
cb322f398912a667fc97f40cb3a32bbc1429179e508d2781b52c1154f2992248db2712f82aab399d60feb9c030f56491f5107fd28d2794ed329244ed8149fd41

Download Submit
/data/data/com.aa.bb/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.aa.bb/no_backup/androidx.work.workdb-wal

Filesize
402KB

MD5
79191eb3add56b7ee60a86e1af8f0f3a

SHA1
bc933d2dd5462f75cb0fd6241da73686174ba4c7

SHA256
edccfd9453c296ef73aa318d7a00dd6f1c87851fd6bce4f0f2f6117cd9fa7af6

SHA512
a56a35c3b0d9038dd0523902331ac1b3b7a955432293aaa642c6505e36dc53b48c0f92fccdd194a06c029fa4b08c511957ef7251580516ff266d06a6a9a4dfb5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.