62b002528c334cec9d29d6126ef1b935d10f3b1796cb6380254045189553185d

Analysis

max time kernel
149s
max time network
132s
platform
android_x64
resource
android-x64-arm64-20240624-en
resource tags

androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
submitted
22-10-2024 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ready.apk
Size

6.2MB
MD5

24d0f3802c0891d625fac917a940936c
SHA1

36ad393f4687a676efb2fc0d62a6532c17eb89ab
SHA256

62b002528c334cec9d29d6126ef1b935d10f3b1796cb6380254045189553185d
SHA512

23f65fbce631f3f97eb65f4dbb01b0495ef84a50de5bbfe4bffbfc66040b83480678b1071e2c9d49ba4681a972dc04304e81570f68669be507b93c4607029fd7
SSDEEP

24576:lXvLvTSt4jfa4zBj2mFXs8WFuiWUFutbF:lXvFO4zBKmFaFuHtp

Score

7^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

vessel.wax.phrases

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	vessel.wax.phrases

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

Processes:

vessel.wax.phrases

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	vessel.wax.phrases

Acquires the wake lock 1 IoCs

Processes:

vessel.wax.phrases

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	vessel.wax.phrases

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

Processes:

vessel.wax.phrases

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	vessel.wax.phrases

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

evasion

User Evasion

T1628.002

Processes:

vessel.wax.phrases

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	vessel.wax.phrases

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

Processes:

vessel.wax.phrases

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	vessel.wax.phrases

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

vessel.wax.phrases

description	ioc	Process
File opened for read	/proc/cpuinfo	vessel.wax.phrases

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

Processes:

vessel.wax.phrases

description	ioc	Process
File opened for read	/proc/meminfo	vessel.wax.phrases

vessel.wax.phrases
1⤵
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Queries information about active data network
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4485

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

User Evasion

T1628.002

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/storage/emulated/0/Config/sys/apps/log/log-2024-10-22.txt

Filesize
33B

MD5
da25c7bff55a2936a9cb811d9fe27d93

SHA1
87711aa4a1ee842a6d0cf50a254c742e853b48a5

SHA256
49ecccba597e47651a3dc051292ed5b1c89a9c36a0e85bff287c2127b3330be5

SHA512
51d114639fee48a61618964fb064562b7cf3b1dc29accce57ab1e99f9fb6593c4727671ee4a23caba7f157adf294ef5734ec6f910f596f35b4c2ed7231f76c6c

Download Submit