b9f0e2997fe027035d4c49c27dcefceb66d74ed09b631a34f724ddd82280deac

Analysis

max time kernel
148s
max time network
140s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
23/10/2024, 01:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9f0e2997fe027035d4c49c27dcefceb66d74ed09b631a34f724ddd82280deac.apk
Size

13.4MB
MD5

e82475b9a15b2b91ff5cd9a5a0e8993f
SHA1

bcdd6076d8a02d2105886cd6b721509b2168f4a7
SHA256

b9f0e2997fe027035d4c49c27dcefceb66d74ed09b631a34f724ddd82280deac
SHA512

c22e254a706209483bda99d00f6a539f3d54065ac30fc84463311bf7e5a39ecea7738e2d1fd793c27c41005ea438592bd3defeaad49ae0245898ba907abf09ab
SSDEEP

393216:vn5OZxXm55555AElsj70euc6UpiIMqUuKROQ8yNgV:vM255555Ac+7/UIzuROQ8yNC

Score

7^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sextest.test

Queries account information for other applications stored on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.sextest.test:s1
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.sextest.test
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.sextest.test:main

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sextest.test:s1
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sextest.test
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sextest.test:main

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sextest.test

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.sextest.test

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sextest.test

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.sextest.test

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.sextest.test
Framework service call	android.app.job.IJobScheduler.schedule	com.sextest.test:main

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sextest.test
Framework API call	javax.crypto.Cipher.doFinal	com.sextest.test:main
Framework API call	javax.crypto.Cipher.doFinal	com.sextest.test:s1

com.sextest.test
1⤵
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4331
- getprop ro.build.display.id
  2⤵
  PID:4744
- getprop ro.build.display.id
  2⤵
  PID:4833
- getprop ro.build.display.id
  2⤵
  PID:4857
- getprop ro.build.display.id
  2⤵
  PID:4887
- getprop ro.build.display.id
  2⤵
  PID:4908
- getprop ro.build.display.id
  2⤵
  PID:4980
- getprop ro.build.display.id
  2⤵
  PID:5068
- getprop ro.build.display.id
  2⤵
  PID:5104
- getprop ro.build.display.id
  2⤵
  PID:5160
- getprop ro.build.display.id
  2⤵
  PID:5185
- getprop ro.build.display.id
  2⤵
  PID:5205
- getprop ro.build.display.id
  2⤵
  PID:5243
- getprop ro.build.display.id
  2⤵
  PID:5269
- getprop ro.build.display.id
  2⤵
  PID:5297
- getprop ro.build.display.id
  2⤵
  PID:5345
- getprop ro.build.display.id
  2⤵
  PID:5373
- getprop ro.build.display.id
  2⤵
  PID:5392
- getprop ro.build.display.id
  2⤵
  PID:5431
- getprop ro.build.display.id
  2⤵
  PID:5462
- getprop ro.build.display.id
  2⤵
  PID:5482
- getprop ro.build.display.id
  2⤵
  PID:5524
- getprop ro.build.display.id
  2⤵
  PID:5553
- getprop ro.build.display.id
  2⤵
  PID:5572
- getprop ro.build.display.id
  2⤵
  PID:5611
- getprop ro.build.display.id
  2⤵
  PID:5641
- getprop ro.build.display.id
  2⤵
  PID:5663
- getprop ro.build.display.id
  2⤵
  PID:5701
- getprop ro.build.display.id
  2⤵
  PID:5731
- getprop ro.build.display.id
  2⤵
  PID:5751

com.sextest.test:s1
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Uses Crypto APIs (Might try to encrypt user data)
PID:4565

com.sextest.test:main
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4548

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sextest.test/no_backup/androidx.work.workdb

Filesize
100KB

MD5
b0d98752e53cac10412d5c85b8e99d4a

SHA1
830a21afe8c87dd7133cc196258079b4b4e08253

SHA256
5bd258d2154be00687c522ff17f3f5ea2f4bcd0adcdc67aaa23e719673a9fc1b

SHA512
36343f9de761da64d8b10e75c3ea6a68a9066992ad49b739f93c47101051f35439c0acc1a4734f3b0c6174cfc08f88e10f88b56511f64718307995c23691bebd

Download Submit
/data/data/com.sextest.test/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.sextest.test/no_backup/androidx.work.workdb-wal

Filesize
402KB

MD5
55f4734bb01d413681c906b0e4713998

SHA1
46eb8a87e2c118ee50b8058eba510f3a0f63af91

SHA256
31a10eda6324e96f4e45cba41dd84b73113a8a2f1894f0dceac6448ddcfca3a1

SHA512
ae0ffcbf6dd56a5eb829ca0f29bbb72509bb148a558783b5ee4f6773545a98c0eab4bd4eeb2b0f99f93d7421ab89d91489a76b2cfd283d4d2b8650af00fe0142

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads