5662fdb0a11ab5aaf32c0e920d8690a03a8b259af1fc8775495a4739c3572e2b

Analysis

max time kernel
689s
max time network
690s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
23-10-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EvilRAT.apk
Size

4.7MB
MD5

8e2d9680d83d88a4f54ca1f83e39911a
SHA1

0cf2ad380a8fcd4a715f142dfd1f8571c34d8308
SHA256

5662fdb0a11ab5aaf32c0e920d8690a03a8b259af1fc8775495a4739c3572e2b
SHA512

c8436a0448396f170457de2d78b6b0cd031b2ae2471995b67b1701e5883765f8390664394072e81859327407aa90d479947ce8d4694bda5c0781663d5262a5bd
SSDEEP

98304:hNn8qr+ELiDzJHQv9B194wnyl8mzzazBUTb0t6M3Dh:gq6EOD9Qv9b9rnerzzFEFN

Score

7^/10

collection credential_access evasion execution persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 64 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

build.ledear.xwtps

ioc	pid	Process
/storage/emulated/0/AppData/meta_data0	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data1	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data2	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data3	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data4	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data5	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data6	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data7	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data8	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data9	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data10	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data11	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data12	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data13	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data14	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data15	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data16	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data17	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data18	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data19	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data20	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data21	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data22	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data23	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data24	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data25	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data26	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data27	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data28	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data29	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data30	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data31	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data32	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data33	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data34	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data35	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data36	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data37	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data38	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data39	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data40	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data41	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data42	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data43	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data44	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data45	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data46	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data47	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data48	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data49	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data50	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data51	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data52	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data53	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data54	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data55	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data56	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data57	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data58	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data59	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data60	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data61	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data62	4402	build.ledear.xwtps
/storage/emulated/0/AppData/meta_data63	4402	build.ledear.xwtps

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

Processes:

build.ledear.xwtps

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	build.ledear.xwtps

Acquires the wake lock 1 IoCs

Processes:

build.ledear.xwtps

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	build.ledear.xwtps

Requests enabling of the accessibility settings. 1 IoCs

Processes:

build.ledear.xwtps

description	ioc	Process
Intent action	android.settings.ACCESSIBILITY_SETTINGS	build.ledear.xwtps

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

Processes:

build.ledear.xwtps

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	build.ledear.xwtps

build.ledear.xwtps
1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Requests enabling of the accessibility settings.
- Schedules tasks to execute at a specified time
PID:4402

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/storage/emulated/0/AppData/meta_data0

Filesize
7KB

MD5
effbc10b41f027e5c2130835d524c99d

SHA1
affb65361d7a36d00e402ad869696578b5ac3259

SHA256
566fb91b6bf186c05c4ec051aa2e2802961cbb158df24a8fecaa0678febece84

SHA512
b2ddd0142a80663097e9b71d8d654d88382ef8f765c92f0c8fbf600f1174cb1b1e9e61088f954e609e6d2402fd4750b88945af7c1080018b991f2e6e6d9ad52a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

Filesize
25B

MD5
fd8ed43ac31bbf329c395582c15753cd

SHA1
3c76ee3fa79dde645c0447d6b23d6f435efb3b72

SHA256
049d51bf61bf26d7b9e55391560cc23ec59d2240453ac81b87f2e81153b0fcaf

SHA512
77bb10d1eeeea15fc35f7232af698c951d3f47a5fff56682bbc32f6bea9ebecc997d89ed88c6dff9c226c09446261f184ecbac9697f95799753d73a71e6c4d37

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

Filesize
25B

MD5
ba30336bf53d54ed3c0ea69dd545de8c

SHA1
ce99c6724c75b93b7448e2d9fac16ca702a5711f

SHA256
2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

SHA512
eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

Filesize
25B

MD5
bdb821a955117250611e94cd23842584

SHA1
81edcea1b44f94cfc140710c8410d0696b760c67

SHA256
076eb89055ff3d929eb732e1002a0105652e628682a741151388ce1df3b6ec9d

SHA512
e52ffed4ee84acc414c530c239c8876d9e99c1f2b2c7626c0ed7fbe0c59b9cb8f8a5e9e983541bea3dfdb849dd3b9593df054c2482ed8bcda7c70ebd960ca268

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

Filesize
13B

MD5
de2c41a51ee9246eb1708f65b511add0

SHA1
2f442d634c8a18760a232c8829d4b5d74a52f074

SHA256
ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

SHA512
7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-23.txt

Filesize
41B

MD5
fe1c35db506d34cc02ce27453c21444b

SHA1
3dd3be86fdcd405ede9272d6384fa48b3b0c0c3c

SHA256
cbe81e79afaaba185b6c79d7358a30f9c9e9c41cef66a7e8d1e3a673203d03c2

SHA512
88684044777b32bb3eb89b2fd9db73ba48da9e87aa3f34e0003e4bd6418d6099f36c7da4aaec5a5804bdfbd00143be269362ba60485e2f22f3ad059de103e67c

Download Submit