Analysis

  • max time kernel
    59s
  • max time network
    45s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
  • submitted
    30-10-2024 23:41

General

  • Target

    Vavada.apk

  • Size

    3.8MB

  • MD5

    d83333cf8add0987d3b3e5ebb98ff12c

  • SHA1

    41ded4b0f5efb4ccfbe34e6ca43a07fa39ec9a43

  • SHA256

    5b4fa3c6c80e071c55defa741ae1d95e5d19566f1a8c8bc326f1c7cd85289416

  • SHA512

    0d95e8a203a2c4f7c6a957e57d252a8773e15dae3a52e852e98cfab660d077b0f0774950cadc939d3ed1fbb8c4fb5ec5a9d99f09488d69fd6fb4f9a8bca55998

  • SSDEEP

    49152:inFc7vtaOUX4O6R+AHmB81kUdc1wmzZzdGGpQTOT3UBYqu0cghQ9jikGK:2q7v4H4O58fCwmzZzBmTg0thQcK

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • matrix.predicted.indicates
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    PID:4262

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

    Filesize

    21B

    MD5

    a321fc986b2570a7b24effe9e6475da9

    SHA1

    84fb8302687d1bf7e971f85b7ad80098c033fe2d

    SHA256

    4e7076ecf79121835420f9c2cc90c3155fcd7f943695e54e8ec57218d2398abf

    SHA512

    3b5249fdd93e67d625b1c45234a81979d3a34b9338a6c3c8960366ba9a5c26007364247c1da45f1f82391043d4c13fa060723b93e809170859a276d57c46ec4e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

    Filesize

    276B

    MD5

    ad306204c5771b12c2fcad91bcbaae0a

    SHA1

    b5cea55c7b372b30d784ff7e904390a7293e8b34

    SHA256

    6a7852f3b8dbf59d31bf1fb2880d60a5c0479f1048b386b528f0fdc8f0960a18

    SHA512

    2d9b8acea928c114038edbc83f300765a16fa041da1ce9ae40cc81b55849108afb44446364f96bb7d95d575f34db00555fdf9e40159496cf501277a521d1e76f

  • /storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

    Filesize

    57B

    MD5

    3af69119804d1d999d56d230338ffd36

    SHA1

    69350826205583c8acc385ee0a6e3fc2673ee2ca

    SHA256

    10994862cb263ab6b1e4428cc24cc9c585458fc67544fe0f5dfea81a5a7a115c

    SHA512

    4a41b19d28f637b397d9dff225621694c44c750a9bd65f3e6ad5d3b9acf0d118910ddf53d4618213f9e14c61e0fb154f33f2747dd3b8d50459990767f42fc8cb