af1309a36633e1043e9aba14dcf027fa37a05322d92255cd726d4a0cae8e3790

General

Target

VideoChat.apk
Size

5.5MB
MD5

a1c80b92be1b894d4074a61435171a74
SHA1

0ea2763db7adf07273a54f1c192ed9dca7f381cd
SHA256

af1309a36633e1043e9aba14dcf027fa37a05322d92255cd726d4a0cae8e3790
SHA512

eab59baad76682e60a034cd8a8810ac92ee8b9d67ccfe9219ed9e25edc73a4f9bbef5661f2aeeb1f9dc269f50b075ef994a65857ec81958cdb92fda6b2003616
SSDEEP

98304:vfOKlooooooocoooJXtArfbKeN+GstQlX1p12qGItRaz/TgLzqRSqE+fhmzJzBsq:v/ooooooocoooJarjBNvstQlX1iUQHKj

Score

7^/10

banker collection credential_access discovery evasion execution persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	riverside.wire.sellers
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	riverside.wire.sellers
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	riverside.wire.sellers

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	riverside.wire.sellers

Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	riverside.wire.sellers

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	riverside.wire.sellers

riverside.wire.sellers
1⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Performs UI accessibility actions on behalf of the user
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:5047

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1

T1603

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

Filesize
25B

MD5
cecb6fa23370eb98415c5b5daf389669

SHA1
df5d9b9f6b0b9943219798246d0b7c71770ed841

SHA256
e89a1627ab94a9d1bd4000b7595e5298315b93d856395116efe5b14a8f1d2bda

SHA512
aef75601254734c1626a5220ee420c749191acbe86b17bfc6fa5bff8849dc49f75704c19ce1ee141e596225d7d31e860e454fac2b8fbffc9d1ba72fb5baa83fd

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

Filesize
25B

MD5
60aff59648b4ddfe7bd488893d5dc9bc

SHA1
262c1d03db468996ed7d55527c94d7c1d47e6f11

SHA256
7560436bcc4bca53fffc267e9221405b7986da337d6974e1bb92bf8e7fd99b2a

SHA512
b0ff71dd471be46606b15c01d50d0a1e9dc85a5f352928b8968d158fc0d86e0b4037d798b9bb9ad216f94a9c21e0b120726b77a4a5f620f3d2b2ac38dc6ec630

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

Filesize
25B

MD5
ba30336bf53d54ed3c0ea69dd545de8c

SHA1
ce99c6724c75b93b7448e2d9fac16ca702a5711f

SHA256
2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

SHA512
eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-30.txt

Filesize
280B

MD5
67d78a67462515b87a91b048199f0e38

SHA1
916236d42d681c19465d09f6a633755989f156b4

SHA256
31812dd8606368770a613ec07133a1c51fed55393dd3d9e58f79b20e17ae4352

SHA512
a4764ac5c866ffbedf005cde4bc02816bd0fbaa966a9faddcd86c3ebb7c5df999ad2a012ede6334894e69477aac4d89edb3f2c8c908c78c98a60c3ff2905eab6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads