af1309a36633e1043e9aba14dcf027fa37a05322d92255cd726d4a0cae8e3790

General

Target

VideoChat.apk
Size

5.5MB
MD5

a1c80b92be1b894d4074a61435171a74
SHA1

0ea2763db7adf07273a54f1c192ed9dca7f381cd
SHA256

af1309a36633e1043e9aba14dcf027fa37a05322d92255cd726d4a0cae8e3790
SHA512

eab59baad76682e60a034cd8a8810ac92ee8b9d67ccfe9219ed9e25edc73a4f9bbef5661f2aeeb1f9dc269f50b075ef994a65857ec81958cdb92fda6b2003616
SSDEEP

98304:vfOKlooooooocoooJXtArfbKeN+GstQlX1p12qGItRaz/TgLzqRSqE+fhmzJzBsq:v/ooooooocoooJarjBNvstQlX1iUQHKj

Score

7^/10

banker collection credential_access discovery evasion execution persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	riverside.wire.sellers
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	riverside.wire.sellers
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	riverside.wire.sellers

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	riverside.wire.sellers

Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	riverside.wire.sellers

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	riverside.wire.sellers

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	riverside.wire.sellers

riverside.wire.sellers
1⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Performs UI accessibility actions on behalf of the user
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
PID:4945

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1

T1603

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1629

Prevent Application Removal

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Software Discovery

1

T1418

Security Software Discovery

1

T1418.001

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Command and Control

Exfiltration

Impact

Input Injection

1

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

Filesize
25B

MD5
60aff59648b4ddfe7bd488893d5dc9bc

SHA1
262c1d03db468996ed7d55527c94d7c1d47e6f11

SHA256
7560436bcc4bca53fffc267e9221405b7986da337d6974e1bb92bf8e7fd99b2a

SHA512
b0ff71dd471be46606b15c01d50d0a1e9dc85a5f352928b8968d158fc0d86e0b4037d798b9bb9ad216f94a9c21e0b120726b77a4a5f620f3d2b2ac38dc6ec630

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

Filesize
25B

MD5
ba30336bf53d54ed3c0ea69dd545de8c

SHA1
ce99c6724c75b93b7448e2d9fac16ca702a5711f

SHA256
2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

SHA512
eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

Filesize
280B

MD5
6fee8e9c29bbbdd6b552b4dd708c7fcb

SHA1
0af2d5c88a05d99488b424688053e1cec839ad77

SHA256
3820677a5551f216847628df4a57cf28ff8ae74328c9654cea6057f59e494691

SHA512
600a55f563ad009260030a6a9e0aade0f7bd1f48db030b35b36a8b7e93087359d6b111377209f50952dc3da0ee71dcf038c8732fe88f689a5f1aa45046607a59

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2024-10-31.txt

Filesize
57B

MD5
3af69119804d1d999d56d230338ffd36

SHA1
69350826205583c8acc385ee0a6e3fc2673ee2ca

SHA256
10994862cb263ab6b1e4428cc24cc9c585458fc67544fe0f5dfea81a5a7a115c

SHA512
4a41b19d28f637b397d9dff225621694c44c750a9bd65f3e6ad5d3b9acf0d118910ddf53d4618213f9e14c61e0fb154f33f2747dd3b8d50459990767f42fc8cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads