b9c767ea7910322727759dd0d3b7aae7b0e89fbb495985974652cd07270f9aaf

General

Target

b9c767ea7910322727759dd0d3b7aae7b0e89fbb495985974652cd07270f9aaf.apk
Size

13.0MB
MD5

7a7ca1f2149a5d66758ee226f90b5c79
SHA1

b9348977821b75e4f5dce0386de00db2aa4a4cbb
SHA256

b9c767ea7910322727759dd0d3b7aae7b0e89fbb495985974652cd07270f9aaf
SHA512

764d6e68eb64017b738d1646b7199db09674ebaa2d4647cdb658cc3181789f448f0da461809c9de99c6cb21af8880f4a367bbe0fbf836a1d834c10d1b4c53732
SSDEEP

196608:5uPP4fPuTuFxXVuUFXbMGLRYoauDhkDpfm3NUCtM10LlIqkpbIDUtSZMgXt6yFV:0WVxXtX9RPdDi6NygHKbItMg/

Score

7^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.aa.bb

Queries account information for other applications stored on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.aa.bb
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.aa.bb:main
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.aa.bb:s1

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.aa.bb
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.aa.bb:main
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.aa.bb:s1

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.aa.bb

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.aa.bb

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.aa.bb

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.aa.bb

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.aa.bb:main
Framework service call	android.app.job.IJobScheduler.schedule	com.aa.bb

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb:main
Framework API call	javax.crypto.Cipher.doFinal	com.aa.bb:s1

com.aa.bb
1⤵
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4345
- getprop ro.build.display.id
  2⤵
  PID:4788
- getprop ro.build.display.id
  2⤵
  PID:4876
- getprop ro.build.display.id
  2⤵
  PID:4936
- getprop ro.build.display.id
  2⤵
  PID:4994
- getprop ro.build.display.id
  2⤵
  PID:5102
- getprop ro.build.display.id
  2⤵
  PID:5137
- getprop ro.build.display.id
  2⤵
  PID:5181
- getprop ro.build.display.id
  2⤵
  PID:5236
- getprop ro.build.display.id
  2⤵
  PID:5269
- getprop ro.build.display.id
  2⤵
  PID:5291
- getprop ro.build.display.id
  2⤵
  PID:5335
- getprop ro.build.display.id
  2⤵
  PID:5375

com.aa.bb:main
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4599

com.aa.bb:s1
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Uses Crypto APIs (Might try to encrypt user data)
PID:4622

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1

T1603

Persistence

Event Triggered Execution

1

T1624

Broadcast Receivers

1

T1624.001

Foreground Persistence

Scheduled Task/Job

Privilege Escalation

Defense Evasion

Foreground Persistence

Input Injection

Credential Access

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

1

T1417.001

Discovery

Process Discovery

1

T1424

System Network Connections Discovery

1

T1421

Lateral Movement

Collection

Input Capture

2

T1417

GUI Input Capture

1

T1417.002

Keylogging

Screen Capture

Stored Application Data

1

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

Input Injection

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.aa.bb/no_backup/androidx.work.workdb

Filesize
100KB

MD5
41c4444091a6f1f71212d5e81877eba5

SHA1
504dd5f89c7c26a11cfdb2af6f61a09f3fbf94b7

SHA256
a5f586618f36cb58227feef98752344f77827a4f4b588f08d1c275fda1c6593d

SHA512
721107162ccdfd85babd7b293a43028585353c5e49583c60588ab91a11ff00f58d40950e7494036255f49b132928433d3f800a9a343a23e8b3f181934868a306

Download Submit
/data/data/com.aa.bb/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.aa.bb/no_backup/androidx.work.workdb-wal

Filesize
402KB

MD5
3d799591e24b061a65a8fa541769b021

SHA1
7e7ddfbbdecfcf61df2c722f538b7b63c89b2df1

SHA256
fcf4212ff8e074fbcff275147d70e54033234fda553f27cbea2c000465855963

SHA512
b6e1a54b6869642893fe1d5062f417d4081c4051a9b13d0ee745f717c96c2e585f7b059375d047c85e857bd8d7bd4841a02a4616596bf5e57779a7fbcb83807b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads