cc366c3cb1c65f96a8fbf2b6c2d4d3e8787a77bdfb0e3d9413e5d8020cda9041

Analysis

max time kernel
149s
max time network
151s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
05/11/2024, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

latamAirLines.apk
Size

13.8MB
MD5

9f2af61449faf42d605e3936b4e8942e
SHA1

d3fb55c0dffdd78ab880aaffb341067d7a190d90
SHA256

cc366c3cb1c65f96a8fbf2b6c2d4d3e8787a77bdfb0e3d9413e5d8020cda9041
SHA512

3561a04acd7f8338439361615fcc9b107c5b0ec449d5a8997ca1579f8f40b8cf12671355baf677f137d9b66393d3ab738a72133ff53840b27e365a596515a2fe
SSDEEP

393216:J/i7bzxX/Hx8I/hTAUl42TduLUvpeO8SYYtMg/:J/05hWIzpP8sM0

Score

7^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.fdsaf.fafafafd

Queries account information for other applications stored on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.fdsaf.fafafafd
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.fdsaf.fafafafd:main
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.fdsaf.fafafafd:s1

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.fdsaf.fafafafd
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.fdsaf.fafafafd:main
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.fdsaf.fafafafd:s1

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.fdsaf.fafafafd

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.fdsaf.fafafafd

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.fdsaf.fafafafd

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.fdsaf.fafafafd

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.fdsaf.fafafafd
Framework service call	android.app.job.IJobScheduler.schedule	com.fdsaf.fafafafd:main

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.fdsaf.fafafafd
Framework API call	javax.crypto.Cipher.doFinal	com.fdsaf.fafafafd:main
Framework API call	javax.crypto.Cipher.doFinal	com.fdsaf.fafafafd:s1

com.fdsaf.fafafafd
1⤵
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4310
- getprop ro.build.display.id
  2⤵
  PID:4629
- getprop ro.build.display.id
  2⤵
  PID:4776
- getprop ro.build.display.id
  2⤵
  PID:4807
- getprop ro.build.display.id
  2⤵
  PID:4839
- getprop ro.build.display.id
  2⤵
  PID:4860
- getprop ro.build.display.id
  2⤵
  PID:4901
- getprop ro.build.display.id
  2⤵
  PID:4926
- getprop ro.build.display.id
  2⤵
  PID:4955
- getprop ro.build.display.id
  2⤵
  PID:5001
- getprop ro.build.display.id
  2⤵
  PID:5025
- getprop ro.build.display.id
  2⤵
  PID:5044
- getprop ro.build.display.id
  2⤵
  PID:5089
- getprop ro.build.display.id
  2⤵
  PID:5114
- getprop ro.build.display.id
  2⤵
  PID:5145
- getprop ro.build.display.id
  2⤵
  PID:5185
- getprop ro.build.display.id
  2⤵
  PID:5209
- getprop ro.build.display.id
  2⤵
  PID:5231
- getprop ro.build.display.id
  2⤵
  PID:5272
- getprop ro.build.display.id
  2⤵
  PID:5301
- getprop ro.build.display.id
  2⤵
  PID:5320
- getprop ro.build.display.id
  2⤵
  PID:5365
- getprop ro.build.display.id
  2⤵
  PID:5396
- getprop ro.build.display.id
  2⤵
  PID:5416
- getprop ro.build.display.id
  2⤵
  PID:5514
- getprop ro.build.display.id
  2⤵
  PID:5548
- getprop ro.build.display.id
  2⤵
  PID:5569
- getprop ro.build.display.id
  2⤵
  PID:5613
- getprop ro.build.display.id
  2⤵
  PID:5647
- getprop ro.build.display.id
  2⤵
  PID:5669

com.fdsaf.fafafafd:main
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4407

com.fdsaf.fafafafd:s1
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Uses Crypto APIs (Might try to encrypt user data)
PID:4439

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.fdsaf.fafafafd/no_backup/androidx.work.workdb

Filesize
100KB

MD5
a75977b308be88c8e48e038e30ed530d

SHA1
18e45e288780874083a5d1537514e7eeac9edcc3

SHA256
14ca8e70f861dea80b7cf8b1974d996e8dbd899379cf171467f2fa95cdf69d0f

SHA512
0af2d4674198f74a08d60a736d3f3eba7057f7901f3e64ac3e0a7f82f08c1ee167f2db3f06b052dd06c44adc709ac0b1d7c124db4a6ea61dc117cab8bede7e58

Download Submit
/data/data/com.fdsaf.fafafafd/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.fdsaf.fafafafd/no_backup/androidx.work.workdb-wal

Filesize
402KB

MD5
c0bab87d8399d76be57f65b053d23b63

SHA1
e1c60c43281b473a84fe74f26b709ee3eb0de22c

SHA256
bad1ff1de3562d09a91f66098f51985e875be35ee6a25aea14ceafcf96cf27a0

SHA512
f389f2bfa99e2a4fcc6209ee6258c052270c74f4b00eb53cb1668caf145ab70a66ffb88c729e1740ab5ca8423803c67ced08c9f0764c27aead603884ce64d2fe

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads