6b510337bcd1f004ea05de9d848bd8316d2f2c3c6fcba6e84bc31d87fd1e36aa

Analysis

max time kernel
149s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
05/11/2024, 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEA.apk
Size

13.2MB
MD5

97ffda88c14091b87669cb41f2716d47
SHA1

c078d574b72f30a229aa34b13b22443b87c8cb20
SHA256

6b510337bcd1f004ea05de9d848bd8316d2f2c3c6fcba6e84bc31d87fd1e36aa
SHA512

942528f0ae6c123f758f83a267936073901dbe1c2ff03cdf2edde5fd6a7d55686593088531121afdeb6fba07bf8e43f80ac9ce92512917ea49df5768e5f0b8ea
SSDEEP

393216:+AiHDxXIQekExHQ7ZqVWRRdsnjuasOgS0:WebxHQ7ZwWndsnjuasOd0

Score

7^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.mmt.myao

Queries account information for other applications stored on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.mmt.myao
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.mmt.myao:main
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.mmt.myao:s1

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.mmt.myao
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.mmt.myao:main
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.mmt.myao:s1

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.mmt.myao

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.mmt.myao

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.mmt.myao

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.mmt.myao

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.mmt.myao
Framework service call	android.app.job.IJobScheduler.schedule	com.mmt.myao:main

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.mmt.myao:s1
Framework API call	javax.crypto.Cipher.doFinal	com.mmt.myao
Framework API call	javax.crypto.Cipher.doFinal	com.mmt.myao:main

com.mmt.myao
1⤵
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4290
- getprop ro.build.display.id
  2⤵
  PID:4673
- getprop ro.build.display.id
  2⤵
  PID:4789
- getprop ro.build.display.id
  2⤵
  PID:4819
- getprop ro.build.display.id
  2⤵
  PID:4855
- getprop ro.build.display.id
  2⤵
  PID:4876
- getprop ro.build.display.id
  2⤵
  PID:4914
- getprop ro.build.display.id
  2⤵
  PID:4947
- getprop ro.build.display.id
  2⤵
  PID:4983
- getprop ro.build.display.id
  2⤵
  PID:5074
- getprop ro.build.display.id
  2⤵
  PID:5132
- getprop ro.build.display.id
  2⤵
  PID:5156
- getprop ro.build.display.id
  2⤵
  PID:5191
- getprop ro.build.display.id
  2⤵
  PID:5222
- getprop ro.build.display.id
  2⤵
  PID:5249
- getprop ro.build.display.id
  2⤵
  PID:5295
- getprop ro.build.display.id
  2⤵
  PID:5325
- getprop ro.build.display.id
  2⤵
  PID:5348
- getprop ro.build.display.id
  2⤵
  PID:5385
- getprop ro.build.display.id
  2⤵
  PID:5417
- getprop ro.build.display.id
  2⤵
  PID:5439
- getprop ro.build.display.id
  2⤵
  PID:5480
- getprop ro.build.display.id
  2⤵
  PID:5511
- getprop ro.build.display.id
  2⤵
  PID:5532
- getprop ro.build.display.id
  2⤵
  PID:5566
- getprop ro.build.display.id
  2⤵
  PID:5597
- getprop ro.build.display.id
  2⤵
  PID:5615
- getprop ro.build.display.id
  2⤵
  PID:5655
- getprop ro.build.display.id
  2⤵
  PID:5684
- getprop ro.build.display.id
  2⤵
  PID:5705

com.mmt.myao:main
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4383

com.mmt.myao:s1
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Uses Crypto APIs (Might try to encrypt user data)
PID:4402

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.mmt.myao/no_backup/androidx.work.workdb

Filesize
100KB

MD5
95bf3f267e8ba3c10ab7deb72ff5a403

SHA1
e9445e39052ee424a9a2690581c5ba149e644d7b

SHA256
14952253b3cd6087dc1be97083ce2fc03dfc6948f545d191594ffeb1694bf87b

SHA512
a1a61f8dcd61ab4a8c2f272ef96072382e4fbccde5b395e6a5f785f47882d07208e7259c8a664bfc29a5ded996fcebc20986a9e27dfb92b162c5efbba9950e7b

Download Submit
/data/data/com.mmt.myao/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.mmt.myao/no_backup/androidx.work.workdb-wal

Filesize
410KB

MD5
900ab40a3e1afadc480bdd4c456e6e3c

SHA1
4206443d6314fa4a242a488c2589f4fd810bea7f

SHA256
60bf5f5bb3d79aab1019c920b23073dec80b672204e30be11078708aa70acd08

SHA512
e12e088c2df8ad32b8fa5405d8c938afad79931ed27f6073d913b881ee99b382c6629f1e2c5b97307d6c5500bc2ffc3e2ab4999b9121c15e7bfd55fc0a7aeb0b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads