Analysis

  • max time kernel: 149s
  • max time network: 158s
  • platform: android-11_x64
  • resource: android-x64-arm64-20240910-en
  • resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted: 06/11/2024, 02:40 UTC

General

  • Target: 5415d740f286a1ff7f7a22df18a9910c66841402a151a37b7fb2bb673b1cf63b.apk
  • Size: 64.0MB
  • MD5: b261bda3ea80addbea9e282f840ebe10
  • SHA1: 660ea4e4177fddd07ad4aa70eed41d100e6c9938
  • SHA256: 5415d740f286a1ff7f7a22df18a9910c66841402a151a37b7fb2bb673b1cf63b
  • SHA512: ef9848686f672dcb9df064bc2b8abc4735009a7d20b8ab600274546eb060b24dc07277633e3ab9eb0baadbca327339f7b1d283d83961c2c8c8bd1a4068f6958c
  • SSDEEP: 1572864:5DaeuGCBiCYbdIqLcuc4ET4SoxM1m/9DlQrct2zOSj5KF+Be:pCcdBct4Dx7pQYq/Ur

Malware Config

Signatures

  • Makes use of the framework's Accessibility service (4 TTPs, 1 IoC)
    Retrieves information displayed on the phone screen using AccessibilityService.
  • Acquires the wake lock (1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)
    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • rel.competition.closer (PID 4761)
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Schedules tasks to execute at a specified time

Network

  • DNS queries (resolver 1.1.1.1:53)

    Query                      Type   Response
    android.apis.google.com    IN A   CNAME clients.l.google.com; A 216.58.201.110
    www.youtube.com            IN A   CNAME youtube-ui.l.google.com; A 216.58.204.78, 142.250.200.46,
                                      172.217.16.238, 172.217.169.46, 216.58.213.14, 172.217.169.78,
                                      216.58.201.110, 142.250.180.14, 172.217.169.14, 142.250.200.14,
                                      142.250.179.238, 142.250.187.206, 216.58.212.206, 142.250.178.14,
                                      142.250.187.238
    ssl.google-analytics.com   IN A   A 172.217.16.232
    ssl.google-analytics.com   IN A   (no response recorded)
    1.tcp.ngrok.io             IN A   A 3.141.109.23
    1.tcp.ngrok.io             IN A   A 3.135.79.72

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-06.txt
    Filesize: 13B
    MD5: de2c41a51ee9246eb1708f65b511add0
    SHA1: 2f442d634c8a18760a232c8829d4b5d74a52f074
    SHA256: ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab
    SHA512: 7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-06.txt
    Filesize: 29B
    MD5: 621f9425436b66436a4ee0be89b42d8e
    SHA1: f3fa61140cf45325628a68700dc8b61029f99736
    SHA256: b0dbbd96c28234895fb6c04b93a509967bc59884c0dcfa7c5b5e7143bf403d5b
    SHA512: 4002e1ef91d4c5ca68755132e7a0201b7fe227c19adc6f88eba8b8a348778eb315ae6e2714a898e8abeb6cf7eecfb714e9f3fbf5bd9fb7ed4440c37322c12bf2

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-06.txt
    Filesize: 45B
    MD5: 54c6a11bcfee5ba7ba120c25db4c3ea2
    SHA1: 84ace4968ffaca96ceb4963474d0982b5aa7f8b9
    SHA256: ba02e9b68f9ce65fca9fad4f1aaad7bf04a06d0a4518d6be015d98010b410f34
    SHA512: e4c5c7cc1d8f9e88ecea91408eca461daeb659a52b5f17e10bb33f50b8ee5e9255124c4c0af4bd186756bd36b08a76398858709556fafb625d45303b75df9d2e
