Analysis

  • max time kernel
    149s
  • max time network
    156s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags
    arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
  • submitted
    07/11/2024, 01:20 UTC

General

  • Target

    childapp.apk

  • Size

    9.3MB

  • MD5

    b9f9b3f15f1d46b2fcc7603c27fdd162

  • SHA1

    d07bb872d7f523e113986690302cd49577d4ddf8

  • SHA256

    a2c4875714b92fdaca68879b3227c937d57867479d9975465bc3a8413966342c

  • SHA512

    7619ac4ce1e727e56b7abad8663de921fa4ad5145d8100dc3099013f0f89c69d6412db8ecbe4d5a1d9566aecf30e9d2f5b8343ad9d5c9266faae5bcbca4c8583

  • SSDEEP

    98304:0OZqx0VfLBQ/kFx3zX6LInnvAjC/D80uemzvzBaTD0tYaWN:exSLBQc/3zX68vAjC/Pu5z8Mk

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

Processes

  • breed.considering.holiday
    1⤵
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Schedules tasks to execute at a specified time
    PID:4801

Network

  • DNS (US)
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.201.110
  • DNS (US)
    www.youtube.com
    Remote address:
    1.1.1.1:53
    Request
    www.youtube.com
    IN A
    Response
    www.youtube.com
    IN CNAME
    youtube-ui.l.google.com
    youtube-ui.l.google.com
    IN A
    216.58.201.110
    youtube-ui.l.google.com
    IN A
    172.217.16.238
    youtube-ui.l.google.com
    IN A
    142.250.200.46
    youtube-ui.l.google.com
    IN A
    142.250.200.14
    youtube-ui.l.google.com
    IN A
    142.250.180.14
    youtube-ui.l.google.com
    IN A
    142.250.179.238
    youtube-ui.l.google.com
    IN A
    142.250.187.238
    youtube-ui.l.google.com
    IN A
    216.58.204.78
    youtube-ui.l.google.com
    IN A
    142.250.178.14
    youtube-ui.l.google.com
    IN A
    216.58.213.14
    youtube-ui.l.google.com
    IN A
    142.250.187.206
  • DNS (US)
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    172.217.16.232
  • DNS (US)
    1.tcp.sa.ngrok.io
    Remote address:
    1.1.1.1:53
    Request
    1.tcp.sa.ngrok.io
    IN A
    Response
    1.tcp.sa.ngrok.io
    IN A
    18.230.165.72
  • DNS (US)
    1.tcp.sa.ngrok.io
    Remote address:
    1.1.1.1:53
    Request
    1.tcp.sa.ngrok.io
    IN A
    Response
    1.tcp.sa.ngrok.io
    IN A
    54.232.181.172
  • DNS (US)
    1.tcp.sa.ngrok.io
    Remote address:
    1.1.1.1:53
    Request
    1.tcp.sa.ngrok.io
    IN A
    Response
    1.tcp.sa.ngrok.io
    IN A
    15.229.188.194
  • 216.239.38.223:443
    https
    336 B
    40 B
    1
    1
  • 142.250.187.238:443
    tls, https
    1.4kB
    40 B
    1
    1
  • 216.58.201.110:443
    android.apis.google.com
    tls
    2.6kB
    5.9kB
    12
    11
  • 216.58.201.110:443
    www.youtube.com
    tls
    2.1kB
    8.2kB
    17
    13
  • 216.58.201.110:443
    android.apis.google.com
    tls
    2.6kB
    6.0kB
    12
    11
  • 172.217.16.232:443
    ssl.google-analytics.com
    tls
    1.4kB
    6.3kB
    10
    9
  • 18.230.165.72:20231
    1.tcp.sa.ngrok.io
    60 B
    40 B
    1
    1
  • 54.232.181.172:20231
    1.tcp.sa.ngrok.io
    60 B
    40 B
    1
    1
  • 15.229.188.194:20231
    1.tcp.sa.ngrok.io
    60 B
    40 B
    1
    1
  • 142.250.200.46:443
    www.youtube.com
    tls
    135 B
    40 B
    2
    1
  • 142.250.200.33:443
    tls
    135 B
    40 B
    2
    1
  • 216.239.38.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 216.58.204.65:443
    tls
    135 B
    40 B
    2
    1
  • 224.0.0.251:5353
    3.9kB
    13
  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.201.110

  • 1.1.1.1:53
    www.youtube.com
    dns
    61 B
    271 B
    1
    1

    DNS Request

    www.youtube.com

    DNS Response

    216.58.201.110
    172.217.16.238
    142.250.200.46
    142.250.200.14
    142.250.180.14
    142.250.179.238
    142.250.187.238
    216.58.204.78
    142.250.178.14
    216.58.213.14
    142.250.187.206

  • 216.58.201.110:443
    www.youtube.com
    https
    1.4kB
    54 B
    1
    1
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    172.217.16.232

  • 1.1.1.1:53
    1.tcp.sa.ngrok.io
    dns
    63 B
    79 B
    1
    1

    DNS Request

    1.tcp.sa.ngrok.io

    DNS Response

    18.230.165.72

  • 1.1.1.1:53
    1.tcp.sa.ngrok.io
    dns
    63 B
    79 B
    1
    1

    DNS Request

    1.tcp.sa.ngrok.io

    DNS Response

    54.232.181.172

  • 1.1.1.1:53
    1.tcp.sa.ngrok.io
    dns
    63 B
    79 B
    1
    1

    DNS Request

    1.tcp.sa.ngrok.io

    DNS Response

    15.229.188.194

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-07.txt

    Filesize

    13B

    MD5

    de2c41a51ee9246eb1708f65b511add0

    SHA1

    2f442d634c8a18760a232c8829d4b5d74a52f074

    SHA256

    ad2d914ca347cd1930e32f21c6d5448c34104bea181b93abc85ec518985653ab

    SHA512

    7cdfbd001594503644e9ed80ae852f90ef9e841a8382e2eec6979e149a2c400a3b83055d205b4d1d66e1600e5127482932d5127eb5800d35a4ee5673fe34d84a

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-07.txt

    Filesize

    21B

    MD5

    40fcf48a4ecdb632240619eb756772ce

    SHA1

    83706b0dcc3ff8032962dcd0d73a36ba65dd6f30

    SHA256

    d153cc76e9f7a12c26dbe0d197285a77fc8efeed1b1f3d35c25ba386711b5c80

    SHA512

    4757ed0904a24ed77c8c2dca9be96f084cebc54a93c43eb0eb27545aba7e58916abb0b639254d90ebffea1e760b85d0a0fe53ada28194734748116475dd9829b

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-07.txt

    Filesize

    25B

    MD5

    bdb821a955117250611e94cd23842584

    SHA1

    81edcea1b44f94cfc140710c8410d0696b760c67

    SHA256

    076eb89055ff3d929eb732e1002a0105652e628682a741151388ce1df3b6ec9d

    SHA512

    e52ffed4ee84acc414c530c239c8876d9e99c1f2b2c7626c0ed7fbe0c59b9cb8f8a5e9e983541bea3dfdb849dd3b9593df054c2482ed8bcda7c70ebd960ca268
