Analysis
max time kernel: 140s
max time network: 154s
platform: android_x86
resource: android-x86-arm-20240624-en
resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
submitted: 07-11-2024 18:11
Static task: static1
Behavioral task: behavioral1
Sample: 28b749d21484b653350f716fa90147726680a41166f248539faad6d5f6f163f1.apk
Resource: android-x86-arm-20240624-en
General
Target: 28b749d21484b653350f716fa90147726680a41166f248539faad6d5f6f163f1.apk
Size: 19.0MB
MD5: a78e3a827160e955e4828dc0bee0a0cf
SHA1: c6dd47e8b6a5a6daa5b3898bdc4f64913df190cd
SHA256: 28b749d21484b653350f716fa90147726680a41166f248539faad6d5f6f163f1
SHA512: 5a174e89505ad8953e4d26b1624626ec7dc779e072578e623ecb8e6abcf83870172c9f8a7a9a4d0203bf6b3d1f2221829b8cd4b46d60b441476d07f4a48e621b
SSDEEP: 393216:Y1T5RRbzyJbpqV295MmBcc/HsALDrj9tdsPW6IsUNMA02DdDTHq6K9u6bpCCoYr:O5bWJbpX95C83f5sU0IvHqX9PpjoYr
Malware Config
Signatures
-
Checks if the Android device is rooted. 1 TTPs 1 IoCs
Processes: com.iavhtg.htzeu.uyghz
ioc | Process
/sbin/su | com.iavhtg.htzeu.uyghz
Loads dropped Dex/Jar 1 TTPs 4 IoCs
Runs executable code (DEX/JAR) that was dropped to the device during analysis. Two of the four IoCs are Anonymous-DexFile regions, which is how ART names a DEX opened from a memory buffer rather than from a file (the InMemoryDexClassLoader path). The third and fourth are a file named base.apk under /data/user/0/com.iavhtg.htzeu.uyghz/, the app's own private data directory rather than the /data/app/ install location, so it is a file the app wrote itself and then handed to a class loader; that is what spawned the dex2oat child process (PID 4305) to compile it.
Processes: com.iavhtg.htzeu.uyghz; /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/oat/x86/base.odex --compiler-filter=quicken --class-loader-context=&
ioc | pid | Process
Anonymous-DexFile@0xd25cf000-0xd26607b4 | 4263 | com.iavhtg.htzeu.uyghz
Anonymous-DexFile@0xd1c44000-0xd1cdd270 | 4263 | com.iavhtg.htzeu.uyghz
/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk | 4305 | /system/bin/dex2oat (full command line above)
/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk | 4263 | com.iavhtg.htzeu.uyghz
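As an added example (editor's code, not part of the sandbox report or of the sample), the following Python script parses the dex2oat command line recorded above and classifies each "Loads dropped Dex/Jar" IoC by where the DEX came from: an Anonymous-DexFile region (ART's name for a DEX opened from a memory buffer), a path under the app's private data directory (/data/user/<n>/<pkg>/ or /data/data/<pkg>/, i.e. a file the app wrote itself), the /data/app/ install location, or the system image. The command line and IoC strings are copied from this report; the classification labels and the rule that a private-directory path means "dropped" are the editor's.

```python
"""Triage the 'Loads dropped Dex/Jar' IoCs from an Android sandbox report.

Added example, not part of the original report. Parses the dex2oat command
line the sandbox captured and classifies each DEX IoC by origin.
"""
import re
import shlex
from typing import Dict, List, Tuple

# Copied from the report: package name, dex2oat command line for PID 4305,
# and the four IoC strings (two in-memory regions, one path listed twice).
PACKAGE = "com.iavhtg.htzeu.uyghz"
DEX2OAT_CMDLINE = (
    "/system/bin/dex2oat --instruction-set=x86 "
    "--instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt "
    "--runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate "
    "--boot-image=/system/framework/boot.art "
    "--runtime-arg -Xms64m --runtime-arg -Xmx512m "
    "--instruction-set-variant=x86 --instruction-set-features=default "
    "--inline-max-code-units=0 --compact-dex-level=none "
    "--dex-file=/data/user/0/com.iavhtg.htzeu.uyghz/"
    "com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk "
    "--output-vdex-fd=57 --oat-fd=58 "
    "--oat-location=/data/user/0/com.iavhtg.htzeu.uyghz/"
    "com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/oat/x86/base.odex "
    "--compiler-filter=quicken --class-loader-context=&"
)
DEX_IOCS = [
    "Anonymous-DexFile@0xd25cf000-0xd26607b4",
    "Anonymous-DexFile@0xd1c44000-0xd1cdd270",
    "/data/user/0/com.iavhtg.htzeu.uyghz/"
    "com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk",
]

ANON_DEX = re.compile(r"^Anonymous-DexFile@0x([0-9a-f]+)-0x([0-9a-f]+)$")
# App-private storage: /data/user/<userid>/<pkg>/ or the legacy /data/data/<pkg>/
PRIVATE_DIR = r"^/data/(?:user/\d+|data)/{pkg}/"


def parse_dex2oat_argv(cmdline: str) -> Dict[str, List[str]]:
    """Split a dex2oat command line into {option: [values]}.

    Most options are --key=value and may repeat (--instruction-set-features
    appears twice above); --runtime-arg takes its value as the next token.
    """
    opts: Dict[str, List[str]] = {}
    tokens = shlex.split(cmdline)[1:]  # drop the binary path itself
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--runtime-arg":
            opts.setdefault(tok, []).append(tokens[i + 1])
            i += 2
            continue
        key, _, value = tok.partition("=")
        opts.setdefault(key, []).append(value)
        i += 1
    return opts


def classify_dex_source(ioc: str, package: str) -> str:
    """Say where a DEX the runtime loaded came from (editor's labels)."""
    m = ANON_DEX.match(ioc)
    if m:
        size = int(m.group(2), 16) - int(m.group(1), 16)
        return f"in-memory dex ({size} bytes, no backing file)"
    if re.match(PRIVATE_DIR.format(pkg=re.escape(package)), ioc):
        return "dex in app-private storage (written by the app, i.e. dropped)"
    if ioc.startswith("/data/app/"):
        return "installed apk (normal)"
    if ioc.startswith(("/system/", "/apex/")):
        return "system image (normal)"
    return "other location"


def triage_dex_iocs(iocs: List[str], package: str) -> List[Tuple[str, str]]:
    """Pair every IoC with its classification."""
    return [(ioc, classify_dex_source(ioc, package)) for ioc in iocs]


if __name__ == "__main__":
    opts = parse_dex2oat_argv(DEX2OAT_CMDLINE)
    print("compiled :", opts["--dex-file"][0])
    print("filter   :", opts["--compiler-filter"][0])
    for ioc, verdict in triage_dex_iocs(DEX_IOCS, PACKAGE):
        print(f"{verdict:<64} {ioc}")
```

The size derived from the Anonymous-DexFile range is the mapped region, which is an upper bound on the DEX, not its exact length; to recover the payload you would still dump the region from the process at the point of loading.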
Makes use of the framework's Accessibility service 4 TTPs 1 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes: com.iavhtg.htzeu.uyghz
description | ioc | Process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.iavhtg.htzeu.uyghz
Declares services with permission to bind to the system 2 IoCs
description | ioc
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE
Required by in-call services to bind with the system. Allows apps to handle aspects of phone calls while they are in progress. | android.permission.BIND_INCALL_SERVICE
Queries information about active data network 1 TTPs 1 IoCs
Processes: com.iavhtg.htzeu.uyghz
description | ioc | Process
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | com.iavhtg.htzeu.uyghz
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes: com.iavhtg.htzeu.uyghz
description | ioc | Process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.iavhtg.htzeu.uyghz
Requests permission to install applications from unknown sources. 1 TTPs 1 IoCs
Processes: com.iavhtg.htzeu.uyghz
description | ioc | Process
Intent action | android.settings.MANAGE_UNKNOWN_APP_SOURCES | com.iavhtg.htzeu.uyghz
Requests dangerous framework permissions 18 IoCs
description | ioc
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION
Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE
Required to be able to access the camera device. | android.permission.CAMERA
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE
Allows an application to read SMS messages. | android.permission.READ_SMS
Allows an application to record audio. | android.permission.RECORD_AUDIO
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE
Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
Processes: com.iavhtg.htzeu.uyghz
description | ioc | Process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.iavhtg.htzeu.uyghz
Checks the presence of a debugger
-
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes: com.iavhtg.htzeu.uyghz
description | ioc | Process
Framework service call | android.app.IActivityManager.registerReceiver | com.iavhtg.htzeu.uyghz
Checks CPU information 2 TTPs 1 IoCs
Processes: com.iavhtg.htzeu.uyghz
description | ioc | Process
File opened for read | /proc/cpuinfo | com.iavhtg.htzeu.uyghz
Checks memory information 2 TTPs 1 IoCs
Processes: com.iavhtg.htzeu.uyghz
description | ioc | Process
File opened for read | /proc/meminfo | com.iavhtg.htzeu.uyghz
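The signatures above are more telling as combinations than as individual entries: an overlay permission together with accessibility screen reading, SMS access together with a notification listener, call permissions together with an in-call service, and so on. As an added example (editor's code, not part of the report or of any analysis tool), the following Python script encodes that reading as conjunctive rules and runs them over the observations transcribed from this report. The rule set and the token names (for instance dex:in-memory standing for the Anonymous-DexFile IoCs) are the editor's own; the permissions, bound services, framework calls and intents are the ones listed above.

```python
"""Map sandbox observations for an Android sample onto abuse capabilities.

Added example, not part of the original report. Each rule is a set of
tokens that must all be present; a lone permission never trips a rule.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# Observations transcribed from the report above. Permissions are written
# without the android.permission. prefix; other kinds carry a type tag
# (editor's convention).
REPORT_OBSERVATIONS: Set[str] = {
    # Requests dangerous framework permissions (18 IoCs)
    "ACCESS_BACKGROUND_LOCATION", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "ANSWER_PHONE_CALLS", "CALL_PHONE", "CAMERA", "PROCESS_OUTGOING_CALLS",
    "SYSTEM_ALERT_WINDOW", "READ_CALL_LOG", "READ_CONTACTS",
    "READ_EXTERNAL_STORAGE", "READ_PHONE_NUMBERS", "READ_PHONE_STATE",
    "READ_SMS", "RECORD_AUDIO", "WRITE_CALL_LOG", "WRITE_CONTACTS",
    "WRITE_EXTERNAL_STORAGE",
    # Declares services with permission to bind to the system
    "service:BIND_NOTIFICATION_LISTENER_SERVICE", "service:BIND_INCALL_SERVICE",
    # Framework service calls and intents observed at runtime
    "call:IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId",
    "call:IActivityManager.registerReceiver",
    "intent:MANAGE_UNKNOWN_APP_SOURCES",
    "intent:REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
    # Root check, in-memory DEX (Anonymous-DexFile IoCs), /proc reads
    "exec:/sbin/su", "dex:in-memory", "read:/proc/cpuinfo", "read:/proc/meminfo",
}

# (capability, tokens that must all be present). Editor's heuristic rules.
RULES: List[Tuple[str, FrozenSet[str]]] = [
    ("screen reading plus overlay (credential phishing / input injection)",
     frozenset({"SYSTEM_ALERT_WINDOW",
                "call:IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId"})),
    ("OTP interception via SMS and notifications",
     frozenset({"READ_SMS", "service:BIND_NOTIFICATION_LISTENER_SERVICE"})),
    ("call control (place, answer and intercept calls)",
     frozenset({"CALL_PHONE", "ANSWER_PHONE_CALLS", "service:BIND_INCALL_SERVICE"})),
    ("audio and camera surveillance",
     frozenset({"RECORD_AUDIO", "CAMERA"})),
    ("contact and location harvesting",
     frozenset({"READ_CONTACTS", "ACCESS_FINE_LOCATION", "ACCESS_BACKGROUND_LOCATION"})),
    ("staged payload: in-memory dex plus unknown-sources install prompt",
     frozenset({"dex:in-memory", "intent:MANAGE_UNKNOWN_APP_SOURCES"})),
    ("persistence: exemption from battery optimisation",
     frozenset({"intent:REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"})),
    ("environment checks (root, CPU and memory fingerprinting)",
     frozenset({"exec:/sbin/su", "read:/proc/cpuinfo", "read:/proc/meminfo"})),
]


def normalize_permission(name: str) -> str:
    """'android.permission.READ_SMS' -> 'READ_SMS'; tagged tokens pass through."""
    prefix = "android.permission."
    return name[len(prefix):] if name.startswith(prefix) else name


def triage(observations: Set[str]) -> Dict[str, FrozenSet[str]]:
    """Return {capability: evidence} for every rule whose tokens are all present."""
    obs = {normalize_permission(o) for o in observations}
    return {name: need for name, need in RULES if need <= obs}


if __name__ == "__main__":
    for capability, evidence in triage(REPORT_OBSERVATIONS).items():
        print(f"* {capability}")
        for token in sorted(evidence):
            print(f"    {token}")
```

Feeding the same function a manifest-only observation set (permissions and declared services, without the runtime calls) shows what static triage alone would and would not catch: the accessibility rule needs the observed findAccessibilityNodeInfoByAccessibilityId call, so it only fires once the behavioural task has run.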
Processes
com.iavhtg.htzeu.uyghz (PID 4263)
- Checks if the Android device is rooted.
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Requests permission to install applications from unknown sources.
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks CPU information
- Checks memory information
  /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/base.apk --output-vdex-fd=57 --oat-fd=58 --oat-location=/data/user/0/com.iavhtg.htzeu.uyghz/com.iavhtg.htzeu.uyghz-m-YZryPmtMEoq_NQ0b8mTA==/oat/x86/base.odex --compiler-filter=quicken --class-loader-context=& (PID 4305, child of 4263)
  - Loads dropped Dex/Jar
-
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (1): User Evasion (1)
- Input Injection (1)
- Subvert Trust Controls (1): Code Signing Policy Modification (1)
- Virtualization/Sandbox Evasion (2): System Checks (2)
Discovery
- System Information Discovery (3)
- System Network Configuration Discovery (1)
- System Network Connections Discovery (1)
Downloads
-
Filesize: 58B
MD5: 0d210bfb2a0e1f1b4c082a6a0f79de07
SHA1: bb8ed9e364db79d1d9f2fcde3f15091893222faa
SHA256: 988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d
SHA512: 536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1
-
Filesize: 251B
MD5: ad85adfef0fa555ef5c3eb9631aa5cc1
SHA1: d90a6602fb1a3ac7c404db3b72ed6ffc9a9f8f0d
SHA256: f7e8378b667586bc2a23898f0e8ecb1261384cfcfd073c12bf72bfc82d818c36
SHA512: 10ea14ef2a452d12852ab55cede7770a97eb3a12494dbbac75391d3f853a403f873d70f9f38fa9e17857e69312d75ebd4242b22145eb22218b4697ee36cddae1
-
Filesize: 14.8MB
MD5: 8344fa9281b5bd4683e9345c3e90cc0f
SHA1: 7caf95d0da223df62cc933df6e8eef30294877f4
SHA256: dd39ee03e6a82e11e49b6f9a5ef77a09057f4145ddbe5aa55fc2134b190c1ea2
SHA512: d2768a4a89d31f3134f3e2600409a5fce01e16dcd329e86c4dfb82d88ff18049dff162f88229d49b2a16e3e980d6dd0769933300497fff41e97d6938318ef1d5
-
Filesize: 4KB
MD5: f2b4b0190b9f384ca885f0c8c9b14700
SHA1: 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256: 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512: ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1
-
Filesize: 512B
MD5: 8f3821b89b9550f43f7feba8851cd504
SHA1: 8f3b45f0a349d53cabc22994ed8498bcf577d304
SHA256: 59af82a5e1e87a0512760777cc38e8da6399a66a76f67bdd5164581ee7d38ddb
SHA512: dc78b5bf8270b91f3043565c00f145bd66d86c22f736f4dbbfbfb60c379fef5848ac7e24d4d344fac38e8ae17cd09b78af8b21ee701dfdf71d8a35a891a3dfe9
-
Filesize: 32KB
MD5: bb7df04e1b0a2570657527a7e108ae23
SHA1: 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256: c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512: 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012
-
Filesize: 92KB
MD5: 37d326ddbd6323f9c4ecb3417835af9d
SHA1: eb420fe08540315bbbbb761d0a47e8b00c066100
SHA256: bc5b8e63c2c3a4d6aed4ff920621390096ac67e6736aa3dfb6277ea721b958cf
SHA512: 1bd1a7b0dc7eb47359505bff35791b9c214867e8e9a5c96d752128355bce6fb1c72289289935ccf928368011d4ccaadd839fdc21ea11c4ee9f2a99b5055b6434
-
Filesize: 13B
MD5: 6505a52ca45c888d7f1cb2b2997e112f
SHA1: d848af026bcc5133b4b729df43e0d94ae3bb685c
SHA256: de38c7ea688b2c0b10b4c5b7ca8cd835a0d205905534eb87208d9946ecff956a
SHA512: 3a7ab558fb475317ca11953a92ced68d551bded220df03527239d0d6aad78d0c9b4a8fa71b3f0a8ff496a2d4b61722ed069e3e7b322d3d8a3c1eb4e9d47235a2
-
Filesize: 1.7MB
MD5: 38ba9bcdd54a66b2afa65473406db36c
SHA1: 2be2510b221a22a1768956bdda5b13b541d4e0af
SHA256: 39926a900b5334225d48755b15576a5a7bf8082793a7be9ea47e517c9cf19fb1
SHA512: 4cdd32a1242f0a6d3b31c076fda0b53d80e8b6239ab3e22f35dff0e03f11123ce7c6815ad5ed470bdb3077ed51b3a29bc245e5871d2b806b610cf9a35cda2a62
-
Filesize: 1.7MB
MD5: b6f6282d441b26685a99f26e4e4e94f6
SHA1: 06d5faaa38eb59746b88c581f67578f1314f72db
SHA256: 4b4a131ab5c314c38031bd3c3c8b771ee77163674b6cb4af1484f80ec70ad86c
SHA512: 8a91010fd8b996e636d6b363fc5eddc65e15068aa176c3246db498c438eeab7e50a8cc9b3bf3179fbd6014fc3e15344cdc69ccbe992bcf3d2448b9f9462bb43b
-
Filesize: 13.8MB
MD5: 0b7e0153ccf0090f91a0c51fe45e5e41
SHA1: 81f1c14514a6fd71c9ccdc6d93b07951eebb4812
SHA256: 2eff25bd16b760a560add76ac3c3fffcc06dd3c1713824c9c0369f513c377bfe
SHA512: 36fba7f30a46bd08e19a68a135773d274a303a8d64d2e2c43de39ed3e9f78bd773d97df2d3daf9ecde5fc0108cdf61fea757af7a7d8b66ac5b3cf9d3654ae929
-
Filesize: 612KB
MD5: 39549363beaaa502526992067cf25a9d
SHA1: 13358ed0969db9b95874df66fb462e4cb5d8ef61
SHA256: 74736c6d36e8b6a0ad2b16f5f3ab25f0175fdac5fd07b77440e064d6593c3956
SHA512: 3d6d006b31769df3705869437566730cf04f6f36bdb6fb4c523b63693fedc150890212136225d2bb34932661c198552c37ab39025d40562ce74a0843609f9bd5
-
Filesize: 581KB
MD5: 434e2419edfed7e143b797ba724e6416
SHA1: 0b0d244eb1511e5cdd7e02e116d40f4dd9eada08
SHA256: 592ff173e0492d92e61ddb15b7610c868d82412d2f7d723ec202296eaf9f4fb0
SHA512: 2ca878466b2de82360dbf3fe2b737edb22ad533465bdb42137ebe66a55e007a31195ae5d8295a7a8a6b04d8629319e4adb92b51f3cca6881c57e0a9ddc02d708