Analysis

  • max time kernel: 142s
  • max time network: 148s
  • platform: android_x86
  • resource: android-x86-arm-20240624-en
  • resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted: 10-11-2024 01:32

General

  • Target: 8916722da4fa14539c7785b8ae24570043287a20870a45b33c0c50cc8c9df2ef.apk
  • Size: 4.6MB
  • MD5: 799322311ea8b30d4d61bf671db5694c
  • SHA1: 386746d10fbea70c779ea97bf2a992b91dbc000d
  • SHA256: 8916722da4fa14539c7785b8ae24570043287a20870a45b33c0c50cc8c9df2ef
  • SHA512: 115add7f90b86ac94df7227286af12cf9ebeeeae5364f32feff6f58c6aac72e431b4392f417446f492063e276c22021f7206d02f64fc1a08c588cb9915d144df
  • SSDEEP: 49152:SeyctKx3GV++PeiNNjs1hmMr1YXPevsfSdPGRoB38GVXQBFJUEH4ircnurRvb5pt:NKxWVWiMhmeoLoBhVXQBe0np/4lpUnIg

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 2 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Queries the phone number (MSISDN for GSM devices) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 5 IoCs

    Application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • kjjff.jsjdjsdj.ssss
    PID: 4258
    • Makes use of the framework's Accessibility service
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks CPU information
    • Checks memory information
    Child processes:
    • getprop ro.miui.ui.version.name
      PID: 4436
    • getprop ro.miui.ui.version.name
      PID: 4456

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/kjjff.jsjdjsdj.ssss/cache/2
    Filesize: 14B
    MD5: 4c1809c31f018f8645a2879bf6fe538a
    SHA1: 728a8e37f95bd1bf9ddcbd5d9345ddd4058b45ea
    SHA256: f749b919effb22a4a479f08e61e22a0a1ea42233dd1bba06be0c14517775a100
    SHA512: 58085450e592182ea74d9fff6cf48a6fc7787153c9d71a9725c95f6bee4cd6686e47b4706c1e4754b0cdd9ee7d14685d3f12d3f9423ef1adc10e3d03509dd3c1

  • /data/data/kjjff.jsjdjsdj.ssss/cache/~test.test
    Filesize: 4B
    MD5: 098f6bcd4621d373cade4e832627b4f6
    SHA1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
    SHA256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
    SHA512: ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

  • /data/data/kjjff.jsjdjsdj.ssss/files/INJ6662.pussy
    Filesize: 7B
    MD5: 8bd634bb8a36e5982b00cead5528b5cc
    SHA1: f58d82b60c9f338648a00aa6f4fb83b39ed225eb
    SHA256: d2cb49216759f2d2666a702518a34da8d2a53a6fa042992d517bec6808c833dd
    SHA512: d3ca77c4be81cf0d0c62831af9417cbbaeb455098b4519364a16c79474779dd98a12f521787f6468fe7eccbc2d7a6034eb1499a60e4a95dc3d35fd0166ab52cc

  • /data/data/kjjff.jsjdjsdj.ssss/files/mqtt_connect
    Filesize: 516B
    MD5: 86949f0b9a05afee9ef7a313d3606cb6
    SHA1: a52434d5bdbe4690af9f793d62f982c0b0c3d2fe
    SHA256: 2995a42bee87e197104dd0d05f5688b89e126b2d6c62445ddb7bf39ae2e93616
    SHA512: 5075417a8d2d0d2ca73ae48bedfef823eca84222fffea0f0ca34226a6bcdaf79e671412cb6062e3a0bcfd384c3793ab04d0d08238aa898ab80e0c3f0755b7a75

  • /data/data/kjjff.jsjdjsdj.ssss/files/mqtt_connect
    Filesize: 516B
    MD5: 7bf30d992beb542714e0b5f907bc6053
    SHA1: 14c2b81d48173f9f6197cf71f087a4ba8bca608a
    SHA256: b076ee9d9dd5aee6de15fe7573bcca82035f4a440863bdd2bc710b6a4df27e1b
    SHA512: ac946fd13d21171a89830bc37e46bc87e00ef1c4fa80ce5b34e6931c2aaad537b95bdaff78228786b712d2d9076cbe52264bddd640b5ff9148e566f6e7e16408

  • /data/data/kjjff.jsjdjsdj.ssss/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫
    Filesize: 1.7MB
    MD5: c57ec092b51247e160e49fea97b5e2e8
    SHA1: b7b8047e42bd9e6247e9135d29f8fec4de508da8
    SHA256: 45dcff3a75b3c6fa937ff362cf510432149797b99484a35c871683f303fc3bb5
    SHA512: 00d695d78b43a2cc364f9c720f9dd0a11db8750768d946294865428eb1631f54c72c46ed739ee1dedfa5742540974dd12fd2198456f07d664617eecbbe58ce24

  • /data/data/kjjff.jsjdjsdj.ssss/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫/ۦۖ۫.
    Filesize: 8B
    MD5: 76111eecd6d9f9349dbcca3aae6d1747
    SHA1: 9db362cbe8bf3f07201d5d6fd8c18640012c2a17
    SHA256: 0d9bd10397a5b9f64266841319cb6d9a72e80d33ffe17c431393847222e1f6ad
    SHA512: 66b33684c5a9be30095ef174c0a4c7da0cbd458e442d372dade83fadc8c4b03b8a26272d7fafc885f0212a5274b624a479a4297877019c09a655d0332476e463