Analysis
- max time kernel: 1799s
- max time network: 1803s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 10-11-2024 03:30
Static task: static1
Behavioral task: behavioral1
- Sample: signed.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: signed.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: signed.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: signed.apk
- Size: 78KB
- MD5: 2b71306486b7948be17924ed3d7608d1
- SHA1: afbe9a05550c418dd77acaf65bce46ba5d541080
- SHA256: 6657b221083beef8c1d73e16fc553ebf05962fd812b3d1f81b8c17ddff775310
- SHA512: 4a094207acef91bddb91f7bd705cce8aa54a4776d00854bea457fd19173cf94382e4526b7d161f7f51f4fb65215bb4fae692673b8908cd04332d488b7d92dfa3
- SSDEEP: 1536:OAtfCB3d/aaR+7CJwfbcvzqgZoCLB51IB0KlsrcbGYA6a0VpxNi39eND:OSfCBt/NwTxgZoCr1RKCQMd0VrNWeND
Malware Config
Signatures
- Loads dropped Dex/Jar (1 TTPs, 17 IoCs)
Runs executable file dropped to the device during analysis.
Processes:
- com.bani.kedr.clv
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes1.odex --compiler-filter=quicken --class-loader-context=&
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=&
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes3.odex --compiler-filter=quicken --class-loader-context=&
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex --output-vdex-fd=49 --oat-fd=48 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes4.odex --compiler-filter=quicken --class-loader-context=&
ioc | pid | process
Anonymous-DexFile@0xc9bc1000-0xc9bdfac0 | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex | 4342 | /system/bin/dex2oat (PID 4342; full command line listed above)
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex | 4315 | com.bani.kedr.clv
Anonymous-DexFile@0xc8e4b000-0xc8e5b398 | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex | 4381 | /system/bin/dex2oat (PID 4381; full command line listed above)
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex | 4404 | /system/bin/dex2oat (PID 4404; full command line listed above)
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex | 4427 | /system/bin/dex2oat (PID 4427; full command line listed above)
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex | 4315 | com.bani.kedr.clv
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex | 4449 | /system/bin/dex2oat (PID 4449; full command line listed above)
/data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex | 4315 | com.bani.kedr.clv
- Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
- com.bani.kedr.clv
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.bani.kedr.clv
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.bani.kedr.clv
- Reads the content of the call log. (1 TTPs, 1 IoCs)
Processes:
- com.bani.kedr.clv
description | ioc | process
URI accessed for read | content://call_log/calls | com.bani.kedr.clv
- Acquires the wake lock (1 IoCs)
Processes:
- com.bani.kedr.clv
description | ioc | process
Framework service call | android.os.IPowerManager.acquireWakeLock | com.bani.kedr.clv
- Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
- com.bani.kedr.clv
description | ioc | process
Framework service call | android.app.IActivityManager.setServiceForeground | com.bani.kedr.clv
- Performs UI accessibility actions on behalf of the user (1 TTPs, 3 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes:
- com.bani.kedr.clv
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.bani.kedr.clv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.bani.kedr.clv
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.bani.kedr.clv
- Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes:
- com.bani.kedr.clv
description | ioc | process
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.bani.kedr.clv
- Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
Processes:
- com.bani.kedr.clv
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.bani.kedr.clv
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes:
- com.bani.kedr.clv
description | ioc | process
Framework service call | android.app.IActivityManager.registerReceiver | com.bani.kedr.clv
Processes
- com.bani.kedr.clv (PID 4315)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the content of the call log.
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=& (PID 4342)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes1.odex --compiler-filter=quicken --class-loader-context=& (PID 4381)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex --output-vdex-fd=50 --oat-fd=51 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes2.odex --compiler-filter=quicken --class-loader-context=& (PID 4404)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes3.odex --compiler-filter=quicken --class-loader-context=& (PID 4427)
    - Loads dropped Dex/Jar
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex --output-vdex-fd=49 --oat-fd=48 --oat-location=/data/user/0/com.bani.kedr/files/Factory/Plugins/oat/x86/classes4.odex --compiler-filter=quicken --class-loader-context=& (PID 4449)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
  - Broadcast Receivers (1)
- Foreground Persistence (1)
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
Downloads