Analysis
-
max time kernel
1799s -
max time network
1803s -
platform
android_x64 -
resource
android-x64-20240624-en -
resource tags
androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system -
submitted
10-11-2024 03:30
Static task
static1
Behavioral task
behavioral1
Sample
signed.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
signed.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
signed.apk
Resource
android-x64-arm64-20240624-en
General
-
Target
signed.apk
-
Size
78KB
-
MD5
2b71306486b7948be17924ed3d7608d1
-
SHA1
afbe9a05550c418dd77acaf65bce46ba5d541080
-
SHA256
6657b221083beef8c1d73e16fc553ebf05962fd812b3d1f81b8c17ddff775310
-
SHA512
4a094207acef91bddb91f7bd705cce8aa54a4776d00854bea457fd19173cf94382e4526b7d161f7f51f4fb65215bb4fae692673b8908cd04332d488b7d92dfa3
-
SSDEEP
1536:OAtfCB3d/aaR+7CJwfbcvzqgZoCLB51IB0KlsrcbGYA6a0VpxNi39eND:OSfCBt/NwTxgZoCr1RKCQMd0VrNWeND
Malware Config
Signatures
-
Loads dropped Dex/Jar 1 TTPs 12 IoCs
Runs executable file dropped to the device during analysis.
Processes:
com.bani.kedr.clvioc pid process /data/user/0/com.bani.kedr/[email protected] 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/[email protected] 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex 4972 com.bani.kedr.clv /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex 4972 com.bani.kedr.clv -
Makes use of the framework's Accessibility service 4 TTPs 2 IoCs
Retrieves information displayed on the phone screen using AccessibilityService.
Processes:
com.bani.kedr.clvdescription ioc process Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId com.bani.kedr.clv Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId com.bani.kedr.clv -
Acquires the wake lock 1 IoCs
Processes:
com.bani.kedr.clvdescription ioc process Framework service call android.os.IPowerManager.acquireWakeLock com.bani.kedr.clv -
Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs
Application may abuse the framework's foreground service to continue running in the foreground.
Processes:
com.bani.kedr.clvdescription ioc process Framework service call android.app.IActivityManager.setServiceForeground com.bani.kedr.clv -
Performs UI accessibility actions on behalf of the user 1 TTPs 3 IoCs
Application may abuse the accessibility service to prevent their removal.
Processes:
com.bani.kedr.clvioc process android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bani.kedr.clv android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bani.kedr.clv android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction com.bani.kedr.clv -
Queries the mobile country code (MCC) 1 TTPs 1 IoCs
Processes:
com.bani.kedr.clvdescription ioc process Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone com.bani.kedr.clv -
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
Processes:
com.bani.kedr.clvdescription ioc process Framework service call android.app.IActivityManager.registerReceiver com.bani.kedr.clv
Processes
-
com.bani.kedr.clv1⤵
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
PID:4972
Network
MITRE ATT&CK Mobile v15
Persistence
Event Triggered Execution
1Broadcast Receivers
1Foreground Persistence
1Defense Evasion
Download New Code at Runtime
1Foreground Persistence
1Impair Defenses
1Prevent Application Removal
1Input Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
32KB
MD58fa8f30cdfccbe47530250ab737af2bf
SHA1dbf0e9e0f414be03463547581350caa17174a20d
SHA256bd28319b7ecac8a73d0b0cb6654fc0a1cde3ce41d592a12babbffbf4f6fd48b2
SHA512548918ac987671d698675725e123e7af5839bad48fddd7f5ececea200834f65bf7bd93c1e3d6121c7a8ffa83be65043ecd02df356184f76970d85d6dc703ab19
-
Filesize
31KB
MD5c037f8990c548abee13ddd75841f6e19
SHA1b0a91adeb28877c37abaedce612514985a9bd048
SHA2562f2af59ad907901a7697704b9c614cae33d41e3a7cbe4c12713db2a46a870ba2
SHA512fe8a445780c7032246e25ffd7df1b86f56fc28d1dbe0d29ae7e8ebc3bfddc48e8c8ac0edc7207238cc6e2d1482cde1b4b35a8a903655f859e9f7b87293512f54
-
Filesize
49KB
MD55d0c876854c63ae1fe8a2efe6cd2de7f
SHA12c2bdc9a16318e420680a40c5517a544f30f0c22
SHA256da42b5ae7c80e6526f46fa09528f30274eb115225f06574e0af3c96137645dba
SHA51263179e2ef46be90ac80e9ac921121fbd106c93d056529aa1192da075473bca375de21cf902e0e4e0530cf7e56dacea40b6e8ece2077df7fc6ef29b4a091d72c5
-
Filesize
24KB
MD5c6cc207eb8351ba12c1dd9179d7e2e6a
SHA113437dfcdcd1b98edc2f1f5eb7518c6a3087401e
SHA2560a78879b05450ce3427a9c661887ff1d468acc798150abbf579cc4ba723aee45
SHA512c6bbd11f2704181636e9d60a7cbd51a01bf0ef45873264a2f1f986000233b9c2440928d0a4704d59586a714d183cabeeb9d3d02e0de5576a28192c40672eb0fd
-
Filesize
301B
MD55a13df95bdaf873b582805115114aabf
SHA1d28e2c839965ee5b77948a045c9ba1c6c2dd2ec3
SHA2562fbcbef054acebd29ed5518a822e15abc6e3da56be2ed94186098efa014bf0c6
SHA51292677de3a849155221b2db88cfd2f72b9203c4f867d7b15bbaa001d66091330d2a92968b40bdf10272fd8c7bf7708f4dc330354271e4d059f527570063f988ad
-
Filesize
68B
MD509b80dc602684e2e8da6b016f6de30c5
SHA14c6d43146aaf88f230db3e6d3b98fbdf643a705a
SHA256b4a7fd194024bd382bec9abf73535273d8f16e39a6a529d60a1ee25b73a81a51
SHA5120d90181abea7778f41309de02d10fbd7fbd9aa41fddb5d57c3498f9caf95bcab4e8105c12adfddd09496afd764076066f40c30ced3d311c32a75e20562567ac1
-
Filesize
142B
MD534d74fa99eb532270b67086ef2042ecd
SHA1337b388563ea5bd324fb3bf7199cdd2054979004
SHA25695611899c7596912c4545e3aa54cb9cf0ee52bb6e3c7d11039a2794d4d4ab383
SHA512f9a852a8887b712b75ef0fc5eeef5c3cf5f258ad66beb687fd8d3a999d93df2a13bf09a9c5f609189e0c6f080d9c384119aa70bb148192e035060a94bb106cb6
-
/data/user/0/com.bani.kedr/[email protected]
Filesize64KB
MD50d2f45057fbd60e4990a61f945ae75d4
SHA189decf38cf17577be26e76b67959d18373949ff4
SHA2567f50f81d62d1131f31d48c31c93980f5c14d318696f74295835844c7fafe4144
SHA512a73ac905fdebe3faded9882db05619eea2f59ccd35e056ffbebdf28dd7e8bfc0571cfce973cace717a8db5b86c43a34c70b8e49783aba37a6dec0174eaf1d0df
-
/data/user/0/com.bani.kedr/[email protected]
Filesize122KB
MD546fa0be21b6c8acbc6b665d481c78f97
SHA19da7501a290f1bc64e8099fa4cf47d7ed769c93b
SHA256a5b9862c8187bc8677ba6f503265d68ae650314e679b636c246c12d5aab6d255
SHA5126cb44404ed32e4b57fb6b18ba23d5aaf37cbbd3f63468a95d042dc92c15a9202773e58216d0694b84d137f73ed4652937ea36e3cf4770a9a92d81d353762f362