Analysis
- max time kernel: 1799s
- max time network: 1804s
- platform: android_x64
- resource: android-x64-arm64-20240624-en
- resource tags: android, arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240624-en, locale:en-us, os:android-11-x64, system
- submitted: 10-11-2024 03:30
Static task: static1
Behavioral task: behavioral1
- Sample: signed.apk
- Resource: android-x86-arm-20240624-en
Behavioral task: behavioral2
- Sample: signed.apk
- Resource: android-x64-20240624-en
Behavioral task: behavioral3
- Sample: signed.apk
- Resource: android-x64-arm64-20240624-en
General
- Target: signed.apk
- Size: 78KB
- MD5: 2b71306486b7948be17924ed3d7608d1
- SHA1: afbe9a05550c418dd77acaf65bce46ba5d541080
- SHA256: 6657b221083beef8c1d73e16fc553ebf05962fd812b3d1f81b8c17ddff775310
- SHA512: 4a094207acef91bddb91f7bd705cce8aa54a4776d00854bea457fd19173cf94382e4526b7d161f7f51f4fb65215bb4fae692673b8908cd04332d488b7d92dfa3
- SSDEEP: 1536:OAtfCB3d/aaR+7CJwfbcvzqgZoCLB51IB0KlsrcbGYA6a0VpxNi39eND:OSfCBt/NwTxgZoCr1RKCQMd0VrNWeND
Malware Config
Signatures
Loads dropped Dex/Jar (1 TTPs, 12 IoCs)
Runs executable file dropped to the device during analysis.
Processes (ioc | pid | process):
- /data/user/0/com.bani.kedr/[email protected] | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/[email protected] | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes1.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes2.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes3.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex | 4547 | com.bani.kedr.clv
- /data/user/0/com.bani.kedr/files/Factory/Plugins/classes4.dex | 4547 | com.bani.kedr.clv

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes (description | ioc | process):
- Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.bani.kedr.clv
- Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.bani.kedr.clv

Reads the content of the SMS messages. (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
- URI accessed for read | content://sms/ | com.bani.kedr.clv

Acquires the wake lock (1 IoCs)
Processes (description | ioc | process):
- Framework service call | android.os.IPowerManager.acquireWakeLock | com.bani.kedr.clv

Makes use of the framework's foreground persistence service (1 TTPs, 1 IoCs)
Application may abuse the framework's foreground service to continue running in the foreground.
Processes (description | ioc | process):
- Framework service call | android.app.IActivityManager.setServiceForeground | com.bani.kedr.clv

Performs UI accessibility actions on behalf of the user (1 TTPs, 3 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes (ioc | process):
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.bani.kedr.clv
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.bani.kedr.clv
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.bani.kedr.clv

Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | com.bani.kedr.clv

Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
Processes (description | ioc | process):
- Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.bani.kedr.clv
Processes
- com.bani.kedr.clv (PID: 4547)
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Reads the content of the SMS messages.
  - Acquires the wake lock
  - Makes use of the framework's foreground persistence service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (1)
- Foreground Persistence (1)
- Hide Artifacts (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
Downloads
- /data/user/0/com.bani.kedr/[email protected]
  Filesize: 64KB
  MD5: 0d2f45057fbd60e4990a61f945ae75d4
  SHA1: 89decf38cf17577be26e76b67959d18373949ff4
  SHA256: 7f50f81d62d1131f31d48c31c93980f5c14d318696f74295835844c7fafe4144
  SHA512: a73ac905fdebe3faded9882db05619eea2f59ccd35e056ffbebdf28dd7e8bfc0571cfce973cace717a8db5b86c43a34c70b8e49783aba37a6dec0174eaf1d0df
- /data/user/0/com.bani.kedr/[email protected]
  Filesize: 122KB
  MD5: 46fa0be21b6c8acbc6b665d481c78f97
  SHA1: 9da7501a290f1bc64e8099fa4cf47d7ed769c93b
  SHA256: a5b9862c8187bc8677ba6f503265d68ae650314e679b636c246c12d5aab6d255
  SHA512: 6cb44404ed32e4b57fb6b18ba23d5aaf37cbbd3f63468a95d042dc92c15a9202773e58216d0694b84d137f73ed4652937ea36e3cf4770a9a92d81d353762f362
- Filesize: 32KB
  MD5: 8fa8f30cdfccbe47530250ab737af2bf
  SHA1: dbf0e9e0f414be03463547581350caa17174a20d
  SHA256: bd28319b7ecac8a73d0b0cb6654fc0a1cde3ce41d592a12babbffbf4f6fd48b2
  SHA512: 548918ac987671d698675725e123e7af5839bad48fddd7f5ececea200834f65bf7bd93c1e3d6121c7a8ffa83be65043ecd02df356184f76970d85d6dc703ab19
- Filesize: 31KB
  MD5: c037f8990c548abee13ddd75841f6e19
  SHA1: b0a91adeb28877c37abaedce612514985a9bd048
  SHA256: 2f2af59ad907901a7697704b9c614cae33d41e3a7cbe4c12713db2a46a870ba2
  SHA512: fe8a445780c7032246e25ffd7df1b86f56fc28d1dbe0d29ae7e8ebc3bfddc48e8c8ac0edc7207238cc6e2d1482cde1b4b35a8a903655f859e9f7b87293512f54
- Filesize: 49KB
  MD5: 5d0c876854c63ae1fe8a2efe6cd2de7f
  SHA1: 2c2bdc9a16318e420680a40c5517a544f30f0c22
  SHA256: da42b5ae7c80e6526f46fa09528f30274eb115225f06574e0af3c96137645dba
  SHA512: 63179e2ef46be90ac80e9ac921121fbd106c93d056529aa1192da075473bca375de21cf902e0e4e0530cf7e56dacea40b6e8ece2077df7fc6ef29b4a091d72c5
- Filesize: 24KB
  MD5: c6cc207eb8351ba12c1dd9179d7e2e6a
  SHA1: 13437dfcdcd1b98edc2f1f5eb7518c6a3087401e
  SHA256: 0a78879b05450ce3427a9c661887ff1d468acc798150abbf579cc4ba723aee45
  SHA512: c6bbd11f2704181636e9d60a7cbd51a01bf0ef45873264a2f1f986000233b9c2440928d0a4704d59586a714d183cabeeb9d3d02e0de5576a28192c40672eb0fd
- Filesize: 301B
  MD5: b174c5d88ba603c83b9c4988db1536c7
  SHA1: 6305b1ff317e201fd68701aa99ea2e5a3c0472fc
  SHA256: d4407ad17b4bed57ea3dfa13d51ffa2df27ad79bed0eea908e2bb00553fcce79
  SHA512: 0102cdd5574dedc022996854238d50ad1b67a29a2736aff5d22efd6ccdd3c74ce47e87282c9398232849d225d0dc3f53758519793924afa735422d3772625000
- Filesize: 82B
  MD5: 0e1800502d1dbc94fc01131d6d41867e
  SHA1: b230651e588e01bb609d6342698da86d7c9bd979
  SHA256: eb31e281fb807c64f68e07f45580405f69dcaef4fc94a4dc0b6b6e85f78a6090
  SHA512: 1257dc3f9309cf19556854e4fa46174bbd8d1a4f59632492d47634ab77b9173ad7624a8147f1b1a6486c1c1466cbe69f0339c3c2b6ee381436582aeddeebaf01