Analysis

  • max time kernel
    149s
  • max time network
    133s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    10-11-2024 05:59

General

  • Target

    99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.apk

  • Size

    4.5MB

  • MD5

    e1ffc2a7e54d7dd2d66b2d32d633b22f

  • SHA1

    bb8e9c08fb918e8e32fd8ad909362d72f074b6eb

  • SHA256

    99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc

  • SHA512

    886cd10e3e4b08193323e890c921e1acd2036f6670fd6501a5dacbd44d574c711cc5c6f0d54d5218c5a8cfbde73cb181df8e67d3c44f9e6529559f16b2b15985

  • SSDEEP

    98304:m/gIrrMdS6XqjN9uUZ2QUR0bpw1h2FxL+vY/diE2Kp/g/NjtW1hu6cTLcL:PqrMdSMw9bZjrNwXcN+vYIBthKCHcL

Malware Config

Signatures

  • Removes its main activity from the application launcher (1 TTP, 8 IoCs)
  • Loads dropped Dex/Jar (1 TTP, 2 IoCs)

    Runs an executable file dropped to the device during analysis.

  • Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Performs UI accessibility actions on behalf of the user (1 TTP, 32 IoCs)

    The application may abuse the accessibility service to prevent its own removal.

  • Queries the mobile country code (MCC) (1 TTP, 1 IoC)
  • Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
  • Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 1 IoC)
  • Schedules tasks to execute at a specified time (1 TTP, 1 IoC)

    The application may abuse the framework's APIs to schedule initial or recurring execution of malicious code.

  • Checks CPU information (2 TTPs, 1 IoC)
  • Checks memory information (2 TTPs, 1 IoC)

Processes

  • com.airbnb.android (PID 4243, depth 1)
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    • Child process (PID 4268, depth 2):
      /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.airbnb.android/app_DynamicOptDex/oat/x86/NJWYcsjzoWq.odex --compiler-filter=quicken --class-loader-context=&
      • Loads dropped Dex/Jar

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

    Filesize

    571KB

    MD5

    a78706d4f94f6790fc48eb085d77f839

    SHA1

    4d559a1eb29706e8c59b5d97fee6a62eb4200ce7

    SHA256

    d230eb540ccb92f3c87da24d6e9d10bb7c16191170c71780ef912661b1a1c755

    SHA512

    09231b99dc278a4eb438876572743a5537134fdc1d20ff68eb3ff507aa14af7b97c16519b6b7bb490c2dd662d65a4912059e7f3e79c02bc4737b620c72fbe4b2

  • /data/data/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

    Filesize

    571KB

    MD5

    fdaeb2de7faaab6eccae697f31589bde

    SHA1

    f6f174e4b0ec984498f4c7f0bd87574d85dc091c

    SHA256

    371ebbd6283a7b180a6b95bbb19dd3a4359d5f7908f7ee3fb93068b9ed7bb7e9

    SHA512

    bdc2ddb0d0ba42c9cef9b63e04bae64377f232212fddaf986937efd0848d0caf091b60238b78765562eb79f52230d3a99618ed0d2e8c5600f2fa6cea44f6ecfa

  • /data/data/com.airbnb.android/app_DynamicOptDex/oat/NJWYcsjzoWq.json.cur.prof

    Filesize

    476B

    MD5

    cbf6f191b4184b2499f80b1101ea45a9

    SHA1

    f2f6055ea2fbe56b8f3ed3b5225457cbba5001e0

    SHA256

    319d1041f22b9903db1d10a9d72cf9b7d026d423e62ad5111fd3ec0d7d3c8e5b

    SHA512

    5094ce54642bb4ba24043384477b13c55591e2f98291692757175cceab5168fc495ca5cae218c9c651b75edbe9d7c1f56d4dbae1e6842d8772d6c615228817a4

  • /data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

    Filesize

    631KB

    MD5

    4ff5effde6fcee6240d7bad355c2112c

    SHA1

    cc4355769fa638c3d55dfeb192f5f9d87e2b6477

    SHA256

    8b957055505c655aeed66c879163a6467758de3766ce26601bdb848e04603f99

    SHA512

    ed32c6d667e1059280c85601f5aeddcec43c521e5a0d06f5de6ff4fc27965ac86d31101b06fb1c33c635be744b8369b4809932ffabbde79d7e0cc6fa6db40b13

  • /data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json

    Filesize

    631KB

    MD5

    421566823a86bc4e8a90c92e3df4da43

    SHA1

    1eb219c76168a70a0872d2086a1c01e9ced0d513

    SHA256

    706a1ae9b4f5630aa9077a3dc0489f5910fa285b3756e4bbb03e689eae422579

    SHA512

    872c79cbcfcd0d268aedb19adc8676a141446bbf74757646ed8cef9aaa4cb99f5d92992e0e300712ea5a0aded100397d9da4c8e6f278e0cad5ed89e734e06fd5