Analysis
- max time kernel: 149s
- max time network: 133s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 10-11-2024 05:59
Static task
- static1
Behavioral task
- behavioral1: sample 99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.apk, resource android-x86-arm-20240624-en
- behavioral2: sample 99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.apk, resource android-33-x64-arm64-20240624-en
General
- Target: 99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.apk
- Size: 4.5MB
- MD5: e1ffc2a7e54d7dd2d66b2d32d633b22f
- SHA1: bb8e9c08fb918e8e32fd8ad909362d72f074b6eb
- SHA256: 99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc
- SHA512: 886cd10e3e4b08193323e890c921e1acd2036f6670fd6501a5dacbd44d574c711cc5c6f0d54d5218c5a8cfbde73cb181df8e67d3c44f9e6529559f16b2b15985
- SSDEEP: 98304:m/gIrrMdS6XqjN9uUZ2QUR0bpw1h2FxL+vY/diE2Kp/g/NjtW1hu6cTLcL:PqrMdSMw9bZjrNwXcN+vYIBthKCHcL
Malware Config
Signatures
Removes its main activity from the application launcher
Processes (pid, process):
- 4243, com.airbnb.android (8 identical entries)
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
Processes (ioc, pid, process):
- /data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json, 4268, /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.airbnb.android/app_DynamicOptDex/oat/x86/NJWYcsjzoWq.odex --compiler-filter=quicken --class-loader-context=&
- /data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json, 4243, com.airbnb.android
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
Processes (description, ioc, process):
- Framework service call, android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId, com.airbnb.android
- Framework service call, android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText, com.airbnb.android
- Framework service call, android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId, com.airbnb.android
Performs UI accessibility actions on behalf of the user (1 TTPs, 32 IoCs)
Application may abuse the accessibility service to prevent its removal.
Processes (ioc, process):
- android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction, com.airbnb.android (32 identical entries)
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Framework service call, com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone, com.airbnb.android
Requests disabling of battery optimizations (often used to enable hiding in the background). (1 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Intent action, android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, com.airbnb.android
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Framework service call, android.app.IActivityManager.registerReceiver, com.airbnb.android
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes (description, ioc, process):
- Framework service call, android.app.job.IJobScheduler.schedule, com.airbnb.android
Checks CPU information (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- File opened for read, /proc/cpuinfo, com.airbnb.android
Checks memory information (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- File opened for read, /proc/meminfo, com.airbnb.android
Processes
- com.airbnb.android (PID: 4243)
  - Removes its main activity from the application launcher
  - Loads dropped Dex/Jar
  - Makes use of the framework's Accessibility service
  - Performs UI accessibility actions on behalf of the user
  - Queries the mobile country code (MCC)
  - Requests disabling of battery optimizations (often used to enable hiding in the background).
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Schedules tasks to execute at a specified time
  - Checks CPU information
  - Checks memory information
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.airbnb.android/app_DynamicOptDex/oat/x86/NJWYcsjzoWq.odex --compiler-filter=quicken --class-loader-context=& (PID: 4268)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Persistence
- Event Triggered Execution (1)
- Broadcast Receivers (1)
- Scheduled Task/Job (1)
Defense Evasion
- Download New Code at Runtime (1)
- Hide Artifacts (2)
- Suppress Application Icon (1)
- User Evasion (1)
- Impair Defenses (1)
- Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
- System Checks (2)
Downloads