Analysis
-
max time kernel
102s -
max time network
134s -
platform
android_x64 -
resource
android-33-x64-arm64-20240624-en -
resource tags
android, arch:arm64, arch:x64, image:android-33-x64-arm64-20240624-en, locale:en-us, os:android-13-x64, system -
submitted
10-11-2024 05:59
Static task
static1
Behavioral task
behavioral1
Sample
99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.apk
Resource
android-33-x64-arm64-20240624-en
General
-
Target
99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc.apk
-
Size
4.5MB
-
MD5
e1ffc2a7e54d7dd2d66b2d32d633b22f
-
SHA1
bb8e9c08fb918e8e32fd8ad909362d72f074b6eb
-
SHA256
99a74459be10ba8604298bf34ebb8c498b671db711a980b6e6cf5e22642b4bdc
-
SHA512
886cd10e3e4b08193323e890c921e1acd2036f6670fd6501a5dacbd44d574c711cc5c6f0d54d5218c5a8cfbde73cb181df8e67d3c44f9e6529559f16b2b15985
-
SSDEEP
98304:m/gIrrMdS6XqjN9uUZ2QUR0bpw1h2FxL+vY/diE2Kp/g/NjtW1hu6cTLcL:PqrMdSMw9bZjrNwXcN+vYIBthKCHcL
Malware Config
Signatures
-
Loads dropped Dex/Jar (1 TTPs, 1 IoCs)
Runs executable file dropped to the device during analysis. Here the loaded file sits in the app's private app_DynamicOptDex directory under a .json name, so the extension disguises Dex/Jar code that is loaded at runtime.
Processes: com.airbnb.android
ioc | pid | process
/data/user/0/com.airbnb.android/app_DynamicOptDex/NJWYcsjzoWq.json | 4353 | com.airbnb.android
Makes use of the framework's Accessibility service (4 TTPs, 3 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService. The node lookups by text and by view ID let the app read the contents of other apps' windows, which is the basis for the GUI input capture and keylogging techniques listed under MITRE ATT&CK below.
Processes: com.airbnb.android
description | ioc | process
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | com.airbnb.android
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | com.airbnb.android
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | com.airbnb.android
Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoCs)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
Processes: com.airbnb.android
description | ioc | process
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | com.airbnb.android
Performs UI accessibility actions on behalf of the user (1 TTPs, 12 IoCs)
Application may abuse the accessibility service to prevent its removal, for example by triggering global actions such as Back or Home to dismiss an uninstall or settings dialog.
Processes: com.airbnb.android
ioc | process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction | com.airbnb.android (12 identical occurrences)
Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTPs, 1 IoCs)
Processes: com.airbnb.android
description | ioc | process
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | com.airbnb.android
Schedules tasks to execute at a specified time (1 TTPs, 1 IoCs)
Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.
Processes: com.airbnb.android
description | ioc | process
Framework service call | android.app.job.IJobScheduler.schedule | com.airbnb.android
Checks CPU information (2 TTPs, 1 IoCs)
Processes: com.airbnb.android
description | ioc | process
File opened for read | /proc/cpuinfo | com.airbnb.android
Checks memory information (2 TTPs, 1 IoCs)
Reading /proc/cpuinfo and /proc/meminfo is what the sandbox maps to the two Virtualization/Sandbox Evasion: System Checks entries below; emulator CPU models and small memory sizes are common fingerprints.
Processes: com.airbnb.android
description | ioc | process
File opened for read | /proc/meminfo | com.airbnb.android
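The "Loads dropped Dex/Jar" signature above fires because a file with a .json name in the app's private app_DynamicOptDex directory is loaded as code. The triage helper below is an added example and not part of this sandbox report or of the analysed sample: it walks an app data directory, identifies files whose magic bytes say DEX or ZIP (jar/apk) regardless of their extension, flags the ones whose extension does not match, and hashes them so they can be compared with the dropped-file hashes a report lists. The directory layout and file contents it builds are constructed for the demo; only the path pattern app_DynamicOptDex/<name>.json is taken from the report.

```python
"""Find dropped DEX/JAR payloads hiding behind a harmless extension and hash them.

Added triage example; not code from the sandbox report or the analysed APK.
The demo tree built by build_demo_tree() is constructed for illustration.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Set

# Magic bytes the Android runtime accepts for loadable code.
DEX_MAGIC = b"dex\n"          # classes.dex starts with "dex\n035\0", "dex\n039\0", ...
ZIP_MAGIC = b"PK\x03\x04"     # .jar / .apk are ZIP containers carrying classes.dex
CODE_EXTENSIONS = {".dex", ".jar", ".apk", ".zip"}


@dataclass
class Finding:
    path: str
    kind: str          # "dex" or "zip"
    disguised: bool    # True when the extension does not match the content
    size: int
    sha256: str


def classify(header: bytes) -> Optional[str]:
    """Return "dex", "zip" or None from the first bytes of a file."""
    if header.startswith(DEX_MAGIC):
        return "dex"
    if header.startswith(ZIP_MAGIC):
        return "zip"
    return None


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_loadable_code(root: str) -> List[Finding]:
    """Walk `root` and report every file whose magic bytes say DEX or ZIP.

    Files with a matching extension are reported too (disguised=False) so the
    reviewer sees all loadable code; the interesting hits are the disguised
    ones, such as a DEX payload stored under a .json name."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                kind = classify(f.read(8))
            if kind is None:
                continue
            ext = os.path.splitext(name)[1].lower()
            findings.append(Finding(
                path=path, kind=kind, disguised=ext not in CODE_EXTENSIONS,
                size=os.path.getsize(path), sha256=sha256_of(path)))
    return sorted(findings, key=lambda fnd: fnd.path)


def match_known_hashes(findings: List[Finding], known_sha256: Set[str]) -> List[Finding]:
    """Return the findings whose SHA-256 appears in a report's dropped-file list."""
    return [fnd for fnd in findings if fnd.sha256 in known_sha256]


def build_demo_tree() -> str:
    """Constructed app data directory mimicking the report's layout (not real malware)."""
    root = tempfile.mkdtemp(prefix="com.airbnb.android_")
    dyn = os.path.join(root, "app_DynamicOptDex")
    os.makedirs(dyn)
    # A DEX header under a .json name: the pattern the "Loads dropped Dex/Jar" signature flags.
    with open(os.path.join(dyn, "NJWYcsjzoWq.json"), "wb") as f:
        f.write(b"dex\n035\0" + b"\0" * 64)
    # A genuine JSON config: same extension, no code magic, must not be reported.
    with open(os.path.join(dyn, "config.json"), "wb") as f:
        f.write(b'{"retry": 3}')
    # A plain jar: loadable code, but not disguised.
    with open(os.path.join(root, "plugin.jar"), "wb") as f:
        f.write(ZIP_MAGIC + b"\0" * 26)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in scan_for_loadable_code(demo_root):
        flag = "DISGUISED" if finding.disguised else "ok"
        print(f"{flag:9} {finding.kind:3} {finding.size:6d} {finding.sha256[:16]}  {finding.path}")
```

On a real device or emulator image, point scan_for_loadable_code at the pulled /data/user/0/<package>/ tree and pass the report's Downloads SHA-256 values to match_known_hashes; a disguised DEX that does not match any listed hash is worth pulling for static analysis on its own.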
Processes
com.airbnb.android (PID 4353)
- Loads dropped Dex/Jar
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Download New Code at Runtime (T1407): 1
- Hide Artifacts (T1628): 1
  - User Evasion (T1628.001): 1
- Impair Defenses (T1629): 1
  - Prevent Application Removal (T1629.001): 1
- Input Injection (T1516): 1
- Virtualization/Sandbox Evasion (T1633): 2
  - System Checks (T1633.001): 2
Credential Access
- Clipboard Data (T1414): 1
- Input Capture (T1417): 2
  - GUI Input Capture (T1417.002): 1
  - Keylogging (T1417.001): 1
Downloads
-
Filesize
571KB
MD5
a78706d4f94f6790fc48eb085d77f839
SHA1
4d559a1eb29706e8c59b5d97fee6a62eb4200ce7
SHA256
d230eb540ccb92f3c87da24d6e9d10bb7c16191170c71780ef912661b1a1c755
SHA512
09231b99dc278a4eb438876572743a5537134fdc1d20ff68eb3ff507aa14af7b97c16519b6b7bb490c2dd662d65a4912059e7f3e79c02bc4737b620c72fbe4b2
-
Filesize
571KB
MD5
fdaeb2de7faaab6eccae697f31589bde
SHA1
f6f174e4b0ec984498f4c7f0bd87574d85dc091c
SHA256
371ebbd6283a7b180a6b95bbb19dd3a4359d5f7908f7ee3fb93068b9ed7bb7e9
SHA512
bdc2ddb0d0ba42c9cef9b63e04bae64377f232212fddaf986937efd0848d0caf091b60238b78765562eb79f52230d3a99618ed0d2e8c5600f2fa6cea44f6ecfa
-
Filesize
631KB
MD5
421566823a86bc4e8a90c92e3df4da43
SHA1
1eb219c76168a70a0872d2086a1c01e9ced0d513
SHA256
706a1ae9b4f5630aa9077a3dc0489f5910fa285b3756e4bbb03e689eae422579
SHA512
872c79cbcfcd0d268aedb19adc8676a141446bbf74757646ed8cef9aaa4cb99f5d92992e0e300712ea5a0aded100397d9da4c8e6f278e0cad5ed89e734e06fd5
-
Filesize
312B
MD5
642e24720d6497d98501601c2f7c32c0
SHA1
955bce1c3b087a2ccdca591d23d92868185bd26c
SHA256
a114fa7e9c7da8592570dc79ad176ac26b9af2823d128ab44fcec092b02610e3
SHA512
6b11ffdb4cff3d00fad695ca0246beb07c1631bfbc6d40b203161491cd6a2901a64fd8505fe928335f7ce6e57452f6a88a1846e7385d5c20816817a72e95b3c9