3b03ce13856931ae2235e39896e58f4e9f42ebbd851701ec5ad594dfd4eaa28d

Analysis

max time kernel
10s
max time network
136s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
21-11-2024 06:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

增强-ApplePay.apk
Size

4.7MB
MD5

3b1f8a6e92271606ebae98726f26cd88
SHA1

768dcb8745c9f7a01ab9dd9f7c7b02059b011d75
SHA256

3b03ce13856931ae2235e39896e58f4e9f42ebbd851701ec5ad594dfd4eaa28d
SHA512

08777ce9f6b706b5451e61928d4f00a8c363e3dc23052a26edc6b46a555d90cfdce5961267a2b33b07b615e6e007273766ddaa29f60ae7c718850f6490e0dbce
SSDEEP

98304:TSTWL4ZLhlB/TysYPq6MJgx3j9umyrLMfVoG9TuccZ:TSTGml1ysYPqqx0m2IVoGMv

Score

7^/10

discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

sf.apple.pay

ioc	pid	process
Anonymous-DexFile@0xd5301000-0xd531c810	4264	sf.apple.pay
Anonymous-DexFile@0xd5241000-0xd52706a0	4264	sf.apple.pay
Anonymous-DexFile@0xd51b0000-0xd51e0100	4264	sf.apple.pay

Queries information about running processes on the device 1 TTPs 1 IoCs
Application may abuse the framework's APIs to collect information about running processes on the device.
discovery

Process Discovery
T1424

Processes:

sf.apple.pay

description ioc process

Framework service call android.app.IActivityManager.getRunningAppProcesses sf.apple.pay
Checks the presence of a debugger
evasion
Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
persistence

Broadcast Receivers
T1624.001

Processes:

sf.apple.pay

description ioc process

Framework service call android.app.IActivityManager.registerReceiver sf.apple.pay
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

sf.apple.pay

description ioc process

Framework API call javax.crypto.Cipher.doFinal sf.apple.pay
Checks memory information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

sf.apple.pay

description ioc process

File opened for read /proc/meminfo sf.apple.pay

description	ioc	process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	sf.apple.pay

description	ioc	process
Framework service call	android.app.IActivityManager.registerReceiver	sf.apple.pay

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	sf.apple.pay

description	ioc	process
File opened for read	/proc/meminfo	sf.apple.pay

sf.apple.pay
1⤵
- Loads dropped Dex/Jar
- Queries information about running processes on the device
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Uses Crypto APIs (Might try to encrypt user data)
- Checks memory information
PID:4264
- getenforce
  2⤵
  PID:4309

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

Process Discovery

T1424

System Information Discovery

T1426

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/sf.apple.pay/.1/.suuid

Filesize
628B

MD5
1045331f751705a6c6fb63cc3cd09ef8

SHA1
5033b52d61edfd9bfd1f34650f13d43042c97f0d

SHA256
18b31344ddf64ce9cdd832e90fb3529cd8378120ff5f7273ba3f82c9faa6e06c

SHA512
015a117f6891f35893ed4cc15581a90c7ca3df1cde928f3f91f450ec8798a91d2d2cb04b28ca5ea15e531287b6860bdf2062a545f250e92280064db1b3b13225

Download Submit
/data/data/sf.apple.pay/cache/sf.apple.pay_rpt_cache

Filesize
1KB

MD5
4e0ced981601a991f7ddd8c8f3d2a3ac

SHA1
f649cd52320a831426a40f4a957142ffbcc07e07

SHA256
4234fa7ca420144f3612aa60804137679ea14ef08ffc72ddeadcdfbbfda9457c

SHA512
44512d984b73f0614d9d06063997863667405caa3f5df9ff0eedf9c326824884cb354e8c44de7079d583ce4a4893535a34992786396b7425f0164a9e86d83eeb

Download Submit
/data/data/sf.apple.pay/cache/sf.apple.pay_rpt_cache

Filesize
685B

MD5
c5102c7ba1ecf86a828ad31620e3c505

SHA1
ea077f590f99f8589a25f6abae6fcb4a8a779734

SHA256
64ce26591ef737b2bdf752647e6ad90815e813653400d713253d10e7bd3164c6

SHA512
18bd3235ee6eec19a8b98d76a03c607b2bb97f8d37bce1fd7307c2f2ee03298906eab9a85325db8cca29e73f8e33d9f0d4e6d0d96edfdb822e1ddccea0ddfd12

Download Submit
/data/data/sf.apple.pay/files/tiny/uuid

Filesize
36B

MD5
a730287273b208c6b25ac909902e091a

SHA1
b15bb2dea92a64bd38139d06284bc039530c6418

SHA256
ea858ee645ce81b27eed76e64d01ffc0e3a883440861048d295d51276ddf5f49

SHA512
5b76b742d42de0533b514117d85c2a403fc77993e5c00bc97ea1bb06ac95c4a3bbabfa656059434ff3d711518ca88540299153bc14024117326548bb960b6fa3

Download Submit
/data/data/sf.apple.pay/tvsafe/plugin

Filesize
48B

MD5
278367dd1dedc8b2f7ee7f53133b2733

SHA1
4382610908751b8e9282cdc4205d3430444cc183

SHA256
bea5f440d668f0b6098f6e594480f91192b43dadfe47edcec566ccdc88311927

SHA512
58fa34ab29dc0a440cecc6121b675089d904e21cd7430472922eb3263ee6c930aed421f12426399c96b0431a3f6677ac5ba01145bf4ec99006edf0f0f32a3ab4

Download Submit
/data/data/sf.apple.pay/tvsafe/plugin

Filesize
58B

MD5
4f37adbe3b6dd8c817328997ecd6de7c

SHA1
7f4f9949cfd2024e7917c4e428bf99fb1c7404f6

SHA256
b6c0c4bb0d3792288b726652640a0d312eedfbc88fb4ac7d471a45d90d37dcc0

SHA512
3e4a503efb4251c8dbe29fe1cf36684b6195560fda19ce8c2277521432cfa3f332ed73082f74ea86c86b4b84d733dd52c20d517596905519a6eb602921c9cceb

Download Submit
/data/data/sf.apple.pay/tvsafe/plugin

Filesize
59B

MD5
f12b8e35d8850e0f9c21e1c869fa8091

SHA1
86948267f4647530917223665a61e7c85e97005c

SHA256
8c49bab4865a319ce9eaf1a823420ade4c787473851f17ffcf9f0bd4737c2871

SHA512
f705e349a1ff419d30e93403bfc55cc821c6f32af9b0ef50acf4ed33dcdb6d1ef3555a89af34ca41c80dc4ef4974b834280a615bd0203e062addd0374994d1f9

Download Submit
/data/data/sf.apple.pay/tvsafe/plugin

Filesize
24B

MD5
cd66a3a26f9735f8af572b3e65b9904a

SHA1
0ea221fdde7fd8d1a1058c5bff3149f15c24425c

SHA256
862e4c2dc446ad328b361635d0f2da9755371dbd1d7c95267e86895f2e1b9912

SHA512
0b628ecd98a7ed8103842c1815659279c31f55163d965a020e8e2af28ef7e654b4d893e38e521e2e00b918c1e07a0382557565e19c40650126f2c013e1d5e2da

Download Submit
/data/data/sf.apple.pay/tvsafe/roo_report_sp

Filesize
41B

MD5
f541f9a4d590193ae11798749cdcb55e

SHA1
9b13d431d541507b7553b40373f7c69930b51b95

SHA256
168e433850649efa709d4dd8b2300e5b40935daaef7285a63e189b8cd9418eb9

SHA512
b17bb095363a77514136dab6f716c2ccd6ef68bd19d5ce8a81a2e3055ff8bf8980f1a7485c36e26b03e0d2ff02b017782a278f4abb9197813ae0ccabc5671d14

Download Submit
Anonymous-DexFile@0xd51b0000-0xd51e0100

Filesize
192KB

MD5
a4357e310fad387f3dc81e668567fd2e

SHA1
f566df93709fe272ec9f8bcc5cecce616888e45a

SHA256
89096d65c2925d1451d5151b9c70168cee798cba7b1a68fe460035e2b2711c61

SHA512
c147cd04c86d2a143deda4ec4bd31229f3dbad8223db04c31599ff70b25b251c4e3fc7bc3c8826e6ce1766e804ea328c7dd522cb68cfcdd2f690934a8b4cb3f7

Download Submit
Anonymous-DexFile@0xd5241000-0xd52706a0

Filesize
189KB

MD5
1a2498480c8f6408595879e4ec20aa91

SHA1
e09c410206d375295dc4d2b78111b09c428b7235

SHA256
9326ae7cd03f5568d8a1b8d1d672601b5894afcc7f92b8130b34e8dbd357dd0f

SHA512
cc6e4ed40720de6302e321e21c9bda9a10c523fbdeb15122b04baf6d5a1b7604feaad9666997e35d3c4302a10d2cb4e4a08aeb4195f554ab9f745525748ef678

Download Submit
Anonymous-DexFile@0xd5301000-0xd531c810

Filesize
110KB

MD5
d7a65b5377fe64ff0a113feb58bae027

SHA1
1f4a89b8e1589cd81b72c0776afb781a2d379cec

SHA256
a4bc753b6a1e28c2b3df213ab4a050645a8a2089c5d281064acc8a131d8cf17e

SHA512
56c515967863843439ee5c31265a1c1c0a0e7dcb47d729163dd8e115c72154b4caae16f55270b967b61373dc209f8d0f148a4c20b413551cada84fe4cb794383

Download Submit