Analysis

  • max time kernel
    149s
  • max time network
    158s
  • platform
    android_x64
  • resource
    android-x64-arm64-20240624-en
  • resource tags

    androidarch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240624-enlocale:en-usos:android-11-x64system
  • submitted
    26-11-2024 11:57

General

  • Target

    PSB Guard.apk

  • Size

    8.7MB

  • MD5

    53b01bb4d064c9826feb45f2bd265ea2

  • SHA1

    320ee119945675b2db689ff1258cdde8ffc2c6cc

  • SHA256

    4814530804e0e6aca8103cc9919d0ed470bd96662f0937d6a5990d58441346a1

  • SHA512

    23d70b32bb062647745ac0687b2808d9a45c96b965311c238d7c92c32a288f72dd5ad4e80cd2d2d64df01630f73cdcb274cfa947ca30ae5ef2cae0940f2e23fd

  • SSDEEP

    49152:PHQKDb2EyknAZkZRwxWP424W3M7svSf2ymzgzdGGdQTOG1UZYqB0cgZiiYikJtt:oxETA6oxWQiMg82ymzgzBSTi0tZi1tt

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Performs UI accessibility actions on behalf of the user 1 TTPs 8 IoCs

    Application may abuse the accessibility service to prevent their removal.

  • Queries information about active data network 1 TTPs 1 IoCs
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • dinner.dispatched.pierce
    1⤵
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Acquires the wake lock
    • Makes use of the framework's foreground persistence service
    • Performs UI accessibility actions on behalf of the user
    • Queries information about active data network
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4443

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-26.txt

    Filesize

    25B

    MD5

    3b7ea75ecdb8a74d2992a098079fa660

    SHA1

    1f054ff1a3bc78b99586fc6e63dafff501460f42

    SHA256

    9dce2dd9f954dba8abf9be9f5542e2d64716de54a5cd72ed3d051efe4d26fbd4

    SHA512

    4669b9cc3f3be17c2e54f790c3830e75dc74580afb2270fcc3d9763118dd1be362210da1bb8379d570be500ccdf7ef21b50ab8cb7225148ee9ad5ab5549b1baf

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-26.txt

    Filesize

    25B

    MD5

    ba30336bf53d54ed3c0ea69dd545de8c

    SHA1

    ce99c6724c75b93b7448e2d9fac16ca702a5711f

    SHA256

    2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

    SHA512

    eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-26.txt

    Filesize

    280B

    MD5

    f65ea5698701546ac3ce4b5d7a25fe24

    SHA1

    d8691f9b217db45a1e0730abc8ce7ad3967617d5

    SHA256

    73d5cb466ddb9421032234ddd8e0eed4b58d4eca245a99f9c598b65eaa4b74df

    SHA512

    f8e1464abcc1c6db0636fdd2f24a66a1ef734b861d0ff40f81fe7316dcb27ac45ed1fdc6ca6cf4031839d1ca66459fbf3627df8149f654bf3b3fba302c3f8f2e

  • /storage/emulated/0/Config/sys/apps/log/log-2024-11-26.txt

    Filesize

    57B

    MD5

    4ec61b5fe351185aa562390fbb1ca7f1

    SHA1

    ec975ddf78d129cb75545b581fde4dd1205f4722

    SHA256

    2ae37b78492992527c00544ea1110e0d487b515439f68421e4caa8a4c698a4a8

    SHA512

    eba55e02f0c089cdc329fe2ae3a2e47af5fee2e57377d77ba8afbc4c1aba954053aae92d97dc0f50da78075aa7ddff27b124b6c28cadcff538a6142af7dfbecb