51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

Analysis

max time kernel
8s
max time network
164s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
14-01-2025 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Undead_Defense_Tycoon_Script.apk
Size

3.2MB
MD5

fc35546a7395a68b6440de033afa789d
SHA1

4afc8724e58084164148b7ce518ede8b203dce3c
SHA256

c1b81966fa17c4e7d5137f13b2f4d04704c97d66a54d57dcfc1f42ad1f4029e7
SHA512

ae32d9e7d7403a6ab0429da69fe4f803001a077327a0f103ccc9bcb90b17973ef10be8dc2cbf1909549a04f1eff5e85c81c2dfc2d99ba7fa93369efa47beca6c
SSDEEP

98304:BaqBN1el9eL+FB8Y2nzDNWbVAneM/EjF+894S:oqX1nk52n05AehERS

Score

7^/10

discovery evasion persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex	4303	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.herocraft.game.birdsonwire.freemium/files/oat/x86/b04e7800.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex	4279	com.herocraft.game.birdsonwire.freemium

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.herocraft.game.birdsonwire.freemium

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.herocraft.game.birdsonwire.freemium

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.herocraft.game.birdsonwire.freemium

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.herocraft.game.birdsonwire.freemium

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.herocraft.game.birdsonwire.freemium

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.herocraft.game.birdsonwire.freemium

com.herocraft.game.birdsonwire.freemium
1⤵
- Loads dropped Dex/Jar
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks memory information
PID:4279
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.herocraft.game.birdsonwire.freemium/files/oat/x86/b04e7800.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4303

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.herocraft.game.birdsonwire.freemium/files/KWW

Filesize
413B

MD5
876868134cb6ca0a4594bafaed05379e

SHA1
c4c28bb8be567f4137b4ccce88f9c973d05309f1

SHA256
ebae0565bbf561b29b96a373a514101adf616e4137d66e3db9b78bb3e8936d76

SHA512
b72aa156e69083a558433ceb5cf7ae734279f5a3caee18a75027d42c0de0d5dbd7e6d5fa036cbdad01e7799e185a79d02b154e8ae99406bd4257b3082ea8b43d

Download Submit
/data/data/com.herocraft.game.birdsonwire.freemium/files/PersistedInstallation5131822135481444021tmp

Filesize
90B

MD5
6cee4e8ccdf6001310d1fc72a4941085

SHA1
b7ccfdcc4edbbd849c769dd3c36f959c2a283282

SHA256
2ff04803edbc9cf7838897acb63d226de17cc9d01b53557ed15a27ac51c261c4

SHA512
68a2a870ed51e825322d430adb9d36aa6a9d2d202b3bda6c20bd6f668cb2a85b7fab0dd51da0f63285cb57b7b8baed44d2a247810f3cbb9a989859207fec1aea

Download Submit
/data/data/com.herocraft.game.birdsonwire.freemium/files/PersistedInstallation865348162819617427tmp

Filesize
569B

MD5
7c68cfb0db2391d15be50715b1fbe4f2

SHA1
c3b18ce70cf05b5a4a42460dd1a4b1d35b79d3d1

SHA256
ee9a5eb046e0fab0eeb540c831785a40ef191f6c9819c62e08bd1c12d88b84c5

SHA512
e7d141144bc0c1f8b30072577888ecca00ca21dadcd10c9657d2d58741aaa9db6f3dc2d2a571d70614388e458cb82b50cf1fea58b6d5baa81529f70bb6ef82f7

Download Submit
/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

Filesize
242B

MD5
ed7fdc0593617f76bcb045da928277e6

SHA1
80308cad460198f7314e28c202a717c36dca6eb5

SHA256
c0ad644be3b5abd8f6ba4174d7d7f6ff83991a6ea829753fa44ee567b3e9f757

SHA512
843a6f39aecf713e9092252bcc3ca9602ea7a5952db7e4fea4b97cd61e709aa8b3b6f9db0bd2cfe5f278e9c18eb4d88e43b0ed8d0a99aeb0ad109884c75c84e2

Download Submit
/data/data/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

Filesize
2.3MB

MD5
a2c0379f196c91a175f47b801895518a

SHA1
549b6e1c77021378b4189f736b7eb7437a9d9497

SHA256
35cdc216518a388e7842f6b67a2c65ea06ca5302286087df3a9db29603b9aa21

SHA512
e3ebb67eb0a9c9e13db1dd29474bf93af6e0e3b9607623c0a70672bfb4f2505abc1f2c23e1592175317bc4f384fb7966954f0d37e6f331f7eb724ff5e6be4205

Download Submit
/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

Filesize
6.4MB

MD5
670d8683a3c1765ced65f8b60bfacdba

SHA1
24bc8f1ec3e925316fa05918fed1962379debe15

SHA256
fc48615db02bf829b738c5efef9cfc368b27c0a40fe69d4fa165cf59b0d6cc9f

SHA512
c6e7c7104c31d2b567874fed9684c172b1dc722d084ab998b0159420554e27ce044ed8b0099194919c18d782ac9d075962c966c602eaaf021f36d9d262bbc9a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads