51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

Analysis

max time kernel
9s
max time network
158s
platform
android-9_x86
resource
android-x86-arm-20240910-en
resource tags

arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
submitted
14/01/2025, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FE_Invisible_Troll_Script.apk
Size

3.2MB
MD5

3ff43582aa468b8a8d0e063dcfea73bf
SHA1

5d1d34fcec8f715ce045a5bda04741d40f29001b
SHA256

a6f56581bb7ae7b242fcaab3d97d04ec2c5ac8aa5870e4e64ffbcf0d78899993
SHA512

6af7639bc336015161f3087519e1a365ece0d1e0f5f7f20fe1af3243d1e6c3a0f65e38b50dc70f15cd13a232989b22884ca36bf0151630223d37bdba4f250149
SSDEEP

49152:hrOpp2RqaP3KdsFeHcEKYC4KiJK5ncPjPuE/UpXSkdkIDk5sSEj6QiVterxzrK:hYgv6dsFt0FQnGD/UsrLEjS81PK

Score

7^/10

discovery evasion persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex	4389	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.herocraft.game.freemium.catchthecandy/files/oat/x86/f2f8f843.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex	4361	com.herocraft.game.freemium.catchthecandy

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.herocraft.game.freemium.catchthecandy

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.herocraft.game.freemium.catchthecandy

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.herocraft.game.freemium.catchthecandy

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.herocraft.game.freemium.catchthecandy

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.herocraft.game.freemium.catchthecandy

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.herocraft.game.freemium.catchthecandy

com.herocraft.game.freemium.catchthecandy
1⤵
- Loads dropped Dex/Jar
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks memory information
PID:4361
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.herocraft.game.freemium.catchthecandy/files/oat/x86/f2f8f843.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4389

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.herocraft.game.freemium.catchthecandy/files/Iksc

Filesize
383B

MD5
2ffb81a266561a337b05cb3fe3abf9bc

SHA1
4135a7190e02731a0470a23bcade18ecb4c8a8cd

SHA256
924284de6024e7c2bfca22c41bc7bd9942138bdac2251435ed017b203dd0cc22

SHA512
a362697bf3592c1d979ef3871f6381bc1568c81ba4ff2475e6366012e11e2b5a28f8e8aac2a9b37a71040ca7a95a96bdc963983c51f24ec1cc742f331b70f1ad

Download Submit
/data/data/com.herocraft.game.freemium.catchthecandy/files/PersistedInstallation7043033888099906818tmp

Filesize
567B

MD5
5929f119da464fe15f512aea4e3bb7ae

SHA1
47c0de00f203124acdcb4a2d528c40977f639fd5

SHA256
ac9db451601dfbafe90d12448a5f5ddb5fda1526d001f1fa9df9d8f64ad743d4

SHA512
27c3bf75a8051ae1a57ce39279e391f2cc04022afec8b83f8af370545e849cd42639d5ddc5395f630d9e17e57b74b5b0a304055d7c8926413164af42eb06f6b2

Download Submit
/data/data/com.herocraft.game.freemium.catchthecandy/files/PersistedInstallation7841961617515730450tmp

Filesize
90B

MD5
bded484227444ace24fffcd4d0add055

SHA1
8b7851169c4cbbd4c66a00c37b52368d3376c386

SHA256
a8ffe9a54cfeab08057e5aee31b62717be83b75807b9d50da132707d1fd9ec11

SHA512
0dd48f9cd3deac67a75a89003213a90569dd1b6a495e53526a9a156269a85e2e935fb9e8d373c68c2bc8495981c9ff2522eedb60b9a7405d5a681ec6d3e7e603

Download Submit
/data/data/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

Filesize
2.3MB

MD5
d951efa7f0ca59781f3af35949338902

SHA1
ac853df2b6835dbac7c94eb008ab4657e68eda70

SHA256
5b0a0d3671f6ff3ea0001624a0c157d057965e60891c5335391880fe9b00e183

SHA512
8fbbc1c347ec03478b01ff321d159656abfcad1d9ac3b426382348567c57bbaf1cdb3cac77c38fbcf62e0e17063f170fc9f9bf200a982b940dcad47e30b05617

Download Submit
/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

Filesize
229B

MD5
afc5830859e0c30baf4510c8cb43cd97

SHA1
f82029564925c40757ba67832c715c234240226c

SHA256
5872c438c660fd2b71e3125301f38b9f855944dcf692350fa037e616d92bebd0

SHA512
9063e64a28a90c42cfee7244bd8bc75f5038fd366bee24205b986d38371f2de966b4f3eadca8c0e66fa223199c9c7d78913a6080288a7d73bab54a5c4d2d3b11

Download Submit
/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

Filesize
6.4MB

MD5
767a8ce605249b314939882f824f989a

SHA1
7cb1e61d4fa739b92b25d13bcf33bbb00cff9baa

SHA256
26d8b34344e6e61c8a1380e9773109569accb467b36f954a1e5c729a4d701fa5

SHA512
baec83cf6d66fc0dbf13411043c8168acf38b0b66a9c20f9b1ec54d6f5ef21527d22b4c47dd54734dcd5bd85410dc3bb8fe786fb1702443beee9a42e869c4475

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads