4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b

Resubmissions

18/02/2025, 20:08

250218-ywn8bsxrc1 10

24/01/2025, 04:44

250124-fcwh7azqas 10

24/01/2025, 04:37

250124-e8zp2sznay 10

Analysis

max time kernel
7s
max time network
132s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
24/01/2025, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b.apk
Size

10.5MB
MD5

8ebf4bdf9326073fa0577a2e1950e1af
SHA1

7a30345f421c243cbef4dd42d60f5de45b99d580
SHA256

4fcce7c445d89d7de943ec0e0c2fc285d4b25a67950ad7d6bcb50dbcbc4ac29b
SHA512

006dd16eee88a56657bafed02d5585d8a04bc98139249f9fb0553382d284a23546071f3bff9e39881150d0ba802f92ac26b1fbd8fb6c5b20f1a6cd6301e40243
SSDEEP

196608:3wGdnljZ/MLUBwiwOYTR8dhTVKZZRa+6Gz4+bpRdS388yngsaFf/FYd9r:3VRRZvai3YOBkRTz/RdS3886gl/FYdF

Score

7^/10

evasion

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 2 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/nmrdiw.xhckto.wotzbp/app_sheriff/ccLObl.json	4284	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nmrdiw.xhckto.wotzbp/app_sheriff/ccLObl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/nmrdiw.xhckto.wotzbp/app_sheriff/oat/x86/ccLObl.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/nmrdiw.xhckto.wotzbp/app_sheriff/ccLObl.json	4260	nmrdiw.xhckto.wotzbp

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org

nmrdiw.xhckto.wotzbp
1⤵
- Loads dropped Dex/Jar
PID:4260
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/nmrdiw.xhckto.wotzbp/app_sheriff/ccLObl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/nmrdiw.xhckto.wotzbp/app_sheriff/oat/x86/ccLObl.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4284

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/nmrdiw.xhckto.wotzbp/app_sheriff/ccLObl.json

Filesize
573KB

MD5
53eeb221635303b30aa63f98d92018a5

SHA1
0bc80cd5795806afeb684c6a05d5d3a7ba968262

SHA256
97e086bd422edfb25b19a5c358135bed6f11f201914b9d5f171bb3da4b24eda4

SHA512
626d3acf96b30c202559bb169c46126f0629a549cf568e1b318061434e41273fedb6385a1c91676c95cccc9b8e4a1aa0bb91ff12ba0b1b6df7bf66b597e1782e

Download Submit
/data/data/nmrdiw.xhckto.wotzbp/app_sheriff/ccLObl.json

Filesize
573KB

MD5
04c0f10a3fa92c116a88892b7215cbda

SHA1
595a0efbedb351b9881b56dd4fa6f34a830a7906

SHA256
7a239f0cc770425914abd361298e39858b80264408ed6574a27af83da3c1ab5c

SHA512
49a7ee1b543716ad6340e5845af7ab151af3761c36ccc52c34c61e54b9993cb6b486f416ac18ad2016852bcdf838c835aa2a5de769bf1015ef1c4441d2825198

Download Submit
/data/user/0/nmrdiw.xhckto.wotzbp/app_sheriff/ccLObl.json

Filesize
1.2MB

MD5
f09ebb1f067a981dcf960761e8807117

SHA1
a1c74d99e980dbc9d95444b69c040af946f67945

SHA256
34822af6a552029f9ea2ddc173704d7e70a8d117ce422f9cd42bb4484889c164

SHA512
ce1134031a3dba59cfa1a7dfb76aee3cbed6d473328edc5bd9994a581205f5bb217734f0037fd17f89f6b1969292e216de095294eb367f88b53aee2d344cf27b

Download Submit
/data/user/0/nmrdiw.xhckto.wotzbp/app_sheriff/ccLObl.json

Filesize
1.2MB

MD5
bbdde0270e2573891dd7872eccfe5a06

SHA1
b0ee37a19ab30ae509b1280a217f845d37708743

SHA256
01c2dc0c47a460e49a56282e5a3b0becd0b9f260d60139390ed026f83825b570

SHA512
41d2ef59b64fb00d4d01218ba84fcafb6ce13532e851d7b8232eaba63e7f18c29f0f5089fc0b22889a6a32c77715fb36ca2b2eb49984d0707b1c28f122a01329

Download Submit