5d5cb8d546b0ae37a7982aed181f34d4630c966aaf3eb2318c612267e419dc98

Analysis

max time kernel
149s
max time network
158s
platform
android_x64
resource
android-33-x64-arm64-20240624-en
resource tags

androidarch:arm64arch:x64image:android-33-x64-arm64-20240624-enlocale:en-usos:android-13-x64system
submitted
06-02-2025 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

childapp.apk
Size

18.3MB
MD5

c1eba49d0e1ed645581cdd937b3ac971
SHA1

dc2bfd830824f26eef40a25af2a83e86a2932086
SHA256

433a799f1e44a22a638ba301f0bb64fdcecb1cf052a9295fb1261680273a1d19
SHA512

62ea1705f54ff0831f8c0c6d41b470ce1476e4010ba85ce5c47370410c9e7a48cf54e741b612b1e1471013a1d750420e5aa2ca45d015acf8a9706f45332885d0
SSDEEP

98304:KKTsb+FPxCGnFOXVOkvBLVjmzHzBwTZ0tMH:SGFOl/KzW2G

Score

7^/10

collection credential_access defense_evasion evasion execution persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	skins.mon.cream
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText	skins.mon.cream
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId	skins.mon.cream

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	skins.mon.cream

Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	skins.mon.cream
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	skins.mon.cream
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	skins.mon.cream
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	skins.mon.cream

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	skins.mon.cream

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	skins.mon.cream

skins.mon.cream
1⤵
- Makes use of the framework's Accessibility service
- Acquires the wake lock
- Performs UI accessibility actions on behalf of the user
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Schedules tasks to execute at a specified time
PID:4338

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/storage/emulated/0/Config/sys/apps/log/log-2025-02-06.txt

Filesize
21B

MD5
4b84fe3a078cc351f6ae66c87be77f14

SHA1
373dafc7368e61187d93f16c207ff6acf31f6edd

SHA256
7f3b40b647801ed8cf24bc1d4d404286991b510541be4eadf51eca48c235a58e

SHA512
8e7af32608f9ac93d4ca175d3b85e822fcb7f0695f97dc2e323c88a35668ad21c57ed73a3558434487a421cbcb1291f87dfc3170813195193b99b97d0d5098f6

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-02-06.txt

Filesize
25B

MD5
ba30336bf53d54ed3c0ea69dd545de8c

SHA1
ce99c6724c75b93b7448e2d9fac16ca702a5711f

SHA256
2d6988fb5afdaafc4e33fa1f71d6f10c95ab5a49a8ec820add5b13eef05439af

SHA512
eea34ca526e03349e746d3687ea660b4748f0174fe2ffdb65161e232e08630b345e03329614852ce881a71362ba68575e9dd08fa361a416e5b2fb231e21a0a3e

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-02-06.txt

Filesize
252B

MD5
663891209b9c69927da022502d9d1a0a

SHA1
404a1c41f5618458e3aca65e6575d3999c6370d5

SHA256
a37c359d908d6453a338538891d13558acb9625b4bf1826778397ce8c4289019

SHA512
2a28902c4afc37f874a1467552738c018a2ccb794d006ecba7e728ad26f3056172b894f9922289993afa13c4a4acc2a5b2595f7b676e70be1e19c18cd696800c

Download Submit
/storage/emulated/0/Config/sys/apps/log/log-2025-02-06.txt

Filesize
65B

MD5
ac2e1b6594c270d647ea5375bd561bd8

SHA1
cd50e64e30cc35b403341a8cc83f28a18c93d243

SHA256
4a2b367f4f65e5a3f37fc8198be8df08e6dc2c6ea102e25051b0f7c37c524ee0

SHA512
ec6b9fed3e198c1f03695ffe373d34e72f2694c1ef9c418e73893d5b670988e1a84dc09942162aeeb94b08470308e6c5d8f8a874613efed89ec79f2e1f6e66ae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads