Analysis
-
max time kernel
47s -
max time network
127s -
platform
android_x86 -
resource
android-x86-arm-20240624-en -
resource tags
androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system -
submitted
23/02/2025, 23:01
Static task
static1
Behavioral task
behavioral1
Sample
CapCut_Premium.apk
Resource
android-x86-arm-20240624-en
Behavioral task
behavioral2
Sample
CapCut_Premium.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral3
Sample
CapCut_Premium.apk
Resource
android-x64-arm64-20240624-en
Behavioral task
behavioral4
Sample
deper.apk
Resource
android-x86-arm-20240910-en
Behavioral task
behavioral5
Sample
deper.apk
Resource
android-x64-20240624-en
Behavioral task
behavioral6
Sample
deper.apk
Resource
android-x64-arm64-20240910-en
General
-
Target
CapCut_Premium.apk
-
Size
10.9MB
-
MD5
548ede0959d30a22484ae452f535a0db
-
SHA1
7b34fc3a7d4f2d6ce38f3f0de08df80ed4859e27
-
SHA256
aba8466f8162846c8adc7be242bb78a346775804de2c14a978d69649b0639c6d
-
SHA512
564feb15f3ff884fee96e3a54793379d969c49d97163d9214707e6c77e50dfe6c61be04dcdb8a444f86ed96844f82a4691093d51f05654ad28ac9c1ad9b618d7
-
SSDEEP
196608:3XeOWRtCAvekoDLWGxXfyzTn9P3m5AC+FX6JagEQVZxkpUSlPJn:3OX/3xYLpxXfyzjtd3FX61PVZx8USlPp
Malware Config
Signatures
-
Loads dropped Dex/Jar 1 TTPs 2 IoCs
Runs executable file dropped to the device during analysis.
ioc pid Process /data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json 4278 /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/oat/x86/iox.odex --compiler-filter=quicken --class-loader-context=& /data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json 4251 tfskbi.ztdwnc.yfprwh -
Declares broadcast receivers with permission to handle system events 1 IoCs
description ioc Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN -
Declares services with permission to bind to the system 4 IoCs
description ioc Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards). android.permission.BIND_INPUT_METHOD Required by VPN services to bind with the system. Allows apps to provision VPN services. android.permission.BIND_VPN_SERVICE -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 api.ipify.org 4 api.ipify.org -
Requests dangerous framework permissions 22 IoCs
description ioc Allows an application to send SMS messages. android.permission.SEND_SMS Allows an application to record audio. android.permission.RECORD_AUDIO Allows an application to access any geographic locations persisted in the user's shared collection. android.permission.ACCESS_MEDIA_LOCATION Allows an app to post notifications. android.permission.POST_NOTIFICATIONS Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS Allows an application to receive SMS messages. android.permission.RECEIVE_SMS Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS Allows an application to read the user's call log. android.permission.READ_CALL_LOG Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE Required to be able to access the camera device. android.permission.CAMERA Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES Allows an application to read SMS messages. android.permission.READ_SMS Allows an application a broad access to external storage in scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE Allows an application to read the user's contacts data. android.permission.READ_CONTACTS
Processes
-
tfskbi.ztdwnc.yfprwh1⤵
- Loads dropped Dex/Jar
PID:4251 -
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/oat/x86/iox.odex --compiler-filter=quicken --class-loader-context=&2⤵
- Loads dropped Dex/Jar
PID:4278
-
Network
MITRE ATT&CK Mobile v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
573KB
MD566733db48d9cba8a319e7e1451336263
SHA1f74be1920661841d7eee576f4be0b8ae2ba028f3
SHA256dfb28b0b140228245af52b34aa9d09cff2925fff9d3d342a741580b75698e091
SHA5124b5f0d8b1421fd8934dcd154ecdaa46f86b157c9973dac5f0808b591195d3a7f061e4ccf0d90942d43921e7178a2161fb07bbb73b4e2b535a5fcaf9472c795a0
-
Filesize
573KB
MD5c491f888e98327a6a43588598dabd1b6
SHA14afdb7524284f7195ddf37ba5e8d1daf0c0b2801
SHA256d0569859013122e742a96e170860862eb814ae93c9aa689db0e0afe4c4084848
SHA5122a1436a153ba0532ea5fab3506fa3c4da30e256b9627bdbaf9d63b6f8298865b6d850e3d990ceb47046b44440bf3b8997937c9f5bc8c4e9ed65f2322a8607a3d
-
Filesize
1KB
MD5ff55971d2cc6ad18985684a2171d18d3
SHA1f41d830e7e79797de5284d8145c426a3b8555950
SHA25601838f95b1d9ad00307ddc83fac31950b757f7fba446fa6b9d8d9ab6b0db5328
SHA5125fc80b1252f3cc107edecfbbcfb1e16bbbca21afa1e00186a7c9038e160e62e8938d7dbb7ef2b1c6767721fe52460dd8d568ffdb89a830f2bd48d164baceed13
-
Filesize
7.3MB
MD5c59b52822aa4d008e2b29372ca143179
SHA19adc650d28dd99e8413c3546de9195fa42aefcd5
SHA256fb6a726e3888842c21f274ccbd64a30962e1cd12d2472aa8c088fb052819b503
SHA512f93c04b9ac5dbf45ef7f4dc1dfd588d45d1a0d5b5959647ab0995d83dbff433d798f84cf9d17e0336a8132a2c5b29b290c5024db2bd641a491c981c9d923a4e2
-
Filesize
1.2MB
MD5686bc5e0a5321eef3e910c95bdb4d06c
SHA17db19a9b3001d82e247c1b21d3bfb500c27e9782
SHA256dac86926a8bd886a8b9451eee45b39927b24395afabfde84f6cd42d5b8d24f91
SHA512bb59a9b8d0e007c7f05570e1ae7f640871b2049ea9e35edb3c967a4f67c6bdc58a7842d8fe3cbc2d99f8b169c3ea69e27a673663bfd2f323ae23b735ca135131
-
Filesize
1.2MB
MD5d83f3b2e9163dbfcf3f0b85d4c8ffda7
SHA143bd3678f168a0f0da2413d4f0de6788c88d34c3
SHA2564b81c2ee643d0f68b2b47733c310b24f47827e01f41aedd8153f449900c4ded3
SHA512a4e8b017d92b827f6ec27b7d13325b353322712b55c925fefdb3869a4558c921c5016c9f87601f544c1a89c4b2137c8aef8be5eebab7277a1f07724efa39dacc