Analysis
- max time kernel: 56s
- max time network: 141s
- platform: android_x86
- resource: android-x86-arm-20240624-en
- resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
- submitted: 24/02/2025, 10:24
Static task
- static1
Behavioral tasks
- behavioral1: Sample TikTok18.apk, Resource android-x86-arm-20240624-en
- behavioral2: Sample TikTok18.apk, Resource android-x64-20240624-en
- behavioral3: Sample TikTok18.apk, Resource android-x64-arm64-20240624-en
- behavioral4: Sample deper.apk, Resource android-x86-arm-20240624-en
- behavioral5: Sample deper.apk, Resource android-x64-20240624-en
- behavioral6: Sample deper.apk, Resource android-x64-arm64-20240624-en
General
- Target: TikTok18.apk
- Size: 11.2MB
- MD5: f20e95261bf244f7b7c8df748fd7885d
- SHA1: 2a5ceeaba1825ccc1c8cdaf86cd0fb6827c3f4f5
- SHA256: 81c8136a260fff29b8e46a620cd1e8d6e88bd8b9f55e0cf8ee0ec952f5292804
- SHA512: e739a635a19efb641deb6645134084b3dea2ca8d665cd6c2103a10ed1b85b4a7e990aff6c60d76487ed4a23c3cdeb4db1da92d9b0e42987d674b1077bfd20f40
- SSDEEP: 196608:veGPrPXn8o57/mOCq3LoFfret42buc+qiwh+siRjugUU55zmjeQM5QPYCy2LcD:ve2b8oN/tR3Lkry42bYqii+syjbUUvsM
Malware Config
Signatures
Loads dropped Dex/Jar (1 TTPs, 2 IoCs)
Runs executable file dropped to the device during analysis.
- ioc: /data/user/0/jueshv.ogktoc.afeufh/app_legal/EM.json; pid: 4287; Process: /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jueshv.ogktoc.afeufh/app_legal/EM.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/jueshv.ogktoc.afeufh/app_legal/oat/x86/EM.odex --compiler-filter=quicken --class-loader-context=&
- ioc: /data/user/0/jueshv.ogktoc.afeufh/app_legal/EM.json; pid: 4262; Process: jueshv.ogktoc.afeufh
Declares broadcast receivers with permission to handle system events (1 IoCs)
- android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.
Declares services with permission to bind to the system (4 IoCs)
- android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
- android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.
- android.permission.BIND_INPUT_METHOD: Required by input method services to bind with the system. Allows apps to provide custom input methods (keyboards).
- android.permission.BIND_VPN_SERVICE: Required by VPN services to bind with the system. Allows apps to provision VPN services.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 3: api.ipify.org
- flow 4: api.ipify.org
Queries the mobile country code (MCC) (1 TTPs, 1 IoCs)
- description: Framework service call; ioc: com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone; Process: jueshv.ogktoc.afeufh
Requests dangerous framework permissions (22 IoCs)
- android.permission.GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service.
- android.permission.POST_NOTIFICATIONS: Allows an app to post notifications.
- android.permission.WRITE_SETTINGS: Allows an application to read or write the system settings.
- android.permission.PACKAGE_USAGE_STATS: Allows an application to collect component usage statistics.
- android.permission.ACCESS_MEDIA_LOCATION: Allows an application to access any geographic locations persisted in the user's shared collection.
- android.permission.READ_PHONE_STATE: Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
- android.permission.PROCESS_OUTGOING_CALLS: Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether.
- android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
- android.permission.READ_SMS: Allows an application to read SMS messages.
- android.permission.MANAGE_EXTERNAL_STORAGE: Allows an application broad access to external storage in scoped storage.
- android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
- android.permission.CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call.
- android.permission.READ_CALL_LOG: Allows an application to read the user's call log.
- android.permission.CAMERA: Required to be able to access the camera device.
- android.permission.READ_PHONE_NUMBERS: Allows read access to the device's phone number(s).
- android.permission.SCHEDULE_EXACT_ALARM: Allows applications to use exact alarm APIs.
- android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
- android.permission.WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage.
- android.permission.SEND_SMS: Allows an application to send SMS messages.
- android.permission.WRITE_CONTACTS: Allows an application to write the user's contacts data.
- android.permission.RECORD_AUDIO: Allows an application to record audio.
- android.permission.RECEIVE_SMS: Allows an application to receive SMS messages.
Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTPs, 1 IoCs)
- description: Framework service call; ioc: android.app.IActivityManager.registerReceiver; Process: jueshv.ogktoc.afeufh
Checks CPU information (2 TTPs, 1 IoCs)
- description: File opened for read; ioc: /proc/cpuinfo; Process: jueshv.ogktoc.afeufh
Checks memory information (2 TTPs, 1 IoCs)
- description: File opened for read; ioc: /proc/meminfo; Process: jueshv.ogktoc.afeufh
Processes
- jueshv.ogktoc.afeufh (PID: 4262)
  - Loads dropped Dex/Jar
  - Queries the mobile country code (MCC)
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks CPU information
  - Checks memory information
  - /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/jueshv.ogktoc.afeufh/app_legal/EM.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/jueshv.ogktoc.afeufh/app_legal/oat/x86/EM.odex --compiler-filter=quicken --class-loader-context=& (PID: 4287)
    - Loads dropped Dex/Jar
Network
MITRE ATT&CK Mobile v15
Downloads