c6e52bd7d8a1de54e5a6551a7a737c989d93537c1bb440fdf37914c799e77f16

Analysis

max time kernel
296s
max time network
306s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
25/02/2025, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6e52bd7d8a1de54e5a6551a7a737c989d93537c1bb440fdf37914c799e77f16.apk
Size

23.4MB
MD5

9b4aaaebca0f904234d371475d3dcc6a
SHA1

fdbd2957048a9564a923bda70d68ab292bcb7540
SHA256

c6e52bd7d8a1de54e5a6551a7a737c989d93537c1bb440fdf37914c799e77f16
SHA512

d8ad4d4d10747264e2ef960dcef5e70049ca7eab102fbd02ea07982e01b6af2130f95856694a9ebe0f3bcc3e2512a8bca92f944b1b5aa9f54a0cf5e34ecd67cd
SSDEEP

393216:HehX6Cksss3FNgIuc9zhL9XmENEuEyIlRrU:+hXedsFitchHXT+U

Score

8^/10

banker collection credential_access defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 1 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/sbin/su	com.cam321f.mac

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection defense_evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.cam321f.mac

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
banker discovery

Security Software Discovery
T1418.001

Queries information about running processes on the device 1 TTPs 1 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.cam321f.mac

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the contacts stored on the device. 1 TTPs 1 IoCs

collection

Contact List

T1636.003

description	ioc	Process
URI accessed for read	content://com.android.contacts/data/phones	com.cam321f.mac

Reads the content of the SMS messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/	com.cam321f.mac

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
22	raw.githubusercontent.com

Makes use of the framework's foreground persistence service 1 TTPs 2 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.cam321f.mac
Framework service call	android.app.IActivityManager.setServiceForeground	com.cam321f.mac:remote

Performs UI accessibility actions on behalf of the user 1 TTPs 2 IoCs

Application may abuse the accessibility service to prevent their removal.

evasion

Prevent Application Removal

T1629.001

ioc	Process
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cam321f.mac
android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction	com.cam321f.mac

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.cam321f.mac

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.cam321f.mac

Queries the unique device ID (IMEI, MEID, IMSI) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.cam321f.mac

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.cam321f.mac

Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.cam321f.mac

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.cam321f.mac

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.cam321f.mac

com.cam321f.mac
1⤵
- Checks if the Android device is rooted.
- Makes use of the framework's Accessibility service
- Queries information about running processes on the device
- Reads the contacts stored on the device.
- Reads the content of the SMS messages.
- Makes use of the framework's foreground persistence service
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Queries the mobile country code (MCC)
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Checks CPU information
- Checks memory information
PID:4251

com.cam321f.mac:remote
1⤵
- Makes use of the framework's foreground persistence service
PID:4446

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Hide Artifacts

T1628

User Evasion

T1628.002

Impair Defenses

T1629

Prevent Application Removal

T1629.001

Input Injection

T1516

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

Software Discovery

T1418

Security Software Discovery

T1418.001

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Protected User Data

T1636

Contact List

T1636.003

SMS Messages

T1636.004

Screen Capture

T1513

Command and Control

Exfiltration

Impact

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.cam321f.mac/app_crashrecord/1004

Filesize
222B

MD5
b5257fadfceaf14ff606b1d7dd371010

SHA1
471beb85fc604427bb7a0ddbbaf3c13e5f136f27

SHA256
b33b82d442b862093656b05df5be1a4ea309839d5467bf601137fcee6ae855d4

SHA512
ebce358064d0d1c8bbb231b439b47811aa73b50ce1630ffd3fb4ea8e446c7caa7274ae84ea4afdd32be7d43a6aa745d34bdf7d8b53cdbae3d6e43b6a0177b192

Download Submit
/data/data/com.cam321f.mac/app_crashrecord/1004

Filesize
58B

MD5
0d210bfb2a0e1f1b4c082a6a0f79de07

SHA1
bb8ed9e364db79d1d9f2fcde3f15091893222faa

SHA256
988722c23d78a46021d0e7ca9deee7aa8bb83288269174ffacb7316f381cca1d

SHA512
536e9867b0df29b15b789f8949be6ab37fcdeccb9d39ded981da7dc2052c9533d0ec0e6f9a5444132977605d372e1463d91bdde41b528ff2ca3f65ab152325c1

Download Submit
/data/data/com.cam321f.mac/cache/wp.jpeg

Filesize
143KB

MD5
5dc1983554a88c2a224ee046bb7314ec

SHA1
5b09273776014bf32fd8aa7bca9ce151d2c7d98f

SHA256
6a4d32e8ef673e70a8a4963124417be10eb09089f3aa049e1e3c7de515c69f21

SHA512
5ce30ef36c25d33f3416006c103608057a9cc88f2d88fe37de3bd895d68a005644d74aca0abd5bef02f2ed17709a38ae249b0dabeaa16d1c46c8a8c9d85c7e88

Download Submit
/data/data/com.cam321f.mac/databases/bugly_db_

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.cam321f.mac/databases/bugly_db_-journal

Filesize
512B

MD5
4c5b482d53c444c4ae02a61deefb0c51

SHA1
ff7d7864b4cd065f3660ee833e676535878845a8

SHA256
a23faf6376d9d450334aa1dd760055188b97b53443b897a32e8b6a0511fee1bf

SHA512
c841034f42a048cc3a8a8af3e02fd6dfd84069b6adf385ed42b23b43658f7f4d5a8c888d837c4c1feecc07e699f3ec1aebdf0e513ae4ae16275bfe5e75aa93e2

Download Submit
/data/data/com.cam321f.mac/databases/bugly_db_-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.cam321f.mac/databases/bugly_db_-wal

Filesize
92KB

MD5
f5ded130396159be2897adf357414c2d

SHA1
ae11ab44dce66729b4af7791d14b7ed20bafef07

SHA256
04b565e1eae1a5c7e34332542f795fffedda19a2aa9e41f2c49154ff62d1be17

SHA512
1db4a442cfe15d08d9e95cb89b22e2e79ddcaf4022975c0b35ec514afa4dcb3b0974198acae841f20ec833199300faefefed9e38b4dc9e4c59b5d0c9d1b70fc3

Download Submit
/data/data/com.cam321f.mac/files/bugly_last_us_up_tm

Filesize
13B

MD5
aa408deb2e2067628f62056ea2b8b219

SHA1
bbbad8844eb5ffb474d1e80c34a377e7fb730adb

SHA256
0d03b62746c464d0be250ac6a04e48d518779acea9020c53c8f0abf7de24b995

SHA512
d3ff81298ebd7fd4316dc002f2f2d4865e11549acfbebb368058079fd113943ea04ad1e9b6526dfb55202ed34b98e437b8b6d0b0423e0d3f13f4091786d3508b

Download Submit
/data/data/com.cam321f.mac/files/mmkv/mmkv.default

Filesize
4KB

MD5
620f0b67a91f7f74151bc5be745b7110

SHA1
1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d

SHA256
ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7

SHA512
2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d

Download Submit
/data/data/com.cam321f.mac/files/profileInstalled

Filesize
24B

MD5
1387786957f5464d1503fbe9e06124a5

SHA1
13eea547a433708462f695db0dea4f7d8af8e23c

SHA256
2f3aa448eecd6b4bac3fe02c7952fffd287a7cd0eb3cf910b2773ea22020489a

SHA512
7ffa1094806a2132800481e5065ac1526f1d22530a939718a088867dbe1d410c541dfd81764318240b27e6fe92e018bc89d1afa2d0fcaa4d1b66aae7c6e1c1ea

Download Submit
/data/data/com.cam321f.mac/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

Filesize
8B

MD5
30be1235aac84e2607443b357d1cc5ae

SHA1
b4d9a43047fb70d9525bc7344076625cb5f960e0

SHA256
88221511b69aca399317b075be2250895c4b43a4d69bd9a515ad5947f121c20a

SHA512
fdf325d7f5992aa22a67743a8b690a7a81be68c8eef0ad43812dd7d2927203b9fcbd4511aeef251bde2c53f423c861590e3cb30519cea6d5b4033e1bdde70ac2

Download Submit
/data/misc/profiles/cur/0/com.cam321f.mac/primary.prof

Filesize
1KB

MD5
027bf4950972c394dab576e3f799c8f2

SHA1
5933accf7e2152da750868aba364d5c84ab25ab5

SHA256
d000a751679b0cd000fb6e0356d51292b3c14a5845e0392984c92ebd6d826f36

SHA512
b3dce7b6178c50c37d373b64d9bcd781627d71cebac3276e88fb15754442ddb4ebd7ae5c698ca8a01e0414a5685bec4d1720682efa88514daed05068bdf10551

Download Submit
/data/misc/profiles/cur/0/com.cam321f.mac/primary.prof

Filesize
13KB

MD5
66348a5119fb7ccc4a81a629bf6513b8

SHA1
119313718cdc531e0bfa9c5c59497d82ffc270c8

SHA256
9d5f980c53462355feb2b6a4c04fc0d39305279088fbfce77302953efeabb1c7

SHA512
4b6a270e2c086cfe576c9780eb820ff0c26f29a227a8192725e0aa779f0233f4612562aae4e13cf2a4135a25d3cc225949aaf5c98c75c8dbfba82f741d9e6125

Download Submit
/storage/emulated/0/Android/data/com.cam321f.mac/files/log_data.idx

Filesize
3KB

MD5
d636e5153ca7fbcb1c815d82eaafca23

SHA1
63517e867901c88acaaeb8fec7b51608a8faf9d2

SHA256
f14bb7b5014b81b7da4dd8092865b9381a4eec026642e97e3fa18d148315cf58

SHA512
ce7971517569e8e74b2293bdfd54422d6aebd5506ef9bd9fbd5a4ae72a013c8498788390c36ae390e94d6194627f7d1da81e1901f0178a8fd3748375947e54a3

Download Submit
/storage/emulated/0/Android/data/com.cam321f.mac/files/log_data_000

Filesize
27KB

MD5
7b2eed328aa9f4d1174045c7c78d286f

SHA1
076f320b1d772457369d448b9f05514fcb11618f

SHA256
b360c4bc1a692430b6ff547aadc7d47d948227ef1e71274035ab4e8667a3c552

SHA512
6aa3211bccffcf0653f4de0d797649db97b82e3ca21be275d828f603120294a32328dfa90c4ff789e865f5fbdbc8e98bac2e55ac9f4f1429b9ace72fa3a4be24

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads