e83f32f70ed8b6d83972eac4225d5ab55734deb95d6e094464730f781b215c6d

Analysis

max time kernel
570s
max time network
602s
platform
android-11_x64
resource
android-x64-arm64-20240910-en
resource tags

arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
submitted
24/03/2025, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rex.apk
Size

5.9MB
MD5

7592b1770a1d0d5e669f8823d7ce6227
SHA1

afcad66bb5bff1d2398404ff9120b0b0302fa8c8
SHA256

0b9a995068927a901a45dfc103d707f47615ecac92706ae9169f4329b65569a5
SHA512

e8f34c11f88a8d13a5f985b753d6e9f91b21be0e3f92aad30daf98205190a221a92b732701ec94ab1c2c0018eac62e358cee09d37198b88f8907f2d64b6bca0d
SSDEEP

98304:yKd2ZrR7Wa+1Q2EVHlfv0wSZQV6Ipst7YhbDAhtlLxxFKyRbg3O+GCXnmqU:TNY0n9IeZwbDAhtl1eyFImqU

Score

8^/10

collection credential_access defense_evasion discovery impact persistence

Malware Config

Signatures

Checks if the Android device is rooted. 1 TTPs 3 IoCs

defense_evasion

System Information Discovery

T1426

ioc	Process
/system/app/Superuser.apk	com.tencent.mm
/sbin/su	com.tencent.mm
/system/bin/su	com.tencent.mm

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.tencent.mm

Queries the phone number (MSISDN for GSM devices) 1 TTPs
discovery

System Network Configuration Discovery
T1422

Reads the content of the SMS messages. 1 TTPs 1 IoCs

collection

SMS Messages

T1636.004

description	ioc	Process
URI accessed for read	content://sms/	com.tencent.mm

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	api.ipify.org
31	api.ipify.org

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

defense_evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.tencent.mm

Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs

defense_evasion

User Evasion

T1628.002

description	ioc	Process
Intent action	android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS	com.tencent.mm

Checks CPU information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/cpuinfo	com.tencent.mm

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.tencent.mm

com.tencent.mm
1⤵
- Checks if the Android device is rooted.
- Obtains sensitive information copied to the device clipboard
- Reads the content of the SMS messages.
- Makes use of the framework's foreground persistence service
- Requests disabling of battery optimizations (often used to enable hiding in the background).
- Checks CPU information
- Checks memory information
PID:4593