Analysis
max time kernel: 146s
max time network: 150s
platform: android-11_x64
resource: android-x64-arm64-20240910-en
resource tags: arch:arm, arch:arm64, arch:x64, arch:x86, image:android-x64-arm64-20240910-en, locale:en-us, os:android-11-x64, system
submitted: 27/03/2025, 14:58
Behavioral tasks
- behavioral1: sample ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3.apk, resource android-x86-arm-20240910-en
- behavioral2: sample ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3.apk, resource android-x64-20240910-en
- behavioral3: sample ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3.apk, resource android-x64-arm64-20240910-en
General
Target: ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3.apk
Size: 1.9MB
MD5: 44405c5d83122d34d6d8cd8be926e4ac
SHA1: dfdcc3747ea7c93e289bcf83c341e65de15fca27
SHA256: ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3
SHA512: b3e33d0fe710e8f7fa736f43601ad624826fee2a5dc4c1696e024d71cfe54aa8dce03bb6331a6349a863e63373fbfc3b2b9c426028f554b4b97bcf16257649b6
SSDEEP: 49152:C4z7QDP2llZWltfrb6zYAVEOADgWDHfrFSXT:pUMlZUtfDOE3HfrFSXT
Malware Config
Signatures

Removes its main activity from the application launcher
- pid 4763, process com.example.autoclicker

Makes use of the framework's Accessibility service (4 TTPs, 2 IoCs)
Retrieves information displayed on the phone screen using AccessibilityService.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId (process com.example.autoclicker)
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText (process com.example.autoclicker)

Obtains sensitive information copied to the device clipboard (2 TTPs, 1 IoC)
Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.
- Framework service call android.content.IClipboard.addPrimaryClipChangedListener (process com.example.autoclicker)

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- Network flows 21, 22 and 33: myexternalip.com

Performs UI accessibility actions on behalf of the user (1 TTP, 8 IoCs)
Application may abuse the accessibility service to prevent its removal.
- Framework service call android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction (process com.example.autoclicker), 8 occurrences

Queries information about active data network (1 TTP, 1 IoC)
- Framework service call android.net.IConnectivityManager.getActiveNetworkInfo (process com.example.autoclicker)

Requests accessing notifications (often used to intercept notifications before users become aware) (1 TTP, 1 IoC)
- Intent action android.settings.ACTION_NOTIFICATION_LISTENER_SETTINGS (process com.example.autoclicker)

Requests disabling of battery optimizations (often used to enable hiding in the background) (1 TTP, 1 IoC)
- Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS (process com.example.autoclicker)

Checks CPU information (2 TTPs, 1 IoC)
- File opened for read: /proc/cpuinfo (process com.example.autoclicker)

Checks memory information (2 TTPs, 1 IoC)
- File opened for read: /proc/meminfo (process com.example.autoclicker)
Processes
com.example.autoclicker (PID 4763)
- Removes its main activity from the application launcher
- Makes use of the framework's Accessibility service
- Obtains sensitive information copied to the device clipboard
- Performs UI accessibility actions on behalf of the user
- Queries information about active data network
- Requests accessing notifications (often used to intercept notifications before users become aware)
- Requests disabling of battery optimizations (often used to enable hiding in the background)
- Checks CPU information
- Checks memory information
Network
MITRE ATT&CK Mobile v15
Defense Evasion
- Hide Artifacts (2)
  - Suppress Application Icon (1)
  - User Evasion (1)
- Impair Defenses (1)
  - Prevent Application Removal (1)
- Input Injection (1)
- Virtualization/Sandbox Evasion (2)
  - System Checks (2)
Credential Access
- Access Notifications (1)
- Clipboard Data (1)
- Input Capture (2)
  - GUI Input Capture (1)
  - Keylogging (1)
Discovery
- Software Discovery (1)
  - Security Software Discovery (1)
- System Information Discovery (2)
- System Network Connections Discovery (1)
Downloads