Overview

overview

8

Static

static

6

d16a297b20...cf.apk

android-9-x86

8

d16a297b20...cf.apk

android-13-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    28/03/2025, 22:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d16a297b20a5a637bcba76aaddbb6359a0d7dfd53755d51b9fec327a33231ccf.apk

  • Size

    3.2MB

  • MD5

    8fdb3385a0725c192b85931cd5213b4c

  • SHA1

    4f8ee6473efcbe642786404184425ec5f21e4360

  • SHA256

    d16a297b20a5a637bcba76aaddbb6359a0d7dfd53755d51b9fec327a33231ccf

  • SHA512

    0558be5eafb0d9f0be231cc7377e032bc6660bdb8aba0c265ebfea7fca210b693f4ae7ae5dbade3e993949f7a1950fd1a205336ba3af8aca1d1e47eb99a967da

  • SSDEEP

    98304:R1BCeHq5Wp9OPui4HUk3GhDmdlhVm2wGMD7W2C4mbgjFfyQ+3CbfoB:R1ASgWpSkiDQlC2dIoB

Score
8/10
collectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistencestealthtrojan

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 7 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.marriage.valve
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4257
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.marriage.valve/app_DynamicOptDex/nSsqBoJ.json --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.marriage.valve/app_DynamicOptDex/oat/x86/nSsqBoJ.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4283

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.marriage.valve/app_DynamicOptDex/nSsqBoJ.json
    Filesize

    315KB

    MD5

    da6b44ae29049c9c56dd81168beeebac

    SHA1

    0d7481baa1665b1495ef5d04819bf8f0b9b33f3a

    SHA256

    2490e6d0c0fc709b585736bbb3db95b02bfcc094db2c82690dc29b1fe6d8d887

    SHA512

    cfc01f87c213dda9313a1498ff31bd72b76f764160c392056d1413fb631acb1492e81d15a9713785540ac85894cbd08f52cdc037fbc628139080a90a59fc6158

    Download Submit

  • /data/data/com.marriage.valve/app_DynamicOptDex/nSsqBoJ.json
    Filesize

    315KB

    MD5

    11ee4f621cd1de11d906dc0ee4921044

    SHA1

    5b4a8eccfdafc542615fd78e9f3df4e1359b45f8

    SHA256

    ec8b7a1ec69bbeed50bacdee1c8872c1bab0d79c769d9f7fe4ebb0e60acfe7f1

    SHA512

    4ff0e96b351b8519a652f124c788202f576b1ac0ab0eb981271296d1120e7db921122b8d2af2be6650d4d0bf2edd036b2482f6f2f94f7dd1d6e39c1f28d566ed

    Download Submit

  • /data/data/com.marriage.valve/app_DynamicOptDex/oat/nSsqBoJ.json.cur.prof
    Filesize

    565B

    MD5

    e9a7deb6666391d1c3e9d03f5d116a96

    SHA1

    6afd9c2804b2d5e7c2984e776ff00dad516a99aa

    SHA256

    9c6debbe931291010935f4c9485137a4a8261f004a1317663801e18413ed3e68

    SHA512

    5f3c0283d2b3a3260cc92c8b1eef06dfaf7aba1663547dfbb0960271286dce291e9f707ec6ffe9692ab896e7552565066948b246c7d5480a20961d97893138ad

    Download Submit

  • /data/user/0/com.marriage.valve/app_DynamicOptDex/nSsqBoJ.json
    Filesize

    623KB

    MD5

    267874bc1c1b97477fd0127f8a680810

    SHA1

    0a334a89440dc9dfd81c2d1b37131fdc6b94f23b

    SHA256

    59ce3f1e9862d52b7d4f9d07a2faaecd63d7f3af0e37d22170b98c40449a446c

    SHA512

    93ce1fdd9dca479cc8fd34c97a7fdbd662a0467084e54eeec5cb7fbdda1e0eaf26e954b7d819546e28647a9054ddcc609a4e80557fc1a26d765b51e4f2b9e0ec

    Download Submit

  • /data/user/0/com.marriage.valve/app_DynamicOptDex/nSsqBoJ.json
    Filesize

    623KB

    MD5

    939f228afb1269609c26a041af42d094

    SHA1

    e6c6b94e84ca012ba1e709764ee0f4ba7968ec47

    SHA256

    fb6003a45a5dcc9d1676745c0f09488f2d844f5ddfef510d44ccfaf7ad03363c

    SHA512

    a4e55fa7756f3efdc42be7e80f1d61568ad0f6e499444cf2ad0c937d3d808f78c7c22efb35d62be96fd3992238749bd675735c8624d65bc7b5dfe1ffc630cb26

    Download Submit