Overview

overview

8

Static

static

6

ca3a203c28...cf.apk

android-9-x86

8

ca3a203c28...cf.apk

android-11-x64

8

Analysis

  • max time kernel
    145s
  • max time network
    165s
  • platform
    android-11_x64
  • resource
    android-x64-arm64-20240910-en
  • resource tags

    arch:armarch:arm64arch:x64arch:x86image:android-x64-arm64-20240910-enlocale:en-usos:android-11-x64system
  • submitted
    28/03/2025, 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca3a203c2810ae366b4be8c6e6cf6efc03f43f53d618cf98bd9ecee3461859cf.apk

  • Size

    3.2MB

  • MD5

    81cc8fd18e70b10fe72d710a7364cbb3

  • SHA1

    49729ec127bfc6b060288d41f6d462c45cd743e8

  • SHA256

    ca3a203c2810ae366b4be8c6e6cf6efc03f43f53d618cf98bd9ecee3461859cf

  • SHA512

    d36cd310fe3e6d4990ca1be03616a2ef3b8b22f86b6f37dad5de0c40a5ff9165cbed2a1143256bed955de204f880dbf368910d338fad4c676b8fcc65ab886ac1

  • SSDEEP

    98304:/AceU5DD9v9H2wP7p+MISjFX1bQ4QaWGVMHCZo1iOQtd:/XdDZ9Ww9lX18MLLd

Score
8/10
collectioncredential_accessdefense_evasionevasionexecutionimpactpersistencestealthtrojan

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 4 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 1 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

    Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

    collectioncredential_accessimpact
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.merit.two
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Obtains sensitive information copied to the device clipboard
    • Performs UI accessibility actions on behalf of the user
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4658

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

Lateral Movement

Collection

Clipboard Data

1
T1414

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Data Manipulation

1
T1641

Transmitted Data Manipulation

1
T1641.001

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.merit.two/app_DynamicOptDex/oat/rFH.json.cur.prof
    Filesize

    213B

    MD5

    dbcc686b5ea52218d4fb715317cd0a3e

    SHA1

    555d41f27dcb07ca77cccd9513cc2100cb9e1f1a

    SHA256

    73ddcf83d8962cd9db2dde5822b806685858d02a3c1da130412bbf516e72129c

    SHA512

    87b906d69e24e73d37f2cc8b5db970294b2c831e31769b49c3d922330b1027a6e230321a476b97a6e2a8a867cb7b6031e676b2dfc4ee8cd5851cca67f2cf5c2a

    Download Submit

  • /data/data/com.merit.two/app_DynamicOptDex/rFH.json
    Filesize

    320KB

    MD5

    b60949791ddee789af14480c06e04e8c

    SHA1

    da6472b16c3d44a6aedff737054f5055b33bc71d

    SHA256

    bf71268fcd846856b0f68a8b00a88220a2b38e6f72f5b836b8d6e4c8392f833b

    SHA512

    e82ad76468615932c3821aee996ba52478f42423f7f36d38abf50feab2acf8eb5e62d6c1e4d8460429afc72e56f52fd45cc26347f716a5cc9310fd73fbda7e3b

    Download Submit

  • /data/data/com.merit.two/app_DynamicOptDex/rFH.json
    Filesize

    320KB

    MD5

    b9832d4befe984d46ab28213feb8ed8c

    SHA1

    f86c316319f9daabb5bf7a9cc92579edf7a2de7b

    SHA256

    7671a4476422de375c224cf3816d147422ee683c9ec3d4fb563ffa0cde57653e

    SHA512

    22fe768412a8c07f752c0c8ff8a607166bb6fdf4209b69157e56a66b264324fd462eab09a130ec25e24feeccaee4e3d0cb9b4ec5368c79ee49f8e8fb51e11fa3

    Download Submit

  • /data/user/0/com.merit.two/app_DynamicOptDex/rFH.json
    Filesize

    634KB

    MD5

    1eb567fd5d3355f70ebbc6dbce58c389

    SHA1

    7fa76b5ff901d874f22d2c8b0cfab38220083963

    SHA256

    1df9fceb16991b347374b0b9e47a6780f7aa8826bfb6c9b344fa97947e2f0078

    SHA512

    f30867ae6420ef427ce36b2c209f95bca7733ad71e9e9ce61a18628a6181380576a7b9fc391ab279f5844489bdad5006475c32b72c2028038bf7c14db95db8cf

    Download Submit