Overview

overview

8

Static

static

6

db44a4ae41...04.apk

android-9-x86

8

db44a4ae41...04.apk

android-13-x64

7

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    android-9_x86
  • resource
    android-x86-arm-20240910-en
  • resource tags

    arch:armarch:x86image:android-x86-arm-20240910-enlocale:en-usos:android-9-x86system
  • submitted
    28/03/2025, 22:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db44a4ae419c639b5df217a0409d166ab2cd30b5285577815c5cb9f4fdca4704.apk

  • Size

    3.2MB

  • MD5

    bad2ce50e2b1f3b021d3c9c26f0c6fac

  • SHA1

    0d219dab5fe997d48d122741ea8795226c185715

  • SHA256

    db44a4ae419c639b5df217a0409d166ab2cd30b5285577815c5cb9f4fdca4704

  • SHA512

    003a0e8e398572b7fea4125f0ee2a05f33710b1d55ffc4a496f379659905486b8414ed5586edf83f052cb6162284633d257572601e8f3c4a429b9c4152f8d581

  • SSDEEP

    98304:zvfWauQvPPsowBF7LLuDv+TMGyKoJX+QMDH82C4mbgjFfyaO:zGauQv2XiDAShv

Score
8/10
collectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistencestealthtrojan

Malware Config

Signatures

  • Removes its main activity from the application launcher 1 TTPs 8 IoCs
    stealthtrojanevasion
  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

    evasion
  • Makes use of the framework's Accessibility service 4 TTPs 3 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectiondefense_evasioncredential_access
  • Performs UI accessibility actions on behalf of the user 1 TTPs 4 IoCs

    Application may abuse the accessibility service to prevent their removal.

    evasion
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
    discovery
  • Requests disabling of battery optimizations (often used to enable hiding in the background). 1 TTPs 1 IoCs
    defense_evasion
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
    persistence
  • Schedules tasks to execute at a specified time 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

    executionpersistence
  • Checks CPU information 2 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • com.absurd.obscure
    1⤵
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
    • Makes use of the framework's Accessibility service
    • Performs UI accessibility actions on behalf of the user
    • Queries the mobile country code (MCC)
    • Requests disabling of battery optimizations (often used to enable hiding in the background).
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Schedules tasks to execute at a specified time
    • Checks CPU information
    • Checks memory information
    PID:4391
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.absurd.obscure/app_DynamicOptDex/uOF.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.absurd.obscure/app_DynamicOptDex/oat/x86/uOF.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4433

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

1
T1603

Persistence

Event Triggered Execution

1
T1624

Broadcast Receivers

1
T1624.001

Scheduled Task/Job

1
T1603

Privilege Escalation

Defense Evasion

Download New Code at Runtime

1
T1407

Hide Artifacts

2
T1628

Suppress Application Icon

1
T1628.001

User Evasion

1
T1628.002

Impair Defenses

1
T1629

Prevent Application Removal

1
T1629.001

Input Injection

1
T1516

Virtualization/Sandbox Evasion

2
T1633

System Checks

2
T1633.001

Credential Access

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Discovery

System Information Discovery

2
T1426

System Network Configuration Discovery

1
T1422

Lateral Movement

Collection

Input Capture

2
T1417

GUI Input Capture

1
T1417.002

Keylogging

1
T1417.001

Screen Capture

1
T1513

Command and Control

Exfiltration

Impact

Input Injection

1
T1516

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.absurd.obscure/app_DynamicOptDex/oat/uOF.json.cur.prof
    Filesize

    579B

    MD5

    60058113cb0e58d014662f89edb869de

    SHA1

    c12ea379240b38a2f2ec8a5a6442a9a1a3bebbb9

    SHA256

    3520fc79152abb99814eff5ac9a138f869a3c1fc1e2a5f197b1b2235499cf6cd

    SHA512

    e60ec69727d770a29cebfd3289d0f7fbe5de4298e53fa379bb7282e997157c18f807d16190c7eed641f6f1bcc51f79c20b679aa491c26fba9b6914d0b340645e

    Download Submit

  • /data/data/com.absurd.obscure/app_DynamicOptDex/uOF.json
    Filesize

    316KB

    MD5

    eb1abb6935f5a4d6b2072639452f69e9

    SHA1

    0c17be34448a35bc7fefbac758077cbe93c03321

    SHA256

    8208e733bc4e721f3e7e0352ade44c19d0fdbd9add48fdaa9bd5014013288312

    SHA512

    98fbdf9ff39fbf53ff3975944047d6d4b6259d277767e17c6c5b659a1ed13f4b37076dd7b2918701170717c3fd36104a16a0dfb4b5587b1b000818fca577ebaf

    Download Submit

  • /data/data/com.absurd.obscure/app_DynamicOptDex/uOF.json
    Filesize

    316KB

    MD5

    9cb6179ead9d59818349149a9c4953a1

    SHA1

    5fbb98d57466c56586eb8145d9cd0e6862949b03

    SHA256

    b6ca35fe9768361b5c9cf36da8fc5f827d07330ef0f72d11fbee79b945a46291

    SHA512

    3cf7a11ab520a5daaa24ed7855872a4e519929253fbb9da3899cbca488802e762a2faae6293283bfa439a9b3b9a5b9d5d7880a11ced5fe908a1134fe362c68a4

    Download Submit

  • /data/user/0/com.absurd.obscure/app_DynamicOptDex/uOF.json
    Filesize

    623KB

    MD5

    cfa1e66c1b0fb9b35c3bd7497771f0fb

    SHA1

    c3f032b263534a081fca51175a3a5a7744a40a2e

    SHA256

    302ee4c40d2ad81e44033f95b2e2532f2623df874d60a3dbcf46eb1cc3e78ae3

    SHA512

    b9b9c76dca2d3ee61f9c47c24c4184907484f87aae9c8a147200d0c6de92b9676a1d562106b8c98affee4cc6e76a0600e6db5e4d2c060fb164c2e7da1e02d232

    Download Submit

  • /data/user/0/com.absurd.obscure/app_DynamicOptDex/uOF.json
    Filesize

    623KB

    MD5

    68bb413af94442f24515ba659ffe7f48

    SHA1

    f9dbd05d4ec36febaf1ac84bda63f5cf77b42606

    SHA256

    cf05f425bd8d02c2f829c5849257dfc6151c66782984136c3f69babf8880f8c5

    SHA512

    5fb9ba804b61df42f252d7b21e76fe83491f6209e1edf240409348f585e3c91b3fc902f16e515bf42b94f892d8bd3877f86c19ca4f7baedae0820e578c51d88b

    Download Submit