Analysis Overview
SHA256
275d4203f724c8649b02cb312be4c20e9b55fa043516574812e24210e8204a95
Threat Level: Known bad
The file 275d4203f724c8649b02cb312be4c20e9b55fa043516574812e24210e8204a95.apk was found to be: Known bad.
Malicious Activity Summary
FluBot
FluBot Payload
Requests dangerous framework permissions
Loads dropped Dex/Jar
Requests enabling of the accessibility settings.
Reads name of network operator
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-08-11 12:26
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-11 12:26
Reported
2021-08-11 12:28
Platform
android-x64
Max time kernel
892319s
Max time network
125s
Command Line
Signatures
FluBot
FluBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin | N/A | N/A |
| N/A | /data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Reads name of network operator
| Description | Indicator | Process | Target |
| Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.iqiyi.i18n
Network
| Country | Destination | Domain | Proto |
| N/A | 1.1.1.1:853 | tcp | |
| N/A | 216.239.35.8:123 | time.android.com | udp |
| N/A | 1.1.1.1:853 | tcp | |
| N/A | 194.58.112.174:80 | sqhrpytcpudojpd.ru | tcp |
| N/A | 87.106.18.146:80 | ivnxfjnsybvsbly.ru | tcp |
| N/A | 85.214.228.140:80 | gfoafycavdytdrv.ru | tcp |
| N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp |
| N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp |
| N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp |
| N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp |
| N/A | 186.145.238.42:80 | gjujgxolvbnjktc.ru | tcp |
Files
/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin
| MD5 | 60b28e463f010c3c441ff7500fa07933 |
| SHA1 | 452409673ac4a52fc967e9674718ebc92586e08a |
| SHA256 | c878f569215f440bd8565092a3545c0b8d0beebd6cfdaa320177df035492ae6d |
| SHA512 | 832add4d164a6d4151993ce4622ab6cc399ccbe89d1a677af5fee50bde3c69c0d474a17492f0e3433a6cc46f016bf9daded39c1aad3d1785a4f7422214bd3f35 |
/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.iqiyi.i18n/app_apkprotector_dex/classes-v1.bin
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.iqiyi.i18n/shared_prefs/DHL.xml
| MD5 | 07b8ad57428916ee7f8c8b17a4276132 |
| SHA1 | 58337b4e4875965540df7e11c903e35b569b60f6 |
| SHA256 | f2ee57636483a367b2bb8b1d2bd732e4322e2cfed3a60da6fc257241707ab145 |
| SHA512 | 4804e00b20ab81ea6d2ecd1c6f984c4fee8ebb2db4adb593524b5ec66dd9a1a5c890426f5418fd4c89b8f9f8afd401f77265e67a414da76ab470982da232018f |
/data/user/0/com.iqiyi.i18n/shared_prefs/DHL.xml
| MD5 | 1ab780fc32fce109eaf9e1ddf82038a9 |
| SHA1 | cb09a1d11a7c097304788424e2336e5d02dcfe15 |
| SHA256 | 33b44613edaabece1c0e1fde1842146e88cda7673f44fee66bbe20e8b4e09bb6 |
| SHA512 | b28f1f8791b1558615690493f55f6bef5ab802fc18ae1cd5815b87f44c4de43d6cb277414dad4d062d36cc7cf6026dc8993154352c7c42abeed263c1bb26dedc |