Analysis Overview
SHA256
991fa28524eeda6f8fe3430c1d44a7ef42c4240c275e630548e2eda73789b469
Threat Level: Known bad
The file 991fa28524eeda6f8fe3430c1d44a7ef42c4240c275e630548e2eda73789b469.apk was found to be: Known bad.
Malicious Activity Summary
FluBot
FluBot Payload
Requests dangerous framework permissions
Loads dropped Dex/Jar
Requests enabling of the accessibility settings.
Reads name of network operator
Uses Crypto APIs (Might try to encrypt user data).
Uses reflection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-08-17 10:25
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-17 10:25
Reported
2021-08-17 10:27
Platform
android-x64
Max time kernel
1403458s
Max time network
117s
Command Line
Signatures
FluBot
FluBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json | N/A | N/A |
| N/A | /data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Reads name of network operator
| Description | Indicator | Process | Target |
| Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Uses reflection
| Description | Indicator | Process | Target |
| Acesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
| Acesses field javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A | N/A |
Processes
com.tencent.mobileqq
Network
| Country | Destination | Domain | Proto |
| N/A | 1.1.1.1:853 | tcp | |
| N/A | 1.1.1.1:853 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 87.106.18.146:80 | bmwedwslangtayb.ru | tcp |
| N/A | 194.58.112.174:80 | eprwfthrquwdmlk.ru | tcp |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 216.239.35.12:123 | time.android.com | udp |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 85.214.228.140:80 | emkbnbttbufjhax.ru | tcp |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 104.16.249.249:443 | tcp | |
| N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp |
| N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp |
| N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp |
| N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp |
| N/A | 179.38.113.242:80 | gurjealmokihfsa.ru | tcp |
Files
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json
| MD5 | c76a33c8c0cad41b82d0d8d6e88ec7ac |
| SHA1 | ed844413b06f6e2fbba087cd8dfee9ce0d36b815 |
| SHA256 | 2b5330a23d4fa7031d0d90e3146ec674d2353b25476d259c9d34ad429005fed8 |
| SHA512 | 3e19d1ccdb5857a5f87092039f3d7a88e4655d4db53419b6e516a55baf594775bc0d44755df9d15f330b337638e5226c303096e75f664fcad4f5bf14bf03df68 |
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json
| MD5 | 4751e30d80997c4507c34d00e79f3df3 |
| SHA1 | 1060c4762b297f401fa59cad99d3ba5d776c7e9a |
| SHA256 | efe09ee103b3f8716493dba38909fb3b7b1c5ab71ce6a1eb1520cf861321ca56 |
| SHA512 | 9ea225a3b0d9901f6002b2c28375f26fcb7b70e9bd97728507c082e91ac059e9ed73b323a0fb4aee6a106336c86a9ab7a9f7fba2b621919e71f1a3bd3bafbff9 |
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/btJiFwP.json
| MD5 | c76a33c8c0cad41b82d0d8d6e88ec7ac |
| SHA1 | ed844413b06f6e2fbba087cd8dfee9ce0d36b815 |
| SHA256 | 2b5330a23d4fa7031d0d90e3146ec674d2353b25476d259c9d34ad429005fed8 |
| SHA512 | 3e19d1ccdb5857a5f87092039f3d7a88e4655d4db53419b6e516a55baf594775bc0d44755df9d15f330b337638e5226c303096e75f664fcad4f5bf14bf03df68 |
/data/user/0/com.tencent.mobileqq/app_DynamicOptDex/oat/btJiFwP.json.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.tencent.mobileqq/shared_prefs/UPS.xml
| MD5 | 3667e937146afe85c8eb06938d8c1a5d |
| SHA1 | 1cbb6b198af375e1c10b9dfdde6ecd5cc18b1289 |
| SHA256 | 69a71982a4e729dc2acdc7f317ae987dee9fd49e85a1b7e7a312e2f0b66284c7 |
| SHA512 | 3625426d6e511cc95ce1ff4c518eee24b3f4846f58f5dfead471fc37716b96fa58e033266ae89fa1da0feed48dd7671fe4c833009f243817080af650eb3c0d59 |
/data/user/0/com.tencent.mobileqq/shared_prefs/UPS.xml
| MD5 | cf57012bd2d221b3d8499f27e44a58c5 |
| SHA1 | d077b9a5f9964f16a9da8d886d1d096a442f0c5d |
| SHA256 | 2a37fa9c321a101751e90eafded02b80224461d3e9a718532c983db4a0401575 |
| SHA512 | 087191cef4ebe404f6fd8ab2ac2ea4378ccb62e0c141a5ba1e27e84b0c908975c3bea9d789715fe004d0209a52081b62942e942fdf223891fd572847aa7255cf |