Analysis Overview
SHA256
6095140ebd9bd139530107f1eb4e50a8f023dada2e2d2f1845fbe1500c8de1b8
Threat Level: Known bad
The file 6095140ebd9bd139530107f1eb4e50a8f023dada2e2d2f1845fbe1500c8de1b8.apk was found to be: Known bad.
Malicious Activity Summary
FluBot
FluBot Payload
Requests dangerous framework permissions
Loads dropped Dex/Jar
Requests enabling of the accessibility settings.
Reads name of network operator
Uses Crypto APIs (Might try to encrypt user data).
Uses reflection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-08-17 07:30
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-08-17 07:30
Reported
2021-08-17 07:33
Platform
android-x64
Max time kernel
1392958s
Max time network
125s
Command Line
Signatures
FluBot
FluBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | N/A | N/A |
| N/A | /data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Reads name of network operator
| Description | Indicator | Process | Target |
| Framework API call | android.telephony.TelephonyManager.getNetworkOperatorName | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Uses reflection
| Description | Indicator | Process | Target |
| Accesses field | com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
| Accesses field | javax.security.auth.x500.X500Principal.thisX500Name | N/A | N/A |
Processes
com.tencent.mm
Network
| Country | Destination | Domain | Proto |
| N/A | 1.1.1.1:853 | N/A | tcp |
| N/A | 216.239.35.0:123 | time.android.com | udp |
| N/A | 1.1.1.1:853 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 61.36.14.230:80 | updolikflgqtabg.ru | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 104.16.248.249:443 | N/A | tcp |
| N/A | 61.36.14.230:80 | updolikflgqtabg.ru | tcp |
| N/A | 61.36.14.230:80 | updolikflgqtabg.ru | tcp |
| N/A | 61.36.14.230:80 | updolikflgqtabg.ru | tcp |
| N/A | 61.36.14.230:80 | updolikflgqtabg.ru | tcp |
| N/A | 61.36.14.230:80 | updolikflgqtabg.ru | tcp |
Files
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin
| MD5 | 7b8948d91629874c0f306a7ded0f6fb6 |
| SHA1 | 1ddfa9be8cc79d4829de6ca14f7e3c80f2334092 |
| SHA256 | 543aef990fd57ca3af8c272018106620fd9316e0b3dbb3383baae53f567c04f0 |
| SHA512 | 19c5c7515913bc841d3c04a632ac0bc6f71f5b6c02ef740683241b32e021bb0c7c98116f1958bbeecb1bfafce92749e9333ffceebab8deed5790ac3b83bc9326 |
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.tencent.mm/app_apkprotector_dex/classes-v1.bin
| MD5 | dd00ec74f90316b4c1eb5ac57865d66b |
| SHA1 | 1744e7524664a7a08c803b7799370e783163529b |
| SHA256 | d078d295308ac9fc559fe8ef64ed7b0daeffa220fff82352cbf8a751828e1ddd |
| SHA512 | 8c835227df714e7fa601b9dabac5aad73a6b13fdfbf5306e1fd963570a0715f56c7895dc53b934d4b6bfd9cb73742b55729f41a635113a7e3f0dc40cdf1080f8 |
/data/user/0/com.tencent.mm/shared_prefs/DHL.xml
| MD5 | 36c873b969b85fabda42da460d1ea8ed |
| SHA1 | 7f3b2b8743aaf097c41d72c81c46acb878fd395b |
| SHA256 | f8fde7c479073cfc40bf3ee74399c14f06793d3cb744bf87daf771575b8e486a |
| SHA512 | 587a95de103554d0756ff73031102701c278faa65b52d4c26b49368f9ce2fd5d8ee6220f6af059e29092a16b0b6ad1c620e58484298deb1025ed8808cd232d6c |
/data/user/0/com.tencent.mm/shared_prefs/DHL.xml
| MD5 | 5a5b8fd486b8c27d6cea8ce6315a6c3c |
| SHA1 | 97ffd8c5a36ac44239a143fb5a2ec88a0362b2ab |
| SHA256 | d7dc18dee4930d9c83fcc01708419303b3651e271b841dda6b78cac0f76348ba |
| SHA512 | d43f0993a05050707e6fd73f4fa7aae69e9397d9c34f81e758eed7383036274f41f122ef4a4732afbae958a2b198384b09d00a13e5f9e717d42f16470a642f10 |