Analysis Overview
SHA256
cbf737a0af39171fb82e2291b6c2a64145383b0c1c88e90793f56b4b247e5083
Threat Level: Known bad
The file cbf737a0af39171fb82e2291b6c2a64145383b0c1c88e90793f56b4b247e5083.apk was found to be: Known bad.
Malicious Activity Summary
FluBot
FluBot Payload
Loads dropped Dex/Jar
Requests enabling of the accessibility settings.
Requests dangerous framework permissions
Uses reflection
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-10-14 11:13
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-14 11:13
Reported
2021-10-14 11:18
Platform
android-x86-arm
Max time kernel
2122704s
Command Line
Signatures
FluBot
FluBot Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/base.apk.sljnmpo1.bxo | N/A | N/A |
| N/A | /data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/base.apk.sljnmpo1.bxo | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Uses reflection
| Description | Indicator | Process | Target |
| Invokes method android.view.ViewGroup.makeOptionalFitsSystemWindows | N/A | N/A | N/A |
| Accesses field com.android.okhttp.internal.tls.OkHostnameVerifier.INSTANCE | N/A | N/A | N/A |
Processes
com.qiyi.video
com.qiyi.video
/system/bin/dex2oat
Network
Files
/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/jYhsdbcz.fcla
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/tmp-base.apk.sljnmpo1270896663472615045.bxo
| MD5 | b8a504c91d38b2fe121a096bc93fd3b0 |
| SHA1 | 5c032a5f279aab096d1365cce9b3f25c9d793247 |
| SHA256 | 658a89a0a33688cfa23ea3ed8a6337951646e9d21068601873307a446a9c9295 |
| SHA512 | f6e7f6ecb448ffd810024216d1a15533c2b29ae0bb7e76773295bb8a4768c0567a925222dd5b082b4b792ee715d15065308147a43e103cba6a3fb988dbfdf881 |
/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/base.apk.sljnmpo1.bxo.x86.flock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/oat/x86/base.apk.sljnmpo1.vdex
| MD5 | 28e86720ba6b6e8dad72c76fe0724b0e |
| SHA1 | 5fead6e876b958ccf4e300771f7edfd7af9e9750 |
| SHA256 | 890505d257f65c1711a571e1da7e4de37fd6e145cdf92bc29b78445050ecec6a |
| SHA512 | c09934c005f7b1dc24821420bcb8f9dbfaaff5df81b1d2acddff128a1dcf711751cc365561b22998593b3b378c5f557e3cfa5fdbcd9654e54c2cecb4cb20a31b |
/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/oat/x86/base.apk.sljnmpo1.odex
| MD5 | f32d4ae497029986c696a158d1dba3ac |
| SHA1 | b791f8539b6efbe3d02b3a468f06c5cbc9f957cd |
| SHA256 | ebc1b876739db362fc068952079d65be80be253789cbd975f686f2e535cfcf67 |
| SHA512 | 08e2e59b875290e2da8c4fdfae9f89a47afc2289109f4f5d88eda2a02d0f2fac2044cfaec9f9aba1738b333d5551c8393e31a8e4e9454a56b22778ceb6b1e874 |
/data/user/0/com.qiyi.video/shared_prefs/multidex.version.xml
| MD5 | e43e4f33f603f953b750dea6b275716c |
| SHA1 | 5338594754a79538ca991c7b828798e8d814581a |
| SHA256 | fcff6383ce4d1a31f98c34cd47c1988410d7d2fcee40042abae6be48f6a60fa8 |
| SHA512 | 25831b1f78a7fb64446d5b6733ed2482a6cce15d5903f95f698dcc2cfd7eb5f41fcebbc7b10c073071e1b7cb41b7b3dd99ecfa1c7720bca770dc7194b42f8437 |
/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/base.apk.sljnmpo1.bxo
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.qiyi.video/joaghbfhbp/bkcvhhszbbhsbhG/base.apk.sljnmpo1.bxo
| MD5 | fffdd50a8dc902d0f846980583a076b3 |
| SHA1 | 65b4d0a8ef7c248f2c7a358eccb209b7ce6b9a82 |
| SHA256 | 1abb3e36860ec47e0d7ecab2215e0934474e4f55809280157e1edaba6e47eee3 |
| SHA512 | aa5d323ee4145ee26f5665bcca4ec99115e5d37d2b2def9406e88638f6bb5d57208a994b3023571499014a06db29bcb1efc23760bed5f301a814f87fdde6a529 |
/data/user/0/com.qiyi.video/shared_prefs/Voicemail.xml
| MD5 | 1e4db15344c6ee6c03af017a28a623c2 |
| SHA1 | 3ee89880a99c198553d5dc0e1cc6adc85ee4bdb0 |
| SHA256 | 31aed20dd8d8dba7f8309db8e50dbe135eb4f37f398a6b1b03516fe8e316c1cf |
| SHA512 | 54f8f09f71c756455b18727b3f54503b9a050077ca86d11aabca054e71a0c21b69fbdeb9e2b9aac667990da8f3d73503a2d7478c394c97aadfdc865ca82aa316 |