Analysis Overview
SHA256
2b43af46398ece7b9e1e41bb7c2e2ff3ec227edb38283bea7622115bb76a7823
Threat Level: Known bad
The file 2B43AF46398ECE7B9E1E41BB7C2E2FF3EC227EDB38283BEA7622115BB76A7823.apk was found to be: Known bad.
Malicious Activity Summary
Cerberus
Makes use of the framework's Accessibility service.
Requests dangerous framework permissions
Removes a system notification.
Listens for changes in the sensor environment (might be used to detect emulation).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-02 09:39
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-02 09:39
Reported
2022-06-02 09:42
Platform
android-x86-arm-20220310-en
Max time kernel
600527s
Max time network
108s
Command Line
Signatures
Cerberus
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Listens for changes in the sensor environment (might be used to detect emulation).
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.ytnfrar.rtom
Network
| Country | Destination | Domain | Proto |
| NL | 142.251.39.106:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:53 | alt8-mtalk.google.com | udp |
| US | 64.233.171.188:5228 | alt8-mtalk.google.com | tcp |
| NL | 172.217.168.227:80 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.174:443 | udp | |
| US | 1.1.1.1:53 | alt1-mtalk.google.com | udp |
| US | 142.250.150.188:5228 | alt1-mtalk.google.com | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| NL | 142.250.179.164:80 | tcp | |
| NL | 142.251.36.36:80 | tcp | |
| NL | 172.217.168.227:80 | tcp | |
| US | 1.1.1.1:53 | lanadelrey.top | udp |
Files
/data/user/0/com.ytnfrar.rtom/app_webview/variations_seed_new
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.ytnfrar.rtom/shared_prefs/WebViewChromiumPrefs.xml
| MD5 | 21223e9184445fe043476484cd8cb1f9 |
| SHA1 | 2b4813f849121d60ba35eb0889080668bb62c778 |
| SHA256 | bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af |
| SHA512 | be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48 |
/data/user/0/com.ytnfrar.rtom/app_webview/variations_stamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.ytnfrar.rtom/app_webview/webview_data.lock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.ytnfrar.rtom/app_webview/Web Data
| MD5 | dc79f9ce5f3ab5270b33e61119dfc959 |
| SHA1 | 1844bf222a5144b513dcf2fb50a18c011701c647 |
| SHA256 | 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65 |
| SHA512 | 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e |
/data/user/0/com.ytnfrar.rtom/app_webview/Web Data-journal
| MD5 | 654c960c24702739b79921b171892e49 |
| SHA1 | e919da8119f951a9c139931246ee04c8dc2463ed |
| SHA256 | 799c703acd41d39006cf61a2b6ac3c19d555f6304bb61b0c986dff9459c08c61 |
| SHA512 | 42cac057eaa461dff4a2636ff5b5effeb70f85850c18b11ab33dd736b7a256565b9c73ff12aceea4b4a177bba8fdc960c3e359da8b3b843c4ecbb0d1955dd8af |
/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid
| MD5 | 2488ac28cb4f5013ad12318de93ed92e |
| SHA1 | 26766285370c6bc798841216c0c7caa7da895925 |
| SHA256 | 8dfe597f09b59f85d96e5472704fc0c8b79b23893c2b571993c37137b082d59e |
| SHA512 | 9af7ba79c00659fc48f1bb56dba6a6909d8c3ace300a4cadef443b5f4f62a5ebaeedc79e6bae47adc3bcd7e5a6d346d0fe9dc28497c2e63594b60b183d480fc5 |
/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index
| MD5 | 93027d42b314432c4216e6cfca48b384 |
| SHA1 | 43448dd8102979c3926828182579691945eedd4e |
| SHA256 | 3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c |
| SHA512 | a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e |
/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index-dir/temp-index
| MD5 | cfc459dc42e4567c3bd3ba330de53f25 |
| SHA1 | e73ceb1ceab1d4317509a9645f6716e17645bb5a |
| SHA256 | 6cc4d1d880bee17aee2b24ac85d6b559f45e4c8db1893c33312083a23066afef |
| SHA512 | e27bf1b5065d0083a7123ad35c387ca7856ab85ccdb054f0990f7358ea537eabf99d94c1a1b994d92d779194d5aa97dbbf791382bf4274db628e2d512fdfac35 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-02 09:39
Reported
2022-06-02 09:43
Platform
android-x64-20220310-en
Max time kernel
600583s
Max time network
182s
Command Line
Signatures
Cerberus
Listens for changes in the sensor environment (might be used to detect emulation).
| Description | Indicator | Process | Target |
| Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A |
Processes
com.ytnfrar.rtom
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 216.58.214.10:443 | tcp | |
| NL | 216.58.214.10:443 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 216.58.214.10:443 | tcp | |
| NL | 142.250.179.168:443 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 142.250.179.142:443 | tcp | |
| NL | 142.250.179.168:443 | tcp | |
| NL | 216.58.214.10:443 | tcp | |
| NL | 172.217.168.202:443 | tcp | |
| NL | 142.251.36.35:443 | tcp | |
| NL | 172.217.168.234:443 | tcp | |
| NL | 142.250.179.194:443 | tcp | |
| NL | 216.58.214.10:443 | tcp | |
| NL | 142.250.179.142:443 | tcp | |
| NL | 142.250.179.142:443 | tcp | |
| NL | 216.58.214.10:443 | tcp |
Files
/data/user/0/com.ytnfrar.rtom/app_webview/variations_seed_new
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.ytnfrar.rtom/shared_prefs/WebViewChromiumPrefs.xml
| MD5 | 6ef709b8536878951e87c29a1518fc2b |
| SHA1 | 24376c70b00152501b3d98df61fa7db435339172 |
| SHA256 | 10b13d894f36d4391fcc31313a244d5f6cd89c8e8c03347282e281c4af13c0a6 |
| SHA512 | 96547eff6779251a5c4941e812ec56ed273e9270265005723e1f2864688b04f3b852a90145fba4ea0ddf1e02b39d99e33d28f761b07a04d46e0e4257d8909ff9 |
/data/user/0/com.ytnfrar.rtom/app_webview/variations_stamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.ytnfrar.rtom/app_webview/webview_data.lock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.ytnfrar.rtom/app_webview/metrics_guid
| MD5 | 46b551cf97754757936fe1543da87e8c |
| SHA1 | 195a4c64842a7e9a784d357f9a8c29d6004ec481 |
| SHA256 | 31eab5149f5ff70fcaff333e24ec71b71ebb4ebd0954678d140df15c527f5f06 |
| SHA512 | 32635ed7102d88063da89716e3c81f2a835627f417f63f47b83d7b553dcb00a2a6ea2f9cdbe56be22cdec344c6162e8be9cf4f50ef9a87f9e0f491c67e7c8964 |
/data/user/0/com.ytnfrar.rtom/app_webview/Web Data
| MD5 | b663831f8cc130493476d94f2d7a5330 |
| SHA1 | 043a1956ab8e40821d67043f8a9110a8eb36fb93 |
| SHA256 | c109aa8bfc364d5fd0756f1c9d35ee3d6df31325061ac70d8469f28cfc882ab7 |
| SHA512 | e8ee923192cdf16318febdc23362f3eeaf5c914b923f80cd3a91a2e83e94bced54460d4ef1e54accc26a7d54b89e2e10c00097e60002cf6427298dc5f18fed16 |
/data/user/0/com.ytnfrar.rtom/app_webview/Web Data-journal
| MD5 | 14f5705433a3c070790c179588becc81 |
| SHA1 | 0ee99e55103588eb5b77b40b1279a2b16789222e |
| SHA256 | 61c29e2327403d457d160c609c6e026a554a06e4961c302bd5154940dc34cb36 |
| SHA512 | f68f53537b80fe375df368953b6e66007f8784e567e316197161b8c69322f891947d50f46d299f49fe984383524809edc00b83ea7624e7358c317cee2ad3d508 |
/data/user/0/com.ytnfrar.rtom/cache/org.chromium.android_webview/Code Cache/js/index
| MD5 | 6d7d499960179766cd4261d12dacc411 |
| SHA1 | e6f8553b0015e12b23cc551afe98763f3b1c9bed |
| SHA256 | c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182 |
| SHA512 | 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547 |
/data/user/0/com.ytnfrar.rtom/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index
| MD5 | 5fe7d9617f681be5d45d4c0b32f8a325 |
| SHA1 | 8e8101c60b7cb3708ab08aa4e858b0ed08eef1e3 |
| SHA256 | 223e67744ae4f06778ac4e48a527e9fc0f9b30e6db5c1c85b87c6615d3242606 |
| SHA512 | 9bc8398d23c7fac6c6426785aebf35d976212e473e4ddc4556bed45ab261a3c775a1ad6cc1bafd9fd3b0c33b069d65cb77e73383953bb1ab20661e0ceef4dfaa |
/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index
| MD5 | 6d7d499960179766cd4261d12dacc411 |
| SHA1 | e6f8553b0015e12b23cc551afe98763f3b1c9bed |
| SHA256 | c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182 |
| SHA512 | 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547 |
/data/user/0/com.ytnfrar.rtom/app_webview/GPUCache/index-dir/temp-index
| MD5 | 7419cf8aeabf90c1c6be92e63bf178dc |
| SHA1 | ae0e5c42bc7736e85438c1616a64f2865f1f121e |
| SHA256 | f002b5f9844e21e3261fc76fa1ddb9301a92f8700f5ae90e066fcfeb5de6f752 |
| SHA512 | a25ba856da92d957dd39624aeaaeaa3ee832d25e0b806d98b2b68fc93a71c77a345f0d3d58b92a90d6250e0b59d1127a8f75f70aabd16d151954b0f36d7bbf4a |
/data/user/0/com.ytnfrar.rtom/cache/WebView/Crashpad/settings.dat
| MD5 | 65561f6f8a2e22b8ceaac89106c455a4 |
| SHA1 | fc5354f6dd3dab84e7a6ba8984bf9fa36bb53586 |
| SHA256 | 0b5713532c567afa9984df43025fd3f4eb9644af34d11a0346eb0f7b5fcbcdf4 |
| SHA512 | 8d91ce1409cbf826599230e3e7493a4d342ab0292e2eabd76c28e0e9f2a1ca7afed36208a40d9f36f777bac167303ea0b211fa05435a4b154179496cdfeb8a74 |
/data/user/0/com.ytnfrar.rtom/app_webview/.com.google.Chrome.PVkKKr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral3
Detonation Overview
Submitted
2022-06-02 09:39
Reported
2022-06-02 09:39
Platform
android-x64-arm64-20220310-en