Analysis Overview
SHA256
7dcb987d39106ebb91cde38cdb87e43377963014722a4d49b2c49370ad54ae82
Threat Level: Known bad
The file 7DCB987D39106EBB91CDE38CDB87E43377963014722A4D49B2C49370AD54AE82.apk was found to be: Known bad.
Malicious Activity Summary
Alienbot
Makes use of the framework's Accessibility service.
Requests dangerous framework permissions
Loads dropped Dex/Jar
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-03 06:30
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Reported
0001-01-01 00:00
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-03 06:30
Reported
2022-06-03 07:38
Platform
android-x64-20220310-en
Max time kernel
679479s
Max time network
172s
Command Line
Signatures
Alienbot
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json | N/A | N/A |
| N/A | /data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json | N/A | N/A |
Processes
lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 216.58.214.8:443 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 188.114.96.0:443 | tcp | |
| NL | 142.251.39.104:443 | tcp | |
| NL | 172.217.168.206:443 | tcp | |
| NL | 172.217.168.202:443 | tcp | |
| NL | 142.251.36.2:443 | tcp | |
| NL | 172.217.168.202:443 | tcp | |
| NL | 172.217.168.202:443 | tcp | |
| NL | 142.251.36.10:443 | tcp | |
| NL | 172.217.168.202:443 | tcp |
Files
/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json
| MD5 | 9a50331ca013d3490f29a6d332394abb |
| SHA1 | 0a41cedc0a8288a2ba1b8ec2c8fcc48ccc061fcb |
| SHA256 | 136a06e4d715455a817a70ab6b8162e187b224e11041a73b5e14e9ea6d8d3551 |
| SHA512 | d004b02652ae4c260aaa71fc6a771fd1e4281166e24860f5db34e0bc8f38de826220064325ecde28fd4824d6c0a05b6b8f7dac3e3de5f551c45a645f949d1398 |
/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json
| MD5 | 5eec4c66cd3b761348a9a8dc665afd6a |
| SHA1 | f1d8c01316c5d522ff2e1847835a6b5ee8cd50bb |
| SHA256 | ee39b5b0bd3584c8e5ee8ac84e97887323f7cb7fb336b3c54fac18b7e8f20747 |
| SHA512 | 319cfba47d0111c02de98454c64931d1e7827aa8a2912d6d836f52d6bf0ef710ed9ca4ef8aa51eab18e1467ada87a1ca7c072bbacde4d04607a7317146e396be |
/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json
| MD5 | 5eec4c66cd3b761348a9a8dc665afd6a |
| SHA1 | f1d8c01316c5d522ff2e1847835a6b5ee8cd50bb |
| SHA256 | ee39b5b0bd3584c8e5ee8ac84e97887323f7cb7fb336b3c54fac18b7e8f20747 |
| SHA512 | 319cfba47d0111c02de98454c64931d1e7827aa8a2912d6d836f52d6bf0ef710ed9ca4ef8aa51eab18e1467ada87a1ca7c072bbacde4d04607a7317146e396be |
/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/oat/Kyk.json.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral3
Detonation Overview
Submitted
2022-06-03 06:30
Reported
2022-06-03 07:23
Platform
android-x64-arm64-20220310-en
Max time kernel
678579s
Max time network
170s
Command Line
Signatures
Alienbot
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json | N/A | N/A |
| N/A | /data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json | N/A | N/A |
Processes
lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
getprop ro.miui.ui.version.name
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:853 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| NL | 142.251.36.8:443 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.10:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| NL | 216.58.208.104:443 | tcp |
Files
/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json
| MD5 | 9a50331ca013d3490f29a6d332394abb |
| SHA1 | 0a41cedc0a8288a2ba1b8ec2c8fcc48ccc061fcb |
| SHA256 | 136a06e4d715455a817a70ab6b8162e187b224e11041a73b5e14e9ea6d8d3551 |
| SHA512 | d004b02652ae4c260aaa71fc6a771fd1e4281166e24860f5db34e0bc8f38de826220064325ecde28fd4824d6c0a05b6b8f7dac3e3de5f551c45a645f949d1398 |
/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json
| MD5 | 5eec4c66cd3b761348a9a8dc665afd6a |
| SHA1 | f1d8c01316c5d522ff2e1847835a6b5ee8cd50bb |
| SHA256 | ee39b5b0bd3584c8e5ee8ac84e97887323f7cb7fb336b3c54fac18b7e8f20747 |
| SHA512 | 319cfba47d0111c02de98454c64931d1e7827aa8a2912d6d836f52d6bf0ef710ed9ca4ef8aa51eab18e1467ada87a1ca7c072bbacde4d04607a7317146e396be |
/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/Kyk.json
| MD5 | 5eec4c66cd3b761348a9a8dc665afd6a |
| SHA1 | f1d8c01316c5d522ff2e1847835a6b5ee8cd50bb |
| SHA256 | ee39b5b0bd3584c8e5ee8ac84e97887323f7cb7fb336b3c54fac18b7e8f20747 |
| SHA512 | 319cfba47d0111c02de98454c64931d1e7827aa8a2912d6d836f52d6bf0ef710ed9ca4ef8aa51eab18e1467ada87a1ca7c072bbacde4d04607a7317146e396be |
/data/user/0/lkwzr.nqbmmkomdijrxzuyzhmqtsz.bmpczafrei/app_DynamicOptDex/oat/Kyk.json.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |