Analysis Overview
SHA256
5bb714a7ae9542e717211bc4f865c9015e14e2909a426706656ec118131f9b95
Threat Level: Likely malicious
The file 5bb714a7ae9542e717211bc4f865c9015e14e2909a426706656ec118131f9b95 was found to be: Likely malicious.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Makes use of the framework's Accessibility service.
Acquires the wake lock.
Requests dangerous framework permissions.
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-15 10:30
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-15 10:30
Reported
2022-06-15 10:34
Platform
android-x86-arm-20220310-en
Max time kernel
1726827s
Max time network
148s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.seeturn9
Network
| Country | Destination | Domain | Proto |
| NL | 142.251.36.42:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 173.194.202.188:5228 | | tcp |
| US | 173.194.202.188:5228 | | tcp |
| US | 1.1.1.1:53 | alt8-mtalk.google.com | udp |
| US | 142.250.115.188:5228 | alt8-mtalk.google.com | tcp |
| US | 1.1.1.1:53 | alt8-mtalk.google.com | udp |
| US | 142.250.115.188:5228 | alt8-mtalk.google.com | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-15 10:30
Reported
2022-06-15 10:34
Platform
android-x64-20220310-en
Max time kernel
1726831s
Max time network
158s
Command Line
Signatures
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.seeturn9
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-06-15 10:30
Reported
2022-06-15 10:31
Platform
android-x64-arm64-20220310-en