Analysis Overview
SHA256
b12dd66de4d180d4bbf4ae23f66bac875b3a9da455d9010720f0840541366490
Threat Level: Known bad
The file cryptoapp.apk was found to be: Known bad.
Malicious Activity Summary
malibot
Makes use of the framework's Accessibility service.
Requests dangerous framework permissions
Acquires the wake lock.
Looks up external IP address via web service
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-06-30 05:11
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
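All four permissions above are runtime ("dangerous") permissions, and together with the accessibility-service use recorded in the behavioral runs below they form the usual SMS-stealing banker profile. The script that follows is an added example, not output or code from the sandbox or from the sample: it performs the same static check on a decoded AndroidManifest.xml (for instance the one apktool writes), listing the dangerous permissions requested and any service the system would bind as an accessibility service. The embedded manifest is constructed for the demo: only the package name comes from this report; the service class `.AccService` and the extra INTERNET/WAKE_LOCK permissions are illustrative assumptions.

```python
"""Static triage of an AndroidManifest.xml: dangerous permissions and
accessibility-service declarations. Added example, not part of the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions that matter for SMS/OTP-stealing bankers;
# the first four are the ones the report flags for this sample.
DANGEROUS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def dangerous_permissions(manifest_xml: str) -> list:
    root = ET.fromstring(manifest_xml)
    requested = [attr(p, "name") for p in root.iter("uses-permission")]
    return sorted(p for p in requested if p in DANGEROUS)


def accessibility_services(manifest_xml: str) -> list:
    """Services the system binds as AccessibilityServices: they must carry
    android:permission=BIND_ACCESSIBILITY_SERVICE and an intent-filter for
    the AccessibilityService action. Returns their class names."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        if attr(svc, "permission") != ACCESSIBILITY_PERMISSION:
            continue
        actions = {attr(a, "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            found.append(attr(svc, "name"))
    return found


def triage(manifest_xml: str) -> dict:
    perms = dangerous_permissions(manifest_xml)
    a11y = accessibility_services(manifest_xml)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "dangerous_permissions": perms,
        "accessibility_services": a11y,
        # Escalate on the combination (SMS access + accessibility service),
        # not on either alone: plenty of legitimate apps have one of them.
        "banker_profile": bool(a11y) and any(p.endswith("_SMS") for p in perms),
    }


# Constructed manifest for the demo. Package name is from the report; the
# service class name and the INTERNET/WAKE_LOCK lines are assumptions.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="werwerwee.qwetrydsf.yfdefes">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    import json, sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(json.dumps(triage(xml_text), indent=2))
```

Run it as `python triage.py path/to/AndroidManifest.xml` after `apktool d cryptoapp.apk`; with no argument it runs on the constructed manifest. The `banker_profile` flag is deliberately a conjunction: a single dangerous permission is not a verdict, but SMS access plus a bound accessibility service is the combination that lets a banker read OTPs and drive the UI.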
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-30 05:11
Reported
2022-06-30 05:14
Platform
android-x86-arm-20220621-en
Max time kernel
3003670s
Max time network
154s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Processes
werwerwee.qwetrydsf.yfdefes
Network
| Country | Destination | Domain | Proto |
| NL | 142.250.179.142:443 | | tcp |
| NL | 142.250.179.195:443 | | tcp |
| NL | 216.58.208.99:443 | | tcp |
| NL | 142.250.179.195:443 | | tcp |
| NL | 142.250.179.195:443 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 142.251.39.98:443 | | tcp |
| NL | 142.251.39.104:443 | | tcp |
| NL | 142.250.179.142:443 | | udp |
| NL | 216.58.214.2:443 | | tcp |
| US | 104.18.115.97:443 | icanhazip.com | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| NL | 172.217.168.232:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| NL | 216.58.208.110:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
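The table above is the most useful artifact in the run: one external-IP lookup via icanhazip.com, then 32 TCP/443 connections to a single host in RU, which is the repeated-contact pattern the behavioral3 run reproduces. The script below is an added example, not part of the report, that parses these rows as printed, separates the IP-lookup service and the repeatedly contacted host from platform background traffic, and emits a flat IOC list. The allowlisted Google ranges and the beacon threshold of five connections are analyst assumptions, not something the report states; the sample rows are copied from the report's Network tables (behavioral1 plus the mDNS row from behavioral2), with the 32 identical xireycicin.xyz rows collapsed. The parser accepts both the report's row layout and rows where an empty Domain cell has shifted the protocol one column left.

```python
"""Aggregate the sandbox's connection rows into an IOC summary.
Added example, not part of the report."""
from ipaddress import ip_address, ip_network

# Public "what is my IP" services; hitting one is the report's
# "Looks up external IP address via web service" signature.
IP_LOOKUP_SERVICES = {"icanhazip.com", "api.ipify.org", "ifconfig.me", "ip-api.com"}

# Assumption: ranges an analyst allowlists as stock-image background traffic
# (Google Play services on the emulator). Confirm with rDNS/ASN data before
# trusting this list for a new image.
PLATFORM_RANGES = [ip_network(n) for n in ("142.250.0.0/15", "172.217.0.0/16", "216.58.192.0/19")]


def parse_row(line: str):
    """'| CC | ip:port | domain | proto |' -> dict, or None for non-data rows.
    Tolerates rows where an empty Domain cell shifted 'tcp'/'udp' left."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) < 3 or ":" not in cells[1]:
        return None
    cells += [""] * (4 - len(cells))
    cc, dst, c3, c4 = cells[:4]
    ip, _, port = dst.rpartition(":")
    domain, proto = c3, c4
    if not c4 and c3 in ("tcp", "udp"):
        domain, proto = "", c3
    return {"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_platform_noise(ip: str, port: int) -> bool:
    addr = ip_address(ip)
    if addr.is_multicast or addr.is_private:      # mDNS 224.0.0.251, RFC1918
        return True
    if ip == "1.1.1.1" and port == 853:            # Android private DNS (DoT)
        return True
    return any(addr in net for net in PLATFORM_RANGES)


def summarize(lines, beacon_threshold: int = 5) -> dict:
    """Group connections per (ip, port, proto), then bucket each destination."""
    by_dst = {}
    for line in lines:
        r = parse_row(line)
        if r is None:
            continue
        key = (r["ip"], r["port"], r["proto"])
        e = by_dst.setdefault(key, {"ip": r["ip"], "port": r["port"], "proto": r["proto"],
                                    "cc": r["cc"], "domains": set(), "connections": 0})
        e["connections"] += 1
        if r["domain"]:
            e["domains"].add(r["domain"])
    ip_lookup, c2_candidates, other = [], [], []
    for e in sorted(by_dst.values(), key=lambda e: -e["connections"]):
        if e["domains"] & IP_LOOKUP_SERVICES:
            ip_lookup.append(e)
        elif is_platform_noise(e["ip"], e["port"]):
            other.append(e)
        elif e["connections"] >= beacon_threshold:
            c2_candidates.append(e)                # repeated contact with one host
        else:
            other.append(e)                        # low-count unknowns: review by hand
    return {"ip_lookup": ip_lookup, "c2_candidates": c2_candidates, "other": other}


def iocs(summary: dict) -> list:
    """Flat, de-duplicated indicator list suitable for a blocklist."""
    out = []
    for e in summary["c2_candidates"]:
        out.extend(f"domain:{d}" for d in sorted(e["domains"]))
        out.append(f"ip:{e['ip']}")
    return sorted(set(out))


# Rows copied from the report's Network tables; the 32 identical
# xireycicin.xyz rows from behavioral1 are collapsed with a multiplication.
SAMPLE_ROWS = [
    "| Country | Destination | Domain | Proto |",
    "| NL | 142.250.179.142:443 | tcp | |",
    "| NL | 142.250.179.195:443 | tcp | |",
    "| US | 1.1.1.1:853 | tcp | |",
    "| US | 1.1.1.1:853 | tcp | |",
    "| NL | 142.250.179.142:443 | udp | |",
    "| US | 104.18.115.97:443 | icanhazip.com | tcp |",
] + ["| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |"] * 32 + [
    "| N/A | 224.0.0.251:5353 | udp | |",
]

if __name__ == "__main__":
    import sys
    s = summarize(open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ROWS)
    for bucket in ("ip_lookup", "c2_candidates"):
        for e in s[bucket]:
            print(f"{bucket:14} {e['ip']}:{e['port']}/{e['proto']} "
                  f"x{e['connections']} {sorted(e['domains'])}")
    print("IOCs:", iocs(s))
```

Grouping by (ip, port, proto) rather than by domain is deliberate: in the behavioral3 table the same 5.101.0.44 appears with and without a resolved domain, and counting those separately would halve the beacon count. The threshold is a triage heuristic, not a verdict; anything that lands in `other` with a non-allowlisted address still deserves a look.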
Files
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 20837fd8daf2a2de8d6c4ccd8e90653a |
| SHA1 | 7ac08617bd4585151c239325aea243d9eca586f7 |
| SHA256 | e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec |
| SHA512 | a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 5cb0f79f329d68334f33e63750d88a49 |
| SHA1 | 85428f62ef95c797f08ec410ba4fe84c91e817d1 |
| SHA256 | d79335b3b09224ffbb05b0a7d45d12d4bc1f2e7bd9263a7e5377fe3c1bc3604b |
| SHA512 | 039caa2de53e409b5b0db890149a612fc84bb726c9479aee85027838607d062feb6894fb0e24a2eb400b3917989ebf644153ad4fe83b0bd4632d74d3dac1569d |
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-30 05:11
Reported
2022-06-30 05:15
Platform
android-x64-20220621-en
Max time network
161s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| NL | 142.251.39.98:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| NL | 142.251.36.14:443 | | udp |
| NL | 142.251.36.40:443 | | tcp |
| NL | 172.217.168.238:443 | | tcp |
| NL | 142.250.179.170:443 | | tcp |
| NL | 142.250.179.131:443 | | tcp |
| NL | 142.250.179.170:443 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| NL | 142.251.36.42:443 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 172.217.168.238:443 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| NL | 172.217.168.238:443 | | tcp |
| US | 1.1.1.1:853 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-06-30 05:11
Reported
2022-06-30 05:14
Platform
android-x64-arm64-20220621-en
Max time kernel
3003673s
Max time network
164s
Command Line
Signatures
malibot
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Processes
werwerwee.qwetrydsf.yfdefes
Network
| Country | Destination | Domain | Proto |
| NL | 142.250.179.195:443 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 216.58.214.2:443 | | tcp |
| NL | 142.250.179.134:443 | | tcp |
| NL | 142.251.39.104:443 | | tcp |
| NL | 142.250.179.138:443 | | tcp |
| NL | 172.217.168.194:443 | | tcp |
| NL | 142.250.179.138:443 | | tcp |
| NL | 142.251.36.35:443 | | tcp |
| NL | 142.250.179.138:443 | | tcp |
| US | 104.18.115.97:443 | icanhazip.com | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| NL | 142.251.36.40:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| NL | 172.217.168.238:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| NL | 142.250.179.170:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 216.58.214.4:443 | | udp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| NL | 216.58.208.106:443 | | tcp |
| NL | 142.250.179.138:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
| RU | 5.101.0.44:443 | | tcp |
Files
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 20837fd8daf2a2de8d6c4ccd8e90653a |
| SHA1 | 7ac08617bd4585151c239325aea243d9eca586f7 |
| SHA256 | e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec |
| SHA512 | a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 40629fd218a1921144fccde51155abc1 |
| SHA1 | 259981316f38f3b538443eac60839b8b0268c774 |
| SHA256 | edc51de6ea378118e3aee11c10db88b84059deeaaed9434cfe4154d73b149306 |
| SHA512 | 013143b1efeca433127b20ae5ff045259ff19ce90729a66c218921d825293038747f5251043fd511533263eddb8f7ada758b75f62981044da872e2e5322b0943 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.device.prefs.xml
| MD5 | 3c16cb4832deadb43a96abc38eb13af4 |
| SHA1 | 7bcd9e314b0c3eae16aabe46a3aba681c5c516f9 |
| SHA256 | 3f0ed1762d4f00d55093d9f6244be7cdf0298e5fde7e090421a2e66f2302ca91 |
| SHA512 | 296f96a5b57add3dafc8d8b0eeb0333ff79497ac8451ce97d37ed7e72e88e01e6c65b5779c812bbedc7f956125fc734a38852c01727e0274adba27d2a5890007 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 40e6801daac7f1acd559c527a34cdf6d |
| SHA1 | 832ac9144f5b1d76b309c0228e63d0878e8a8f7d |
| SHA256 | a7d09131de77bab23af3f8f10290af517d6f0bafe3c0257b108edf837f3097e5 |
| SHA512 | 77a0e86e62336afda48a3d51c2b4a79e32003a77efcccb0f2619e827c787701c258e8b29bcf3f994555d00a05e8039f2461caec57fef90e7a631f99d9630a1db |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/launcher.db
| MD5 | 7b871ca00b8bd1ca218ac0bd2e3d9c92 |
| SHA1 | 9e6399c04781b15d9f37684aeca03a7e353a9d85 |
| SHA256 | 18eb86ff1e51ccc7ddc3fac1d986d012e891abf133e041dd467d18c0a55d732c |
| SHA512 | 518806fd0b424fd4a655223c272279770b3a2691e6b0e7fa132ee6518ed0f5933db6bc578195b33ba8c63bc3549b7ba0a1d2840d32ae76957e37e0e7de09a2d3 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/launcher.db-journal
| MD5 | ee5c6bc438210ab23ad69ea7ceb473cd |
| SHA1 | 4a872eff294ce4dfcb6eaaeda67a4448a3a482a9 |
| SHA256 | 1aa936681cd790051e7be0cfa7ceee6431a950b63119b37c88f96b5828678b26 |
| SHA512 | 3558b6b1514317944d8440ac2be7eea351e3a9d2fa6bfdf16fb5c0884c11574d4b2e1bbe993a5d69e893aa69d7da4efbdec727dc490a361fdcfbc9e1fc027617 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | a44c2fb81476599162792952dc18e93d |
| SHA1 | 8b2dd43570ac7ccda7648c90f13788c1d507e51c |
| SHA256 | 8f27506efdf280d6a67f8cd3fd10307cc597e7dd40315f0cb100b171e432b0a7 |
| SHA512 | fe17a9cb751a4c4c7185e178b66a91e1113e4bddaa49429a0d36e1e2137a08d0bd8ec5531602debd1ae6e48a8e7a468d5b6ed47d8122608f755809d4b13f1734 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.managedusers.prefs.xml
| MD5 | 9781ca003f10f8d0c9c1945b63fdca7f |
| SHA1 | 4156cf5dc8d71dbab734d25e5e1598b37a5456f4 |
| SHA256 | 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793 |
| SHA512 | 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/files/downgrade_schema.json
| MD5 | 70435833064f71228d8d001901b56873 |
| SHA1 | 2d68b64360bb323366fadab675f387c74b42a23a |
| SHA256 | 73353cdbb7fbf2ee224948f35a950ad7bbaad5269b59471e690b34988ecc19e2 |
| SHA512 | fb7642c1c01aeacc3d5748b8be977ef272e7e9325cfd9e64b8638d4be84ff030cab8483a92ea677ffc246223df81e4b2c544e121943ac9acc8e79b6255b5b55a |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 40e6801daac7f1acd559c527a34cdf6d |
| SHA1 | 832ac9144f5b1d76b309c0228e63d0878e8a8f7d |
| SHA256 | a7d09131de77bab23af3f8f10290af517d6f0bafe3c0257b108edf837f3097e5 |
| SHA512 | 77a0e86e62336afda48a3d51c2b4a79e32003a77efcccb0f2619e827c787701c258e8b29bcf3f994555d00a05e8039f2461caec57fef90e7a631f99d9630a1db |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/app_icons.db
| MD5 | 161523450a470330265bf8ff98f2ded8 |
| SHA1 | e29137d1e367fda458d5c7946e600f8b60d97dde |
| SHA256 | d33d965849bb902629f7b983873b83b624c2de8a58f502ab373596f32ab18982 |
| SHA512 | dd5cb932ddd500b65d9731395637ec65c403668402eb84d110b4043473f155cc0d1d23d3a3d6ede5387cc2dd0e621609afa475cea13ae222bbf16bd62a340794 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/app_icons.db-journal
| MD5 | a27db5a03d599a9c179e085e955e8209 |
| SHA1 | afe84e1d4e05f8dd86a3914cad7b62d2775fd59d |
| SHA256 | 1aa450ef9011e3c4f50b0dca541091312d67d45ad6f26b489d3e28edaea91d38 |
| SHA512 | 2a5411508951b507402ab4442575ff7bf49e2384c4287751a55bbb957314b2aa987e3545494c9ed7e2e250ea85ebf2c3fc38b5f752213e6206cd8cda75403978 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/widgetpreviews.db
| MD5 | 0678e6e6b1f4348088d4da865feed17f |
| SHA1 | bb776ff575af7d93e0d673a42a23072e74e06956 |
| SHA256 | 1620d357c5776920f359a8791327d4bb155107ee0b7278ebf8cd810595376d8b |
| SHA512 | 77b3dac14800fcfb6af4822ec77b0f85db66c626d72463e405fbfe5b90ae99a4a9096a877a08ccd5494e07d4c86e08be0ce9cf3d86af87445f7380e5730602de |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/widgetpreviews.db-journal
| MD5 | a230198b1881635662cb309e3bc26509 |
| SHA1 | 9037db35676c2aab7eeb47a71cf354c6b3fe03bc |
| SHA256 | b3cc355d793022993bc700f1913d1a7bbe173e1aa86841207320f4e9320d8ff3 |
| SHA512 | e5290b59540852474e13f54f98c541933444a7f6840e1e0fce296536b8a9901f2dcbb5a228002d12d2e946d01f0c65353680e4ca77ee9c56afc0902f4e9c2fdc |