Malware Analysis Report

2025-01-19 05:32

Sample ID 220704-d3qdragdc8
Target cryptoapp.apk
SHA256 b12dd66de4d180d4bbf4ae23f66bac875b3a9da455d9010720f0840541366490
Tags
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b12dd66de4d180d4bbf4ae23f66bac875b3a9da455d9010720f0840541366490

Threat Level: Likely malicious

The file cryptoapp.apk was found to be: Likely malicious.

Malicious Activity Summary


Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Looks up external IP address via web service

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-07-04 03:32

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-04 03:32

Reported

2022-07-04 03:35

Platform

android-x86-arm-20220621-en

Max time kernel

3343288s

Max time network

158s

Command Line

werwerwee.qwetrydsf.yfdefes

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A
N/A icanhazip.com N/A N/A

Processes

werwerwee.qwetrydsf.yfdefes

Network

Country Destination Domain Proto
NL 142.250.179.194:443 tcp
NL 142.251.36.34:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 icanhazip.com udp
US 104.18.114.97:443 icanhazip.com tcp
US 1.1.1.1:53 xireycicin.xyz udp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
NL 142.250.179.195:443 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
US 1.1.1.1:853 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
US 157.240.214.11:443 tcp
NL 95.101.78.209:80 a.espncdn.com tcp
NL 2.21.41.5:443 tcp
US 157.240.214.174:443 tcp
BE 87.248.116.11:443 tcp
NL 91.198.174.192:443 tcp
US 151.101.1.16:443 tcp
NL 142.250.179.142:443 android.apis.google.com tcp
NL 142.251.36.35:443 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
NL 216.58.208.106:443 semanticlocation-pa.googleapis.com tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
US 157.240.214.11:443 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
US 1.1.1.1:853 tcp
IE 87.248.100.216:443 tcp
IE 87.248.100.216:443 tcp
IE 52.50.162.124:443 tcp
NL 216.58.208.106:443 semanticlocation-pa.googleapis.com tcp
IE 52.48.206.8:443 tcp
BE 87.248.116.11:443 tcp
BE 87.248.116.11:443 tcp
BE 87.248.116.11:443 tcp
BE 87.248.116.11:443 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
IE 52.48.206.8:443 tcp
IE 188.125.72.139:443 tcp
IE 188.125.72.139:443 tcp
IE 212.82.100.137:443 tcp
BE 87.248.116.11:443 tcp
US 152.199.16.2:443 tcp
US 18.65.39.56:443 tcp
IE 87.248.100.216:443 tcp
US 152.195.51.15:443 tcp
US 152.199.23.180:443 tcp
BE 87.248.116.11:443 tcp
BE 87.248.116.11:443 tcp
IE 212.82.100.182:443 tcp
IE 212.82.100.182:443 tcp
IE 212.82.100.182:443 tcp
IE 212.82.100.182:443 tcp
IE 212.82.100.182:443 tcp
IE 212.82.100.182:443 tcp
DE 18.156.0.31:443 tcp
US 44.198.6.76:443 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
IE 87.248.100.215:443 tcp
IE 87.248.100.215:443 tcp
IE 188.125.72.139:443 tcp
IE 212.82.100.137:443 tcp
IE 188.125.72.139:443 tcp
BE 87.248.116.11:443 tcp
NL 65.9.86.31:443 tcp
BE 87.248.116.11:443 tcp
BE 87.248.116.11:443 tcp
IE 212.82.100.182:443 tcp
DE 3.126.56.137:443 tcp
US 50.57.31.206:443 tcp
NL 172.217.168.226:443 tcp
DK 77.243.60.138:443 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
US 157.240.214.11:443 tcp
NL 142.251.36.36:443 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp

Files

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 20837fd8daf2a2de8d6c4ccd8e90653a
SHA1 7ac08617bd4585151c239325aea243d9eca586f7
SHA256 e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec
SHA512 a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 5cb0f79f329d68334f33e63750d88a49
SHA1 85428f62ef95c797f08ec410ba4fe84c91e817d1
SHA256 d79335b3b09224ffbb05b0a7d45d12d4bc1f2e7bd9263a7e5377fe3c1bc3604b
SHA512 039caa2de53e409b5b0db890149a612fc84bb726c9479aee85027838607d062feb6894fb0e24a2eb400b3917989ebf644153ad4fe83b0bd4632d74d3dac1569d

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-04 03:32

Reported

2022-07-04 03:35

Platform

android-x64-20220621-en

Max time network

135s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
NL 142.251.36.10:443 tcp
NL 142.251.36.10:443 tcp
N/A 224.0.0.251:5353 udp
NL 142.250.179.206:443 tcp
NL 172.217.168.234:443 tcp
NL 172.217.168.234:443 tcp
NL 142.251.36.34:443 tcp
NL 142.251.36.10:443 tcp
NL 142.250.179.170:80 play.googleapis.com tcp
NL 172.217.168.200:443 tcp
NL 216.58.208.110:443 tcp
US 1.1.1.1:853 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-07-04 03:32

Reported

2022-07-04 03:35

Platform

android-x64-arm64-20220621-en

Max time kernel

3343289s

Max time network

159s

Command Line

werwerwee.qwetrydsf.yfdefes

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Processes

werwerwee.qwetrydsf.yfdefes

Network

Country Destination Domain Proto
NL 142.250.179.195:443 tcp
NL 142.251.36.3:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
NL 142.251.36.35:443 tcp
NL 216.58.214.14:443 udp
NL 216.58.214.14:443 tcp
US 104.18.115.97:443 icanhazip.com tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
NL 172.217.168.232:443 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
US 1.1.1.1:853 tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp
RU 5.101.0.44:443 xireycicin.xyz tcp

Files

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 20837fd8daf2a2de8d6c4ccd8e90653a
SHA1 7ac08617bd4585151c239325aea243d9eca586f7
SHA256 e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec
SHA512 a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 40629fd218a1921144fccde51155abc1
SHA1 259981316f38f3b538443eac60839b8b0268c774
SHA256 edc51de6ea378118e3aee11c10db88b84059deeaaed9434cfe4154d73b149306
SHA512 013143b1efeca433127b20ae5ff045259ff19ce90729a66c218921d825293038747f5251043fd511533263eddb8f7ada758b75f62981044da872e2e5322b0943

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.device.prefs.xml

MD5 eea26fe916f5300d543d104c507cb5a2
SHA1 b5c7318f2247a995b46f0de583a73033a85ee0f5
SHA256 63e6248cbcfbb6d6ea72dd66a1c878823b70f1f2a05fa3f51880bdb015258acf
SHA512 1a6f885deb27d3ba40e9a82f26298cadd4809cfd8174f634f1e0df75d12ba6c4cd251b76d6132a40ea1c5b20afc01ff6a1a57032ecded355551bf9431243fecb

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 40e6801daac7f1acd559c527a34cdf6d
SHA1 832ac9144f5b1d76b309c0228e63d0878e8a8f7d
SHA256 a7d09131de77bab23af3f8f10290af517d6f0bafe3c0257b108edf837f3097e5
SHA512 77a0e86e62336afda48a3d51c2b4a79e32003a77efcccb0f2619e827c787701c258e8b29bcf3f994555d00a05e8039f2461caec57fef90e7a631f99d9630a1db

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/launcher.db

MD5 c911d474683116237ea09ab2dad6c7af
SHA1 d27e3498be910425adfabd803d6e4d11f5b50aed
SHA256 6a64a51754e8f2f58c37cdfdba998f7dc16b9f6982303e3a7d22aa11e44ffd34
SHA512 bd0f41f4499eafc8035d9438e7bff35dad68ec441b1d83f46b3904be411f653eb121cbaca82d8380ce59167f3b25c1cbc4bcaed2e558b61ceac81b724eee55a8

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/launcher.db-journal

MD5 0f7b8f581bbb8d92ca1f4721efba2fb2
SHA1 b7fd33084106e4249efdfc2c3e5bdb58a1388221
SHA256 f078e30eee8f3156fae78dcd23c5cad0b4dbdf508498b3d06134f5b06d04ab76
SHA512 c381ac0d50af871a5897b4dd26908d74fab3bc6c2a095423224335a36dee7c07d01e6397f3b6a30b122f445457ce3241fe85aba95f000caf85895ed092b41988

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 a44c2fb81476599162792952dc18e93d
SHA1 8b2dd43570ac7ccda7648c90f13788c1d507e51c
SHA256 8f27506efdf280d6a67f8cd3fd10307cc597e7dd40315f0cb100b171e432b0a7
SHA512 fe17a9cb751a4c4c7185e178b66a91e1113e4bddaa49429a0d36e1e2137a08d0bd8ec5531602debd1ae6e48a8e7a468d5b6ed47d8122608f755809d4b13f1734

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.managedusers.prefs.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/data/user/0/werwerwee.qwetrydsf.yfdefes/files/downgrade_schema.json

MD5 70435833064f71228d8d001901b56873
SHA1 2d68b64360bb323366fadab675f387c74b42a23a
SHA256 73353cdbb7fbf2ee224948f35a950ad7bbaad5269b59471e690b34988ecc19e2
SHA512 fb7642c1c01aeacc3d5748b8be977ef272e7e9325cfd9e64b8638d4be84ff030cab8483a92ea677ffc246223df81e4b2c544e121943ac9acc8e79b6255b5b55a

/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml

MD5 40e6801daac7f1acd559c527a34cdf6d
SHA1 832ac9144f5b1d76b309c0228e63d0878e8a8f7d
SHA256 a7d09131de77bab23af3f8f10290af517d6f0bafe3c0257b108edf837f3097e5
SHA512 77a0e86e62336afda48a3d51c2b4a79e32003a77efcccb0f2619e827c787701c258e8b29bcf3f994555d00a05e8039f2461caec57fef90e7a631f99d9630a1db

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/app_icons.db

MD5 e5ee1a848be9ff1a3dc1a5002b5b0678
SHA1 ff592d5805e5b40f49eb52d8fb5c254af202a40f
SHA256 2360ac275259b4968dc51400c1f2d820ef3a81245a107f16cfe85f52477ecbb5
SHA512 e3cc9a6b6ab47938c4912265ff5deaa9068f8e6e091f68f494150ddbd07c282acda2dc6b547fc70722b8afee13b2f4186c93f6571288ef01ce3074c56097507c

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/app_icons.db-journal

MD5 3b9bb7e377a6d15222b0c8c641eb1ea5
SHA1 6259a6229e2b948b5cd7cad1355fb47845d7731c
SHA256 d1ceae807b9ab1e04ce35988235206193f754691a3ac749e78831f27ab7c6c6a
SHA512 14fe05a42ed1cf69a8daeee78a53dedf7b90a1804ddc884903ba0c589ec0683210b09ebd3dfc8b72301f324855112ccef342270725a8382ecdd1d82ab0d9cc24

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/widgetpreviews.db

MD5 0678e6e6b1f4348088d4da865feed17f
SHA1 bb776ff575af7d93e0d673a42a23072e74e06956
SHA256 1620d357c5776920f359a8791327d4bb155107ee0b7278ebf8cd810595376d8b
SHA512 77b3dac14800fcfb6af4822ec77b0f85db66c626d72463e405fbfe5b90ae99a4a9096a877a08ccd5494e07d4c86e08be0ce9cf3d86af87445f7380e5730602de

/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/widgetpreviews.db-journal

MD5 98653121324fe2005418247ce812c574
SHA1 ee54649c036b5af51261ee51f049b1a1dee46228
SHA256 9cb4d8a08c5dcd14adc05e5a9abe71e8f778af441a38626515797a7beb1423a9
SHA512 a1c0e09b0299c1064d1d1e3e1b5761246a84ba32c79aaa3e6f3ec500b1a626a771ecbe4a6b56a7099745e54b760bc137b28f0d5fde822db8e5a313967d70be4a