Analysis Overview
SHA256
b12dd66de4d180d4bbf4ae23f66bac875b3a9da455d9010720f0840541366490
Threat Level: Likely malicious
The file cryptoapp.apk was found to be: Likely malicious.
Malicious Activity Summary
Makes use of the framework's Accessibility service.
Requests dangerous framework permissions
Acquires the wake lock.
Looks up external IP address via web service
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-07-04 03:32
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-04 03:32
Reported
2022-07-04 03:35
Platform
android-x86-arm-20220621-en
Max time kernel
3343288s
Max time network
158s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | icanhazip.com | N/A | N/A |
| N/A | icanhazip.com | N/A | N/A |
Processes
werwerwee.qwetrydsf.yfdefes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 142.250.179.194:443 | | tcp |
| NL | 142.251.36.34:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | icanhazip.com | udp |
| US | 104.18.114.97:443 | icanhazip.com | tcp |
| US | 1.1.1.1:53 | xireycicin.xyz | udp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| NL | 142.250.179.195:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| US | 1.1.1.1:853 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| US | 157.240.214.11:443 | | tcp |
| NL | 95.101.78.209:80 | a.espncdn.com | tcp |
| NL | 2.21.41.5:443 | | tcp |
| US | 157.240.214.174:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| NL | 91.198.174.192:443 | | tcp |
| US | 151.101.1.16:443 | | tcp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| NL | 142.251.36.35:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| NL | 216.58.208.106:443 | semanticlocation-pa.googleapis.com | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| US | 157.240.214.11:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| US | 1.1.1.1:853 | | tcp |
| IE | 87.248.100.216:443 | | tcp |
| IE | 87.248.100.216:443 | | tcp |
| IE | 52.50.162.124:443 | | tcp |
| NL | 216.58.208.106:443 | semanticlocation-pa.googleapis.com | tcp |
| IE | 52.48.206.8:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| IE | 52.48.206.8:443 | | tcp |
| IE | 188.125.72.139:443 | | tcp |
| IE | 188.125.72.139:443 | | tcp |
| IE | 212.82.100.137:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| US | 152.199.16.2:443 | | tcp |
| US | 18.65.39.56:443 | | tcp |
| IE | 87.248.100.216:443 | | tcp |
| US | 152.195.51.15:443 | | tcp |
| US | 152.199.23.180:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| IE | 212.82.100.182:443 | | tcp |
| IE | 212.82.100.182:443 | | tcp |
| IE | 212.82.100.182:443 | | tcp |
| IE | 212.82.100.182:443 | | tcp |
| IE | 212.82.100.182:443 | | tcp |
| IE | 212.82.100.182:443 | | tcp |
| DE | 18.156.0.31:443 | | tcp |
| US | 44.198.6.76:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| IE | 87.248.100.215:443 | | tcp |
| IE | 87.248.100.215:443 | | tcp |
| IE | 188.125.72.139:443 | | tcp |
| IE | 212.82.100.137:443 | | tcp |
| IE | 188.125.72.139:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| NL | 65.9.86.31:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| BE | 87.248.116.11:443 | | tcp |
| IE | 212.82.100.182:443 | | tcp |
| DE | 3.126.56.137:443 | | tcp |
| US | 50.57.31.206:443 | | tcp |
| NL | 172.217.168.226:443 | | tcp |
| DK | 77.243.60.138:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| US | 157.240.214.11:443 | | tcp |
| NL | 142.251.36.36:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
Files
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 20837fd8daf2a2de8d6c4ccd8e90653a |
| SHA1 | 7ac08617bd4585151c239325aea243d9eca586f7 |
| SHA256 | e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec |
| SHA512 | a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 5cb0f79f329d68334f33e63750d88a49 |
| SHA1 | 85428f62ef95c797f08ec410ba4fe84c91e817d1 |
| SHA256 | d79335b3b09224ffbb05b0a7d45d12d4bc1f2e7bd9263a7e5377fe3c1bc3604b |
| SHA512 | 039caa2de53e409b5b0db890149a612fc84bb726c9479aee85027838607d062feb6894fb0e24a2eb400b3917989ebf644153ad4fe83b0bd4632d74d3dac1569d |
Analysis: behavioral2
Detonation Overview
Submitted
2022-07-04 03:32
Reported
2022-07-04 03:35
Platform
android-x64-20220621-en
Max time network
135s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.206:443 | | tcp |
| NL | 172.217.168.234:443 | | tcp |
| NL | 172.217.168.234:443 | | tcp |
| NL | 142.251.36.34:443 | | tcp |
| NL | 142.251.36.10:443 | | tcp |
| NL | 142.250.179.170:80 | play.googleapis.com | tcp |
| NL | 172.217.168.200:443 | | tcp |
| NL | 216.58.208.110:443 | | tcp |
| US | 1.1.1.1:853 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-07-04 03:32
Reported
2022-07-04 03:35
Platform
android-x64-arm64-20220621-en
Max time kernel
3343289s
Max time network
159s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | icanhazip.com | N/A | N/A |
Processes
werwerwee.qwetrydsf.yfdefes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 142.250.179.195:443 | | tcp |
| NL | 142.251.36.3:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 142.251.36.35:443 | | tcp |
| NL | 216.58.214.14:443 | | udp |
| NL | 216.58.214.14:443 | | tcp |
| US | 104.18.115.97:443 | icanhazip.com | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| NL | 172.217.168.232:443 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| US | 1.1.1.1:853 | | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
| RU | 5.101.0.44:443 | xireycicin.xyz | tcp |
Files
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 20837fd8daf2a2de8d6c4ccd8e90653a |
| SHA1 | 7ac08617bd4585151c239325aea243d9eca586f7 |
| SHA256 | e05f0ae0ee70ef2efac07e999da273b5f506462b67549f9080f6cdf469d70cec |
| SHA512 | a4fd7ac1ce847a84fe4f47c2e7079f00b16b86213fe840b70e3a55992a043da99ca6fe1c9a723e709e2ee3985ed3b7c5a299d1cf5b29e8228f3f81d3cbb6876a |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 40629fd218a1921144fccde51155abc1 |
| SHA1 | 259981316f38f3b538443eac60839b8b0268c774 |
| SHA256 | edc51de6ea378118e3aee11c10db88b84059deeaaed9434cfe4154d73b149306 |
| SHA512 | 013143b1efeca433127b20ae5ff045259ff19ce90729a66c218921d825293038747f5251043fd511533263eddb8f7ada758b75f62981044da872e2e5322b0943 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.device.prefs.xml
| MD5 | eea26fe916f5300d543d104c507cb5a2 |
| SHA1 | b5c7318f2247a995b46f0de583a73033a85ee0f5 |
| SHA256 | 63e6248cbcfbb6d6ea72dd66a1c878823b70f1f2a05fa3f51880bdb015258acf |
| SHA512 | 1a6f885deb27d3ba40e9a82f26298cadd4809cfd8174f634f1e0df75d12ba6c4cd251b76d6132a40ea1c5b20afc01ff6a1a57032ecded355551bf9431243fecb |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 40e6801daac7f1acd559c527a34cdf6d |
| SHA1 | 832ac9144f5b1d76b309c0228e63d0878e8a8f7d |
| SHA256 | a7d09131de77bab23af3f8f10290af517d6f0bafe3c0257b108edf837f3097e5 |
| SHA512 | 77a0e86e62336afda48a3d51c2b4a79e32003a77efcccb0f2619e827c787701c258e8b29bcf3f994555d00a05e8039f2461caec57fef90e7a631f99d9630a1db |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/launcher.db
| MD5 | c911d474683116237ea09ab2dad6c7af |
| SHA1 | d27e3498be910425adfabd803d6e4d11f5b50aed |
| SHA256 | 6a64a51754e8f2f58c37cdfdba998f7dc16b9f6982303e3a7d22aa11e44ffd34 |
| SHA512 | bd0f41f4499eafc8035d9438e7bff35dad68ec441b1d83f46b3904be411f653eb121cbaca82d8380ce59167f3b25c1cbc4bcaed2e558b61ceac81b724eee55a8 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/launcher.db-journal
| MD5 | 0f7b8f581bbb8d92ca1f4721efba2fb2 |
| SHA1 | b7fd33084106e4249efdfc2c3e5bdb58a1388221 |
| SHA256 | f078e30eee8f3156fae78dcd23c5cad0b4dbdf508498b3d06134f5b06d04ab76 |
| SHA512 | c381ac0d50af871a5897b4dd26908d74fab3bc6c2a095423224335a36dee7c07d01e6397f3b6a30b122f445457ce3241fe85aba95f000caf85895ed092b41988 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | a44c2fb81476599162792952dc18e93d |
| SHA1 | 8b2dd43570ac7ccda7648c90f13788c1d507e51c |
| SHA256 | 8f27506efdf280d6a67f8cd3fd10307cc597e7dd40315f0cb100b171e432b0a7 |
| SHA512 | fe17a9cb751a4c4c7185e178b66a91e1113e4bddaa49429a0d36e1e2137a08d0bd8ec5531602debd1ae6e48a8e7a468d5b6ed47d8122608f755809d4b13f1734 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.managedusers.prefs.xml
| MD5 | 9781ca003f10f8d0c9c1945b63fdca7f |
| SHA1 | 4156cf5dc8d71dbab734d25e5e1598b37a5456f4 |
| SHA256 | 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793 |
| SHA512 | 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/files/downgrade_schema.json
| MD5 | 70435833064f71228d8d001901b56873 |
| SHA1 | 2d68b64360bb323366fadab675f387c74b42a23a |
| SHA256 | 73353cdbb7fbf2ee224948f35a950ad7bbaad5269b59471e690b34988ecc19e2 |
| SHA512 | fb7642c1c01aeacc3d5748b8be977ef272e7e9325cfd9e64b8638d4be84ff030cab8483a92ea677ffc246223df81e4b2c544e121943ac9acc8e79b6255b5b55a |
/data/user/0/werwerwee.qwetrydsf.yfdefes/shared_prefs/com.android.launcher3.prefs.xml
| MD5 | 40e6801daac7f1acd559c527a34cdf6d |
| SHA1 | 832ac9144f5b1d76b309c0228e63d0878e8a8f7d |
| SHA256 | a7d09131de77bab23af3f8f10290af517d6f0bafe3c0257b108edf837f3097e5 |
| SHA512 | 77a0e86e62336afda48a3d51c2b4a79e32003a77efcccb0f2619e827c787701c258e8b29bcf3f994555d00a05e8039f2461caec57fef90e7a631f99d9630a1db |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/app_icons.db
| MD5 | e5ee1a848be9ff1a3dc1a5002b5b0678 |
| SHA1 | ff592d5805e5b40f49eb52d8fb5c254af202a40f |
| SHA256 | 2360ac275259b4968dc51400c1f2d820ef3a81245a107f16cfe85f52477ecbb5 |
| SHA512 | e3cc9a6b6ab47938c4912265ff5deaa9068f8e6e091f68f494150ddbd07c282acda2dc6b547fc70722b8afee13b2f4186c93f6571288ef01ce3074c56097507c |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/app_icons.db-journal
| MD5 | 3b9bb7e377a6d15222b0c8c641eb1ea5 |
| SHA1 | 6259a6229e2b948b5cd7cad1355fb47845d7731c |
| SHA256 | d1ceae807b9ab1e04ce35988235206193f754691a3ac749e78831f27ab7c6c6a |
| SHA512 | 14fe05a42ed1cf69a8daeee78a53dedf7b90a1804ddc884903ba0c589ec0683210b09ebd3dfc8b72301f324855112ccef342270725a8382ecdd1d82ab0d9cc24 |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/widgetpreviews.db
| MD5 | 0678e6e6b1f4348088d4da865feed17f |
| SHA1 | bb776ff575af7d93e0d673a42a23072e74e06956 |
| SHA256 | 1620d357c5776920f359a8791327d4bb155107ee0b7278ebf8cd810595376d8b |
| SHA512 | 77b3dac14800fcfb6af4822ec77b0f85db66c626d72463e405fbfe5b90ae99a4a9096a877a08ccd5494e07d4c86e08be0ce9cf3d86af87445f7380e5730602de |
/data/user/0/werwerwee.qwetrydsf.yfdefes/databases/widgetpreviews.db-journal
| MD5 | 98653121324fe2005418247ce812c574 |
| SHA1 | ee54649c036b5af51261ee51f049b1a1dee46228 |
| SHA256 | 9cb4d8a08c5dcd14adc05e5a9abe71e8f778af441a38626515797a7beb1423a9 |
| SHA512 | a1c0e09b0299c1064d1d1e3e1b5761246a84ba32c79aaa3e6f3ec500b1a626a771ecbe4a6b56a7099745e54b760bc137b28f0d5fde822db8e5a313967d70be4a |