Analysis Overview
SHA256
6fc6cf09595331f0191f2b2bb86b3bf64b04dd6b02e3f342a308e1b59d1e0863
Threat Level: Shows suspicious behavior
The file 6fc6cf09595331f0191f2b2bb86b3bf64b04dd6b02e3f342a308e1b59d1e0863 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Acquires the wake lock.
Tries to add a device administrator.
Requests dangerous framework permissions
Reads information about phone network operator.
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-10-29 09:03
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-10-29 09:03
Reported
2022-10-29 13:15
Platform
android-x86-arm-20220823-en
Max time kernel
602001s
Max time network
130s
Command Line
Signatures
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Reads information about phone network operator.
Processes
com.fbsmanager.umgr
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 172.217.168.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | jabber.co.nz | udp |
| US | 1.1.1.1:53 | swissjabber.eu | udp |
| US | 1.1.1.1:53 | jabber.de | udp |
| DE | 85.214.240.221:5222 | jabber.de | tcp |
| US | 1.1.1.1:53 | zsim.de | udp |
| TR | 31.3.3.7:5222 | zsim.de | tcp |
| US | 1.1.1.1:53 | lightwitch.org | udp |
| IT | 93.49.206.14:5222 | lightwitch.org | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-10-29 09:03
Reported
2022-10-29 13:15
Platform
android-x64-20220823-en
Max time kernel
601868s
Max time network
130s
Command Line
Signatures
Reads information about phone network operator.
Processes
com.fbsmanager.umgr
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | jabber.co.nz | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | jabber.co.nz | udp |
| US | 1.1.1.1:53 | swissjabber.eu | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | swissjabber.eu | udp |
| US | 1.1.1.1:53 | lightwitch.org | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 1.1.1.1:53 | uvovhzqsueaoo | udp |
| US | 1.1.1.1:53 | tndihpo | udp |
| US | 1.1.1.1:53 | ewhwrdgdvkwc | udp |
| US | 1.1.1.1:53 | lightwitch.org | udp |
| US | 1.1.1.1:53 | ewhwrdgdvkwc | udp |
| US | 1.1.1.1:53 | jabberd.eu | udp |
| US | 1.1.1.1:53 | jabberd.eu | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-10-29 09:03
Reported
2022-10-29 13:15
Platform
android-x64-arm64-20220823-en
Max time kernel
602030s
Max time network
163s
Command Line
Signatures
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Reads information about phone network operator.
Processes
com.fbsmanager.umgr
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.142:443 | android.apis.google.com | tcp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 172.217.168.226:443 | | tcp |
| NL | 142.251.39.102:443 | | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | lightwitch.org | udp |
| IT | 93.49.206.14:5222 | lightwitch.org | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.39.104:443 | ssl.google-analytics.com | tcp |
| NL | 142.251.36.42:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:53 | jabberd.eu | udp |
| US | 1.1.1.1:53 | jabber.de | udp |
| DE | 85.214.240.221:5222 | jabber.de | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 216.58.214.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | zsim.de | udp |
| IT | 93.49.206.14:5222 | lightwitch.org | tcp |