539ecdb4614dfbdb2c6f6f2251eb97f4ad1a77baaad1605ce2c1b4c52882e053

Analysis

max time kernel
3226159s
max time network
130s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
27/11/2022, 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

539ecdb4614dfbdb2c6f6f2251eb97f4ad1a77baaad1605ce2c1b4c52882e053.apk
Size

862KB
MD5

7a6997797dde6f8d94c7c94503831f9a
SHA1

be05c1e1bb38d4758e8531c3ef2acb4832369874
SHA256

539ecdb4614dfbdb2c6f6f2251eb97f4ad1a77baaad1605ce2c1b4c52882e053
SHA512

0827db64e776faf466878d3bd09cada8c948eef6ee77297ca11c2c02349203bcf49340c0f68751b8c75b1d929998793e588ce143e92d5c1469e6f6faa6117195
SSDEEP

12288:3LjnJbuT90RvvgYdNjPug/nk1/6mEgnle7luZgA054vxXnsbbtW9T4JsK351iTX1:3Xxk6RHVdn5knc17WpCtW9TcbpgTX1

Score

8^/10

ransomware

Malware Config

Signatures

Requests cell location 1 IoCs

Uses Android APIs to to get current cell location.

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.we.fd.qes

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/data/com.we.fd.qes/msdkconfig.ini.jar	4178	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.we.fd.qes/msdkconfig.ini.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/data/com.we.fd.qes/oat/x86/msdkconfig.ini.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.we.fd.qes/msdkconfig.ini.jar	3977	com.we.fd.qes

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.we.fd.qes

com.we.fd.qes
1⤵
- Requests cell location
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:3977
- /system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.we.fd.qes/msdkconfig.ini.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/data/com.we.fd.qes/oat/x86/msdkconfig.ini.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4178
- chmod 777 /storage/emulated/0/.downloads
  2⤵
  PID:4255
- /system/bin/sh
  2⤵
  PID:4227
- - ls -l /sbin/su
    3⤵
    PID:4305
- - ls -l /system/sbin/su
    3⤵
    PID:4396
- - ls -l /system/bin/su
    3⤵
    PID:4512
- - ls -l /system/xbin/su
    3⤵
    PID:4539
- - ls -l /odm/bin/su
    3⤵
    PID:4558
- - ls -l /vendor/bin/su
    3⤵
    PID:4576
- - ls -l /vendor/xbin/su
    3⤵
    PID:4594
- chmod 777 /storage/emulated/0/.downloads
  2⤵
  PID:4292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.we.fd.qes/msdkconfig.ini

Filesize
402KB

MD5
32ef69f8fc08cc5819ffd6851dbfe57f

SHA1
0f502d093b370a5b0010db0c417e82001785ae61

SHA256
85db5476b6ae1cc1d37cefc0cd19d25717c31bd3727d5e33a61e9e8c73de7cb8

SHA512
afac15fb215efe0fbdc3e5ec7b105aad61824a51ebd23d3036dd9a9bc4d96e376fd03dff99debc1a18d75bfccc424cae2143410f1b331e100182396ed03dd185

Download Submit
/data/data/com.we.fd.qes/msdkconfig.ini.jar

Filesize
402KB

MD5
d7c06c987a5b5c6afb518b510b4f0620

SHA1
ddbb1d7c10917b949435f43169d9e9978dcd3fbb

SHA256
3cbcd8de1a654d85b49ac9b7e7af8a43bd81e0af2ec166810c009637a4aeb9b8

SHA512
e680f5b411ce0c3b372453a5ce47de1efafc6c30d313c9b2a867112fc53bdf0bc12a5edef32f6244e35264190eb0820133f766a73697d94547a6411d843adc00

Download Submit
/data/data/com.we.fd.qes/msdkconfig.ini.jar

Filesize
987KB

MD5
308ed3cf8d4e0dce72b7c079b7eab0e6

SHA1
9aea4325442218fca771553e4bc167e4f4d23aa6

SHA256
e7ca9978666aed98c6e9b600c633d505e167fa8e68a237f4547e6dbb2da27905

SHA512
3e0d85c83523c0a0714f14d6944e4b3299988e86255ec990660f42263e6ac7f4856a299d223ff047a3e40949e4d5bf2fd187e3f4f614cb9c0efcd47abb98b1b7

Download Submit
/data/data/com.we.fd.qes/msdkconfig.ini.jar

Filesize
987KB

MD5
308ed3cf8d4e0dce72b7c079b7eab0e6

SHA1
9aea4325442218fca771553e4bc167e4f4d23aa6

SHA256
e7ca9978666aed98c6e9b600c633d505e167fa8e68a237f4547e6dbb2da27905

SHA512
3e0d85c83523c0a0714f14d6944e4b3299988e86255ec990660f42263e6ac7f4856a299d223ff047a3e40949e4d5bf2fd187e3f4f614cb9c0efcd47abb98b1b7

Download Submit
/data/user/0/com.we.fd.qes/databases/qy_db_pay

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/user/0/com.we.fd.qes/databases/qy_db_pay-journal

Filesize
524B

MD5
8459c9b698d88febcbcc98395b57a77e

SHA1
d5d5cc8a8ae43229139b87331f3472fdc430fe8e

SHA256
6ad3b2f079c998a76851b7e8237570280b3e41bc20bd37c317b9a9eddb5dc483

SHA512
67c1fe6126360a17082d25e022fbe1766df6cdc1cf30389b9cd5ebfae9e49de54cd0daa94456f4df18c6a2840bc3630fd2960543a4b9d20ceb6a5bd1bd075ae6

Download Submit
/data/user/0/com.we.fd.qes/databases/qy_db_pay-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.we.fd.qes/databases/qy_db_pay-wal

Filesize
64KB

MD5
cbb78c1e44e0322155544ae27b026863

SHA1
1171d3002de4d5022db50e1e66ac89d8b35d77eb

SHA256
934e79826b9f39ef4f1dad0831205246bf75f775edf027397753ba642b9fe2e3

SHA512
cc2f8d570c83faa4e5dfb92ece8aa9698d80a5d8fab56bb2a0d3c063a5fd4256505ed8287e7e3efba468b59897ceec71c7e5aa01dbe8c8a13ad82a3d4abccadd

Download Submit
/data/user/0/com.we.fd.qes/files/.imprint

Filesize
910B

MD5
ab1d3b9757c212b68af5bd253c11c67b

SHA1
754c87a30f908c735cacf0ce51400ceecaf4c8bc

SHA256
5031e6c44447b1021bc4d25c5c7c4aa96c40726eb972fd7313b8b339e7425e7a

SHA512
e116095276103a66e369c90fe9e2cc6b50aac53daf14c97320792ac7871c7fa749b8f71b1303230b386e738a83f35ea6eb58cac421e94486d7f35d95c331b499

Download Submit
/data/user/0/com.we.fd.qes/files/umeng_it.cache

Filesize
310B

MD5
e1011d6c6aa5041c116a4a718aff05ef

SHA1
42a15dd1140607cc271ced399f7f519907cb55c4

SHA256
97edd981dbe7a58d6da605b51f4d929104803f06cf390c11f2b7f42a13bf95f4

SHA512
1fabc4219993b397ecad7cf1963cc35b6b2272c3b313e52736fbe00f5dccc2433f446d8d73a428eaf5df04d71ea2f0b6b056ece7c740df3e8331bbec9815eb85

Download Submit