c4ed72bd08e0651a9f75d075ba59d0465c0e8a62315b99fa3d797df7d94b5f34

Analysis

max time kernel
3172754s
max time network
132s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
27-11-2022 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4ed72bd08e0651a9f75d075ba59d0465c0e8a62315b99fa3d797df7d94b5f34.apk
Size

1.2MB
MD5

65be50c4deae1d09a000330961bc11e6
SHA1

a3c93db191f46c9621c89edaa31823956c6b2404
SHA256

c4ed72bd08e0651a9f75d075ba59d0465c0e8a62315b99fa3d797df7d94b5f34
SHA512

cbe77dcd02626538a4d2fa030f6f474c05e48af94620645a1514527a05aaaeb0751b0a3dd2148aeb9c1c6b164e3894159bbae2792bb5c802383cdea4f8883e2b
SSDEEP

24576:gBACmwB2WpeTXszSEHOoHIaKzxhpxzZ52HhsRwscrZN/vqV8KMBJVRYsyF:geCFB2lrsz5HOokx7mh4WnniqVYsyF

Score

8^/10

ransomware

Malware Config

Signatures

Requests cell location 1 IoCs
Uses Android APIs to to get current cell location.

Processes:

com.ba.tw2

description ioc process

Framework service call com.android.internal.telephony.ITelephony.getCellLocation com.ba.tw2

description	ioc	process
Framework service call	com.android.internal.telephony.ITelephony.getCellLocation	com.ba.tw2

Loads dropped Dex/Jar 2 IoCs

Runs executable file dropped to the device during analysis.

Processes:

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.ba.tw2/wuhahah.data.data.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/data/com.ba.tw2/oat/x86/wuhahah.data.data.odex --compiler-filter=quicken --class-loader-context=&com.ba.tw2

ioc	pid	process
/data/data/com.ba.tw2/wuhahah.data.data.jar	4151	/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.ba.tw2/wuhahah.data.data.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/data/com.ba.tw2/oat/x86/wuhahah.data.data.odex --compiler-filter=quicken --class-loader-context=&
/data/data/com.ba.tw2/wuhahah.data.data.jar	4065	com.ba.tw2

Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data). 1 IoCs
ransomware

Processes:

com.ba.tw2

description ioc process

Framework API call javax.crypto.Cipher.doFinal com.ba.tw2

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	com.ba.tw2

com.ba.tw2
1⤵
- Requests cell location
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data).
PID:4065

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/data/com.ba.tw2/wuhahah.data.data.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/data/com.ba.tw2/oat/x86/wuhahah.data.data.odex --compiler-filter=quicken --class-loader-context=&
2⤵
- Loads dropped Dex/Jar
PID:4151

chmod 777 /storage/emulated/0/.downloads
2⤵
PID:4242

/system/bin/sh
2⤵
PID:4270

ls -l /sbin/su
3⤵
PID:4350

ls -l /system/sbin/su
3⤵
PID:4376

ls -l /system/bin/su
3⤵
PID:4463

ls -l /system/xbin/su
3⤵
PID:4490

ls -l /odm/bin/su
3⤵
PID:4508

ls -l /vendor/bin/su
3⤵
PID:4526

ls -l /vendor/xbin/su
3⤵
PID:4545

chmod 777 /storage/emulated/0/.downloads
2⤵
PID:4336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.ba.tw2/oat/x86/wuhahah.data.data.odex
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/data/com.ba.tw2/oat/x86/wuhahah.data.data.vdex
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/data/com.ba.tw2/wuhahah.data.data
Filesize
412KB

MD5
57acfa1d2a44cec86d40adb181a762bf

SHA1
dd4d3f499b9d1efbe3ae31c13a310828ea3c8f39

SHA256
673de3132ab9cbf98dd68e47ac6468378ea1768847ec4fa5081f42cc8a055b54

SHA512
4444712265f0d6b59ba10c9d651dc20e2c7244cdc3298ebf4aab0118840d15b23501770ef20eea791904782c0cf6b2cdf28fd391d24ea4bd0d42f8040a60a74d

Download Submit
/data/data/com.ba.tw2/wuhahah.data.data.jar
Filesize
412KB

MD5
0207bdb972c175917dad8c18bacf33ba

SHA1
747b8f5196d11d6845d88d336dcdd86491218eb1

SHA256
2631f2f139b60a8da8658cb398bba98e1a4197c3eec49ea4ff67947a4fd26bc2

SHA512
577fde9203d083931f6644f7425a9d980dff8006da64cc8de2b353659fd86e7df4352439bbd7b201c964367cd3309d49589e1596a528d47983182c14c9a4db1d

Download Submit
/data/data/com.ba.tw2/wuhahah.data.data.jar
Filesize
1005KB

MD5
840fd19054df3135c4201fdc16bceb62

SHA1
3aa433b6e13cdd8687265289a5f22ee2b1e9b5c8

SHA256
ac8f73755cf9c7a574f0727b82bcafec74ad5ea81f67ec1de65ec4adbd3db427

SHA512
4df4028eea689c6ed0e964da41fa28d83bd189459d1db3f18357e0f5d598f22f0e405035f9477d339553f549b23fff14a5abe0612d21bfddd23df91150191dfc

Download Submit
/data/data/com.ba.tw2/wuhahah.data.data.jar
Filesize
1005KB

MD5
840fd19054df3135c4201fdc16bceb62

SHA1
3aa433b6e13cdd8687265289a5f22ee2b1e9b5c8

SHA256
ac8f73755cf9c7a574f0727b82bcafec74ad5ea81f67ec1de65ec4adbd3db427

SHA512
4df4028eea689c6ed0e964da41fa28d83bd189459d1db3f18357e0f5d598f22f0e405035f9477d339553f549b23fff14a5abe0612d21bfddd23df91150191dfc

Download Submit
/data/data/com.ba.tw2/wuhahah.data.data.jar.x86.flock
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/data/user/0/com.ba.tw2/databases/DD.db
Filesize
24KB

MD5
5c887b798c8a1c8dd464278788029c04

SHA1
299982a75550625eb1ed4795c3facff14573c5f6

SHA256
abc2c9aa3173b497934d0a0d694b88152b04d3395054a87d02f10406d6023773

SHA512
b051e45d6fa4f2c204390a222ae00e4ba1f1d7ddbb57bb772de1b577c251515e9db0d1d008df6b9128562e04eb7eebcce5b4909f6140e413d1d2915eb2826c20

Download Submit
/data/user/0/com.ba.tw2/databases/DD.db-journal
Filesize
524B

MD5
e784d544ed96d054c0715108dab4be55

SHA1
c9d44dc9df7af0f4923a6daa38620f5aa9a3fb61

SHA256
955d2860994734b571c35679085b00ca1f66170cfb9a6f8d57a89f956cb0dbf1

SHA512
07658f40435f909fe24ea834bf42643b85fa3024c3ccffec95918f9c70a00a0667fa3b783b9873bc14d409a4576b2ecd0d5a17a059679f4e38aff014a6fbf0af

Download Submit
/data/user/0/com.ba.tw2/databases/DD.db-shm
Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.ba.tw2/databases/DD.db-wal
Filesize
40KB

MD5
494eb85a01652bc7aed0f46d8dc31827

SHA1
24505e02cb1ecf45553278fa2c2c97f6c3018ee0

SHA256
ebf7c1cadbd157e0a57a2aabdc1d9b74cc6825443ab8a63e211e948f01338fa9

SHA512
f14afa3e37cf7c65c04b10b9f18fe9f1e5d495c219ff005c6afa4b6962edd7a1156edae9e6f4a487fe75581487c1d3fe23909d07067992c839b3723351b2ac22

Download Submit
/data/user/0/com.ba.tw2/databases/qy_db_pay
Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/user/0/com.ba.tw2/databases/qy_db_pay-journal
Filesize
524B

MD5
2552dd25e6bc2e29933114fec5c40df8

SHA1
e71aaf4cd6497ab16f98b8123aae3c195010d817

SHA256
b02a6740dd0a2f09a84ed7a8694e14253b9b940c745786ce6667cf91b59d1262

SHA512
009dc7d36aa2f104962b52dd3eda1e7f3e3e9bc003a89a6dd408281678a6ed8fdf0ac69296a3fdaa32db5f8fcf84ec2069164ca615b667dff67215b7855aa72a

Download Submit
/data/user/0/com.ba.tw2/databases/qy_db_pay-shm
Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.ba.tw2/databases/qy_db_pay-wal
Filesize
64KB

MD5
c966989d52ee82823c7b9a695ae1a7cd

SHA1
dd79e3cc1b1022895934646e1a549cd9593a3d3b

SHA256
c64693594c9357c09f138611c64ad643363b18a2fe7d63d27ac66c6af4f7d28d

SHA512
3f2c3e79453bb2352aad28debaff955817728b790b018d7735400cad520834e57fcc1718812f3a6738b36d493e4fc021d004bbe642e4f85ec4821f8a372d4e7a

Download Submit
/data/user/0/com.ba.tw2/files/.imprint
Filesize
910B

MD5
6e4ac591f2d77ec48fcc1db8ea4de0ea

SHA1
1bb3aad3adaeda296187d66f6538b1ba5827e858

SHA256
d06b63842734944a1e4806dafac033f406db1df374de9e2a0593f1c773d1744a

SHA512
0360d03fe35bfc18e4e619ab4f3c6fc38a014d8aa62139980425fe8f26a1bcacb8c78a1c28bb5c2ad18bea0ca14b9766ebad6b88a97dbcc806ddc28ac6d92831

Download Submit
/data/user/0/com.ba.tw2/files/umeng_it.cache
Filesize
310B

MD5
48a6fd7fa5aaf0de3f30268ae7750804

SHA1
93ff3e54db2a57957d74c2e01e5505f18533a935

SHA256
87e08acaeb405ca84eabaae413f24230bde01c6c74624e7abe52c59bdb34000b

SHA512
d75998aef78ab548115a5b1a46395d3c942b21ed6cb62a5b21da5a98c08dbd97b25ad7927f2e01cc691eca65f958bdd018ea571ccccd659d5b4b31cc18c935c7

Download Submit
/storage/emulated/0/com.ba.tw2.start.times/com.ba.tw2
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit