Analysis Overview
SHA256
ff8c2bcbe5beafcaf4aca4b1078d755e26e584b9e8cf5473a021b06dab84d48a
Threat Level: Known bad
The file Document PDF Scanner.apk was found to be: Known bad.
Malicious Activity Summary
joker
Requests dangerous framework permissions
Loads dropped Dex/Jar
Legitimate hosting services abused for malware hosting/C2
Reads information about phone network operator.
Removes a system notification.
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-12-13 08:46
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-12-13 08:46
Reported
2022-12-13 08:48
Platform
android-x86-arm-20220823-en
Max time kernel
175315s
Max time network
134s
Signatures
joker
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/com.hddoc.hink/app_qinhd/nearby | N/A | N/A |
| N/A | /data/user/0/com.hddoc.hink/app_qinhd/nearby | N/A | N/A |
| N/A | /data/user/0/com.hddoc.hink/files/beaming | N/A | N/A |
| N/A | /data/user/0/com.hddoc.hink/files/ionsxg | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
com.hddoc.hink
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 142.251.39.110:443 | android.apis.google.com | tcp |
| N/A | 142.251.39.110:443 | android.apis.google.com | tcp |
| N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| N/A | 142.250.179.170:443 | infinitedata-pa.googleapis.com | tcp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 142.251.39.110:443 | android.apis.google.com | tcp |
| N/A | 1.1.1.1:53 | sites.google.com | udp |
| N/A | 142.250.179.174:443 | sites.google.com | tcp |
| N/A | 1.1.1.1:53 | sightly.oss-ap-northeast-1.aliyuncs.com | udp |
| N/A | 47.91.8.57:80 | sightly.oss-ap-northeast-1.aliyuncs.com | tcp |
| N/A | 1.1.1.1:53 | cxjus.oss-ap-southeast-1.aliyuncs.com | udp |
| N/A | 161.117.155.70:80 | cxjus.oss-ap-southeast-1.aliyuncs.com | tcp |
| N/A | 1.1.1.1:853 | | tcp |
| N/A | 1.1.1.1:853 | | tcp |
Files
/data/user/0/com.hddoc.hink/app_qinhd/nearby
| MD5 | 4a9788fc71243aee107a17d86aad635e |
| SHA1 | 7a710267fb5fdfc01542feff78748c041f5f2a40 |
| SHA256 | 1a586e5f6da6d824a163b7c954f603ce146be866d3e0fad0f27c7de092641a7b |
| SHA512 | e73e132ce909835855987d9f8c2a0306f645e77b27dd1d9077450d6f162f6e8d9d6e7de2a3cbe4ebecb6dc0db62ed3cb7e43277870282aa5d6e0bc0b19f2dc9f |
/data/user/0/com.hddoc.hink/app_qinhd/nearby.x86.flock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/app_qinhd/nearby
| MD5 | 4a9788fc71243aee107a17d86aad635e |
| SHA1 | 7a710267fb5fdfc01542feff78748c041f5f2a40 |
| SHA256 | 1a586e5f6da6d824a163b7c954f603ce146be866d3e0fad0f27c7de092641a7b |
| SHA512 | e73e132ce909835855987d9f8c2a0306f645e77b27dd1d9077450d6f162f6e8d9d6e7de2a3cbe4ebecb6dc0db62ed3cb7e43277870282aa5d6e0bc0b19f2dc9f |
/data/user/0/com.hddoc.hink/app_qinhd/nearby
| MD5 | 4a9788fc71243aee107a17d86aad635e |
| SHA1 | 7a710267fb5fdfc01542feff78748c041f5f2a40 |
| SHA256 | 1a586e5f6da6d824a163b7c954f603ce146be866d3e0fad0f27c7de092641a7b |
| SHA512 | e73e132ce909835855987d9f8c2a0306f645e77b27dd1d9077450d6f162f6e8d9d6e7de2a3cbe4ebecb6dc0db62ed3cb7e43277870282aa5d6e0bc0b19f2dc9f |
/data/user/0/com.hddoc.hink/app_qinhd/oat/nearby.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/files/beaming
| MD5 | 6d13d7c94d8a2d5184182f0dff473593 |
| SHA1 | c84e555455310cd4632039f5b80104094e15908e |
| SHA256 | b1df50f31196de33f10a206b796cb7a8ba1c25c77b84d081ba2142ea4ecbcd06 |
| SHA512 | ecf76c2003bd3ab75a5fb635d9ed539a96bc4a520afb8da141f6348d0e3d4a354b032f9ba0496ec75f35c4f5f4ab15df6dae8db0f241b7764a204ecc62029b43 |
/data/user/0/com.hddoc.hink/files/beaming.x86.flock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/files/beaming
| MD5 | 843cafaf40c65eec713a7ff2a135a9c8 |
| SHA1 | 92259ba6953fb90c86c143c31b4c806be85ac99c |
| SHA256 | 4c3fd5b304f20c52594f18b6759477208edd72331a03c81e6d2fed45ab3b35a8 |
| SHA512 | beedef02ad85eebb50412732405b8138bcfcc0d2544915bc91c0165a7477651d14b707ab9cff74ee16728e8277b9b1bb21d1b4b34c50c0ab7820f080740267e7 |
/data/user/0/com.hddoc.hink/files/oat/beaming.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/files/ionsxg
| MD5 | 0d4e0388ddad6dfab2e1d43c0c339ad0 |
| SHA1 | a097d295281c4796030ad3a8d6a24cefc8ac53b3 |
| SHA256 | 409633ccb7463620e5f774ed0b466839f5aaa8f8005082af67bb7bbfbbf1a8b0 |
| SHA512 | 381e7b5b19ff133c96550e860e66e5d61ee75bf73be268d7eeffdd5200b59e293ac979a07a303eb3d2e9b4f6b20acdb0335398f0b13c4c64a48b184c8e273d3a |
/data/user/0/com.hddoc.hink/files/ionsxg.x86.flock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/files/ionsxg
| MD5 | 25b621b14e9bdb8d3009a25ac15b2997 |
| SHA1 | fab787ef17d4b1fd8ba506ac433c90933685972b |
| SHA256 | d1491805efe37e08dd402d82d7e03b74c27dd21b00963aaebf1eba373d803b56 |
| SHA512 | be560e695ca2b63672381b47738c5ce9963ca1b2ad3ad42c723e464d0f48ed6d67fb1b98197f597219e8272ba0c67a7d375ee05ef7d34f665dc4d3da58b69355 |
/data/user/0/com.hddoc.hink/files/oat/ionsxg.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/app_webview/variations_seed_new
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/app_webview/variations_stamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/app_webview/webview_data.lock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/shared_prefs/WebViewChromiumPrefs.xml
| MD5 | 21223e9184445fe043476484cd8cb1f9 |
| SHA1 | 2b4813f849121d60ba35eb0889080668bb62c778 |
| SHA256 | bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af |
| SHA512 | be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48 |
/data/user/0/com.hddoc.hink/app_webview/Web Data
| MD5 | dc79f9ce5f3ab5270b33e61119dfc959 |
| SHA1 | 1844bf222a5144b513dcf2fb50a18c011701c647 |
| SHA256 | 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65 |
| SHA512 | 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e |
/data/user/0/com.hddoc.hink/app_webview/metrics_guid
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.hddoc.hink/app_webview/metrics_guid
| MD5 | 1e793cbd537b1f96769d31b648d92f68 |
| SHA1 | 7a49890795504c3220bd53bbca3ca21a7fa0e2a9 |
| SHA256 | f42125c7085b645e43117be42dc9ab1a76892a51f27444965624716e5dc2fcf4 |
| SHA512 | b447e19d55c085d85cb6ef652e206df47ae56af17a0fbf5ba2e011fde7ac5694f2fb8fe8678116e065eec151f8f2029fa6d31cba6e800a4f07ac9f28ec4f09c9 |
/data/user/0/com.hddoc.hink/app_webview/Web Data-journal
| MD5 | 022629f117c26946a00ae1ddefa3524a |
| SHA1 | e373d8822773a596c092ab5c9e6c34d29c5aaf14 |
| SHA256 | a7389130987eb6e846e261182bddcd0a2c3fc85161512ada64ec91b3b36a9486 |
| SHA512 | b0b66eb17e03d3aaba30e6711a67c98a9bf9886453105e3edaed173f425cf4df0ca420e3904c7b91ac2d71686a92fd493227ec19e8e313b2b20b58aba6a7f7e2 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-12-13 08:46
Reported
2022-12-13 08:48
Platform
android-x64-20220823-en
Max time kernel
178901s
Max time network
161s
Signatures
Legitimate hosting services abused for malware hosting/C2
Processes
com.hddoc.hink
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 1.1.1.1:53 | sites.google.com | udp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 216.58.208.110:443 | android.apis.google.com | tcp |
| N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| N/A | 1.1.1.1:53 | sites.google.com | udp |
| N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp |
Analysis: behavioral3
Detonation Overview
Submitted
2022-12-13 08:46
Reported
2022-12-13 08:48
Platform
android-x64-arm64-20220823-en
Max time kernel
178903s
Max time network
145s
Signatures
Legitimate hosting services abused for malware hosting/C2
Processes
com.hddoc.hink
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 142.250.179.142:443 | | tcp |
| N/A | 142.250.179.142:443 | | tcp |
| N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 1.1.1.1:53 | sites.google.com | udp |
| N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 172.217.168.238:443 | android.apis.google.com | tcp |
| N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| N/A | 216.58.214.8:443 | ssl.google-analytics.com | tcp |