Malware Analysis Report

2024-10-18 22:59

Sample ID 221213-kpavgaec89
Target Document PDF Scanner.apk
SHA256 ff8c2bcbe5beafcaf4aca4b1078d755e26e584b9e8cf5473a021b06dab84d48a
Tags
joker evasion infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff8c2bcbe5beafcaf4aca4b1078d755e26e584b9e8cf5473a021b06dab84d48a

Threat Level: Known bad

The file Document PDF Scanner.apk was found to be: Known bad.

Malicious Activity Summary

joker evasion infostealer trojan

joker

Requests dangerous framework permissions

Loads dropped Dex/Jar

Legitimate hosting services abused for malware hosting/C2

Reads information about phone network operator.

Removes a system notification.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-13 08:46

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-13 08:46

Reported

2022-12-13 08:48

Platform

android-x86-arm-20220823-en

Max time kernel

175315s

Max time network

134s

Command Line

com.hddoc.hink

Signatures

joker

infostealer trojan joker

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.hddoc.hink/app_qinhd/nearby N/A N/A
N/A /data/user/0/com.hddoc.hink/app_qinhd/nearby N/A N/A
N/A /data/user/0/com.hddoc.hink/files/beaming N/A N/A
N/A /data/user/0/com.hddoc.hink/files/ionsxg N/A N/A

Legitimate hosting services abused for malware hosting/C2

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

com.hddoc.hink

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
N/A 1.1.1.1:53 android.apis.google.com udp
N/A 142.251.39.110:443 android.apis.google.com tcp
N/A 142.251.39.110:443 android.apis.google.com tcp
N/A 1.1.1.1:53 infinitedata-pa.googleapis.com udp
N/A 142.250.179.170:443 infinitedata-pa.googleapis.com tcp
N/A 1.1.1.1:53 android.apis.google.com udp
N/A 142.251.39.110:443 android.apis.google.com tcp
N/A 1.1.1.1:53 sites.google.com udp
N/A 142.250.179.174:443 sites.google.com tcp
N/A 1.1.1.1:53 sightly.oss-ap-northeast-1.aliyuncs.com udp
N/A 47.91.8.57:80 sightly.oss-ap-northeast-1.aliyuncs.com tcp
N/A 1.1.1.1:53 cxjus.oss-ap-southeast-1.aliyuncs.com udp
N/A 161.117.155.70:80 cxjus.oss-ap-southeast-1.aliyuncs.com tcp
N/A 1.1.1.1:853 tcp
N/A 1.1.1.1:853 tcp

Files

/data/user/0/com.hddoc.hink/app_qinhd/nearby

MD5 4a9788fc71243aee107a17d86aad635e
SHA1 7a710267fb5fdfc01542feff78748c041f5f2a40
SHA256 1a586e5f6da6d824a163b7c954f603ce146be866d3e0fad0f27c7de092641a7b
SHA512 e73e132ce909835855987d9f8c2a0306f645e77b27dd1d9077450d6f162f6e8d9d6e7de2a3cbe4ebecb6dc0db62ed3cb7e43277870282aa5d6e0bc0b19f2dc9f

/data/user/0/com.hddoc.hink/app_qinhd/nearby.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/app_qinhd/nearby

MD5 4a9788fc71243aee107a17d86aad635e
SHA1 7a710267fb5fdfc01542feff78748c041f5f2a40
SHA256 1a586e5f6da6d824a163b7c954f603ce146be866d3e0fad0f27c7de092641a7b
SHA512 e73e132ce909835855987d9f8c2a0306f645e77b27dd1d9077450d6f162f6e8d9d6e7de2a3cbe4ebecb6dc0db62ed3cb7e43277870282aa5d6e0bc0b19f2dc9f

/data/user/0/com.hddoc.hink/app_qinhd/nearby

MD5 4a9788fc71243aee107a17d86aad635e
SHA1 7a710267fb5fdfc01542feff78748c041f5f2a40
SHA256 1a586e5f6da6d824a163b7c954f603ce146be866d3e0fad0f27c7de092641a7b
SHA512 e73e132ce909835855987d9f8c2a0306f645e77b27dd1d9077450d6f162f6e8d9d6e7de2a3cbe4ebecb6dc0db62ed3cb7e43277870282aa5d6e0bc0b19f2dc9f

/data/user/0/com.hddoc.hink/app_qinhd/oat/nearby.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/files/beaming

MD5 6d13d7c94d8a2d5184182f0dff473593
SHA1 c84e555455310cd4632039f5b80104094e15908e
SHA256 b1df50f31196de33f10a206b796cb7a8ba1c25c77b84d081ba2142ea4ecbcd06
SHA512 ecf76c2003bd3ab75a5fb635d9ed539a96bc4a520afb8da141f6348d0e3d4a354b032f9ba0496ec75f35c4f5f4ab15df6dae8db0f241b7764a204ecc62029b43

/data/user/0/com.hddoc.hink/files/beaming.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/files/beaming

MD5 843cafaf40c65eec713a7ff2a135a9c8
SHA1 92259ba6953fb90c86c143c31b4c806be85ac99c
SHA256 4c3fd5b304f20c52594f18b6759477208edd72331a03c81e6d2fed45ab3b35a8
SHA512 beedef02ad85eebb50412732405b8138bcfcc0d2544915bc91c0165a7477651d14b707ab9cff74ee16728e8277b9b1bb21d1b4b34c50c0ab7820f080740267e7

/data/user/0/com.hddoc.hink/files/oat/beaming.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/files/ionsxg

MD5 0d4e0388ddad6dfab2e1d43c0c339ad0
SHA1 a097d295281c4796030ad3a8d6a24cefc8ac53b3
SHA256 409633ccb7463620e5f774ed0b466839f5aaa8f8005082af67bb7bbfbbf1a8b0
SHA512 381e7b5b19ff133c96550e860e66e5d61ee75bf73be268d7eeffdd5200b59e293ac979a07a303eb3d2e9b4f6b20acdb0335398f0b13c4c64a48b184c8e273d3a

/data/user/0/com.hddoc.hink/files/ionsxg.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/files/ionsxg

MD5 25b621b14e9bdb8d3009a25ac15b2997
SHA1 fab787ef17d4b1fd8ba506ac433c90933685972b
SHA256 d1491805efe37e08dd402d82d7e03b74c27dd21b00963aaebf1eba373d803b56
SHA512 be560e695ca2b63672381b47738c5ce9963ca1b2ad3ad42c723e464d0f48ed6d67fb1b98197f597219e8272ba0c67a7d375ee05ef7d34f665dc4d3da58b69355

/data/user/0/com.hddoc.hink/files/oat/ionsxg.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.hddoc.hink/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.hddoc.hink/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.hddoc.hink/app_webview/metrics_guid

MD5 1e793cbd537b1f96769d31b648d92f68
SHA1 7a49890795504c3220bd53bbca3ca21a7fa0e2a9
SHA256 f42125c7085b645e43117be42dc9ab1a76892a51f27444965624716e5dc2fcf4
SHA512 b447e19d55c085d85cb6ef652e206df47ae56af17a0fbf5ba2e011fde7ac5694f2fb8fe8678116e065eec151f8f2029fa6d31cba6e800a4f07ac9f28ec4f09c9

/data/user/0/com.hddoc.hink/app_webview/Web Data-journal

MD5 022629f117c26946a00ae1ddefa3524a
SHA1 e373d8822773a596c092ab5c9e6c34d29c5aaf14
SHA256 a7389130987eb6e846e261182bddcd0a2c3fc85161512ada64ec91b3b36a9486
SHA512 b0b66eb17e03d3aaba30e6711a67c98a9bf9886453105e3edaed173f425cf4df0ca420e3904c7b91ac2d71686a92fd493227ec19e8e313b2b20b58aba6a7f7e2

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-13 08:46

Reported

2022-12-13 08:48

Platform

android-x64-20220823-en

Max time kernel

178901s

Max time network

161s

Command Line

com.hddoc.hink

Signatures

Legitimate hosting services abused for malware hosting/C2

Processes

com.hddoc.hink

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
N/A 1.1.1.1:53 sites.google.com udp
N/A 1.1.1.1:53 android.apis.google.com udp
N/A 216.58.208.110:443 android.apis.google.com tcp
N/A 1.1.1.1:53 ssl.google-analytics.com udp
N/A 1.1.1.1:53 sites.google.com udp
N/A 1.1.1.1:53 ssl.google-analytics.com udp
N/A 1.1.1.1:53 ssl.google-analytics.com udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-12-13 08:46

Reported

2022-12-13 08:48

Platform

android-x64-arm64-20220823-en

Max time kernel

178903s

Max time network

145s

Command Line

com.hddoc.hink

Signatures

Legitimate hosting services abused for malware hosting/C2

Processes

com.hddoc.hink

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
N/A 142.250.179.142:443 tcp
N/A 142.250.179.142:443 tcp
N/A 1.1.1.1:53 infinitedata-pa.googleapis.com udp
N/A 1.1.1.1:53 android.apis.google.com udp
N/A 1.1.1.1:53 sites.google.com udp
N/A 1.1.1.1:53 ssl.google-analytics.com udp
N/A 1.1.1.1:53 android.apis.google.com udp
N/A 172.217.168.238:443 android.apis.google.com tcp
N/A 1.1.1.1:53 ssl.google-analytics.com udp
N/A 216.58.214.8:443 ssl.google-analytics.com tcp

Files

N/A