Malware Analysis Report

2024-09-09 16:38

Sample ID 230111-lntfvsff3y
Target b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd.apk
SHA256 b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd
Tags
evasion
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd

Threat Level: Likely malicious

The file b6249fa996cb4046bdab37bab5e3b4d43c79ea537f119040c3b3e138149897fd.apk was found to be: Likely malicious.

Malicious Activity Summary

evasion

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Requests enabling of the accessibility settings.

Requests dangerous framework permissions

Reads information about phone network operator.

Removes a system notification.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-01-11 09:41

Signatures

Requests dangerous framework permissions

| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
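The three permissions above are common in legitimate dialer or CRM apps; what makes them worth escalating in this sample is the accessibility-service usage the behavioral runs record. The script below is an added example written for this page, not the sandbox's own tooling: it triages a decoded AndroidManifest.xml for exactly that combination. The manifest it parses is constructed to mirror the report's indicators (only the package name com.pdffiller.l2f comes from the report; the service name, label and other entries are assumed). On a real sample, decode first (e.g. apktool d sample.apk) and pass the resulting AndroidManifest.xml text to triage_manifest().

```python
"""Static triage of a decoded AndroidManifest.xml: dangerous permissions
plus a declared AccessibilityService.

Added example for this page; not the sandbox's own code. SAMPLE_MANIFEST is
constructed, not extracted from the sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Runtime ("dangerous") permissions the static1 analysis flagged.
DANGEROUS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}
# A service guarded by this permission is an AccessibilityService.
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest (assumed contents; only the package name is from the report).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.pdffiller.l2f">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="PDF Filler">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
             android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml):
    """Return the dangerous permissions, accessibility services and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    a11y_services = [
        el.get(NAME)
        for el in root.iter("service")
        if el.get(PERMISSION) == BIND_A11Y
    ]
    dangerous = sorted(perms & DANGEROUS)
    # Either half alone is common in benign apps; the combination of an
    # accessibility service with call/contact/phone-state access is what
    # to escalate. Weights are an assumption, not a published scale.
    score = len(dangerous) + (3 if a11y_services else 0)
    return {
        "package": root.get("package"),
        "dangerous_permissions": dangerous,
        "accessibility_services": a11y_services,
        "score": score,
        "escalate": bool(a11y_services) and bool(dangerous),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The sandbox's static pass only lists permissions; checking for a BIND_ACCESSIBILITY_SERVICE-guarded service in the same manifest gives the static verdict the context that otherwise only appears in the behavioral runs.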

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-11 09:41

Reported

2023-01-11 09:42

Platform

android-x86-arm-20220823-en

Max time kernel

2684288s

Max time network

83s

Command Line

com.pdffiller.l2f

Signatures

Makes use of the framework's Accessibility service.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |

These are the AccessibilityService IPC methods for locating on-screen UI nodes by visible text, by resource view ID and by node ID, i.e. the app is reading the contents of other apps' screens.

Acquires the wake lock.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Reads information about phone network operator.

Removes a system notification.

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |

Processes

com.pdffiller.l2f

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 142.251.39.110:443 | android.apis.google.com | tcp |
| N/A | 142.251.39.110:443 | android.apis.google.com | tcp |
| N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| N/A | 142.251.39.106:443 | infinitedata-pa.googleapis.com | tcp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 1.1.1.1:853 | | tcp |
| N/A | 1.1.1.1:853 | | tcp |
| N/A | 1.1.1.1:853 | | tcp |
| N/A | 149.154.167.99:443 | t.me | tcp |

224.0.0.251:5353 is local multicast DNS and the three TCP connections to 1.1.1.1:853 are DNS over TLS to the same resolver, so the names looked up over them are not visible in this capture. The only destination outside Google infrastructure is t.me (Telegram) over TLS.

Files

/data/user/0/com.pdffiller.l2f/shared_prefs/config.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/data/user/0/com.pdffiller.l2f/shared_prefs/com.pdffiller.l2f_preferences.xml

MD5 9f47baf3a9a6194affde23f6045a061d
SHA1 5f7777d88f68d11406d777a6221b79c66de22837
SHA256 8300e9295420e9621c996b1e23bdc1c65a6707f72e12b73309667f7762917f50
SHA512 cf224e18a29b3794f07cf96cdb1bbaf1ddaa6c56867429b02e93a173f262377721244383c2aad24ed46c6e9411e0ad8f4fdd7828de7c45c561fabb01836f9348

/data/user/0/com.pdffiller.l2f/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.pdffiller.l2f/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.pdffiller.l2f/app_webview/Web Data-journal

MD5 57435ed1bd60dbbc87782676f49fb496
SHA1 ecc35fb814a4c999e0c3a7928083e44cb8e5a24c
SHA256 33fc32fd618d4afe707a169e977fe3cf969003eb82d90f6d7ba26e87ccfd15de
SHA512 ae400d697da5783b9df21987a9dc6c02e4ffa6af01912be13b2576e63ee2c43812fb3420625bd9725f1e199319ef925b3bb409b4e166662ba2b6c401c646fb26

/data/user/0/com.pdffiller.l2f/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/metrics_guid

MD5 757a1847a0b8c5b35486b914318a125d
SHA1 c0e2d9da4453c0cb779e9c4167f72b7141ac415f
SHA256 8a6a26157907c04765c7de8276c5fe15f58d2f79ddecb0ffec732f2c85d08ee0
SHA512 7d1f1ce1a04d421b78f11477a0225e3127c7d44ad32022f3a5010e5219b103aacd37b619ee45ea5b0a7c71319006cd6cadcdf509a9de3b6c397f0b8bbbb62916

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-11 09:41

Reported

2023-01-11 09:44

Platform

android-x64-arm64-20220823-en

Max time kernel

2687967s

Max time network

154s

Command Line

com.pdffiller.l2f

Signatures

Makes use of the framework's Accessibility service.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |

Acquires the wake lock.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |

Requests enabling of the accessibility settings.

| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |

Firing this intent opens the system Accessibility settings screen; an app cannot enable its own accessibility service, so it sends the user there to toggle it on.

Processes

com.pdffiller.l2f

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 216.58.214.14:443 | android.apis.google.com | tcp |
| N/A | 142.250.179.174:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 172.217.168.226:443 | | tcp |
| N/A | 142.251.39.102:443 | | tcp |
| N/A | 216.58.208.106:80 | play.googleapis.com | tcp |
| N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| N/A | 172.217.168.202:80 | www.googleapis.com | tcp |
| N/A | 1.1.1.1:53 | android.apis.google.com | udp |
| N/A | 142.251.36.14:443 | android.apis.google.com | tcp |
| N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| N/A | 142.251.36.14:443 | android.apis.google.com | tcp |
| N/A | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| N/A | 216.58.214.10:443 | infinitedata-pa.googleapis.com | tcp |
| N/A | 1.1.1.1:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 1.1.1.1:53 | ssl.google-analytics.com | udp |
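Both Network tables (behavioral1 and behavioral2) mix resolver traffic, multicast DNS and Google background connections with the single endpoint that matters for pivoting. The script below is an added example written for this page, not the sandbox's own code: it parses the flat "Country Destination Domain Proto" rows into records, labels each by what its port means on Android, and separates resolver traffic and Google infrastructure from the rest. ROWS is copied from the behavioral1 table; paste the behavioral2 rows in the same way. GOOGLE_SUFFIXES is an assumed allow-list for triage and should be tuned per environment.

```python
"""Deduplicate the flat Network rows from this report and separate
resolver and Google background traffic from endpoints worth pivoting on.

Added example for this page; not the sandbox's own code. ROWS is copied
from the behavioral1 Network table; GOOGLE_SUFFIXES is an assumption.
"""
import ipaddress
from collections import defaultdict

ROWS = """\
N/A 224.0.0.251:5353 udp
N/A 1.1.1.1:53 android.apis.google.com udp
N/A 142.251.39.110:443 android.apis.google.com tcp
N/A 142.251.39.110:443 android.apis.google.com tcp
N/A 1.1.1.1:53 infinitedata-pa.googleapis.com udp
N/A 142.251.39.106:443 infinitedata-pa.googleapis.com tcp
N/A 1.1.1.1:53 android.apis.google.com udp
N/A 1.1.1.1:853 tcp
N/A 1.1.1.1:853 tcp
N/A 1.1.1.1:853 tcp
N/A 149.154.167.99:443 t.me tcp
"""

# Assumed allow-list of suffixes treated as platform background traffic.
GOOGLE_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com")


def classify(ip, port):
    """Label a destination by what the address/port pair means on Android."""
    if ipaddress.ip_address(ip).is_multicast and port == 5353:
        return "mdns"            # local service discovery, no external indicator
    if port == 53:
        return "dns"
    if port == 853:
        return "dns-over-tls"    # resolver traffic; queried names are not visible
    if port == 443:
        return "tls"
    if port == 80:
        return "http"
    return f"port-{port}"


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' lines into dicts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "N/A":      # country column, empty throughout
            parts = parts[1:]
        if len(parts) == 2:                  # direct connection, no domain
            dest, proto = parts
            domain = None
        elif len(parts) == 3:
            dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        port = int(port)
        records.append({"ip": ip, "port": port, "domain": domain,
                        "proto": proto, "kind": classify(ip, port)})
    return records


def indicators(records):
    """Group unique endpoints by domain; 'pivot' holds the non-Google ones."""
    resolver = set()
    by_domain = defaultdict(set)
    for r in records:
        if r["kind"] in ("dns", "dns-over-tls"):
            resolver.add((r["ip"], r["port"], r["kind"]))
        elif r["kind"] != "mdns":
            by_domain[r["domain"]].add((r["ip"], r["port"], r["kind"]))
    endpoints = {d: sorted(eps) for d, eps in by_domain.items()}
    # Direct-IP connections (domain None) are always kept for review.
    pivot = {d: eps for d, eps in endpoints.items()
             if d is None or not d.endswith(GOOGLE_SUFFIXES)}
    return {"resolver": sorted(resolver), "endpoints": endpoints, "pivot": pivot}


if __name__ == "__main__":
    for domain, eps in indicators(parse_rows(ROWS))["pivot"].items():
        print(domain or "<direct IP>", eps)
```

On the behavioral1 rows the pivot set collapses to t.me at 149.154.167.99:443; running the behavioral2 rows through the same functions additionally surfaces the two direct-IP TLS connections (172.217.168.226 and 142.251.39.102) as items to resolve before dismissing them.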

Files

/data/user/0/com.pdffiller.l2f/shared_prefs/config.xml

MD5 9781ca003f10f8d0c9c1945b63fdca7f
SHA1 4156cf5dc8d71dbab734d25e5e1598b37a5456f4
SHA256 3325d2a819fdd8062c2cdc48a09b995c9b012915bcdf88b1cf9742a7f057c793
SHA512 25a9877e274e0e9df29811825bd4f680fa0bf0ae6219527e4f1dcd17d0995d28b2926192d961a06ee5bef2eed73b3f38ec4ffdd0a1cda7ff2a10dc5711ffdf03

/data/user/0/com.pdffiller.l2f/shared_prefs/com.pdffiller.l2f_preferences.xml

MD5 9f47baf3a9a6194affde23f6045a061d
SHA1 5f7777d88f68d11406d777a6221b79c66de22837
SHA256 8300e9295420e9621c996b1e23bdc1c65a6707f72e12b73309667f7762917f50
SHA512 cf224e18a29b3794f07cf96cdb1bbaf1ddaa6c56867429b02e93a173f262377721244383c2aad24ed46c6e9411e0ad8f4fdd7828de7c45c561fabb01836f9348

/data/user/0/com.pdffiller.l2f/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.pdffiller.l2f/app_webview/webview_data.lock

MD5 d57f47ded29b06df5c9a65bcd52589e8
SHA1 2e33ffde89dea4fb231971e59a13b8f69836f878
SHA256 94ac8017c95541b975a494d1b2049244d942ec30c94d6c49f3604a5ba54e92dc
SHA512 890614f7a139b652d29e7867b6fc16dfd02444d71a1a407a2dc85c273c779b3a5f65fe25b509e5644080554e2c1ff1b3b25bfea217f44888f9d1013fa8aacbe0

/data/user/0/com.pdffiller.l2f/shared_prefs/WebViewChromiumPrefs.xml

MD5 97ccd9a2b2063143df56b6937f961ca4
SHA1 5e78a91ae5df289ce83443cb7d5589dd3504fb5d
SHA256 248ff7928128015b1cfe3e6517c8f9b8c9511bfb8c8baf44fc1370640eac61fd
SHA512 86c05a5bb3d7eedea390664796966e9e5a5bf846c85808da54407788a76b3ee25b91428242a1e76d8765bfe51e1ba3636617fbab6e7dbb39fcc433e07c3fcd3b

/data/user/0/com.pdffiller.l2f/app_webview/Default/Web Data

MD5 a48cd9324b1f8754b07f00d863b840f3
SHA1 11c6614775b35a58f440971dfc87c8aaac6d6173
SHA256 8859a216183793485d4699bf69d7ed96904679834188d07b9a70424d47eb1420
SHA512 35fa712f0af4a5eeed7e00e4e59ed5027dc6609d268462fe79d92043be9ae0c5961ce9e1d2f64b1a196c9b6aa6242b8b83817b3ee4c1058596c58a99c45478b1

/data/user/0/com.pdffiller.l2f/app_webview/Default/Web Data-journal

MD5 22516d819e4c660f40015fc8cae98707
SHA1 dc288061a775acf4b51fca9d934d3bbf1803bb8f
SHA256 3150584f323bf80563333d28dce3a951963eb82a8654bd7dfc027c15a95e2b55
SHA512 fb82fe1158a3e06a0058dc36c28b500bf4210aaf2c45698ffa85ce9d5d9d196e07c7d2abd1acc9991f1b6977a7063994171c025e0a7b17d521e9b82d0af1dadd

/data/user/0/com.pdffiller.l2f/cache/WebView/Default/HTTP Cache/Code Cache/js/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.pdffiller.l2f/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index

MD5 6d7d499960179766cd4261d12dacc411
SHA1 e6f8553b0015e12b23cc551afe98763f3b1c9bed
SHA256 c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182
SHA512 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547

/data/user/0/com.pdffiller.l2f/cache/WebView/Default/HTTP Cache/Code Cache/wasm/index-dir/temp-index

MD5 198ae5fd4f1ff1ae40f4ccd90ff8a5a6
SHA1 e68f6c06f1a152eab0b36396af6ca8cc64d59e3d
SHA256 06ae051367678381df119e01787ef889ccee2c6728f7c2da53d531cccc4a2036
SHA512 b7283ee443d6599537c800039cc0199ec4cfb7c53149f6a4b65ae87889eb1c5d0f89c5eb6fff6bf4d9e552e5a45c614f05753ffb3e9376219fd0ccac9a3fd002

/data/user/0/com.pdffiller.l2f/cache/WebView/Default/HTTP Cache/Code Cache/js/index-dir/temp-index

MD5 40412952ce1156c3d763c937f57877ea
SHA1 b0e16b0095ab73d04c4dbcb0e0262defe5f0ad8b
SHA256 38fcd137000ab8e2efcb871a79990129dec88431d663d4d1e2d7c80cba4a4332
SHA512 5188cec0c578591a789cc497b427c65976f49a6b1074cbdcba081dac4c513e1444a81aff1f929e18e452ccd9dc9ab017c90f1edea83a40644f0a0dc003e498c2

/data/user/0/com.pdffiller.l2f/cache/WebView/Crashpad/settings.dat

MD5 45c4faeca59bc364063e0fc4c3665899
SHA1 2921294c6e16b8734f2a3f728fad6c69c8331bcc
SHA256 a90991c92eee85190979417b3907fb3b3f60f89ba2e09012d7a1433f932dee4b
SHA512 4904811269b523ad169f74722028a6760c27a6b1e8b0da62d7ed8754446f24ac5f01f5a9be0e2e196a37957129942630150e6760a8038b531e972d98d1b30d77

/data/user/0/com.pdffiller.l2f/cache/WebView/font_unique_name_table.pb

MD5 f080fa2a56ab5479d58063e5ea871447
SHA1 4b3fd57a98916fa5784305b76ba30af26b5253d9
SHA256 0aa374bc456330fd1b5daf18d25b4bb8e2df1998dfa85466f2c31843ff56e815
SHA512 8aee3186a95b389d39882620b7c4199a29aa50580aa98a381b2931a934de6406943c89d4d00ebeabff21e2b03b4a4adcc01e37e32a2335c4838be24bdbf61936

/data/user/0/com.pdffiller.l2f/app_webview/.com.google.Chrome.idcAHu

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e