Analysis Overview
SHA256
0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8
Threat Level: Likely malicious
The file 0b72c22517fdefd4cf0466d8d4c634ca73b7667d378be688efe131af4ac3aed8_unpacked.zip was found to be: Likely malicious.
Malicious Activity Summary
Makes use of the framework's Accessibility service.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Requests enabling of the accessibility settings.
Requests dangerous framework permissions
Acquires the wake lock.
Reads information about phone network operator.
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-02-06 11:15
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-06 11:15
Reported
2023-02-06 11:18
Platform
android-x86-arm-20220823-en
Max time kernel
641466s
Max time network
158s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.rduzmauwns.jieliysagr
com.rduzmauwns.jieliysagr:remote
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 172.217.168.234:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 216.58.214.10:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| US | 1.1.1.1:853 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
Files
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/variations_seed_new
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/variations_stamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/webview_data.lock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.rduzmauwns.jieliysagr/shared_prefs/WebViewChromiumPrefs.xml
| MD5 | 21223e9184445fe043476484cd8cb1f9 |
| SHA1 | 2b4813f849121d60ba35eb0889080668bb62c778 |
| SHA256 | bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af |
| SHA512 | be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48 |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/Web Data
| MD5 | dc79f9ce5f3ab5270b33e61119dfc959 |
| SHA1 | 1844bf222a5144b513dcf2fb50a18c011701c647 |
| SHA256 | 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65 |
| SHA512 | 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/metrics_guid
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/metrics_guid
| MD5 | 8b86508fdf8506833a83e294b6dac49c |
| SHA1 | bcb3ef5837080f3b3abe0894db542ba1a60d042e |
| SHA256 | 10c659617aa1d738bd46db8ea494e8c7f5117ac9c410c7132e94f3e0c0555de6 |
| SHA512 | 434a0e366f71e8098e8419b0326a30570afac0ed90b197e7a99f4599fbc3f07ea4804e26128818ba7930905fb91a7b686d36e4a118fbde16cd54f715bb884d7f |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/Web Data-journal
| MD5 | 9b3f882d919fbac6ca8774607bc460e3 |
| SHA1 | 89f15177ca3609626c7bc2cb1bbfb171ba5379ef |
| SHA256 | 268e536cab6a17f0abede0df5be8876fc9522fe45c1a0489567163e4aacff252 |
| SHA512 | a6c3aee240f6844f85078e83f012ff4f45d544702c2e132fc7d49ec3262983dce9e855f2ead5873ee0aded3bc4aece4e2ca7285da8c5ea6af5430dcdec385a2f |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-06 11:15
Reported
2023-02-06 11:18
Platform
android-x64-20220823-en
Max time kernel
645066s
Max time network
159s
Command Line
Signatures
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.rduzmauwns.jieliysagr
com.rduzmauwns.jieliysagr:remote
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.208.106:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 216.58.214.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
Files
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/variations_seed_new
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/variations_stamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/webview_data.lock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.rduzmauwns.jieliysagr/shared_prefs/WebViewChromiumPrefs.xml
| MD5 | 6ef709b8536878951e87c29a1518fc2b |
| SHA1 | 24376c70b00152501b3d98df61fa7db435339172 |
| SHA256 | 10b13d894f36d4391fcc31313a244d5f6cd89c8e8c03347282e281c4af13c0a6 |
| SHA512 | 96547eff6779251a5c4941e812ec56ed273e9270265005723e1f2864688b04f3b852a90145fba4ea0ddf1e02b39d99e33d28f761b07a04d46e0e4257d8909ff9 |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/metrics_guid
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/metrics_guid
| MD5 | 55e5e2117a740613f6b050101a505a87 |
| SHA1 | cd812e003b2e51727aa59596aace7a1a4587a1b3 |
| SHA256 | be371b4a6b540c81a1562a905279b1bde5683092705998b523c79417eb889c5b |
| SHA512 | 10fb5159a63cf2b9929af76c3ab1f5282f98c4d5e66b29f0c665f11e23ff88134d4153f29fd23ea3124ab964cd01b63273c7ac1df0ffe397d18ed4a49d28fc66 |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/Web Data
| MD5 | b663831f8cc130493476d94f2d7a5330 |
| SHA1 | 043a1956ab8e40821d67043f8a9110a8eb36fb93 |
| SHA256 | c109aa8bfc364d5fd0756f1c9d35ee3d6df31325061ac70d8469f28cfc882ab7 |
| SHA512 | e8ee923192cdf16318febdc23362f3eeaf5c914b923f80cd3a91a2e83e94bced54460d4ef1e54accc26a7d54b89e2e10c00097e60002cf6427298dc5f18fed16 |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/Web Data-journal
| MD5 | 767caf10abd2cd0b885795a5c8ec030e |
| SHA1 | 04addcc8bf7ee792ed3d605a3a0efff636d49568 |
| SHA256 | e63cda601da18d39d15cbf30a79b4161592c007356fe301f0703ff959e96d03e |
| SHA512 | 6a1ca5aa5621a367f9ff2257daf0698f84540bfcc7b9b801b43bff744b79452af695bcc17c222bf465f5b6b040845a078a31a8fdef18ef7a8277046cc50a6306 |
/data/user/0/com.rduzmauwns.jieliysagr/cache/org.chromium.android_webview/Code Cache/js/index
| MD5 | 6d7d499960179766cd4261d12dacc411 |
| SHA1 | e6f8553b0015e12b23cc551afe98763f3b1c9bed |
| SHA256 | c96ac03cfdbc6f4c1bdcdf764f1a6573f852e7aae5ef405969516b93ed271182 |
| SHA512 | 6526c668477a01a850b8757b77dd3e7be27ad1991f5cf777685efcb03a21f31b71f6eae00f326931599baae4b16360e33e3d0f2894f1b2c1753391df02a14547 |
/data/user/0/com.rduzmauwns.jieliysagr/cache/org.chromium.android_webview/Code Cache/js/index-dir/temp-index
| MD5 | 83f35afd9e16f5496e22c3e2e3ddeeeb |
| SHA1 | 23fbc8a940b7aae7572f537396b6aa3396293a55 |
| SHA256 | f1096e2e85edffac717e865bab00cf48ba0ffc34836a923a520de207637f9077 |
| SHA512 | 8adb0cec3bec5854e4a9258231f6d53aa2f4a01fea38662772d9c97ca78218e6818cd761f2fbd7a5f832ede14e62f46c5910a6fb2f8ee880f76959df34aa6e0f |
/data/user/0/com.rduzmauwns.jieliysagr/cache/WebView/Crashpad/settings.dat
| MD5 | cfedc4150d4ecfc186101a35bdc0adc6 |
| SHA1 | e97d6aa3ba185e3665a5ca45c100606a02b3a6dd |
| SHA256 | b15209f79b348eef8deebee83adcc9153856f1c00dacdf30431f51f2d075d946 |
| SHA512 | d6bcf0d2ea53d32e32913e721cbebc88b2174d2475d2635e490f6ebb25e4f3249c20f0dfbbcbfe1f63c97edb8f1dd310919a8d4e0e3a86e8d1cad14ee8e170a2 |
/data/user/0/com.rduzmauwns.jieliysagr/app_webview/.com.google.Chrome.oXqFc6
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral3
Detonation Overview
Submitted
2023-02-06 11:15
Reported
2023-02-06 11:19
Platform
android-x64-arm64-20220823-en
Max time network
180s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.208.110:443 | android.apis.google.com | tcp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.179.170:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| DE | 142.250.185.170:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| NL | 142.251.39.109:443 | accounts.google.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.208.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | imzlcqxjpjqpdbh | udp |
| US | 1.1.1.1:53 | nzaufiao | udp |
| US | 1.1.1.1:53 | dqgcabx | udp |
| US | 1.1.1.1:53 | growth-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | lh3-dz.googleusercontent.com | udp |
| NL | 216.58.214.1:443 | lh3-dz.googleusercontent.com | tcp |
| US | 1.1.1.1:53 | lh3.googleusercontent.com | udp |
| GB | 216.58.208.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | dqgcabx | udp |
| US | 1.1.1.1:53 | imzlcqxjpjqpdbh | udp |
| US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp |
| NL | 142.251.36.10:443 | mdh-pa.googleapis.com | tcp |