Malware Analysis Report

2025-01-23 12:43

Sample ID 230529-rk8z2acf6s
Target c01b464dea561c3c5e084eac0276a1f1.apk
SHA256 2baadf48069e44b89f4cb749105eabe87c32b0a45669cef246e8e3a46a3b3ec3
Tags
evasion spynote
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2baadf48069e44b89f4cb749105eabe87c32b0a45669cef246e8e3a46a3b3ec3

Threat Level: Known bad

The file c01b464dea561c3c5e084eac0276a1f1.apk was found to be: Known bad.

Malicious Activity Summary

evasion spynote

Spynote family

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Requests dangerous framework permissions

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-05-29 14:16

Signatures

Spynote family

spynote

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
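
The static1 table above is a flat list; what makes it a SpyNote-grade set is the combination of capabilities. The script below is an added example for this report (not code from the sandbox or the sample). It parses the `<uses-permission>` entries of an AndroidManifest.xml, keeps only dangerous-protection permissions, buckets them by capability and flags the mobile-RAT profile (SMS plus call control plus microphone/camera). The manifest is constructed to mirror the static1 table; `android.permission.INTERNET` is added by assumption to show that normal-protection permissions are ignored, and the capability grouping is this example's own, not an Android taxonomy.

```python
"""APK manifest permission triage (added example, not sandbox code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Dangerous-protection permissions bucketed by capability. The grouping is
# this example's own choice, not an Android or sandbox taxonomy.
CAPABILITY_GROUPS = {
    "sms": {"android.permission.SEND_SMS", "android.permission.READ_SMS",
            "android.permission.RECEIVE_SMS"},
    "telephony": {"android.permission.CALL_PHONE",
                  "android.permission.PROCESS_OUTGOING_CALLS",
                  "android.permission.READ_CALL_LOG",
                  "android.permission.READ_PHONE_STATE"},
    "surveillance": {"android.permission.CAMERA",
                     "android.permission.RECORD_AUDIO"},
    "location": {"android.permission.ACCESS_COARSE_LOCATION",
                 "android.permission.ACCESS_FINE_LOCATION"},
    "identity": {"android.permission.READ_CONTACTS",
                 "android.permission.GET_ACCOUNTS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"},
}

# Constructed manifest mirroring the static1 table (not the sample's real
# manifest); INTERNET is added to show normal permissions being ignored.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="ash.conflicts.mistakes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="app"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def triage(manifest_xml):
    """Bucket dangerous permissions by capability and flag the RAT profile."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    groups = {name: sorted(perms & members)
              for name, members in CAPABILITY_GROUPS.items()
              if perms & members}
    dangerous = set().union(*CAPABILITY_GROUPS.values()) & perms
    # Heuristic used here: SMS access plus call control plus a microphone or
    # camera capability is the classic mobile RAT / stalkerware profile.
    rat_profile = {"sms", "telephony", "surveillance"} <= set(groups)
    return {
        "package": root.get("package"),
        "groups": groups,
        "dangerous_count": len(dangerous),
        "ignored": sorted(perms - dangerous),
        "rat_profile": rat_profile,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print(result["package"], "dangerous permissions:", result["dangerous_count"])
    for group, names in result["groups"].items():
        print(f"  {group:12s} {', '.join(n.rsplit('.', 1)[1] for n in names)}")
    print("  RAT profile:", result["rat_profile"])
```

Run it against a manifest extracted with `apktool d` or `aapt dump xmltree`; the bucket output is what you want in a triage note, and the `rat_profile` flag is a cheap first-pass filter before spending sandbox time.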

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-29 14:16

Reported

2023-05-29 14:19

Platform

android-x64-20220823-en

Max time kernel

1742755s

Max time network

160s

Command Line

ash.conflicts.mistakes

Signatures

N/A

Processes

ash.conflicts.mistakes

ash.conflicts.mistakes:remote

Network

Consecutive identical connection records are collapsed; Count is the number of records.

Country Destination Domain Proto Count
N/A 224.0.0.251:5353 udp 1
US 1.1.1.1:53 ssl.google-analytics.com udp 1
US 1.1.1.1:53 dibaqu.vip udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 5
US 1.1.1.1:53 ssl.google-analytics.com udp 1
NL 172.217.168.232:443 ssl.google-analytics.com tcp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 38
US 1.1.1.1:53 android.apis.google.com udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 9
US 1.1.1.1:53 android.apis.google.com udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 61

Files

/storage/emulated/0/Config/sys/apps/log/log-2023-05-29.txt (zero-byte file: the digests below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/ash.conflicts.mistakes/shared_prefs/ash.conflicts.mistakes.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/data/user/0/ash.conflicts.mistakes/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-29 14:16

Reported

2023-05-29 14:19

Platform

android-x64-arm64-20220823-en

Max time kernel

1742759s

Max time network

162s

Command Line

ash.conflicts.mistakes

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

ash.conflicts.mistakes

ash.conflicts.mistakes:remote

Network

Consecutive identical connection records are collapsed; Count is the number of records.

Country Destination Domain Proto Count
US 1.1.1.1:53 android.apis.google.com udp 2
NL 142.251.36.46:443 android.apis.google.com tcp 2
N/A 224.0.0.251:5353 udp 1
NL 142.250.179.170:80 play.googleapis.com tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp 1
US 1.1.1.1:53 android.apis.google.com udp 1
NL 142.250.179.142:443 android.apis.google.com tcp 1
US 1.1.1.1:53 growth-pa.googleapis.com udp 1
NL 142.251.36.42:443 growth-pa.googleapis.com tcp 1
US 1.1.1.1:53 lh3-dz.googleusercontent.com udp 1
NL 142.250.179.161:443 lh3-dz.googleusercontent.com tcp 1
US 1.1.1.1:53 lh3.googleusercontent.com udp 1
NL 142.250.179.161:443 lh3.googleusercontent.com tcp 1
US 1.1.1.1:53 ssl.google-analytics.com udp 1
NL 172.217.168.232:443 ssl.google-analytics.com tcp 1
US 1.1.1.1:53 dibaqu.vip udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 29
US 1.1.1.1:53 accounts.google.com udp 3
HK 43.154.116.147:4000 dibaqu.vip tcp 2
US 1.1.1.1:53 accounts.google.com udp 1
NL 142.251.36.45:443 accounts.google.com tcp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 3
US 1.1.1.1:53 ylhrzdd udp 1
US 1.1.1.1:53 mtlzuerhaw udp 1
US 1.1.1.1:53 dhizgcyycwjmh udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 8
US 1.1.1.1:53 ylhrzdd udp 1
US 1.1.1.1:53 mtlzuerhaw udp 1
US 1.1.1.1:53 dhizgcyycwjmh udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 34
US 1.1.1.1:53 update.googleapis.com udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 1
US 1.1.1.1:53 update.googleapis.com udp 1
NL 142.250.179.195:443 update.googleapis.com tcp 1
US 1.1.1.1:53 edgedl.me.gvt1.com udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 1
US 1.1.1.1:53 edgedl.me.gvt1.com udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 2
US 1.1.1.1:53 edgedl.me.gvt1.com udp 1
US 34.104.35.123:80 edgedl.me.gvt1.com tcp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 33

Files

/storage/emulated/0/Config/sys/apps/log/log-2023-05-29.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/ash.conflicts.mistakes/shared_prefs/ash.conflicts.mistakes.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/data/user/0/ash.conflicts.mistakes/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-29 14:16

Reported

2023-05-29 14:19

Platform

android-x86-arm-20220823-en

Max time kernel

1742755s

Max time network

158s

Command Line

ash.conflicts.mistakes

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A
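
The four signatures reported for behavioral3 and behavioral1 are all derived from framework IPC calls and intent actions. The script below is an added example for this report, not the sandbox's own rule engine: it expresses those signatures as rules over a Binder-call/intent log, aggregates which process triggered which indicator, and derives the "evasion" tag the way the report presents it. The log format "<ms> <process> <kind> <indicator>" and the timestamps are assumptions; the indicators and process names are the ones in the report, and `getActiveNotifications` is an added non-matching line to show the rules do not over-fire on sibling methods.

```python
"""Behavioral signature rules over sandbox API-call records (added example)."""
from collections import defaultdict

# Rule table. "call" rules match a Binder method by prefix (so any method on
# IAccessibilityServiceConnection counts); "intent" rules match an action.
RULES = [
    {"name": "Makes use of the framework's Accessibility service.",
     "kind": "call",
     "prefix": "android.accessibilityservice.IAccessibilityServiceConnection.",
     "tags": set()},
    {"name": "Acquires the wake lock.",
     "kind": "call",
     "prefix": "android.os.IPowerManager.acquireWakeLock",
     "tags": set()},
    {"name": "Requests disabling of battery optimizations (often used to enable hiding in the background).",
     "kind": "intent",
     "prefix": "android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
     "tags": {"evasion"}},
    {"name": "Removes a system notification.",
     "kind": "call",
     "prefix": "android.app.INotificationManager.cancelNotificationWithTag",
     "tags": {"evasion"}},
]

# Constructed log: format and timestamps assumed, indicators from the report.
SAMPLE_LOG = """\
1012 ash.conflicts.mistakes call android.os.IPowerManager.acquireWakeLock
1030 ash.conflicts.mistakes intent android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
1105 ash.conflicts.mistakes:remote call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId
1106 ash.conflicts.mistakes:remote call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
1120 ash.conflicts.mistakes call android.app.INotificationManager.cancelNotificationWithTag
1121 ash.conflicts.mistakes call android.app.INotificationManager.getActiveNotifications
1300 ash.conflicts.mistakes:remote call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId
"""


def parse_log(text):
    """Yield (ts, process, kind, indicator); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        ts, proc, kind, indicator = parts
        yield int(ts), proc, kind, indicator


def match_signatures(text):
    """Return {signature name: {"indicators", "processes", "tags"}} for hits."""
    hits = defaultdict(lambda: {"indicators": set(), "processes": set(), "tags": set()})
    for _ts, proc, kind, indicator in parse_log(text):
        for rule in RULES:
            if rule["kind"] == kind and indicator.startswith(rule["prefix"]):
                hit = hits[rule["name"]]
                hit["indicators"].add(indicator)
                hit["processes"].add(proc)
                hit["tags"] |= rule["tags"]
    return dict(hits)


def report_tags(hits):
    """Union of tags across matched signatures, i.e. the report's Tags line."""
    if not hits:
        return []
    return sorted(set().union(*(h["tags"] for h in hits.values())))


if __name__ == "__main__":
    matched = match_signatures(SAMPLE_LOG)
    for name, hit in matched.items():
        print(name, sorted(hit["tags"]) or "")
        for ind in sorted(hit["indicators"]):
            print("   ", ind, "in", ", ".join(sorted(hit["processes"])))
    print("Tags:", " ".join(report_tags(matched)))
```

The prefix rule for the Accessibility interface is deliberately broad: the two methods the report lists are node lookups, but any call on that connection means the app holds an enabled accessibility service, which is the capability that matters for overlay and credential-harvesting abuse.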

Processes

ash.conflicts.mistakes

ash.conflicts.mistakes:remote

Network

Consecutive identical connection records are collapsed; Count is the number of records.

Country Destination Domain Proto Count
NL 142.250.179.202:443 tcp 1
N/A 224.0.0.251:5353 udp 1
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp 1
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp 1
US 1.1.1.1:53 android.apis.google.com udp 1
NL 142.251.39.110:443 android.apis.google.com tcp 1
US 1.1.1.1:53 dibaqu.vip udp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 15
US 1.1.1.1:853 tcp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 1
US 1.1.1.1:853 tcp 1
HK 43.154.116.147:4000 dibaqu.vip tcp 93
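
Across behavioral2, behavioral3 and behavioral1 the network tables tell the same story: Google/emulator background traffic on 80/443, one DNS lookup for dibaqu.vip, and then a long run of TCP connections to 43.154.116.147:4000. The script below is an added example for this report (not sandbox code) that takes rows in the report's "Country Destination Domain Proto" layout, counts connections per endpoint, and flags the two things worth calling out: a repeatedly contacted non-web TCP port (the C2 channel) and DNS lookups for bare single-label names (ylhrzdd, mtlzuerhaw, dhizgcyycwjmh). The single-label names are not public FQDNs; three random labels of this shape are also what Chromium's NXDOMAIN-hijack probe emits, so the example flags them for review rather than attributing them to the sample. `SAMPLE_ROWS` is a constructed excerpt of the behavioral3 table; the "xN" suffix meaning "this row repeats N times" is this example's own notation, and 1.1.1.1:853 is DNS over TLS.

```python
"""Beacon and DNS triage over sandbox network rows (added example)."""
import re
from collections import Counter

WEB_PORTS = {80, 443}
DNS_PORTS = {53, 853}          # plain DNS and DNS over TLS
BEACON_THRESHOLD = 10          # connections to one endpoint before it counts as a beacon

# Constructed excerpt of the behavioral3 table. "xN" means the row repeats
# N times in the report; that suffix is this example's notation.
SAMPLE_ROWS = """\
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.46:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 dibaqu.vip udp
HK 43.154.116.147:4000 dibaqu.vip tcp x29
US 1.1.1.1:53 accounts.google.com udp x3
US 1.1.1.1:53 ylhrzdd udp
US 1.1.1.1:53 mtlzuerhaw udp
US 1.1.1.1:53 dhizgcyycwjmh udp
HK 43.154.116.147:4000 dibaqu.vip tcp x84
US 1.1.1.1:853 tcp x2
"""

# Country, ip:port, optional domain, proto, optional "xN" repeat suffix.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)(?:\s+x(?P<n>\d+))?$"
)


def parse_rows(text):
    """Yield (ip, port, domain, proto, count) from report-style rows."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        yield m["ip"], int(m["port"]), m["domain"] or "", m["proto"], int(m["n"] or 1)


def summarize(text):
    """Count connections per endpoint; flag beacons and single-label DNS names."""
    per_endpoint = Counter()
    dns_names = set()
    for ip, port, domain, proto, n in parse_rows(text):
        if port in DNS_PORTS and proto == "udp" and domain:
            dns_names.add(domain)      # a DNS row names what was looked up
            continue
        per_endpoint[(ip, port, domain, proto)] += n
    beacons = [
        {"ip": ip, "port": port, "domain": domain, "connections": n}
        for (ip, port, domain, proto), n in per_endpoint.most_common()
        if proto == "tcp" and port not in WEB_PORTS | DNS_PORTS
        and n >= BEACON_THRESHOLD
    ]
    # A name without a dot is not a resolvable public FQDN: review, do not
    # attribute blindly (browser hijack probes produce the same pattern).
    single_label = sorted(name for name in dns_names if "." not in name)
    return {
        "beacons": beacons,
        "single_label_queries": single_label,
        "total_connections": sum(per_endpoint.values()),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_ROWS)
    for b in summary["beacons"]:
        print(f"beacon: {b['ip']}:{b['port']} ({b['domain']}) x{b['connections']}")
    print("single-label DNS queries:", ", ".join(summary["single_label_queries"]))
    print("total non-DNS connections:", summary["total_connections"])
```

For blocking, the durable indicator is the endpoint tuple 43.154.116.147:4000 together with dibaqu.vip; a port-based rule alone (tcp/4000) will catch unrelated traffic, and a domain-only rule misses the case where the sample is built with the IP hard-coded.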

Files

/data/user/0/ash.conflicts.mistakes/shared_prefs/ash.conflicts.mistakes.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/storage/emulated/0/Config/sys/apps/log/log-2023-05-29.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/ash.conflicts.mistakes/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b