Malware Analysis Report

2024-10-19 13:02

Sample ID 230801-nhn1asge81
Target Lol.apk
SHA256 238cdfbab88cbcb6b1a2379b2a18c993640c1f498c4cb0e9faef408331f41c0b
Tags
hook evasion infostealer ransomware rat stealth trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file Lol.apk was found to be: Known bad.

Malicious Activity Summary

hook evasion infostealer ransomware rat stealth trojan

Hook

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Acquires the wake lock.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-01 11:24

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-01 11:24

Reported

2023-08-01 11:26

Platform

android-x64-arm64-20230621-en

Max time kernel

2967040s

Max time network

109s

Command Line

com.dogilowopuna.zico

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Removes its main activity from the application launcher

stealth trojan

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json N/A N/A

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.dogilowopuna.zico

Network


Files
