Analysis Overview
SHA256
238cdfbab88cbcb6b1a2379b2a18c993640c1f498c4cb0e9faef408331f41c0b
Threat Level: Known bad
The file Lol.apk was found to be: Known bad.
Malicious Activity Summary
Hook
Makes use of the framework's Accessibility service.
Acquires the wake lock.
Loads dropped Dex/Jar
Requests dangerous framework permissions
Reads information about phone network operator.
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-08-01 11:42
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-01 11:42
Reported
2023-08-01 11:45
Platform
android-x86-arm-20230621-en
Max time kernel
2968154s
Max time network
127s
Command Line
Signatures
Hook
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json | N/A | N/A |
| N/A | /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json | N/A | N/A |
Reads information about phone network operator.
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.dogilowopuna.zico
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/x86/pskPXGY.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.138:443 | infinitedata-pa.googleapis.com | tcp |
| RU | 193.233.196.2:3434 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| NL | 142.250.179.138:443 | semanticlocation-pa.googleapis.com | tcp |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| US | 1.1.1.1:53 | clients3.google.com | udp |
| DE | 172.217.23.206:443 | clients3.google.com | tcp |
| DE | 172.217.23.206:443 | clients3.google.com | tcp |
| DE | 172.217.23.206:443 | clients3.google.com | tcp |
| DE | 172.217.23.206:443 | clients3.google.com | tcp |
| US | 1.1.1.1:53 | lh6.googleusercontent.com | udp |
| NL | 142.251.36.1:443 | lh6.googleusercontent.com | tcp |
| NL | 142.251.36.1:443 | lh6.googleusercontent.com | tcp |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp | |
| RU | 193.233.196.2:3434 | tcp |
Files
/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json
| MD5 | 9bfea1b2027ec1635c3590e0ea14e3cf |
| SHA1 | 9cc1ea7f49e361961be1f5d2ab43658d41f86d59 |
| SHA256 | f2620b302348120f00c9bd7a3e0a6cbef991b484edcdcdd915fbbd13ac861eb4 |
| SHA512 | 4e17d67bcd5f5361a3d9b27f4fbc29969b25a2686edffa9872e7bca1a6528b4eaaf7f90541eda8d31583d8e515b1a20d4d1b20dd4a88c9e83e07d91d525de4a1 |
/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json.x86.flock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/x86/pskPXGY.vdex
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/x86/pskPXGY.odex
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json
| MD5 | cf80a0964d7adb2dc9ab389185abcff1 |
| SHA1 | a630b6d63b9be79f2fe9f2fc38c91fcbc1d8d6ea |
| SHA256 | f90f95cb686db2f9ce0607038438527e3665ca8e33c38fd168834f6d96def4ed |
| SHA512 | ef1a6f7c47772fd49ae2fda552df4f54fea83e30c99980ae8e0863b4abcfe2d7cb9869449962129cb560760d49ee6349add36e6ca7417e6cf0e9f99d86a3ee53 |
/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json
| MD5 | 7ffa71e1e1ae0b4b47d6be864fc29366 |
| SHA1 | 8f19d6ff1a28b1737f298a22c19009782ef84331 |
| SHA256 | 593b12a640d78ee06f6b74458c7f456eaff676b68dca095de5feeb86adeae18e |
| SHA512 | f017f92ccbb379f7fae44df3473c12b03200081263c9f5187b929db49887f4af0498f46697cb51cfab0901f5b04c133f10b7d7b2291a8832a9e7f1b9082f5d9d |
/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/pskPXGY.json.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-journal
| MD5 | b0cc64427b26e9810ceb20db49fc114e |
| SHA1 | 2bf497f912d711fc0f7464cb82947a353c22a60a |
| SHA256 | 16ce03340b18c10dbe91a83e4d35c4625cb18867d78a4be3b12dd9685520cecc |
| SHA512 | 9e53b922a41208f5e693e31d47a896daa555217d09ac4793234c7219c938401f1c7ce7d190c20501dfb205b7bb488a4ab15d94df49365fb736139ca532ab7b22 |
/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-wal
| MD5 | 90fbf4ae47f6cd37c38cedd860961941 |
| SHA1 | e3d0503b9f395cd40a01d6b17df66e1ff395bfc0 |
| SHA256 | ce02bfba243cf92c860eb913ad2e9915bcaa04b14ac740bbae06590dc1a7b3c0 |
| SHA512 | c0143ac040e95a043bc17a394d5ff9a8b9db52375dd441e6075c2a0235000124d806b216dd27a3b5129b87959aa0f0948e1ebe022001f29ef2ec022611203477 |
/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-shm
| MD5 | 7dea362b3fac8e00956a4952a3d4f474 |
| SHA1 | 05fe405753166f125559e7c9ac558654f107c7e9 |
| SHA256 | af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc |
| SHA512 | 1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b |
/data/user/0/com.dogilowopuna.zico/shared_prefs/settings.xml
| MD5 | 78a2c63a0ec2f947097c8b764fb49e30 |
| SHA1 | e38dcf9d6a39c0f58cdabfcbd5dd4954817a7869 |
| SHA256 | 7aaf74896c69acb15d2b36290e8bc74f6090e1b51ceab19400018fa7ed87285b |
| SHA512 | 96acd80ce5b0a1bd286f688de13b8b5ed9f2cfc73f034c2928a3d7a360a100e54c7a3239a45d7f81969585cc40b6fa9ab3ec4f7fa487e49efb1954b14d66484b |
/data/user/0/com.dogilowopuna.zico/app_webview/variations_seed_new
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.dogilowopuna.zico/app_webview/variations_stamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.dogilowopuna.zico/app_webview/webview_data.lock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.dogilowopuna.zico/shared_prefs/WebViewChromiumPrefs.xml
| MD5 | 21223e9184445fe043476484cd8cb1f9 |
| SHA1 | 2b4813f849121d60ba35eb0889080668bb62c778 |
| SHA256 | bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af |
| SHA512 | be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48 |
/data/user/0/com.dogilowopuna.zico/app_webview/metrics_guid
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.dogilowopuna.zico/app_webview/metrics_guid
| MD5 | 56af6c639d610f6b613dffd4e1ab2b14 |
| SHA1 | 9fcad9c359dbd7edefef482587cc897a7dca91f8 |
| SHA256 | 1e423a9d13dd40b429196809e0d5e2c764fa6cc6ef693f1817b985f50232e343 |
| SHA512 | 082bd6087843240c81edf2e8220ff0448d7611e3904142eef4a93121ad3d78641b73f5bafa1e9ec6f1c11c1d17bbf060902a74b3930b36c98b929f8d972c08c1 |
/data/user/0/com.dogilowopuna.zico/app_webview/Web Data
| MD5 | dc79f9ce5f3ab5270b33e61119dfc959 |
| SHA1 | 1844bf222a5144b513dcf2fb50a18c011701c647 |
| SHA256 | 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65 |
| SHA512 | 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e |
/data/user/0/com.dogilowopuna.zico/app_webview/Web Data-journal
| MD5 | f9dc477ee343fc9b5e844669572bcb23 |
| SHA1 | dc689374a05041e01370604239f5270136ff1704 |
| SHA256 | 07587ad077c1f52bef1bbf1d1a1212516a22f34947215d0fdf642cfe459a7bad |
| SHA512 | 300876580bd3c0fcea1d4f4d419d4d5f158e96b78234af1c15579b8b088d0cb9a2c06f6c125cd470bee1b36370ac8fb383ef9e6d437b1e0cb16ff35e71e7a90b |
/data/user/0/com.dogilowopuna.zico/app_webview/GPUCache/index
| MD5 | 93027d42b314432c4216e6cfca48b384 |
| SHA1 | 43448dd8102979c3926828182579691945eedd4e |
| SHA256 | 3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c |
| SHA512 | a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e |
/data/user/0/com.dogilowopuna.zico/app_webview/GPUCache/index-dir/temp-index
| MD5 | 34032e0b15dac37f5028577857c8bc9f |
| SHA1 | 1021e274532fee245b06c3309d5e70a8c2c474a1 |
| SHA256 | 0f73e642a22b2f7c697259f4bc80bf3125d9c480c1d056a3a3d78209659dd429 |
| SHA512 | 3821356d7e786c2bfa2caf1d6ce759d3260f731f2897d8b44ab8741cbf2e0810c2b17fdd26c2a1011e7521950b7426e09d4122307126b8648666a7253636523f |
/data/user/0/com.dogilowopuna.zico/app_webview/GPUCache/index-dir/temp-index
| MD5 | 2fcc8b3af2d85361587325ec87645693 |
| SHA1 | e4cd51af7d5667ea1de0bf88a76816d4488caa17 |
| SHA256 | b5fba09824a0869836fa8b491e034c9136e3e03453317b8f5774bf0df2183783 |
| SHA512 | 6fa8fd825052df85927e4a07b1797f94a4bc158a206cab665c0ee10ac9a80652d27a2358deb2dc66f27fae0cbb54fae9ef98a2f21064e5d7ef7e7fc6d9408e92 |