Malware Analysis Report

2024-10-19 13:02

Sample ID 230801-nvdp4agf6v
Target Lol.apk
SHA256 238cdfbab88cbcb6b1a2379b2a18c993640c1f498c4cb0e9faef408331f41c0b
Tags
hook evasion infostealer ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

238cdfbab88cbcb6b1a2379b2a18c993640c1f498c4cb0e9faef408331f41c0b

Threat Level: Known bad

The file Lol.apk was found to be: Known bad.

Malicious Activity Summary

hook evasion infostealer ransomware rat trojan

Hook

Makes use of the framework's Accessibility service.

Acquires the wake lock.

Loads dropped Dex/Jar

Requests dangerous framework permissions

Reads information about phone network operator.

Removes a system notification.

Uses Crypto APIs (Might try to encrypt user data).

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-08-01 11:42

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-01 11:42

Reported

2023-08-01 11:45

Platform

android-x86-arm-20230621-en

Max time kernel

2968154s

Max time network

127s

Command Line

com.dogilowopuna.zico

Signatures

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json N/A N/A
N/A /data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.dogilowopuna.zico

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/x86/pskPXGY.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.138:443 infinitedata-pa.googleapis.com tcp
RU 193.233.196.2:3434 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
NL 142.250.179.138:443 semanticlocation-pa.googleapis.com tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
US 1.1.1.1:53 clients3.google.com udp
DE 172.217.23.206:443 clients3.google.com tcp
DE 172.217.23.206:443 clients3.google.com tcp
DE 172.217.23.206:443 clients3.google.com tcp
DE 172.217.23.206:443 clients3.google.com tcp
US 1.1.1.1:53 lh6.googleusercontent.com udp
NL 142.251.36.1:443 lh6.googleusercontent.com tcp
NL 142.251.36.1:443 lh6.googleusercontent.com tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp
RU 193.233.196.2:3434 tcp

Files

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json

MD5 9bfea1b2027ec1635c3590e0ea14e3cf
SHA1 9cc1ea7f49e361961be1f5d2ab43658d41f86d59
SHA256 f2620b302348120f00c9bd7a3e0a6cbef991b484edcdcdd915fbbd13ac861eb4
SHA512 4e17d67bcd5f5361a3d9b27f4fbc29969b25a2686edffa9872e7bca1a6528b4eaaf7f90541eda8d31583d8e515b1a20d4d1b20dd4a88c9e83e07d91d525de4a1

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json.x86.flock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/x86/pskPXGY.vdex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/x86/pskPXGY.odex

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json

MD5 cf80a0964d7adb2dc9ab389185abcff1
SHA1 a630b6d63b9be79f2fe9f2fc38c91fcbc1d8d6ea
SHA256 f90f95cb686db2f9ce0607038438527e3665ca8e33c38fd168834f6d96def4ed
SHA512 ef1a6f7c47772fd49ae2fda552df4f54fea83e30c99980ae8e0863b4abcfe2d7cb9869449962129cb560760d49ee6349add36e6ca7417e6cf0e9f99d86a3ee53

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/pskPXGY.json

MD5 7ffa71e1e1ae0b4b47d6be864fc29366
SHA1 8f19d6ff1a28b1737f298a22c19009782ef84331
SHA256 593b12a640d78ee06f6b74458c7f456eaff676b68dca095de5feeb86adeae18e
SHA512 f017f92ccbb379f7fae44df3473c12b03200081263c9f5187b929db49887f4af0498f46697cb51cfab0901f5b04c133f10b7d7b2291a8832a9e7f1b9082f5d9d

/data/user/0/com.dogilowopuna.zico/app_DynamicOptDex/oat/pskPXGY.json.cur.prof

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-journal

MD5 b0cc64427b26e9810ceb20db49fc114e
SHA1 2bf497f912d711fc0f7464cb82947a353c22a60a
SHA256 16ce03340b18c10dbe91a83e4d35c4625cb18867d78a4be3b12dd9685520cecc
SHA512 9e53b922a41208f5e693e31d47a896daa555217d09ac4793234c7219c938401f1c7ce7d190c20501dfb205b7bb488a4ab15d94df49365fb736139ca532ab7b22

/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-wal

MD5 90fbf4ae47f6cd37c38cedd860961941
SHA1 e3d0503b9f395cd40a01d6b17df66e1ff395bfc0
SHA256 ce02bfba243cf92c860eb913ad2e9915bcaa04b14ac740bbae06590dc1a7b3c0
SHA512 c0143ac040e95a043bc17a394d5ff9a8b9db52375dd441e6075c2a0235000124d806b216dd27a3b5129b87959aa0f0948e1ebe022001f29ef2ec022611203477

/data/user/0/com.dogilowopuna.zico/no_backup/androidx.work.workdb-shm

MD5 7dea362b3fac8e00956a4952a3d4f474
SHA1 05fe405753166f125559e7c9ac558654f107c7e9
SHA256 af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc
SHA512 1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

/data/user/0/com.dogilowopuna.zico/shared_prefs/settings.xml

MD5 78a2c63a0ec2f947097c8b764fb49e30
SHA1 e38dcf9d6a39c0f58cdabfcbd5dd4954817a7869
SHA256 7aaf74896c69acb15d2b36290e8bc74f6090e1b51ceab19400018fa7ed87285b
SHA512 96acd80ce5b0a1bd286f688de13b8b5ed9f2cfc73f034c2928a3d7a360a100e54c7a3239a45d7f81969585cc40b6fa9ab3ec4f7fa487e49efb1954b14d66484b

/data/user/0/com.dogilowopuna.zico/app_webview/variations_seed_new

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dogilowopuna.zico/app_webview/variations_stamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dogilowopuna.zico/app_webview/webview_data.lock

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dogilowopuna.zico/shared_prefs/WebViewChromiumPrefs.xml

MD5 21223e9184445fe043476484cd8cb1f9
SHA1 2b4813f849121d60ba35eb0889080668bb62c778
SHA256 bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af
SHA512 be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

/data/user/0/com.dogilowopuna.zico/app_webview/metrics_guid

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/com.dogilowopuna.zico/app_webview/metrics_guid

MD5 56af6c639d610f6b613dffd4e1ab2b14
SHA1 9fcad9c359dbd7edefef482587cc897a7dca91f8
SHA256 1e423a9d13dd40b429196809e0d5e2c764fa6cc6ef693f1817b985f50232e343
SHA512 082bd6087843240c81edf2e8220ff0448d7611e3904142eef4a93121ad3d78641b73f5bafa1e9ec6f1c11c1d17bbf060902a74b3930b36c98b929f8d972c08c1

/data/user/0/com.dogilowopuna.zico/app_webview/Web Data

MD5 dc79f9ce5f3ab5270b33e61119dfc959
SHA1 1844bf222a5144b513dcf2fb50a18c011701c647
SHA256 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65
SHA512 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

/data/user/0/com.dogilowopuna.zico/app_webview/Web Data-journal

MD5 f9dc477ee343fc9b5e844669572bcb23
SHA1 dc689374a05041e01370604239f5270136ff1704
SHA256 07587ad077c1f52bef1bbf1d1a1212516a22f34947215d0fdf642cfe459a7bad
SHA512 300876580bd3c0fcea1d4f4d419d4d5f158e96b78234af1c15579b8b088d0cb9a2c06f6c125cd470bee1b36370ac8fb383ef9e6d437b1e0cb16ff35e71e7a90b

/data/user/0/com.dogilowopuna.zico/app_webview/GPUCache/index

MD5 93027d42b314432c4216e6cfca48b384
SHA1 43448dd8102979c3926828182579691945eedd4e
SHA256 3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c
SHA512 a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e

/data/user/0/com.dogilowopuna.zico/app_webview/GPUCache/index-dir/temp-index

MD5 34032e0b15dac37f5028577857c8bc9f
SHA1 1021e274532fee245b06c3309d5e70a8c2c474a1
SHA256 0f73e642a22b2f7c697259f4bc80bf3125d9c480c1d056a3a3d78209659dd429
SHA512 3821356d7e786c2bfa2caf1d6ce759d3260f731f2897d8b44ab8741cbf2e0810c2b17fdd26c2a1011e7521950b7426e09d4122307126b8648666a7253636523f

/data/user/0/com.dogilowopuna.zico/app_webview/GPUCache/index-dir/temp-index

MD5 2fcc8b3af2d85361587325ec87645693
SHA1 e4cd51af7d5667ea1de0bf88a76816d4488caa17
SHA256 b5fba09824a0869836fa8b491e034c9136e3e03453317b8f5774bf0df2183783
SHA512 6fa8fd825052df85927e4a07b1797f94a4bc158a206cab665c0ee10ac9a80652d27a2358deb2dc66f27fae0cbb54fae9ef98a2f21064e5d7ef7e7fc6d9408e92