Analysis Overview
SHA256
f1625cee7ce79d2ee091fddf945521c71d2dd911af433ca428599fcd83fbf040
Threat Level: Known bad
The file f1625cee7ce79d2ee091fddf945521c71d2dd911af433ca428599fcd83fbf040.bin was found to be: Known bad.
Malicious Activity Summary
Ginp
Makes use of the framework's Accessibility service.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Loads dropped Dex/Jar
Requests enabling of the accessibility settings.
Requests dangerous framework permissions
Acquires the wake lock.
Requests disabling of battery optimizations (often used to enable hiding in the background).
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-08-15 22:00
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:05
Platform
android-x86-arm-20230621-en
Max time kernel
4214991s
Max time network
139s
Command Line
Signatures
Ginp
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json | N/A | N/A |
| N/A | /data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json | N/A | N/A |
| N/A | /data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json | N/A | N/A |
Processes
toast.rebel.dove
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/toast.rebel.dove/app_DynamicOptDex/oat/x86/XB.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.250.179.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| DE | 172.217.23.202:443 | semanticlocation-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | dopestteam.cc | udp |
Files
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 8a5a18bb9dea5eb83ff1746c0a0c343d |
| SHA1 | ec005efa785a2f7953492b22b5be5ca37eb961f1 |
| SHA256 | baa990b3acebeb944f9b74a944897797118cedeb3b67b040f91ad781999e5311 |
| SHA512 | 83255d9f4332a67c335c6873095e7fd01ec0da080b791f414e10bf52fcc06a0999c582deb0cf1f4c4f3e3039639f4c89fd4392dd5f4b601f593d44ac74826a97 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json.x86.flock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 2ee3515fa3f34fd24a2b6a11578626b6 |
| SHA1 | 4b4debd0ab2df85c4c28261818cb5a7c9a85c762 |
| SHA256 | 607491fcbd43ea5bd9b2a0ed43bb468a9f2dfd50fb01ed2b1d1c75d474f1425e |
| SHA512 | 5d2b4b623adb6796afd3f19c71b0e650a1e22d2f3c7ce1b56801464f350271aba7fe75fe7a425d1279943f82fa400801f5bf97a122cbd629dbd0f2a78466e838 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/oat/x86/XB.vdex
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/oat/x86/XB.odex
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 2ee3515fa3f34fd24a2b6a11578626b6 |
| SHA1 | 4b4debd0ab2df85c4c28261818cb5a7c9a85c762 |
| SHA256 | 607491fcbd43ea5bd9b2a0ed43bb468a9f2dfd50fb01ed2b1d1c75d474f1425e |
| SHA512 | 5d2b4b623adb6796afd3f19c71b0e650a1e22d2f3c7ce1b56801464f350271aba7fe75fe7a425d1279943f82fa400801f5bf97a122cbd629dbd0f2a78466e838 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | aa60a8fc03d716b08686009fed61ac7b |
| SHA1 | c7ef0c10f0a518ffabaf9373a2d13c2d042366cb |
| SHA256 | 6a0a4dc4069bebd5c9e11632bf1c66e03698bf1ef022fb4c2f3d7ac10654242a |
| SHA512 | 776716d9155659fc912513d8dbf770027a747ea9c6d7457b681efb3869f6a3e6a4e18d9c55c410ae885ab01e97d26778b1937fee4fe20da566c8e8855f610787 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/oat/XB.json.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral3
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:05
Platform
android-x64-arm64-20230621-en
Max time kernel
4214960s
Max time network
170s
Command Line
Signatures
Ginp
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json | N/A | N/A |
| N/A | /data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
toast.rebel.dove
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| DE | 172.217.23.206:443 | | tcp |
| DE | 172.217.23.206:443 | | tcp |
| DE | 172.217.23.206:443 | | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.40:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.138:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | dopestteam.cc | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | dopestteam.cc | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| GB | 216.58.208.109:443 | accounts.google.com | tcp |
| US | 1.1.1.1:53 | zhvmkcpidzcgk | udp |
| US | 1.1.1.1:53 | uwnzaoxn | udp |
| US | 1.1.1.1:53 | olkyxbczrnrpupx | udp |
| US | 1.1.1.1:53 | zhvmkcpidzcgk | udp |
| US | 1.1.1.1:53 | uwnzaoxn | udp |
Files
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 8a5a18bb9dea5eb83ff1746c0a0c343d |
| SHA1 | ec005efa785a2f7953492b22b5be5ca37eb961f1 |
| SHA256 | baa990b3acebeb944f9b74a944897797118cedeb3b67b040f91ad781999e5311 |
| SHA512 | 83255d9f4332a67c335c6873095e7fd01ec0da080b791f414e10bf52fcc06a0999c582deb0cf1f4c4f3e3039639f4c89fd4392dd5f4b601f593d44ac74826a97 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 2ee3515fa3f34fd24a2b6a11578626b6 |
| SHA1 | 4b4debd0ab2df85c4c28261818cb5a7c9a85c762 |
| SHA256 | 607491fcbd43ea5bd9b2a0ed43bb468a9f2dfd50fb01ed2b1d1c75d474f1425e |
| SHA512 | 5d2b4b623adb6796afd3f19c71b0e650a1e22d2f3c7ce1b56801464f350271aba7fe75fe7a425d1279943f82fa400801f5bf97a122cbd629dbd0f2a78466e838 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 2ee3515fa3f34fd24a2b6a11578626b6 |
| SHA1 | 4b4debd0ab2df85c4c28261818cb5a7c9a85c762 |
| SHA256 | 607491fcbd43ea5bd9b2a0ed43bb468a9f2dfd50fb01ed2b1d1c75d474f1425e |
| SHA512 | 5d2b4b623adb6796afd3f19c71b0e650a1e22d2f3c7ce1b56801464f350271aba7fe75fe7a425d1279943f82fa400801f5bf97a122cbd629dbd0f2a78466e838 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/oat/XB.json.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral7
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:00
Platform
debian9-armhf-en-20211208
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/libglog_init.so
[/tmp/libglog_init.so]
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:01
Platform
debian9-armhf-20221125-en
Max time kernel
1s
Command Line
Signatures
Processes
/tmp/libjsinspector.so
[/tmp/libjsinspector.so]
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:01
Platform
debian9-armhf-20221125-en
Max time kernel
2s
Max time network
0s
Command Line
Signatures
Processes
/tmp/libvlcjni.so
[/tmp/libvlcjni.so]
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:00
Platform
debian9-mipsbe-en-20211208
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/libjsinspector.so
[/tmp/libjsinspector.so]
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:02
Platform
android-x64-20230621-en
Max time kernel
4214779s
Max time network
82s
Command Line
Signatures
Ginp
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | /data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json | N/A | N/A |
| N/A | /data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json | N/A | N/A |
Processes
toast.rebel.dove
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | g.tenor.com | udp |
| US | 1.1.1.1:53 | pottershat.top | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.251.36.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | dopestteam.cc | udp |
| US | 1.1.1.1:53 | dopestteam.cc | udp |
Files
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 8a5a18bb9dea5eb83ff1746c0a0c343d |
| SHA1 | ec005efa785a2f7953492b22b5be5ca37eb961f1 |
| SHA256 | baa990b3acebeb944f9b74a944897797118cedeb3b67b040f91ad781999e5311 |
| SHA512 | 83255d9f4332a67c335c6873095e7fd01ec0da080b791f414e10bf52fcc06a0999c582deb0cf1f4c4f3e3039639f4c89fd4392dd5f4b601f593d44ac74826a97 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 2ee3515fa3f34fd24a2b6a11578626b6 |
| SHA1 | 4b4debd0ab2df85c4c28261818cb5a7c9a85c762 |
| SHA256 | 607491fcbd43ea5bd9b2a0ed43bb468a9f2dfd50fb01ed2b1d1c75d474f1425e |
| SHA512 | 5d2b4b623adb6796afd3f19c71b0e650a1e22d2f3c7ce1b56801464f350271aba7fe75fe7a425d1279943f82fa400801f5bf97a122cbd629dbd0f2a78466e838 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/XB.json
| MD5 | 2ee3515fa3f34fd24a2b6a11578626b6 |
| SHA1 | 4b4debd0ab2df85c4c28261818cb5a7c9a85c762 |
| SHA256 | 607491fcbd43ea5bd9b2a0ed43bb468a9f2dfd50fb01ed2b1d1c75d474f1425e |
| SHA512 | 5d2b4b623adb6796afd3f19c71b0e650a1e22d2f3c7ce1b56801464f350271aba7fe75fe7a425d1279943f82fa400801f5bf97a122cbd629dbd0f2a78466e838 |
/data/user/0/toast.rebel.dove/app_DynamicOptDex/oat/XB.json.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral4
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:03
Platform
win7-20230712-en
Max time kernel
119s
Max time network
132s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:03
Platform
win10v2004-20230703-en
Max time kernel
123s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\chrome_100_percent.js
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.135.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:01
Platform
ubuntu1804-amd64-20230621-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/libglog_init.so
[/tmp/libglog_init.so]
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:00
Platform
debian9-mipsbe-20221125-en
Max time kernel
1s
Command Line
Signatures
Processes
/tmp/libglog_init.so
[/tmp/libglog_init.so]
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:00
Platform
debian9-mipsel-en-20211208
Max time kernel
2s
Command Line
Signatures
Processes
/tmp/libglog_init.so
[/tmp/libglog_init.so]
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:00
Platform
ubuntu1804-amd64-20230621-en
Max time kernel
3s
Command Line
Signatures
Processes
/tmp/libjsinspector.so
[/tmp/libjsinspector.so]
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-08-15 22:00
Reported
2023-08-15 22:01
Platform
debian9-mipsel-20221111-en
Max time kernel
1s
Command Line
Signatures
Processes
/tmp/libjsinspector.so
[/tmp/libjsinspector.so]