Malware Analysis Report

2024-10-19 13:03

Sample ID 231002-1w4n5agf89
Target c462c3e4715ba097fdf645932917aa907413a5ca538a468f790d2dde1e92fd1d.bin
SHA256 c462c3e4715ba097fdf645932917aa907413a5ca538a468f790d2dde1e92fd1d
Tags
ermac hook banker evasion infostealer ransomware rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c462c3e4715ba097fdf645932917aa907413a5ca538a468f790d2dde1e92fd1d

Threat Level: Known bad

The file c462c3e4715ba097fdf645932917aa907413a5ca538a468f790d2dde1e92fd1d.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker evasion infostealer ransomware rat trojan

Ermac

Ermac2 payload

Hook

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Loads dropped Dex/Jar

Acquires the wake lock.

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-02 22:00

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
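The permission set above is the static signal that matters for triage: READ_SMS plus RECEIVE_SMS (OTP interception), SEND_SMS, READ_CONTACTS, CALL_PHONE/READ_CALL_LOG and the phone-identity permissions, which together are the working set of an Android banker rather than of any legitimate app. The following script, an added example and not part of the sandbox report, pulls the requested permissions and any declared accessibility service out of a decoded (text) AndroidManifest.xml, as produced by apktool or androguard rather than the binary AXML inside the APK, and scores the combination. The embedded manifest is constructed to declare exactly the fifteen permissions listed in the signature for com.bulosinehipibe.zusu; the INTERNET permission, the `.AccService` accessibility service and the capability groupings are assumptions made for the example, not facts taken from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: the fifteen permissions from the static1 signature plus INTERNET and
# an accessibility service. INTERNET and the service are assumptions for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.bulosinehipibe.zusu">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="app">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Capability groups (a heuristic chosen for this example): every permission in a set must be
# present for the capability to count.
CAPABILITIES = {
    "otp_interception": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_sending": {"android.permission.SEND_SMS"},
    "contact_harvesting": {"android.permission.READ_CONTACTS"},
    "call_control": {"android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"},
    "device_fingerprinting": {"android.permission.READ_PHONE_STATE",
                              "android.permission.READ_PHONE_NUMBERS"},
    "account_enumeration": {"android.permission.GET_ACCOUNTS"},
}


def requested_permissions(manifest_xml):
    """All <uses-permission android:name=...> values, sorted and de-duplicated."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(n for n in names if n)


def accessibility_services(manifest_xml):
    """Services guarded by BIND_ACCESSIBILITY_SERVICE, i.e. declared accessibility services."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
            if svc.get(ANDROID_NS + "permission")
            == "android.permission.BIND_ACCESSIBILITY_SERVICE"]


def triage_manifest(manifest_xml):
    """Score the permission set; OTP interception combined with SMS sending or an
    accessibility service is the banker profile."""
    perms = set(requested_permissions(manifest_xml))
    matched = {cap: needed <= perms for cap, needed in CAPABILITIES.items()}
    a11y = accessibility_services(manifest_xml)
    if matched["otp_interception"] and (matched["sms_sending"] or a11y):
        verdict = "banker-like"
    elif sum(matched.values()) >= 2 or a11y:
        verdict = "review"
    else:
        verdict = "low"
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "permissions": sorted(perms),
        "capabilities": matched,
        "accessibility_services": a11y,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"])
    for cap, hit in result["capabilities"].items():
        print(f"  {cap:24s} {'yes' if hit else 'no'}")
    print("  accessibility services:", result["accessibility_services"])
```

Run it against the manifest apktool decodes from the APK; the groupings are a starting point, and in practice you would also check for SYSTEM_ALERT_WINDOW and REQUEST_INSTALL_PACKAGES, which this sample does not request but most overlay-based bankers do.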

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

4067098s

Max time network

148s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json N/A N/A
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/x86/ebFl.odex --compiler-filter=quicken --class-loader-context=&
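The dex2oat invocation above is the runtime compiling /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json: a DEX file dropped under a .json name, which is what the "Loads dropped Dex/Jar" signature fires on. Extension-based triage misses it; file magic does not. Note also that the same path is listed with four different hashes in this run, so the payload was rewritten during execution, and the in-memory `dalvik-classes.dex` hash in behavioral2 and behavioral3 (eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3) matches one of those on-disk versions. The script below is an added example, not part of the report: it walks a pulled app data directory (for instance the output of `adb pull /data/data/<pkg>` from a rooted test device, or the sandbox's dropped files), identifies DEX and ZIP/JAR content by magic regardless of extension, and hashes each hit against the ebFl.json SHA256 values recorded in this report. The demo tree it builds is constructed; the fake ebFl.json is only a DEX header with zero padding, not the real payload. One caveat on the report's tags: the "ransomware" label rests on a single javax.crypto.Cipher.doFinal call, which a banker would equally use to protect its C2 traffic, and no file encryption is observed in any run.

```python
import hashlib
import tempfile
from pathlib import Path

DEX_MAGIC = b"dex\n"       # followed by a three-digit version and NUL, e.g. b"035\x00"
ZIP_MAGIC = b"PK\x03\x04"  # jar/apk/zip container that may carry a classes.dex

# SHA256 values this report recorded for app_DynamicOptDex/ebFl.json across the behavioral runs
KNOWN_PAYLOAD_SHA256 = {
    "85e8aa0f6f3e5c386265aa4e7d381930102f05e25d2e64f34cc53ae77ef026cd",
    "2e4884470436bc7d3d5f6e957ffcccd27575da27e32f4ea9548f50aa463910a9",
    "eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3",
    "6b79194574e6c32b7979c028d7c34d4328713034f948dc32a5e7bb32e2835b50",
}
DEX_EXTENSIONS = {".dex"}
CONTAINER_EXTENSIONS = {".jar", ".apk", ".zip"}


def classify(path):
    """Return 'dex', 'zip' or None from the first bytes of the file, ignoring its extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:4] == DEX_MAGIC and head[4:7].isdigit() and head[7:8] == b"\x00":
        return "dex"
    if head[:4] == ZIP_MAGIC:
        return "zip"
    return None


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_disguised_dex(root):
    """Every DEX or ZIP-magic file under root, flagged when its extension does not match."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        kind = classify(p)
        if kind is None:
            continue
        ext = p.suffix.lower()
        disguised = ((kind == "dex" and ext not in DEX_EXTENSIONS)
                     or (kind == "zip" and ext not in CONTAINER_EXTENSIONS))
        digest = sha256_file(p)
        hits.append({
            "path": str(p),
            "kind": kind,
            "disguised": disguised,
            "sha256": digest,
            "known_payload": digest in KNOWN_PAYLOAD_SHA256,
        })
    return hits


def build_demo_tree():
    """Constructed stand-in for a pulled app data directory; the DEX is a bare header, not the sample."""
    root = Path(tempfile.mkdtemp(prefix="zusu_"))
    opt = root / "app_DynamicOptDex"
    (opt / "oat").mkdir(parents=True)
    (opt / "ebFl.json").write_bytes(DEX_MAGIC + b"035\x00" + b"\x00" * 0x6C)
    (opt / "oat" / "ebFl.json.cur.prof").write_bytes(b"not-a-dex")      # ART profile placeholder
    (root / "cache").mkdir()
    (root / "cache" / "settings.json").write_bytes(b'{"theme": "dark"}')  # a genuine JSON file
    return root


def demo_hits():
    return find_disguised_dex(build_demo_tree())


if __name__ == "__main__":
    for hit in demo_hits():
        flag = "DISGUISED " if hit["disguised"] else ""
        known = " (matches report hash)" if hit["known_payload"] else ""
        print(f"{flag}{hit['kind']}: {hit['path']} sha256={hit['sha256']}{known}")
```

On a device the same check belongs in a loop over every package's `app_*` and `cache` directories; anything with DEX magic outside `/data/app` and the system partitions deserves a look, and the hash set should be whatever your own case has collected rather than the four values from this report.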

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.138:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp
NL 142.251.36.42:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 null udp
NL 172.217.168.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp

Files

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 f49e8a788e53b7e1e054248ab571c0b1
SHA1 f5a870ef0e19e332381c3c17bdc2a8333c86e733
SHA256 85e8aa0f6f3e5c386265aa4e7d381930102f05e25d2e64f34cc53ae77ef026cd
SHA512 0ff996ac719a0924e92dc38da15f71c1f995f82687e4dcd3a1c8786eee22f19f7083928a569d538f04500cb13112778cc5ae8e575b36048829c426ad7bcb6ea6

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 95a42313a143c59ccd0a59e25b4c65f7
SHA1 48ce701e20e847a74ee6a82d7de330e0ec6a9a2f
SHA256 2e4884470436bc7d3d5f6e957ffcccd27575da27e32f4ea9548f50aa463910a9
SHA512 ab4f1efe0b4b1409a2062a4f8e9fc18146f33fb4b5d7a2c24f790fc9298894e9e3b42b0e4b4d105f53297ef19643be352892eb53a0279a807fab591434f4cbaa

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 bcced22f9ce50fbd79a55d02a81fc1be
SHA1 1f719a83fed54f6c79e05734b6b98e70310279e0
SHA256 eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3
SHA512 e4822a57339a336f7486a2dd2ad1f5855703890d4f2f3c0de2b6eab5012d71328992a1b4ad7a414608d5a06cb5d266dfeb8448f3002829632ce5a02d3f9a4065

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 c606ec25071927dab1e8f62707aaa23f
SHA1 04f3da363fbd9c6a2ea940449c7d4d962d7b7288
SHA256 6b79194574e6c32b7979c028d7c34d4328713034f948dc32a5e7bb32e2835b50
SHA512 47e9afb1cf021d7630affc28417c05f1f5e8896d8856930ed9fde923db67eaea3334c1a523a1d1401d4eec1f2a8997f8bcecaa03e7cfa9dfcb8701cde8cc2605

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

MD5 49a3c1dfe08e84b6efe022163a9a2ad0
SHA1 b2b5e31d0469cf36c07157ea3955eb75494eddd3
SHA256 c4421050ec8d9694c6ea2ecc73413c35962b1ab213356b5d064e39e8c909b39e
SHA512 bbf636c1ba4fc4cc1d5a473e2eed1cf581348a0cff1e13332c56b276208e54d06e02ad5f549b3ccdcd11f8f69da9938423dd37d8f82e71601a07b3b56f4ebff6

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 431ee91f016d86e236d3048a2f441f72
SHA1 05a690e5af7a51c648f2621153a46dade0ea7223
SHA256 0d4337f8a3fa0a99ec3ff74f1c786af8c0804223755a19f9a9d3b3fe447ff1c6
SHA512 09b37d452efeeae5ab3a143bfa3b1af95d35262aa337b245537f0bcc26fcbb2a1881ae03cedad42771777fbaad360364d0653eafa42c501a3fe08c7d86d5d4b1

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 a6906299c9c9bda16bfb2dde41576c44
SHA1 ff5d04b4335f0fb78f8b77eda7f8e2e96d74c675
SHA256 bf922c887d4c870eeb6ea1d4a1d28503d53afa59264a284c302f2249bca7bfda
SHA512 56aa8ebae0e686811d1eb7dc7f95606a59844f006eb6488017197a5473d6f32ea7c7ac47a8477649b1c5aea6262da299da678258b96592ea29a611d88936a71b

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 549ea90b157fc50830d8b42a2907cf04
SHA1 916368bd8aff06e19da0ea266f45c156633128b2
SHA256 79a250c99b4eea450a4f28a81edc92d7e5fbfe7a02ff9cfeeb00dac500373312
SHA512 6b2e783b29596666cb5ac293db8816bf2381c7c3b601d4879da8aa5b9f9a70d85e696986dedbf808e181f13271b165e1445ce22ff8608c0cfa34a48c0b7508cc

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/ebFl.json.cur.prof

MD5 9f63b5c495728f98d94e11327a3f4a80
SHA1 52c0b659a10b05dd628ded637d9671a8b5f59049
SHA256 1a60572a1f13fa067ac8181e3bcae3d624d0da7319a744073301327eb1315849
SHA512 887cfc2ebd4ba3b3bffa9e14e8d1a135f8f9c2ff6724995d3567a6737abcb6e6ae69d29235cdbd337cdca5b86f200e8e4ef87feaef607edc3181ec142952c151

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/ebFl.json.cur.prof

MD5 6cf68fe3039278b3d924e57f3b5d8f14
SHA1 6e6464d9a48731d48674cfc5f47078177f311838
SHA256 66f34aec507c50ea7914d5ea3211fc2e7dc333d725741956e4c035b1b76aa26b
SHA512 6006babef0be34aef2788d676ec68ffdf51b9473f0eb805e7d74ad4f71e2aaa8e0ca1f6427d58d7bb0d447d75109320c04ebaeb82bfa046cda849ebdf6908fb7

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

android-x64-20230831-en

Max time kernel

4066981s

Max time network

161s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json] N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.136:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 perlmp.com udp
NL 194.169.175.243:3434 perlmp.com tcp
NL 142.251.39.100:443 tcp
NL 142.250.179.142:443 tcp
NL 194.169.175.243:3434 perlmp.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 194.169.175.243:3434 perlmp.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 194.169.175.243:3434 perlmp.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
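Everything in this table except one endpoint is the background traffic a stock Android image produces (mDNS, DNS to the sandbox resolver, Google APIs and analytics). The exception is perlmp.com, resolved once and then contacted seven times on 194.169.175.243:3434, a non-standard port. The report does not label that endpoint, but it is the only candidate for the sample's command-and-control channel, and it appears only in this run, so the beaconing was not reached in the other two Android detonations. The Windows runs (behavioral4 and behavioral5) show only the image's own reverse-DNS lookups and a Bing connection, with no signatures, and carry no information about the sample. The script below is an added example, not part of the report: it parses rows in the report's own Country/Destination/Domain/Proto layout, drops mDNS and resolver traffic, separates DNS lookups from connections, and reports non-allowlisted names, non-allowlisted DNS queries, and connections with no name attached. The rows embedded are copied from the behavioral2 table above; the allowlist of benign suffixes and the resolver set are assumptions to be tuned to your own sandbox baseline.

```python
from collections import Counter

# Rows copied from the behavioral2 Network table of this report (sandbox output, not constructed).
SAMPLE_ROWS = """\
Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
DE 172.217.23.202:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.136:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 perlmp.com udp
NL 194.169.175.243:3434 perlmp.com tcp
NL 142.251.39.100:443 tcp
NL 142.250.179.142:443 tcp
NL 194.169.175.243:3434 perlmp.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 194.169.175.243:3434 perlmp.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
NL 194.169.175.243:3434 perlmp.com tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
NL 194.169.175.243:3434 perlmp.com tcp
"""

# Baseline noise of a stock Android image in this sandbox: an assumption, tune per environment.
BENIGN_SUFFIXES = (".google.com", ".googleapis.com", ".google-analytics.com", ".gstatic.com")
RESOLVERS = {"1.1.1.1", "8.8.8.8"}


def parse_network_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "Country":
            continue  # blank line or header
        cc, endpoint, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        if domain == "null":  # the sandbox prints "null" for a query with no usable name
            domain = None
        ip, port = endpoint.rsplit(":", 1)
        rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_benign_name(name):
    return name is not None and name.endswith(BENIGN_SUFFIXES)


def triage(rows):
    """Split rows into flagged connections, unresolved connections and suspicious DNS lookups."""
    lookups = set()
    flagged = Counter()
    unresolved = Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 5353 and r["ip"] == "224.0.0.251":
            continue  # mDNS chatter from the emulator
        if r["port"] == 53 and r["ip"] in RESOLVERS:
            if r["domain"]:
                lookups.add(r["domain"])
            continue  # a lookup, not a connection to the named host
        key = (r["ip"], r["port"], r["domain"], r["proto"])
        if r["domain"] is None:
            unresolved[key] += 1  # needs reverse lookup / ASN before it can be cleared
        elif not is_benign_name(r["domain"]):
            flagged[key] += 1

    def as_rows(counter):
        return [{"ip": ip, "port": port, "domain": dom, "proto": proto, "count": n}
                for (ip, port, dom, proto), n in sorted(counter.items(), key=lambda kv: -kv[1])]

    return {
        "flagged": as_rows(flagged),
        "unresolved": as_rows(unresolved),
        "suspicious_lookups": sorted(n for n in lookups if not is_benign_name(n)),
    }


def triage_report_text(text):
    return triage(parse_network_rows(text))


if __name__ == "__main__":
    result = triage_report_text(SAMPLE_ROWS)
    for item in result["flagged"]:
        print(f"FLAGGED   {item['ip']}:{item['port']} {item['domain']} x{item['count']}")
    for item in result["unresolved"]:
        print(f"UNRESOLVED {item['ip']}:{item['port']} x{item['count']}")
    print("suspicious lookups:", result["suspicious_lookups"])
```

The unresolved bucket here is the Google front-end addresses contacted without a name in the row; they are cleared by reverse lookup or ASN, not dropped silently, because a C2 reached by raw IP would land in the same bucket.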

Files

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 f49e8a788e53b7e1e054248ab571c0b1
SHA1 f5a870ef0e19e332381c3c17bdc2a8333c86e733
SHA256 85e8aa0f6f3e5c386265aa4e7d381930102f05e25d2e64f34cc53ae77ef026cd
SHA512 0ff996ac719a0924e92dc38da15f71c1f995f82687e4dcd3a1c8786eee22f19f7083928a569d538f04500cb13112778cc5ae8e575b36048829c426ad7bcb6ea6

/data/data/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 95a42313a143c59ccd0a59e25b4c65f7
SHA1 48ce701e20e847a74ee6a82d7de330e0ec6a9a2f
SHA256 2e4884470436bc7d3d5f6e957ffcccd27575da27e32f4ea9548f50aa463910a9
SHA512 ab4f1efe0b4b1409a2062a4f8e9fc18146f33fb4b5d7a2c24f790fc9298894e9e3b42b0e4b4d105f53297ef19643be352892eb53a0279a807fab591434f4cbaa

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 bcced22f9ce50fbd79a55d02a81fc1be
SHA1 1f719a83fed54f6c79e05734b6b98e70310279e0
SHA256 eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3
SHA512 e4822a57339a336f7486a2dd2ad1f5855703890d4f2f3c0de2b6eab5012d71328992a1b4ad7a414608d5a06cb5d266dfeb8448f3002829632ce5a02d3f9a4065

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

MD5 63598172f740023de91139da62fec662
SHA1 be35758a57d58233dbc880ee499f121bd999269b
SHA256 2b9f1ab3c87a76c886d16dd04008602c9f6190c1cf533a136dff9e5f8802f86a
SHA512 a22f07b0473254bba7e69a25598b1d731ae7770d492848b77e91f17563613a694909e7d2dba15a69f1e0cb6bc7d85091dc5d5084dcb21c17129f5f24d26b9177

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 7d99810494a1701b629627f3f11711bc
SHA1 3ab599c0d474154e3f8d72e8734970a56139201f
SHA256 6ef6d32b9bbf9c5af9133a6b1b3de02821d12b17b5dee59380e1a0cab692fc79
SHA512 2ddc85d177b2398b2ae4121fc6e05081d39ac9384189bfa6b3177409b5ebee3fcdd6a1d5bf6f8f8b57442c14f4a027ad4846f3f4969238d2abe72f2b0743b53f

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 e506d694ba12d1fa6a60ac230d3d9575
SHA1 f8b59982b5622324daf0d77e2850f992a01c309a
SHA256 38b5f0724c633e3229ab2922c0e92eddefa79e76b65482f4645808fceec5de0e
SHA512 9fd8c07254e294a971ff658297640bdf3d44d26332a894dff82c97dcf8c2da19fb3a60d32387970270600f79f669e7394b2dee02683d5db048474cc87aa750a4

/data/data/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 bfb84fe7ccaf0946e099184711966a88
SHA1 09b25aa13d5803d213e1dfdf223de8aa650ae9c6
SHA256 e85e64ba7438cd747c39de1b011c9d663b02678a6c5b467cfd272dd8704e4dbe
SHA512 7069889192deb6c78e80ccf204a84fcee0f22f7dcab44d154d6be20afdbda395d605e1a58eb39f8044fe800841bcb1049c43541b20d6fd88cde935ab21407816

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json]

MD5 bcced22f9ce50fbd79a55d02a81fc1be
SHA1 1f719a83fed54f6c79e05734b6b98e70310279e0
SHA256 eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3
SHA512 e4822a57339a336f7486a2dd2ad1f5855703890d4f2f3c0de2b6eab5012d71328992a1b4ad7a414608d5a06cb5d266dfeb8448f3002829632ce5a02d3f9a4065

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:04

Platform

android-x64-arm64-20230831-en

Max time kernel

4067063s

Max time network

136s

Command Line

com.bulosinehipibe.zusu

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json N/A N/A
N/A [anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json] N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.bulosinehipibe.zusu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.251.39.110:443 tcp
NL 172.217.168.238:443 tcp
NL 142.250.179.142:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.174:443 android.apis.google.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 null udp
US 1.1.1.1:53 null udp

Files

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 f49e8a788e53b7e1e054248ab571c0b1
SHA1 f5a870ef0e19e332381c3c17bdc2a8333c86e733
SHA256 85e8aa0f6f3e5c386265aa4e7d381930102f05e25d2e64f34cc53ae77ef026cd
SHA512 0ff996ac719a0924e92dc38da15f71c1f995f82687e4dcd3a1c8786eee22f19f7083928a569d538f04500cb13112778cc5ae8e575b36048829c426ad7bcb6ea6

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 95a42313a143c59ccd0a59e25b4c65f7
SHA1 48ce701e20e847a74ee6a82d7de330e0ec6a9a2f
SHA256 2e4884470436bc7d3d5f6e957ffcccd27575da27e32f4ea9548f50aa463910a9
SHA512 ab4f1efe0b4b1409a2062a4f8e9fc18146f33fb4b5d7a2c24f790fc9298894e9e3b42b0e4b4d105f53297ef19643be352892eb53a0279a807fab591434f4cbaa

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json

MD5 bcced22f9ce50fbd79a55d02a81fc1be
SHA1 1f719a83fed54f6c79e05734b6b98e70310279e0
SHA256 eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3
SHA512 e4822a57339a336f7486a2dd2ad1f5855703890d4f2f3c0de2b6eab5012d71328992a1b4ad7a414608d5a06cb5d266dfeb8448f3002829632ce5a02d3f9a4065

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-journal

MD5 ed4817dab93e10db32104ca6012c5bf4
SHA1 a5f62bbd3cf3a0bbf99e4cf5ca4e41ca4f739d31
SHA256 fa2bcdcf8ea29f8b5b45a4638b91a9e2d9dbe5b46d2fd5d7df1f3c62b4aa9e81
SHA512 749c9065d630c758de4e743ed7a39aeeac7391ba97e551e944280b67613e007b5ac7edcee0b4327d2e5954eede15a544d2f8e9de88d194a5ff18b3961d79ea21

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 9670b3fe13d203a0dc829f6353779cdd
SHA1 942a476f265d413f99ddcd44a2a3423318ad6f8e
SHA256 0be3a20aed21d37d2210a0b4642a1709bb8cf65e766048c4aefef96f101c6862
SHA512 af307285965fbf6e9e87f1514470aadc6433c40058de2c99df22a2983832ead85c840aae57538fe99954973416153637738fdff62722697ea92199de4e039dfb

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 08db7bab8c5a2d304115c2d5ef54d56a
SHA1 42065f3a20996867f945f43e0c3df4a1da3ee546
SHA256 2535371686978b1bc43808241564ef4f27baa7f073019d552645ac5445b13c0f
SHA512 25b57a9a94067ffb0a898ff84a5f9f8cd98044926b04e5d3160bfd92c3ed2ded87552aae3ac780678423c1d4742d59403ff0ee090561a96b77365476a515d87d

/data/user/0/com.bulosinehipibe.zusu/no_backup/androidx.work.workdb-wal

MD5 5ca8f1611460fd587ae46792fd159fc2
SHA1 bbfb05ccd297b99702fccc94c021bf0fec0f371c
SHA256 4ade813d5ed76e99e602b93bc62fa8057d4aa33f1dcf5a89eaafb715358257c0
SHA512 ecfd434c3851546cc2f489a2ad25369ec456163fc1bbca164d8f78895bff766b57d08f930236eb90a470332c6d029caf2becff65413783c46ca9cb9d7ca3d117

/data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/oat/ebFl.json.cur.prof

MD5 477c73683b0defb787e68df63c44d188
SHA1 bba7f2c32feb58633ec1d80a0f88dfc920f8b9c7
SHA256 8f40b5809fe2409ffcf3ba0f2e1474899e322c9da2ec17e3d96bc9eac6c5dad4
SHA512 c1729ba58851aadedee7dc1b77a7a934b26fe9620cabb9a3cf57b6a54028757ea9b053a2b7dcfdfad32d39d6099a27cdc78f3a34c8f8fc9bc34a02564a777be0

[anon:dalvik-classes.dex extracted in memory from /data/user/0/com.bulosinehipibe.zusu/app_DynamicOptDex/ebFl.json]

MD5 bcced22f9ce50fbd79a55d02a81fc1be
SHA1 1f719a83fed54f6c79e05734b6b98e70310279e0
SHA256 eda752974c1a92f0e49db42ba3862d4e9364ae21e8747597d2c248f8884b43d3
SHA512 e4822a57339a336f7486a2dd2ad1f5855703890d4f2f3c0de2b6eab5012d71328992a1b4ad7a414608d5a06cb5d266dfeb8448f3002829632ce5a02d3f9a4065

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

win7-20230831-en

Max time kernel

117s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-02 22:00

Reported

2023-10-02 22:03

Platform

win10v2004-20230915-en

Max time kernel

125s

Max time network

131s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\template.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 254.209.247.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A