Analysis Overview
SHA256
8c4a2a5b5b55e5eb9fa279a316d678878958b7ee4ba69706d6d9c09e27cd7bed
Threat Level: Shows suspicious behavior
The file ay_1000.apk was found to be: Shows suspicious behavior.
Malicious Activity Summary
Declares services with permission to bind to the system
Requests dangerous framework permissions
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 17:48
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A |
| Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A |
| Required by quick settings tile services to bind with the system. Allows apps to add custom tiles to the quick settings menu. | android.permission.BIND_QUICK_SETTINGS_TILE | N/A | N/A |
| Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 17:48
Reported
2024-02-22 17:50
Platform
android-x86-arm-20240221-en
Max time kernel
68s
Max time network
82s
Command Line
Signatures
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.giraffe
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | wxstat.com | udp |
| CN | 47.102.184.251:8080 | tcp | |
| HK | 27.124.21.144:8091 | 27.124.21.144 | tcp |
| CN | 119.122.10.2:80 | tcp | |
| HK | 172.247.174.180:8080 | 172.247.174.180 | tcp |
| CN | 183.6.28.6:8080 | tcp | |
| US | 1.1.1.1:53 | cfg.imtt.qq.com | udp |
| HK | 43.135.106.117:443 | cfg.imtt.qq.com | tcp |
| US | 1.1.1.1:53 | x1.goofficex.com | udp |
| US | 1.1.1.1:53 | z1.goofficez.com | udp |
| HK | 172.247.174.178:443 | z1.goofficez.com | tcp |
| HK | 27.124.21.135:443 | x1.goofficex.com | tcp |
| HK | 27.124.21.135:443 | x1.goofficex.com | tcp |
| US | 1.1.1.1:53 | log.tbs.qq.com | udp |
| HK | 27.124.21.135:443 | x1.goofficex.com | tcp |
| HK | 129.226.107.80:443 | log.tbs.qq.com | tcp |
| HK | 27.124.21.135:443 | x1.goofficex.com | tcp |
| HK | 27.124.21.135:443 | x1.goofficex.com | tcp |
| HK | 27.124.21.135:443 | x1.goofficex.com | tcp |
| HK | 27.124.21.135:443 | x1.goofficex.com | tcp |
| HK | 27.124.21.135:443 | x1.goofficex.com | tcp |
| HK | 43.135.106.117:443 | cfg.imtt.qq.com | tcp |
| US | 1.1.1.1:53 | s.outlook8.net | udp |
| HK | 195.130.202.136:443 | s.outlook8.net | tcp |
| HK | 195.130.202.136:443 | s.outlook8.net | tcp |
| HK | 195.130.202.136:443 | s.outlook8.net | tcp |
| GB | 142.250.200.14:443 | tcp | |
| GB | 142.250.200.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 216.58.213.10:443 | tcp |
Files
/data/data/com.giraffe/no_backup/.flurryNoBackup/installationNum
| MD5 | 453064760b95c70e7040b5e0fdd414e1 |
| SHA1 | 29ee6395118a896fc47c7f5f48b03789a4cd2880 |
| SHA256 | 204a9040cb473f9f222d531bb6790659ce2c8179c8edfcbc48dc1013343ae891 |
| SHA512 | 84f56dfe352d8686aaf8492155b0481aa0911e39a546e1b2735b9655b47ff5c10ea8960167ece78d6f6f2b59d8d264fd89e30fab55b43d270b8afe6b7f57c0c7 |
/storage/emulated/0/booster/jph-1/logs.txt
| MD5 | e157011c38c8fe958bde3c48dc47fb68 |
| SHA1 | 300ab0fcdfd8d154baab8736a059d1d636470e76 |
| SHA256 | 9d66f8a86c3cf91d539361f35740dcdd35289ab439107afdc009fd7dad763fef |
| SHA512 | 4c42ec43a452a1d730ba02b3c09a4464e692426c24c108e9ec4f9bc70f2305626fef7d2e05588b2a23b97a12a647ea8d8df3c865f7e1a2ccbd40c9233e145bad |
/storage/emulated/0/Android/data/com.giraffe/files/tbslog/tbslog.txt
| MD5 | f8c98b78b0ec41ca5c37ee0a182f04bb |
| SHA1 | f5d7d3b8988fb69e3275d2fa509b208a735dc699 |
| SHA256 | f2651da3d58c028f1f2168299dc607522a7f36a2f32e30f3657d50ec5726772b |
| SHA512 | a5feea7edf77ba615d5542cf9da22eab11a7f64737d9d1cc039a181c72f41227364f7fc2fa9c449a32f4afbdfb3a3d3fc690087aab6ca928ee9fb30262396f05 |
/data/data/com.giraffe/vars/--_KEY_IS_FIRST_RUN
| MD5 | b026324c6904b2a9cb4b88d6d61c81d1 |
| SHA1 | e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e |
| SHA256 | 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865 |
| SHA512 | 3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686 |
/storage/emulated/0/.taobao_android
| MD5 | 2106ae0b052f7d190ae276f933f82798 |
| SHA1 | 90a3afbfc46135a11143c0a0a3654cee4c7719de |
| SHA256 | 58699806d4a0633eb924e6d6176084ac7a3b5502afddce35d0a13b4f7af2de9f |
| SHA512 | 3bbf5319e40b682fe956ed38d76dcdd001e06f8d46ca9a1970f598eedba4088cad0ab254860bf48835dcf943ee20436def7ac0fa1525b47acb5d4245b68b4ec1 |
/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/42/mguTjNQFO7VHbU7fYBQmrGg6oQo.5095300306742997371.tmp
| MD5 | 7e3d314f8dd21e6fb5f8b55ec39f8e0e |
| SHA1 | fad0b0fe4bea3c3a139cfc9fbda1cde115773863 |
| SHA256 | 1dcc07775ef64ccf80673a8193f0ea6dc84f6c218b5ffb2e46e7cefbcd83d72e |
| SHA512 | 9419480e210b6152b19592a7b460d05d61a1fb733a47455497e5e37e1ef3e5b8c069c8d0d8b6c0506325aa556686e3bad0e649a4a0995c7612948351a593b373 |
/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/56/GjKnN6pIAnJT-b9_dn2sUpplttk.3137934713136608956.tmp
| MD5 | 36af8374aae849ff6e967aca569b3a58 |
| SHA1 | 8df61c7a6a96b5d23b8ac019e591463f48f7e980 |
| SHA256 | f8235282ce7b39b4823d9a0787f99bc7e5bbd13c9bdba674946f188c28ada0ef |
| SHA512 | e7669f34bbe11abf647f99b505b428176c0d8671c0205e91ea04be693818ebfec5c514dc947e4d5b4d79f309bc1053b45b22bc0229312e11199b241cd5794896 |
/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/38/QDhhNmQzXkIwhrUx94xwlHB_1LM.5067086357263520923.tmp
| MD5 | 0843fcb40708c6357174b4e0959315bc |
| SHA1 | 85123119e340b8da8f62972f6ce69e4f93c60f72 |
| SHA256 | cc558b2319a15983614a4408d29b9903634750460ca588ee55cb5f0997bde1dd |
| SHA512 | 03bf9188050e678d00ca2cd662f944550c4e610e9a4d92ad189a4b7d51807103b5f02d886c9569057097dfae08ac9840800531b1d56aa465589f91e4f4b3de20 |
/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/18/8LkT_NCux7pts7vxUyPEbzdkd78.5443611869783972282.tmp
| MD5 | 1598b0ac6b85d0143924799c88a826c5 |
| SHA1 | 263d82aa6f84a1f3c2714628d2dcd3f17e44441e |
| SHA256 | 106c82a044129505a06428c87bdf132f7ce5fb14aabcbfb8af1deacd5f334663 |
| SHA512 | b638f19407b4e3f4a987577e4708defefed28791d55c40cc6b792a6ca3dd0443152e317441f9acbacd58a80e0635193241ea166669a88a06ccbfeca1df52141d |
/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/83/8ZtMl4fKdGxizt13ueYTbbMiUho.6473013054237698618.tmp
| MD5 | fa055269e04bf87f735d1a77ce925dd1 |
| SHA1 | 2fd8d89227bc3b8d2681f3179bd24f56aa11ce2d |
| SHA256 | 632f5cfc15e6d3e01248b555633c76083d238ecc6dad2cc36605bf9c1198b9f4 |
| SHA512 | a1491624efe2f91ed0e1eb6bac627c5b600e72c738eec1e27243fbddd8b2377233a39b8c374110fd058aded322b062b10e71e75ad421529c7b2dc5a454bbecfc |