Malware Analysis Report

2025-08-11 06:04

Sample ID 240222-wdtnzsdc3y
Target ay_1000.apk
SHA256 8c4a2a5b5b55e5eb9fa279a316d678878958b7ee4ba69706d6d9c09e27cd7bed
Tags: discovery
Score: 6/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 6/10

SHA256: 8c4a2a5b5b55e5eb9fa279a316d678878958b7ee4ba69706d6d9c09e27cd7bed

Threat Level: Shows suspicious behavior

The file ay_1000.apk was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery

  Declares services with permission to bind to the system
  Requests dangerous framework permissions
  Reads information about phone network operator
  Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-22 17:48

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A
Required by quick settings tile services to bind with the system. Allows apps to add custom tiles to the quick settings menu. | android.permission.BIND_QUICK_SETTINGS_TILE | N/A | N/A
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-22 17:48
Reported: 2024-02-22 17:50
Platform: android-x86-arm-20240221-en
Max time kernel: 68s
Max time network: 82s

Command Line

com.giraffe

Signatures

Reads information about phone network operator

Tags: discovery

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
----------- | --------- | ------- | ------
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.giraffe

Network

Country | Destination | Domain | Proto
------- | ----------- | ------ | -----
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | wxstat.com | udp
CN | 47.102.184.251:8080 | | tcp
HK | 27.124.21.144:8091 | 27.124.21.144 | tcp
CN | 119.122.10.2:80 | | tcp
HK | 172.247.174.180:8080 | 172.247.174.180 | tcp
CN | 183.6.28.6:8080 | | tcp
US | 1.1.1.1:53 | cfg.imtt.qq.com | udp
HK | 43.135.106.117:443 | cfg.imtt.qq.com | tcp
US | 1.1.1.1:53 | x1.goofficex.com | udp
US | 1.1.1.1:53 | z1.goofficez.com | udp
HK | 172.247.174.178:443 | z1.goofficez.com | tcp
HK | 27.124.21.135:443 | x1.goofficex.com | tcp
HK | 27.124.21.135:443 | x1.goofficex.com | tcp
US | 1.1.1.1:53 | log.tbs.qq.com | udp
HK | 27.124.21.135:443 | x1.goofficex.com | tcp
HK | 129.226.107.80:443 | log.tbs.qq.com | tcp
HK | 27.124.21.135:443 | x1.goofficex.com | tcp
HK | 27.124.21.135:443 | x1.goofficex.com | tcp
HK | 27.124.21.135:443 | x1.goofficex.com | tcp
HK | 27.124.21.135:443 | x1.goofficex.com | tcp
HK | 27.124.21.135:443 | x1.goofficex.com | tcp
HK | 43.135.106.117:443 | cfg.imtt.qq.com | tcp
US | 1.1.1.1:53 | s.outlook8.net | udp
HK | 195.130.202.136:443 | s.outlook8.net | tcp
HK | 195.130.202.136:443 | s.outlook8.net | tcp
HK | 195.130.202.136:443 | s.outlook8.net | tcp
GB | 142.250.200.14:443 | | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 216.58.213.10:443 | | tcp

Files

/data/data/com.giraffe/no_backup/.flurryNoBackup/installationNum


/storage/emulated/0/booster/jph-1/logs.txt


/storage/emulated/0/Android/data/com.giraffe/files/tbslog/tbslog.txt


/data/data/com.giraffe/vars/--_KEY_IS_FIRST_RUN


/storage/emulated/0/.taobao_android


/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/42/mguTjNQFO7VHbU7fYBQmrGg6oQo.5095300306742997371.tmp


/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/56/GjKnN6pIAnJT-b9_dn2sUpplttk.3137934713136608956.tmp


/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/38/QDhhNmQzXkIwhrUx94xwlHB_1LM.5067086357263520923.tmp


/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/18/8LkT_NCux7pts7vxUyPEbzdkd78.5443611869783972282.tmp


/storage/emulated/0/booster/http-image-cache/images-new/v2.ols100.1/83/8ZtMl4fKdGxizt13ueYTbbMiUho.6473013054237698618.tmp
