Analysis Overview
SHA256
0f548db33ca237a4b6ccc8c3ce9ea5a1f2470f5ef42222474131f66bb3c4660e
Threat Level: Likely malicious
The file b25a4b632098db2aa0a075bda3958b27 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Loads dropped Dex/Jar
Declares services with permission to bind to the system
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-04 14:24
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-04 14:24
Reported
2024-03-04 14:27
Platform
android-x86-arm-20240221-en
Max time kernel
7s
Max time network
138s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
com.coderzheaven.englishtenses
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.201.110:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-04 14:24
Reported
2024-03-04 14:27
Platform
android-x64-20240221-en
Max time kernel
7s
Max time network
154s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
com.coderzheaven.englishtenses
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 216.58.213.4:443 | tcp | |
| GB | 216.58.213.4:443 | tcp | |
| GB | 142.250.178.14:443 | tcp | |
| GB | 216.58.212.226:443 | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-04 14:24
Reported
2024-03-04 14:27
Platform
android-x64-arm64-20240221-en
Max time kernel
7s
Max time network
140s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.coderzheaven.englishtenses/cache/1886048100/995207931.jar | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.coderzheaven.englishtenses
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | tcp | |
| GB | 142.250.180.14:443 | tcp | |
| GB | 142.250.180.14:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.213.10:443 | udp | |
| GB | 142.250.200.46:443 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp |
Files
/data/user/0/com.coderzheaven.englishtenses/cache/1886048100/995207931.jar
| MD5 | b07ffe0320cf0e17d339c0acf602827b |
| SHA1 | 17ba68e36b05031b4347f9944ed5c7aca7a9ab49 |
| SHA256 | 3316464c72617dd76bd25c2b9317a933df16e0a6106ccf04f784d00f89f93300 |
| SHA512 | ebd788c85442b723b9f6f48597b8388ee8ae655afb30cf53573e52a89563085b523f8d24f3aa2ceee80b5fa744a2984033a2a7731de2020b0606b289b3be07e1 |
/data/user/0/com.coderzheaven.englishtenses/cache/1886048100/995207931.jar
| MD5 | 49d1df425360d08325642cd98a6ed502 |
| SHA1 | 45608a5882909560ba790c78132e868890beb2f5 |
| SHA256 | fba2086e98188153fd7fad31fea508b19d454a74314a532c5f287fa374bb6032 |
| SHA512 | 4ec0c2d834e4ebf8807214a2f7de12e4d02be4fa22b0b32faac965859ab56488772db36d72320d77aac4f8daa56fe58237f09d60c4830d862ba8243ec2a9750e |