Analysis Overview
SHA256
4b20bf30e3f1a2acca6d5f1afdf4775eab72da7e1c9ba58d551b91fac4fd3aa6
Threat Level: Likely malicious
The file b72d2fc730fd7eaf0b922624adcfa91f was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Requests dangerous framework permissions
Acquires the wake lock
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-06 10:18
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
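The permission list above is what the static1 signature fired on. As an added example (not part of the sandbox report or the sample), the script below shows how to reproduce that check offline from a decoded AndroidManifest.xml: it parses the manifest, intersects the requested permissions with the set listed above, groups them into the capabilities a surveillance app needs, and locates the MAIN/LAUNCHER activity that the behavioral signature "Removes its main activity from the application launcher" would later disable. The manifest is constructed to mirror the report; the activity name `.MainActivity`, the grouping and the five-group threshold are this example's own assumptions.

```python
"""Static permission triage of an Android manifest (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Exactly the permissions the report's static1 signature lists.
DANGEROUS = {
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.WRITE_SETTINGS",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Capability groups (assumption of this example): one permission per group
# is enough to count the group as present.
SURVEILLANCE_GROUPS = {
    "audio": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "messages": {"android.permission.READ_SMS"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.PROCESS_OUTGOING_CALLS"},
    "contacts": {"android.permission.READ_CONTACTS",
                 "android.permission.GET_ACCOUNTS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}


def audit_manifest(xml_text: str) -> dict:
    """Return requested dangerous permissions, capability groups and launcher
    activities for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    dangerous = sorted(requested & DANGEROUS)
    groups = sorted(g for g, perms in SURVEILLANCE_GROUPS.items()
                    if requested & perms)

    # The activity the launcher-hiding behaviour would target is the one
    # carrying the MAIN action plus the LAUNCHER category.
    launcher = []
    for act in root.iter("activity"):
        for flt in act.iter("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in flt.iter("action")}
            cats = {c.get(NAME_ATTR) for c in flt.iter("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                name = act.get(NAME_ATTR)
                launcher.append(pkg + name if name.startswith(".") else name)

    return {
        "package": pkg,
        "dangerous": dangerous,
        "surveillance_groups": groups,
        "launcher_activities": launcher,
        # Threshold is an assumption: 5 of 7 groups reads as spyware-like.
        "verdict": "spyware-like" if len(groups) >= 5 else "review",
    }


# Constructed manifest mirroring the report's permission set; the activity
# name is a placeholder, not taken from the sample.
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="%s" package="com.tencent.system">\n' % ANDROID_NS
    + "".join(f'  <uses-permission android:name="{p}"/>\n' for p in sorted(DANGEROUS))
    + '  <application>\n'
    '    <activity android:name=".MainActivity">\n'
    '      <intent-filter>\n'
    '        <action android:name="android.intent.action.MAIN"/>\n'
    '        <category android:name="android.intent.category.LAUNCHER"/>\n'
    '      </intent-filter>\n'
    '    </activity>\n'
    '  </application>\n'
    '</manifest>\n'
)

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

On a real APK the manifest is binary XML; decode it first (for example with apktool or androguard) and feed the resulting text to `audit_manifest`. The launcher-activity lookup is the static half of the check: whether the app actually hides that component is only visible at runtime, which is why the report records it under behavioral1.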
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-06 10:18
Reported
2024-03-06 10:20
Platform
android-x86-arm-20240221-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Processes
com.tencent.system
    chmod 777 /data/data/com.tencent.system/files/xtech_app
    chmod 777 /data/data/com.tencent.system/files/daemon
com.tencent.system:process1
com.tencent.system:checkroot
    su -c id
com.tencent.system:checkroot
    su -c id
com.tencent.system:checkroot
    su -c id
com.tencent.system:checkroot
    su -c id
com.tencent.system:checkroot
    su -c id
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp |
| CN | 124.117.238.231:19989 | | tcp |
| GB | 142.250.200.14:443 | | tcp |
| GB | 142.250.200.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 216.58.213.10:443 | semanticlocation-pa.googleapis.com | tcp |
| CN | 124.117.238.231:19989 | | tcp |
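The behavioral1 Signatures, Processes and Network sections together give the runtime picture: dropped native binaries made world-writable with `chmod 777`, a `:checkroot` process probing for root with `su -c id`, a wake lock to stay resident, and a TCP connection to a bare IP on port 19989 with no preceding DNS lookup, which stands out against the Google traffic on 443. As an added example (not part of the sandbox report), the script below encodes those observations as triage rules and runs them over a constructed event list transcribed from the three sections above. Event field names, the rule names and the "uncommon port plus no domain" heuristic are this example's own assumptions.

```python
"""Behavioural triage over sandbox process, framework-call and network
events (added example; the event list is constructed from the report)."""
import ipaddress
import re
from collections import Counter

CHMOD_RE = re.compile(r"^chmod\s+([0-7]{3,4})\s+(\S+)$")
NET_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+)(?:\s+(\S+))?$")
COMMON_PORTS = {53, 80, 443}  # assumption: ports not flagged on their own


def classify_process(cmd: str):
    """Flag world-writable drops inside the app sandbox and su-based root checks."""
    m = CHMOD_RE.match(cmd)
    if m:
        mode, path = int(m.group(1), 8), m.group(2)
        # 0o002 is the world-write bit; 777 sets it.
        if mode & 0o002 and path.startswith("/data/data/"):
            return "world_writable_drop"
    if cmd == "su" or cmd.startswith("su "):
        return "su_root_check"
    return None


def classify_call(api: str):
    """The wake-lock signature in the report maps to this framework call."""
    return "wake_lock" if api.endswith("IPowerManager.acquireWakeLock") else None


def classify_net(endpoint: str):
    """Flag unicast endpoints with no resolved domain on an uncommon port."""
    m = NET_RE.match(endpoint)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group(1))
    port, domain = int(m.group(2)), m.group(3)
    if ip.is_multicast or domain or port in COMMON_PORTS:
        return None
    return "c2_candidate"


def triage(events):
    """Return per-rule hit counts and a de-duplicated list of C2 candidates."""
    counts, c2 = Counter(), []
    for ev in events:
        if ev["kind"] == "proc":
            tag = classify_process(ev["cmd"])
        elif ev["kind"] == "call":
            tag = classify_call(ev["api"])
        else:
            tag = classify_net(ev["endpoint"])
        if tag:
            counts[tag] += 1
            if tag == "c2_candidate" and ev["endpoint"] not in c2:
                c2.append(ev["endpoint"])
    return {"counts": dict(counts), "c2_candidates": c2}


# Constructed from the Processes, Signatures and Network sections above.
EVENTS = [
    {"kind": "proc", "proc": "com.tencent.system",
     "cmd": "chmod 777 /data/data/com.tencent.system/files/xtech_app"},
    {"kind": "proc", "proc": "com.tencent.system",
     "cmd": "chmod 777 /data/data/com.tencent.system/files/daemon"},
    {"kind": "call", "proc": "com.tencent.system",
     "api": "android.os.IPowerManager.acquireWakeLock"},
] + [{"kind": "proc", "proc": "com.tencent.system:checkroot", "cmd": "su -c id"}] * 5 + [
    {"kind": "net", "proto": "udp", "endpoint": "224.0.0.251:5353"},
    {"kind": "net", "proto": "udp", "endpoint": "1.1.1.1:53 semanticlocation-pa.googleapis.com"},
    {"kind": "net", "proto": "tcp", "endpoint": "142.250.178.10:443 semanticlocation-pa.googleapis.com"},
    {"kind": "net", "proto": "tcp", "endpoint": "124.117.238.231:19989"},
    {"kind": "net", "proto": "tcp", "endpoint": "142.250.200.14:443"},
    {"kind": "net", "proto": "tcp", "endpoint": "142.250.200.14:443"},
    {"kind": "net", "proto": "udp", "endpoint": "1.1.1.1:53 android.apis.google.com"},
    {"kind": "net", "proto": "tcp", "endpoint": "172.217.16.238:443 android.apis.google.com"},
    {"kind": "net", "proto": "tcp", "endpoint": "216.58.213.10:443 semanticlocation-pa.googleapis.com"},
    {"kind": "net", "proto": "tcp", "endpoint": "124.117.238.231:19989"},
]

if __name__ == "__main__":
    print(triage(EVENTS))
```

The network rule is deliberately narrow: it does not allowlist Google by name, it only asks whether a unicast connection was preceded by a DNS answer and whether the port is one the platform itself uses. On this report that leaves exactly one endpoint, 124.117.238.231:19989, which is the one worth blocking and hunting for; the 142.250.200.14:443 connections without a domain column are not flagged because port 443 alone is not a signal.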
Files
/data/data/com.tencent.system/files/busybox
| MD5 | 38051de1af7c11f138c3014fc5b4bbbf |
| SHA1 | 3975ff218a207c0dc603d7847ae19d277426ee61 |
| SHA256 | ce9ac842dda26190135c0e0b193772aafdd8f9c160055bed8f5853496a20a7fb |
| SHA512 | f8ffac05ead41e939b064b2df5f24f8f5e5ed27064a6a743e0a8b021f8d1cb2b402f715cecfc987f6c923002a23303701470af031a99dc43376f23f0ec030f4a |
/data/data/com.tencent.system/files/daemon
| MD5 | 552e94069a5730b29e719e47a12d5403 |
| SHA1 | 16d27fb95dc75bd1ac08dee18b68cfce9375b90c |
| SHA256 | 04164d2327a06ab507200cc3f8be9f4ad4fa93557c17606525eb046d0dd2c89e |
| SHA512 | 0020f6d31b056f4790ef818123d700a63e2389d1bf4593f717c4ffbab5d3d00f3f28b3fdb014072807c08b52b9f77e0b07479be3cf399cae221480ef47a2f5f4 |
/data/data/com.tencent.system/files/xtech
| MD5 | dab02e406ca86a984267e6466a27e5a1 |
| SHA1 | 137eb11ec78e34cd2c530d54bd406d44a679d29b |
| SHA256 | 5ec1c3dd8638a3f41500b859854c89641658237bdd93cd9b51e3fd0fad2e4cb7 |
| SHA512 | 0c10df727d14cf1d6ec16123a170f9271a8886abe259b0566385d30e4c0f0a38daf9e7f62a52365b2001e4ca9e0876fe965a9be7d5f751bf126419521a108d2d |
/data/data/com.tencent.system/files/xtech_app
| MD5 | 9c2bca7aed931c7be95210b22de655c5 |
| SHA1 | f543579faeb05c5141659a2f2ac8825107d8cc18 |
| SHA256 | 4dad9f19a430bc6a9a02a1fa55132b39fdd91899c3b493407ff9104bd250919b |
| SHA512 | bbf418aba9a97f8ffa0d4c2d96cb854add1dc33d1c32a7de38e67a16551d166295fc906c2eb0b56ddf023f1a36b35a970fef54d11c7b9def218f029b523777ff |