Analysis Overview
SHA256
d63a834a3187fae69e34c5a85fe147046a1252624b339591fea12f96b4d8d60f
Threat Level: Likely malicious
The file c09bc12ca7b36f922f0e5c5af136a78c was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Loads dropped Dex/Jar
Declares services with permission to bind to the system
Requests dangerous framework permissions
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-11 12:38
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-11 12:38
Reported
2024-03-11 12:40
Platform
android-x86-arm-20240221-en
Max time kernel
137s
Max time network
140s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar | N/A | N/A |
| N/A | /data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.lima.bjmfd.wsmfmedwuya
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/oat/x86/fields.odex --compiler-filter=quicken --class-loader-context=&
com.lima.bjmfd.wsmfmedwuya:RemoteProcess
getprop ro.miui.ui.version.name
com.lima.bjmfd.wsmfmedwuya:guard
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| GB | 172.217.169.10:443 | tcp |
Files
/data/data/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar
| MD5 | 07f164db880c1b6691b5c54862e9a3c4 |
| SHA1 | 6dd9102eff0b0134fb9bbafd0122bfae719565fd |
| SHA256 | 2e6db810857d45da5ea6f084812401401f0f7a2bd6e7c3a7a96c7d46995551fe |
| SHA512 | 46bec2510d5ed27d54248f32556d2b7969d0e2557f17fe2f1f6f18177e2dbfc42598cfe555d44b38a2bc2480212aec036f4a4df392ca39dafe09a830b03f93f9 |
/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar
| MD5 | 35926f0158766813027fbfe1ab5b1125 |
| SHA1 | 8f166af95ff940dc45b933462ee7ffdf30dd5d06 |
| SHA256 | 47a1ed442aa97ce2a6c313cbd64547cd506b809593745707d3fc9585f6a6c3f4 |
| SHA512 | b0fb1d19eedb27b3efda5354ac947db9ec89901d0f5c5b9a64325f2d74f4e11f5330f984bb9a9e5ad1c2d3abcd62e1516d94e7778d273ed5df51993dc9573ba3 |
/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar
| MD5 | c5a85e582687f87ae272d29669f86ac2 |
| SHA1 | 6a43b5324e2da8211ccaa66827b299d37eb9fa2f |
| SHA256 | 352258d4187366e7254fbd5aa8c80e8f89e31b41fe9e903ca5dac027ca3d04ec |
| SHA512 | d1183315453b6dcf1265694d8dcf45bbc2aa3d131dfa904a1ddf7b9f8d818d63a3d42d365f5f671c4c500c16ba98abb1131cb475299cc3805bec055d8a02f506 |
/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal
| MD5 | ee0a39457d15b0a4e9df2db193d26e91 |
| SHA1 | 89afa4b81452abc971c4fe1c1a23e0c9a13afec7 |
| SHA256 | 234ccee16bd3dd1960c234b61b5dc296dc67ef06f38c938d42d4e3c80b7af9dd |
| SHA512 | b7a41b9be2fd2ee350a8877ff75ce293b97cf66ff1bc92c318fea9f9f903531260577ef68ae0c78a5c253b0519e08c278e082aeda25ef1d80d6e78a11ce8d327 |
/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-wal
| MD5 | 1e671d8c9a4b599ddabf3e614229a704 |
| SHA1 | 820fb914f80b867d57046cee743441ea64827d81 |
| SHA256 | 9a1962fe865b903039478b1950ae8e822036ade3d266fe4d3c4e2616bd70943a |
| SHA512 | f29683eb587e4fe6e70c220ee1e3965724f02b1077c32ee124bb36d93730826ccce969e613d7e58e47db07c1c2ee6a37a8a9fc983026bf9bd79e1489ebe7708c |
/storage/emulated/0/Download/sdsid
| MD5 | b8c37e33defde51cf91e1e03e51657da |
| SHA1 | dd01903921ea24941c26a48f2cec24e0bb0e8cc7 |
| SHA256 | fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71 |
| SHA512 | e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-11 12:38
Reported
2024-03-11 12:40
Platform
android-x64-20240221-en
Max time kernel
153s
Max time network
147s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.lima.bjmfd.wsmfmedwuya
com.lima.bjmfd.wsmfmedwuya:RemoteProcess
com.lima.bjmfd.wsmfmedwuya:guard
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 142.250.178.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 216.58.201.100:443 | tcp | |
| GB | 216.58.201.100:443 | tcp | |
| GB | 172.217.169.78:443 | tcp | |
| GB | 142.250.200.34:443 | tcp | |
| GB | 216.58.213.10:443 | tcp |
Files
/data/data/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar
| MD5 | 07f164db880c1b6691b5c54862e9a3c4 |
| SHA1 | 6dd9102eff0b0134fb9bbafd0122bfae719565fd |
| SHA256 | 2e6db810857d45da5ea6f084812401401f0f7a2bd6e7c3a7a96c7d46995551fe |
| SHA512 | 46bec2510d5ed27d54248f32556d2b7969d0e2557f17fe2f1f6f18177e2dbfc42598cfe555d44b38a2bc2480212aec036f4a4df392ca39dafe09a830b03f93f9 |
/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar
| MD5 | 35926f0158766813027fbfe1ab5b1125 |
| SHA1 | 8f166af95ff940dc45b933462ee7ffdf30dd5d06 |
| SHA256 | 47a1ed442aa97ce2a6c313cbd64547cd506b809593745707d3fc9585f6a6c3f4 |
| SHA512 | b0fb1d19eedb27b3efda5354ac947db9ec89901d0f5c5b9a64325f2d74f4e11f5330f984bb9a9e5ad1c2d3abcd62e1516d94e7778d273ed5df51993dc9573ba3 |
/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal
| MD5 | d0d0ba26ac021e6368c1f39600f1d908 |
| SHA1 | 01373966a4e94f140c02732f997f5ba0ce4cd954 |
| SHA256 | 849661603b1097144a9688b750f1db1e4b7145b468d7ba200a298183ca81e22d |
| SHA512 | 037bd58e63eb994694e0b1e08ed2af391f0134be3ae718323cc0b59f5c1e3a22856ecb4cf66b1b4a9c1fc315a9242f8f05cf540e74942ccc875e89770573307b |
/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya
| MD5 | 163b0e3f017becbc89b9d7f330b78f09 |
| SHA1 | 1ef9cd8ac8655190468d0ccece0a4738634ab0f9 |
| SHA256 | cf01452c3b494692386f6c5faac340eb3eb894bd416391002d56645aa8a9ea36 |
| SHA512 | 6a85a30d16fa58a4fbbb05d469778ee69ca79deaa74316ccb5be3ee07fdf78dde22e95db3edb1b88b18478e8747047445f85baaf9556b9a1e55d9a02a80baffd |
/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal
| MD5 | a4633ce94205a4f2d7ca649311fdbfb0 |
| SHA1 | 09138d8049aa4e2ee33581dbba9a88a6a8bf9909 |
| SHA256 | bd213ec5c652c5d1afd0fbe70d0e014b1d51adf3570ecc814fda650266eea8ac |
| SHA512 | 290467cb44883ce28bb693048d4c770bfb9f52e51def7b39fac8df811fa061ea86bc3460ecac9018d3f7542cf8d29a4947dfeb1f85b2519b58b01538b08a91c6 |
/data/data/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal
| MD5 | 3184e8d74a73318e248999c14d52fcca |
| SHA1 | a8f33646f96ea99e787303343d2377ce01c90439 |
| SHA256 | eb29bf80eae393a2441631ce9fea87d102f41b2e01a69401fb9af875ba3c9e97 |
| SHA512 | e5462b5573b1d32c2deab881e428a0cd32269f37aa152d65e09f264586e01b5550ef000a0f9b9e2bd678f76401c3e1a621f042529042327189c5fd212081c1a5 |
/storage/emulated/0/Download/sdsid
| MD5 | b8c37e33defde51cf91e1e03e51657da |
| SHA1 | dd01903921ea24941c26a48f2cec24e0bb0e8cc7 |
| SHA256 | fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71 |
| SHA512 | e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7 |
/data/data/com.lima.bjmfd.wsmfmedwuya/app_tfile/oat/fields.jar.cur.prof
| MD5 | 55a4a53784369c527cafb31ca5fa625d |
| SHA1 | 8e7dbf092ab840d6365b76faa57d04e9272174e9 |
| SHA256 | 20872e83b6189b0545fb4b2a317c8adecc0a57474d04fd03e6e35eb52fc2d36f |
| SHA512 | 16cf958a4016a0e3eab6f4feb153a3517b9295f13497dc0a04a753c7af3959452197d63495d488800b5ee6afe7a85ba69cb035ae804259b665953ce872b24b48 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-11 12:38
Reported
2024-03-11 12:40
Platform
android-x64-arm64-20240221-en
Max time kernel
149s
Max time network
145s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.lima.bjmfd.wsmfmedwuya
com.lima.bjmfd.wsmfmedwuya:RemoteProcess
com.lima.bjmfd.wsmfmedwuya:guard
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.200.10:443 | udp | |
| GB | 142.250.200.14:443 | udp | |
| GB | 142.250.200.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.213.8:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 142.250.200.4:443 | tcp | |
| GB | 142.250.200.4:443 | tcp |
Files
/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar
| MD5 | 07f164db880c1b6691b5c54862e9a3c4 |
| SHA1 | 6dd9102eff0b0134fb9bbafd0122bfae719565fd |
| SHA256 | 2e6db810857d45da5ea6f084812401401f0f7a2bd6e7c3a7a96c7d46995551fe |
| SHA512 | 46bec2510d5ed27d54248f32556d2b7969d0e2557f17fe2f1f6f18177e2dbfc42598cfe555d44b38a2bc2480212aec036f4a4df392ca39dafe09a830b03f93f9 |
/data/user/0/com.lima.bjmfd.wsmfmedwuya/app_tfile/fields.jar
| MD5 | 35926f0158766813027fbfe1ab5b1125 |
| SHA1 | 8f166af95ff940dc45b933462ee7ffdf30dd5d06 |
| SHA256 | 47a1ed442aa97ce2a6c313cbd64547cd506b809593745707d3fc9585f6a6c3f4 |
| SHA512 | b0fb1d19eedb27b3efda5354ac947db9ec89901d0f5c5b9a64325f2d74f4e11f5330f984bb9a9e5ad1c2d3abcd62e1516d94e7778d273ed5df51993dc9573ba3 |
/data/user/0/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal
| MD5 | 50bb6eb6d7ff818049c7d9535e6524ca |
| SHA1 | 99e918ef106bdb50373d98e7f3ee002cf1865506 |
| SHA256 | c48025d42ca028520c8becffc6e5d4700ba1a706f9861a3113b20bcea0c58e53 |
| SHA512 | 8917c866ce85b4f603b3978e9c6396794cb6e3ea90e60cc412aa9d18f16b1aa7661d6160f774a607d02743a102157bbbf67e1518d9314a25f81477de27883d71 |
/data/user/0/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya
| MD5 | f41f531c07d4141546a531ff9caffdcd |
| SHA1 | 9dcac5aed06972d0ff6bd4cc1f1cdff85b36d3f5 |
| SHA256 | bb8dee5b5c3779f175abbd142722eb0022b98d374783aa80145b34614a4de646 |
| SHA512 | e0c8d1a820cb4c098e45776e8b50ea8c83944ef2e3f005cb0acbfc07688974d370f78100ae022f62564fc4c12acfdc43b710c18ca1c30f4f575bc08b9b12d2d4 |
/data/user/0/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal
| MD5 | a036b665b3ed155ff1e9446cadf483ec |
| SHA1 | f00cf88b84ab3aa7eeca80ee558db47aea4f2a18 |
| SHA256 | 3c78da761ae75a2d725803b9b08fcc606ec7da8d68e5c5e797d1f599e2d6c1e1 |
| SHA512 | 725d025beae798e9d64a9092b3977ffd44ee9e0f04720fe08b2052193bf51b5d7c2ced6f57424da6c3603dae3e2fcba82f6109b31f35a9efe4bf358ea55d06da |
/data/user/0/com.lima.bjmfd.wsmfmedwuya/databases/tbcom.lima.bjmfd.wsmfmedwuya-journal
| MD5 | 337490f91f7289ff503230a52aa64a30 |
| SHA1 | e6ebd753bde248bfe52aca812baa44874cb53044 |
| SHA256 | c7fbaa18a9685d16e0c8680ebfd24bd70f9c45b68973c99c6b7db72a3495b820 |
| SHA512 | 54fd2772053c1bca81a00aef5e780cc94a82af1adc5b94691a15ac9bf09f84f3ff9b92ee2328905c351166fd2b9d60aebe6e627c2e1e886bcf286a16b2320f3f |
/storage/emulated/0/Download/sdsid
| MD5 | b8c37e33defde51cf91e1e03e51657da |
| SHA1 | dd01903921ea24941c26a48f2cec24e0bb0e8cc7 |
| SHA256 | fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71 |
| SHA512 | e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7 |