Analysis Overview
SHA256
7c6000a4724f1c7c0b2d577e4c94f0cb494b7e65d901d1b7de66f9e1dd368929
Threat Level: Likely malicious
The file c248c63c7832ca58587b1453b5a46d20 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Loads dropped Dex/Jar
Reads information about phone network operator.
Declares services with permission to bind to the system
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-12 02:59
Signatures
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-12 02:59
Reported
2024-03-12 03:02
Platform
android-x64-20240221-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.osaka.qwmqqfq.ctipfreq
com.osaka.qwmqqfq.ctipfreq:RemoteProcess
com.osaka.qwmqqfq.ctipfreq:guard
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 142.250.178.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 216.58.213.4:443 | tcp | |
| GB | 216.58.213.4:443 | tcp | |
| GB | 142.250.178.14:443 | tcp | |
| GB | 216.58.212.226:443 | tcp |
Files
/data/data/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar
| MD5 | cceb8db3b057d24673d49eda229e9892 |
| SHA1 | b18f6353b2156410249079a3b7b86ef3a530e8ee |
| SHA256 | e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97 |
| SHA512 | 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57 |
/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar
| MD5 | 73b11c4c10150bbd4f29ad012dc11dde |
| SHA1 | 65c83ad32c29f9811c32eda75d7fcdc92ef42dda |
| SHA256 | 52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da |
| SHA512 | 3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01 |
/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal
| MD5 | 60c46befb03aa5318f7ba102400d055b |
| SHA1 | d9bf1c22615ab3da3ebc2772032d5efbf5534227 |
| SHA256 | d5137ca5dfb726ffaebf75bf5fd85ab33978d60aaf3dbfc7301659702657d22e |
| SHA512 | d910800595c105adabff025d23c774c1b5f831a50a38b346a6d0dd1f3995d84be9e9df0c900e4dc4c7220592e0e0f462a5641d6d9f73bf7a89f630afde1353fc |
/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq
| MD5 | 163b0e3f017becbc89b9d7f330b78f09 |
| SHA1 | 1ef9cd8ac8655190468d0ccece0a4738634ab0f9 |
| SHA256 | cf01452c3b494692386f6c5faac340eb3eb894bd416391002d56645aa8a9ea36 |
| SHA512 | 6a85a30d16fa58a4fbbb05d469778ee69ca79deaa74316ccb5be3ee07fdf78dde22e95db3edb1b88b18478e8747047445f85baaf9556b9a1e55d9a02a80baffd |
/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal
| MD5 | 05397d0ee45b65bf118b1464b614efa1 |
| SHA1 | c4cb294f97daabd1c2b622f0c6930c72cdc05fdf |
| SHA256 | d1e4847e52faff855287a4d8c5a2553f225f5aae00fbe6f9d77d6e318215693a |
| SHA512 | 5763902a9812dcb395d589a7ff71d917a95ac127fe1985a3724ce778c2f272e14e1869f48cf0f94cd636da1144a3d6f3fc752d5b14e97d1b85337ae96ffccd87 |
/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal
| MD5 | b491d94915ae5bdb814f19800249b53b |
| SHA1 | 412519868ae27fc797d8838645c795202e3edf5a |
| SHA256 | 71527be13748f80bc4bc2de9f50bba82f52ae132083dd6dd855c90764f945b55 |
| SHA512 | d6b346a04570dc09aa41e41947dafa0382acdc482852d21b3d5aa655aec2e38eb1b41b2fcadc35536e9462d5ef421693d7e586e4c9c58c4e34b53bf6cb9ca929 |
/storage/emulated/0/Download/sdsid
| MD5 | b8c37e33defde51cf91e1e03e51657da |
| SHA1 | dd01903921ea24941c26a48f2cec24e0bb0e8cc7 |
| SHA256 | fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71 |
| SHA512 | e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7 |
/data/data/com.osaka.qwmqqfq.ctipfreq/app_tfile/oat/fields.jar.cur.prof
| MD5 | 6de41202d76cfb91657a014430e7f33d |
| SHA1 | 1c066a98ee1dae3493881522b42a6978ef72ffee |
| SHA256 | 51491488aa5999f64c4d74c50676559497e9890b2a3978cdc8f07dc782e945ec |
| SHA512 | 765ef4f4ca7a832af8677b8cb38b705a5cf809b6d321f7d86bcb03471d5e55d8c9b8dc04dbad9f89b10febd5e87b29d29e1bd36fa91259ba00ea863ad1225236 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-12 02:59
Reported
2024-03-12 03:02
Platform
android-x64-arm64-20240221-en
Max time kernel
154s
Max time network
132s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.osaka.qwmqqfq.ctipfreq
com.osaka.qwmqqfq.ctipfreq:RemoteProcess
com.osaka.qwmqqfq.ctipfreq:guard
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.46:443 | tcp | |
| GB | 142.250.200.46:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.179.234:443 | udp | |
| GB | 172.217.169.46:443 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 216.58.212.228:443 | tcp | |
| GB | 216.58.212.228:443 | tcp |
Files
/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar
| MD5 | cceb8db3b057d24673d49eda229e9892 |
| SHA1 | b18f6353b2156410249079a3b7b86ef3a530e8ee |
| SHA256 | e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97 |
| SHA512 | 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57 |
/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar
| MD5 | 73b11c4c10150bbd4f29ad012dc11dde |
| SHA1 | 65c83ad32c29f9811c32eda75d7fcdc92ef42dda |
| SHA256 | 52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da |
| SHA512 | 3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01 |
/data/user/0/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal
| MD5 | 68c383cf86a1d3d15b29fe3f6d565dc0 |
| SHA1 | e6fe87b01f5ab96f19554f46c729d5b964d2fb25 |
| SHA256 | 8f394aabfb3411ebbe5f8e44a06fc2982d8492c15aa3de38088f149016743ab2 |
| SHA512 | 2ce306cfa7d665d7fcccef10c1bef7e93c056fa3380979cb350abd486c71385fc790b914b8f30781ff61a05f8ba0eac6c29a1ac044579abb0e20700e1a74dd31 |
/data/user/0/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq
| MD5 | f41f531c07d4141546a531ff9caffdcd |
| SHA1 | 9dcac5aed06972d0ff6bd4cc1f1cdff85b36d3f5 |
| SHA256 | bb8dee5b5c3779f175abbd142722eb0022b98d374783aa80145b34614a4de646 |
| SHA512 | e0c8d1a820cb4c098e45776e8b50ea8c83944ef2e3f005cb0acbfc07688974d370f78100ae022f62564fc4c12acfdc43b710c18ca1c30f4f575bc08b9b12d2d4 |
/data/user/0/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal
| MD5 | a60b5e5c1dd5eaaa5bfd55219d9ee8ca |
| SHA1 | 875456d3089b5e2de8665e1f65b47318ed140dbb |
| SHA256 | 28bcbf977ac76f873fd4fc7b7714af95cbcf078e0885e7a5be84ac0ce36db2cd |
| SHA512 | 28b2e658be7e82f3998cd5b282a028ddb715c1b7f2b2a8a953eefce7a73342b34a69e912fd64710dde2837f933b496f0fa1082f01f978526375b35d1ad953c14 |
/data/user/0/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal
| MD5 | 34e44315ced64d9dff09dc266dcf1cfb |
| SHA1 | fc5be1d1b4d9a5596433778c2d8aeef9a18c38ca |
| SHA256 | bf882a5c4a2e105bdc3b2ad167389206c97192462c2429b2976cd212ad83ead6 |
| SHA512 | 48a6a1265359a562f5ff6c1d74598b9a677e7555af83fe37425890008f5a8283abeaee5ddd83d0f0fb56401071d6d46e864bfaf1731cf541d30538d519378004 |
/storage/emulated/0/Download/sdsid
| MD5 | b8c37e33defde51cf91e1e03e51657da |
| SHA1 | dd01903921ea24941c26a48f2cec24e0bb0e8cc7 |
| SHA256 | fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71 |
| SHA512 | e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-12 02:59
Reported
2024-03-12 03:02
Platform
android-x86-arm-20240221-en
Max time kernel
147s
Max time network
130s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar | N/A | N/A |
| N/A | /data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.osaka.qwmqqfq.ctipfreq
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/oat/x86/fields.odex --compiler-filter=quicken --class-loader-context=&
com.osaka.qwmqqfq.ctipfreq:RemoteProcess
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | api.adsnative123.com | udp |
| GB | 142.250.178.14:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.14:443 | android.apis.google.com | tcp |
Files
/data/data/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar
| MD5 | cceb8db3b057d24673d49eda229e9892 |
| SHA1 | b18f6353b2156410249079a3b7b86ef3a530e8ee |
| SHA256 | e900cb4c3fe9d8f45196a7457e9645c65b0f3cde820f4161950252cff67a4d97 |
| SHA512 | 4a42cde3165a706e823caa1362001ed8aa647caf22325a4f2554c64fc4ebcd79afe44fe5eab5474221806f26e7aca9d2901026de6e597ef62fe867f123e4bd57 |
/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar
| MD5 | 73b11c4c10150bbd4f29ad012dc11dde |
| SHA1 | 65c83ad32c29f9811c32eda75d7fcdc92ef42dda |
| SHA256 | 52132037e9b950a9cb48d6374ee2c6747a6bfe776e13a726395771f1b40ee9da |
| SHA512 | 3e53b1ee22a00e60896da86d2695195e0965c93d190c4d1c0dba2eb5c611d670ee7693a9f8756858255e2b170cb82a753719dd4d6a827af437309b7a1dcc6f01 |
/data/user/0/com.osaka.qwmqqfq.ctipfreq/app_tfile/fields.jar
| MD5 | 4654f352b1b2095d54e0945af0e3948c |
| SHA1 | 4819b9827e70025c72a74869a85c996d92603931 |
| SHA256 | 71c5cdeeaea45916c993908370cb7b1d60911d8e233dc9d1def0e75915e4548e |
| SHA512 | a58ba607dbdb9af50beb9bec719e24c7d4e457e6bd9a6ef71460b0ee629f002788ac8a93d2d18728304c695fca3ac000138f19427c064cd66c628dab8a839ce3 |
/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-journal
| MD5 | b20b796013f67e1a3c0b9ca2a8db6c98 |
| SHA1 | c1de77674c0f2bebf301a19f95c3a40ee405f824 |
| SHA256 | d2050ce12017bb20d480161b523620d6bd82634e46b92a6e685a08c45f16c3b6 |
| SHA512 | 2e10f5b0ae24f41d639d175f60e90855a0b966d11662abb9f14be430993f1fe9e643bc5b77fe2ab7fc01b94a7471ce17c8384ec589ecd5670b785c5935ecbf0e |
/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/com.osaka.qwmqqfq.ctipfreq/databases/tbcom.osaka.qwmqqfq.ctipfreq-wal
| MD5 | 8dcfe42c4fe1ceed6d9818140bdc7908 |
| SHA1 | ddeb51e011cd84efdb0aa943a88d7cd6131afec2 |
| SHA256 | 8869c8f9f440a2b5faf29a8c3119c93c3fba2ffaf4877a7f93e7a4029f5529ca |
| SHA512 | f5a453c72c3e5298fa6416b1f9b8f58f292cda68a5356397b9d9d2aa54a05e8aecf66c3f0f9260122c98c594ea78d7029bd15911471fd543fb8e149c9ec02977 |
/storage/emulated/0/Download/sdsid
| MD5 | b8c37e33defde51cf91e1e03e51657da |
| SHA1 | dd01903921ea24941c26a48f2cec24e0bb0e8cc7 |
| SHA256 | fe675fe7aaee830b6fed09b64e034f84dcbdaeb429d9cccd4ebb90e15af8dd71 |
| SHA512 | e3d0e2ef3cab0dab2c12f297e3bc618f6b976aced29b3a301828c6f9f1e1aabbe6dab06e1f899c9c2ae2ca86caa330115218817f4ce36d333733cb2b4c7afde7 |
/data/data/com.osaka.qwmqqfq.ctipfreq/app_tfile/oat/fields.jar.cur.prof
| MD5 | 32a4520c9cad04b1cd62f76af786c3e9 |
| SHA1 | 1be52c0960e291f9452e8458b602a4fc1837b2b6 |
| SHA256 | d098125bd4518f25cd38fddd6ac78b2b077d5d921aa40e6998a6c99734ee71d1 |
| SHA512 | 9b742d4159ea119907852abe676383a7c432ea981434e0353e870a5a913d1364635c42e10c471bda8268d9e177f567e0db0fd469feb74456e785d8fe28c564d7 |