7e4c1ddfa772ca27691eaf3b78df63cd8a0b83952502275ce774346eb3ada191

Analysis

max time kernel
115s
max time network
130s
platform
android_x86
resource
android-x86-arm-20240221-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
submitted
13/03/2024, 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e4c1ddfa772ca27691eaf3b78df63cd8a0b83952502275ce774346eb3ada191.apk
Size

12.5MB
MD5

e5bb1615d7cb12810ce07816b3d269fb
SHA1

25d1365514d4e756e10dc55fdac301f1790b64f3
SHA256

7e4c1ddfa772ca27691eaf3b78df63cd8a0b83952502275ce774346eb3ada191
SHA512

39d8fa3edef592148f9d9d58d17476f4dedccb8cae9ee8d2fc8f5cdf11e131472eeae285a7b42f32b71ec33495b29d6643932a4aaf1eaf994fed1759cbbf5367
SSDEEP

393216:BMuLplR6OZPkvSGkAjLrWKg1C9NNKJsC4xlK1/9vDin:TLplOvSw2bkVFTCAn

Score

7^/10

evasion

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 8 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.ext.jar	4503	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.ext.jar --output-vdex-fd=47 --oat-fd=55 --oat-location=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/oat/x86/edmonton.ext.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.ext.jar	4461	com.limolabs.edmonton
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.dat.jar	4532	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.dat.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/oat/x86/edmonton.dat.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.dat.jar	4461	com.limolabs.edmonton
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/xrrzCpXsT.dex	4555	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/xrrzCpXsT.dex --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/oat/x86/xrrzCpXsT.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/xrrzCpXsT.dex	4461	com.limolabs.edmonton
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.ext.jar	4461	com.limolabs.edmonton
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.dat.jar	4461	com.limolabs.edmonton

Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.limolabs.edmonton

com.limolabs.edmonton
1⤵
- Loads dropped Dex/Jar
- Uses Crypto APIs (Might try to encrypt user data)
PID:4461
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.ext.jar --output-vdex-fd=47 --oat-fd=55 --oat-location=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/oat/x86/edmonton.ext.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4503
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.dat.jar --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/oat/x86/edmonton.dat.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4532
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/xrrzCpXsT.dex --output-vdex-fd=47 --oat-fd=48 --oat-location=/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/oat/x86/xrrzCpXsT.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4555

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.dat.jar

Filesize
2KB

MD5
049ae8efc43fa3a3504c650c3da1dbeb

SHA1
1ce2447302b1b03172a0290bd262d29654fb1c46

SHA256
16c4848b097233af59deb3a4ddab7fad7030d8b4d10a2b1dddfedc8e004f5590

SHA512
82560592e6acd6ad44911e5f00b3a231ae59b59fadaf627ed4ec76cf0a91cdf86649d867aaa90e38a03c894838c92a082f8fb0d0fd5309ceb3c6734f34d42e41

Download Submit
/data/data/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/xrrzCpXsT.dex

Filesize
2KB

MD5
0fcbd489d2d61e996f7c561ac6ac1ba8

SHA1
b2afd13fca0a814e4d1804cbf7da1414e1013478

SHA256
0aa3756d1ef53181fc12e7381488a079506c55ce038b6e75abfcd46cb808c457

SHA512
38f138d24f343d2334c553c9e669dbf362cd03b6828ddc43a0772a1b44f2f8564ddacab494c6068c32416e5e44c0796895d8621fb5aaa3330945e40faaa936db

Download Submit
/data/data/com.limolabs.edmonton/code_cache/flutter_engine/9d5b21729ff53dbf8eadd8bc97e0e30d77abec95/skia/b4d60f807dbd034edf9fae1233aa1784f6c36d5c/CAZAAAACBAAAAAAAAAAGKAAAAAJQAAIA777777Y4AAIQAEYAAEAP777777777777AAAAAABAABMAAAAAAAAAAAAAAABAAAAAGQAFKAA.temp

Filesize
1KB

MD5
dd1c9903a02b3ea7f12db5bac1704d88

SHA1
41d09698b73b590ecb01ac7783b3dbe434168a61

SHA256
66aee2b6574473bd2fcbe43b8e2937cec4da239f75b5acbf7371aeb8c090c74b

SHA512
84ee0cba0ebe661065acd6b889d955de2aa4d23f3d5b6f8a617ffa36b9489e5f72bdb256d588cb496fff03c76148f2adffe79509f0c9c73dea29166acab8aa3c

Download Submit
/data/data/com.limolabs.edmonton/code_cache/flutter_engine/9d5b21729ff53dbf8eadd8bc97e0e30d77abec95/skia/b4d60f807dbd034edf9fae1233aa1784f6c36d5c/CAZAAAECA4AAAAAAAAAEOAAAAAJQAAIA777777Y4AAIQB7777777777777777777EAAFQAAAAAAAAAAAAAAAEAAAAAYAAVIA.temp

Filesize
792B

MD5
40096fa02086acf7b52dcc2d5a1c2a4f

SHA1
35edc727ffc8043781e1c49d86899126cb45cd0b

SHA256
a05d4bd49b0b68818d9576d7fc258b40608340dcfb6fea93bfc73737050144e6

SHA512
e90995305d70f4567dddffe99407d794a49cedc46089e9e19a8947a707e75aaa492ee26f509bb1b0f0ae5d338917dc83a01b22c821cad42b67ea7dd6b374f400

Download Submit
/data/data/com.limolabs.edmonton/code_cache/flutter_engine/9d5b21729ff53dbf8eadd8bc97e0e30d77abec95/skia/b4d60f807dbd034edf9fae1233aa1784f6c36d5c/CAZACAACB4AAAAAAAAAGOAAAAAJQAAIA777777Y4AAIQAEYAAEAP777777777777EAAFQAAAAAAAAKAAIYAAIAAAAAYAANAABAAAAABYAA4AABAAAAAAAAAAABCAAHQAAQAAAAAAAAAAAAB4AA6AAPAAHQAAAAAALQADYAAEAAAAAAAAAAAAEAAAABWAAVIA.temp

Filesize
2KB

MD5
6dacfa16038be5bff5d1524d4b6bf7ac

SHA1
bac6d11de946edf517141ca1a0460dcd6425ec42

SHA256
9654bccd1fd5399b6b2bc710a748a7a3a811b96e64e11a1b6d7d64296a2c78d4

SHA512
37165e0cc5033020cdc50c718f990cb4a10421d0e0f0fc48caf65d84425e87fa955709f714a804d5310efaff776a77dc670c6f4ac0488a2e0db1e1ba36fa9e66

Download Submit
/data/data/com.limolabs.edmonton/databases/OneSignal.db-journal

Filesize
512B

MD5
573c00440a78a92df2e97ffc78e21b84

SHA1
a5bdede057f85f9df82693ee447edab11d68da8a

SHA256
8eef2150f1e6a491cfd711ed902e3a092d9024d500f86a098b7d1e92bddada6d

SHA512
91cf78d41b7400481213331108cc92f470680cd0cf424880882e562fdd772fa59c80abb27d38fff48b30b3d49fa5996a37754f1d226a2ca267f9423bcaf56eec

Download Submit
/data/data/com.limolabs.edmonton/databases/OneSignal.db-wal

Filesize
64KB

MD5
d29eabbe33e479bd0a6454cdf9955aca

SHA1
2d2c793397280b471af5464a81d435383a24d9b6

SHA256
301b7768c428366059485e56c04d09bbffc9a4159954354d2fc4d4b74d95f184

SHA512
0678e938cfd9d30c3d856ec3d4c401c1338601e39aa99e33726c1ffefed95134b33d62203335f2159a722de6ca1c035217e9421c7ccb8a4caf140ad4bcc1b5a6

Download Submit
/data/data/com.limolabs.edmonton/databases/a

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/com.limolabs.edmonton/databases/a-journal

Filesize
512B

MD5
b886290f34a034d4a40e95facb62351d

SHA1
c02b4cd30512b1e2588728f35dc5f3b5139828b0

SHA256
5d54201459f9716f96445df04a2a08c2ceaf60a2d2e748b45af69694c0286e09

SHA512
c558d4e92611efa6366052d8472205787f6ea10ff840226ab2992ecf64a0f67ed743668f169bbcf624d79578dab4785305bf24167657aa6596d91d73cd62da13

Download Submit
/data/data/com.limolabs.edmonton/databases/a-wal

Filesize
16KB

MD5
cf2cd66e4736eeeab1f2ead16dc1b7ce

SHA1
f62134d641d46597b207b870f1fa0c78fd52d100

SHA256
b4feb169ce6eb338ff6fe5ec12919ca88dc83f93f7bdf83420a29b73057e4380

SHA512
a2e3f51f42d1ed6ceb5dab0145ef25f9b89c2d81ece6808a94b52c9869f3925e3c2c5ae619651c0c54bc25ee283e29c83739a6ec2547829cd19950c856cc527c

Download Submit
/data/data/com.limolabs.edmonton/databases/edmonton.db

Filesize
96KB

MD5
7c588fdc0ee3ab449183ada953c31394

SHA1
1b72b2feb5440214a63310172caf7e2e61b5c46c

SHA256
3c50c77e242b9295c9f2aa749c2e955e8f6cf47d2ee775573e7718da91ec990e

SHA512
ac7fdff821cad49ddb34a148674a0c1cb6695cc575f1a8bc46f381fd941f9d641d33ba3ceb607db99ba0bfa74f98c6b8dbefef049e6363bdeea91f37f3a93aeb

Download Submit
/data/data/com.limolabs.edmonton/databases/google_app_measurement_local.db

Filesize
16KB

MD5
6a1f91b682709efeccc1a27bb510f4ec

SHA1
18e94181d4f3113c0537e814785b3529feb03225

SHA256
54af92c5a02e0da0b37fb073e8bab25e3965506894dfa153f3eb15565435e439

SHA512
89cd55520dbefd7ec19fc466eec9a6db2bdc6afcfe06913f31720f0bcf01c2fe92526d81257df92eda25a871a3e0dd728a403bcb985096777ece6e05ac5daa30

Download Submit
/data/data/com.limolabs.edmonton/databases/google_app_measurement_local.db

Filesize
16KB

MD5
7e8389badd4bef9b753e664f554e7a0a

SHA1
26ac805e9260c933d4a47265a4df037561f055e1

SHA256
5cef3bdd1efb97b2077dc560c9079de4b2acebdedcf83bf8b882d4c1d214e7ee

SHA512
7f9eef603811a9adc8ac5ea8472da42ad344da3611a9feeb8b9f2c96f9b2a9186ec173736af43edc2a9b047aa81750f52c16ed68d7b4202bbd9f7a09200cb40d

Download Submit
/data/data/com.limolabs.edmonton/databases/google_app_measurement_local.db

Filesize
16KB

MD5
44693692da738db6eb133cf0e4cde91b

SHA1
e6bda56494c325d8d37ad89552263ae85d9b0550

SHA256
8fe0ac9db76d4a2dcd3b3d54c0efedcd223e25aabf716506493d50e243a7a2d4

SHA512
b34ddfe1ae343b1b12f7029ae476a0ba8e1b4043ccb520afb412b3f71335ef679bf29723c9a5c00af7e922e9982d5b3af54b2ed779da8cb601f378e5b9d26be5

Download Submit
/data/data/com.limolabs.edmonton/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
413b912c596ff7aefc6dbfa5ce3e73d4

SHA1
b0d9760c27ffd909b4fcef5b722c359e761e2c38

SHA256
c702b4dee6dcfd0a5de0434e2dbb201b11911784b12250f06b4f42169d1bfffd

SHA512
6aae89da04839aa41854f333bdc78ffee5c573c7f06043970094c1199708cd95e02bb6185dda1068cd9065e06289c05a6c254ef347f0be28b3003de10a8bc4ab

Download Submit
/data/data/com.limolabs.edmonton/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
c4f20a3f0b772e1bc2fc7476372e4b23

SHA1
34d25352008ea087bf8d232387e5b2771c0cd53b

SHA256
8a81efc5e1ae5842e96f104396f1bf401d190ff606fbc95d1283fc3498540382

SHA512
3e39bcc984646a87b79a6c83097c00e27530babf6fc727a6771b7f2abc85c8c2eb56071430dd2e1ed6918deb70d2a5181ec724574c7389bd656559de529bce6e

Download Submit
/data/data/com.limolabs.edmonton/databases/google_app_measurement_local.db-wal

Filesize
4KB

MD5
506b321613f6be7c57fec0a76ad36ce4

SHA1
6c3416efe63a300370e01ddc5c490fc9952b6703

SHA256
7a32c71b5ebb20cccd0a3443a94014a2490a50893a53d1273df44945b6a41ead

SHA512
bdcb7d335f7107da3caa6e58024dc5768964174d77113f82378b8f0c5bf1cfb5822241e2b04040e3f197b4e2449af43f4817bee08ae52a233b2b5c0e6b9450a9

Download Submit
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.dat.jar

Filesize
6KB

MD5
21486c8b21745b02a88fde1b044514ee

SHA1
bbfce6c338f367a9fcd50974e21094c1058f2aa9

SHA256
6ca9c305f07daf382f93b7420340c28e5fc0d5ff4f026b90ca3f3561f43b887f

SHA512
08a5d536d0fefbf56ef611094d768b2fbe3f3e8f3197e44473f09449cad451f4b69a2c940f334133519fe1eea231cc570720a75a844409bc958d5bd1f642bb76

Download Submit
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.dat.jar

Filesize
6KB

MD5
c2975c1e845f99249f758912b6eee293

SHA1
7ba0ef346c28c2950d9bc42d7ee6f13bedb98175

SHA256
3bb7f7250b9441edae1862f79095a9e1db4e5d75d9176df74fae8d862cc94645

SHA512
8b57e0d13e5f86a66f0e3aaa15dd1c5952e0e783051719d1752c45ec6919a8ad30db9f999ecd0002ca4a5ec14709b44953ebe5e9f35e399b11648b58c8ab39b8

Download Submit
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.ext.jar

Filesize
6.3MB

MD5
f85adddd54466fe9890d68d2338af9dd

SHA1
e055a274650a4c1908ad93dbb0059a0b04a62fa5

SHA256
9dd9654fe94ac0677b9444724bb7fe780ee08b1efa979af132eeb9e0f1f08f6e

SHA512
617b92297e90f2984cbef9eb523d406bd1f86181da5227a1dd32a5c74bdb56b832ec53fe51702874a6288a140fbb042fac7c7b6b79deca30c5b366a274beb247

Download Submit
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/edmonton.ext.jar

Filesize
6.3MB

MD5
47cd7bbf75e32c13f4bfb23915a3fd0e

SHA1
2869e7e4dd545fa11ef8c6bb6325f1a50231e60d

SHA256
68ce8ab05f649fcdbd8d6f99a4ac879e45478fa131f7b4a7c70fdd06f59bb1d2

SHA512
1072f9ff91a816fe38e0fd9cc7d8bfa9cf429ba7b5c3520a1e4d36c8938be4d6b2e6b9182850ad26230b089b911fa411bc02f312132d6f20701eee1b08e5d9d6

Download Submit
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/xrrzCpXsT.dex

Filesize
4KB

MD5
0549cdd13e4782ca7c02dc4d3bbcb67a

SHA1
91b3dc0ef257c58fe9b2ef4ac73f78f611aab0d7

SHA256
620adf9de0509c91943876be17934f5e34cfa03f31da7861c505867798e9ebb3

SHA512
7268aa2de2f72c5f8bfefc4b42dbc9c66e62c52d91b76ae3a61b19497d1254f325141ddd5967f50bb0d2671eef063fc38b285ae26832eb35d9a88bae88bfecfc

Download Submit
/data/user/0/com.limolabs.edmonton/app_di1wplviho2fcvoyldi/xrrzCpXsT.dex

Filesize
4KB

MD5
5725c01e3b9ad94add77186b155f31c2

SHA1
55c56d76e1f354199a22e5dfd1dea666496468e0

SHA256
f55dbc2175954bbe9f9ae74c6802babffa0338a16e197eb8b836611ad1d6707b

SHA512
e6e100ce0a866697ca91b186e4456ea0f67ed6d96864984e242fa8b33ee35cbcd4a441a3b95df18cb5ca249f09b0db485978bbbfd77c5a089dd8dc52dad982fa

Download Submit