Analysis Overview
SHA256
7e8157b0009fe5300675b8b46b823eb5f482c8c7e11c870cbf256fda9cd5da12
Threat Level: Likely malicious
The file d1aecc73a6b35f6144fc7f3254665375 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-17 19:28
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-17 19:28
Reported
2024-03-17 19:31
Platform
android-x86-arm-20240221-en
Max time kernel
7s
Max time network
131s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
com.android.zh
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | en.snowfox.112gs.com | udp |
| US | 173.239.5.6:8088 | en.snowfox.112gs.com | tcp |
| US | 74.206.228.78:8088 | en.snowfox.112gs.com | tcp |
| US | 173.239.8.164:8088 | en.snowfox.112gs.com | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.android.zh/files/com.android.zh/.sffileprovider/sf_file_provider.dat
| MD5 | ebdeb5c0943cae935beff903b070dc8f |
| SHA1 | 3e10b0482c9d182dd56584db4d06b054b51bb6fa |
| SHA256 | 6ee35da1cb1864d749e35363d2e10ecb9bf140a56c07023fabd2d9c4892908c2 |
| SHA512 | 6908454cd0c29457c1f400cc87589c8cf57690ef5ec42d0d134aab28639fe054b34f5b149ee69b331ac06e1a7b84b5d09459fb19ab8c2dc08af02e34ca32d2d4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-17 19:28
Reported
2024-03-17 19:31
Platform
android-x64-20240221-en
Max time kernel
7s
Max time network
152s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
com.android.zh
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | en.snowfox.112gs.com | udp |
| US | 173.239.5.6:8088 | en.snowfox.112gs.com | tcp |
| US | 74.206.228.78:8088 | en.snowfox.112gs.com | tcp |
| US | 173.239.8.164:8088 | en.snowfox.112gs.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 216.58.212.228:443 | | tcp |
| GB | 216.58.212.228:443 | | tcp |
| GB | 216.58.212.228:443 | | tcp |
| GB | 216.58.212.228:443 | | tcp |
| GB | 172.217.169.66:443 | | tcp |
| GB | 172.217.169.14:443 | | tcp |
Files
/data/data/com.android.zh/files/com.android.zh/.sffileprovider/sf_file_provider.dat
| MD5 | ebdeb5c0943cae935beff903b070dc8f |
| SHA1 | 3e10b0482c9d182dd56584db4d06b054b51bb6fa |
| SHA256 | 6ee35da1cb1864d749e35363d2e10ecb9bf140a56c07023fabd2d9c4892908c2 |
| SHA512 | 6908454cd0c29457c1f400cc87589c8cf57690ef5ec42d0d134aab28639fe054b34f5b149ee69b331ac06e1a7b84b5d09459fb19ab8c2dc08af02e34ca32d2d4 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-17 19:28
Reported
2024-03-17 19:31
Platform
android-x64-arm64-20240221-en
Max time kernel
7s
Max time network
145s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Processes
com.android.zh
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.213.10:443 | | udp |
| GB | 142.250.200.46:443 | | udp |
| GB | 172.217.169.74:443 | | tcp |
| GB | 172.217.169.74:443 | | tcp |
| US | 1.1.1.1:53 | en.snowfox.112gs.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| US | 74.206.228.78:8088 | en.snowfox.112gs.com | tcp |
| US | 173.239.8.164:8088 | en.snowfox.112gs.com | tcp |
| US | 173.239.5.6:8088 | en.snowfox.112gs.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/user/0/com.android.zh/files/com.android.zh/.sffileprovider/sf_file_provider.dat
| MD5 | ebdeb5c0943cae935beff903b070dc8f |
| SHA1 | 3e10b0482c9d182dd56584db4d06b054b51bb6fa |
| SHA256 | 6ee35da1cb1864d749e35363d2e10ecb9bf140a56c07023fabd2d9c4892908c2 |
| SHA512 | 6908454cd0c29457c1f400cc87589c8cf57690ef5ec42d0d134aab28639fe054b34f5b149ee69b331ac06e1a7b84b5d09459fb19ab8c2dc08af02e34ca32d2d4 |