Overview

overview

10

Static

static

10

a40c7cabf8...c0.apk

android-9-x86

8

a40c7cabf8...c0.apk

android-13-x64

Analysis

  • max time kernel
    47s
  • max time network
    137s
  • platform
    android_x86
  • resource
    android-x86-arm-20240221-en
  • resource tags

    androidarch:armarch:x86image:android-x86-arm-20240221-enlocale:en-usos:android-9-x86system
  • submitted
    10/04/2024, 13:10 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a40c7cabf874517f5d3d069e0377fa9348e10344000e39717c1a6571939ba7c0.apk

  • Size

    29.1MB

  • MD5

    54a85378f28085923115ee44f540ff8a

  • SHA1

    2e40f7fd49fa8538879f90a85300247fbf2f8f67

  • SHA256

    a40c7cabf874517f5d3d069e0377fa9348e10344000e39717c1a6571939ba7c0

  • SHA512

    853d315b460f899c3b4e7e2d6e071763dea1f4c58f8ea1547d8a234eda12e7ee8a1b2c4c5f51f7f4074061f3c50dc5e1892e33520d0b7eec3a82e3f1c4c74917

  • SSDEEP

    393216:bjd8b3Stod1v3uFwCPwmSPk3biaOhECW1Fypl+W9ESATkXQY0/rBxqHoyvc2IG6a:ZbKhE3cYQAYA/q3Qq2w2AA+1Aphm

Score
8/10
collectiondiscoveryevasionpersistence

Malware Config

Signatures

  • Makes use of the framework's Accessibility service 2 TTPs 1 IoCs

    Retrieves information displayed on the phone screen using AccessibilityService.

    collectionevasion
  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

    evasionpersistence
  • Queries information about running processes on the device. 1 TTPs 1 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

    discovery
  • Reads the contacts stored on the device. 1 TTPs 1 IoCs
    collection
  • Reads the content of the call log. 1 TTPs 1 IoCs
    collection
  • Uses Crypto APIs (Might try to encrypt user data) 1 IoCs

Processes

  • com.secure.vpn
    1⤵
    • Makes use of the framework's Accessibility service
    • Makes use of the framework's foreground persistence service
    • Queries information about running processes on the device.
    • Reads the contacts stored on the device.
    • Reads the content of the call log.
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4242

Network

  • flag-us
    DNS
    semanticlocation-pa.googleapis.com
    Remote address:
    1.1.1.1:53
    Request
    semanticlocation-pa.googleapis.com
    IN A
    Response
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.42
    semanticlocation-pa.googleapis.com
    IN A
    142.250.180.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.169.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.200.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.187.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.213.10
    semanticlocation-pa.googleapis.com
    IN A
    142.250.178.10
    semanticlocation-pa.googleapis.com
    IN A
    216.58.201.106
    semanticlocation-pa.googleapis.com
    IN A
    216.58.212.202
    semanticlocation-pa.googleapis.com
    IN A
    216.58.204.74
    semanticlocation-pa.googleapis.com
    IN A
    142.250.179.234
    semanticlocation-pa.googleapis.com
    IN A
    172.217.16.234
  • flag-us
    DNS
    d1pijg9qb98hxx.cloudfront.net
    Remote address:
    1.1.1.1:53
    Request
    d1pijg9qb98hxx.cloudfront.net
    IN A
    Response
    d1pijg9qb98hxx.cloudfront.net
    IN A
    13.224.245.68
    d1pijg9qb98hxx.cloudfront.net
    IN A
    13.224.245.117
    d1pijg9qb98hxx.cloudfront.net
    IN A
    13.224.245.87
    d1pijg9qb98hxx.cloudfront.net
    IN A
    13.224.245.31
  • flag-gb
    POST
    https://d1pijg9qb98hxx.cloudfront.net/user/login
    Remote address:
    13.224.245.68:443
    Request
    POST /user/login HTTP/2.0
    host: d1pijg9qb98hxx.cloudfront.net
    content-type: application/x-www-form-urlencoded
    content-length: 410
    accept-encoding: gzip
    user-agent: okhttp/4.9.0
    Response
    HTTP/2.0 200
    content-type: application/json
    content-length: 56
    date: Wed, 10 Apr 2024 13:11:36 GMT
    cache-control: no-cache, no-store, must-revalidate
    expires: 0
    pragma: no-cache
    vary: Origin
    vary: Origin
    vary: Access-Control-Request-Method
    vary: Access-Control-Request-Headers
    content-security-policy: default-src https:;
    x-content-type-options: nosniff
    strict-transport-security: max-age=31536000;
    x-cache: Miss from cloudfront
    via: 1.1 1b05f9178c1c0be702b00f1d1f0bcff6.cloudfront.net (CloudFront)
    x-amz-cf-pop: LHR62-C3
    x-amz-cf-id: RAtRY6xPUdkjiyFM5jHgyGcp8XnOJzKyIqZW-QbBNqGDSbEV69_gjg==
  • flag-us
    DNS
    ft8hua063okwfdcu21pw.de
    Remote address:
    1.1.1.1:53
    Request
    ft8hua063okwfdcu21pw.de
    IN A
    Response
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.178.14
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
  • 142.250.200.42:443
    semanticlocation-pa.googleapis.com
    tls
    1.8kB
     6.3kB
     12
    13
  • 13.224.245.68:443
    https://d1pijg9qb98hxx.cloudfront.net/user/login
    tls, http2
    2.4kB
     7.6kB
     17
    17

    HTTP Request

    POST https://d1pijg9qb98hxx.cloudfront.net/user/login

    HTTP Response

    200
  • 142.250.200.14:443
    tls, https
    858 B
     40 B
     1
    1
  • 142.250.178.14:443
    android.apis.google.com
    tls
    4.7kB
     8.6kB
     15
    22
  • 224.0.0.251:5353
    3.7kB
     11
  • 1.1.1.1:53
    semanticlocation-pa.googleapis.com
    dns
    80 B
     288 B
     1
    1

    DNS Request

    semanticlocation-pa.googleapis.com

    DNS Response

    142.250.200.42
    142.250.180.10
    142.250.187.234
    172.217.169.74
    142.250.200.10
    142.250.187.202
    216.58.213.10
    142.250.178.10
    216.58.201.106
    216.58.212.202
    216.58.204.74
    142.250.179.234
    172.217.16.234

  • 1.1.1.1:53
    d1pijg9qb98hxx.cloudfront.net
    dns
    75 B
     139 B
     1
    1

    DNS Request

    d1pijg9qb98hxx.cloudfront.net

    DNS Response

    13.224.245.68
    13.224.245.117
    13.224.245.87
    13.224.245.31

  • 1.1.1.1:53
    ft8hua063okwfdcu21pw.de
    dns
    69 B
     132 B
     1
    1

    DNS Request

    ft8hua063okwfdcu21pw.de

  • 1.1.1.1:53
    android.apis.google.com
    dns
    138 B
     109 B
     2
    1

    DNS Request

    android.apis.google.com

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.178.14

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • /data/data/com.secure.vpn/cache/rndseq
    Filesize

    48B

    MD5

    00efe599e2fb55cfa3286a61a580725a

    SHA1

    dbe8a31de8bc383b59713a70087352a1f192a091

    SHA256

    17527a66bcc2424c13c7ae8a7e7e26947cdc97011451cdbceec25032a4a2423d

    SHA512

    ddffa6e5fae1f40bef37b4c5d347d51a127de3fd74748079bcd958a1dd00841df5d12eb6bc8bd399df5788ef4f40a19e79725066ac278f84eb5c492208ffa618

    Download Submit

  • /data/data/com.secure.vpn/databases/MonDB
    Filesize

    140KB

    MD5

    11cdae334eb513f8d7c83c3d9f9eba3a

    SHA1

    a5923d603aab35b7bc8c02c2a9c5fa7ec9a29842

    SHA256

    49541eab2d57c17fc70c9df7a664f4fced4b4a687fcdf85e75a086aafed7b934

    SHA512

    a31802a38a6611902974eea67c9fb975a7bc589f670ea3052ddcbd196a3e8af17e5b5e8ea711b931b641aa8c890a7fa51423d7e121b270f1f911f820dfdcdbfc

    Download Submit

  • /data/data/com.secure.vpn/databases/MonDB-journal
    Filesize

    512B

    MD5

    ca71da855d9c09a19bf938268b04c544

    SHA1

    ab45bdfecfc241e38cf46df25553795a2f500617

    SHA256

    01efb3f923e372b5ca402b3ff0a2d97294722403d746495ea06b18fc3723b3aa

    SHA512

    22807ce91d7f08811c10420a67e1299572478759523668150bc06f3e4cbec56c22b82bbf17da146328b0422dc9e272de1c80e6f9f54a441f7a336d7345d0dd6b

    Download Submit

  • /data/data/com.secure.vpn/databases/MonDB-wal
    Filesize

    16KB

    MD5

    dcda0e5930d3e65b3da789567704a071

    SHA1

    ebd4380771a0cf67379b436889c31efb1121dd0a

    SHA256

    c752f93152089320832a8c02f7ceb12a04d367b27f9d9df59064a7afeac67650

    SHA512

    a36908728321c67ece6c93c4b2c924b7129d7260ab3c231a3c3cdaf1321a3365afd1212d9c1bbd83f846cbf39d1861ce4ef2a4a2c193fe4dcf735f4c23cdd38a

    Download Submit

  • /data/data/com.secure.vpn/databases/MonDB-wal
    Filesize

    152KB

    MD5

    6924dcc99fe5f555a26bc8e9c03d7bcb

    SHA1

    1748682d4f9209335963559e28ad39c05f3b915c

    SHA256

    671e1d623571520077cfad3105215d4f4a07ee5f77bf8b95a23c76d2ed887f4b

    SHA512

    b75b46f18497b3603f305a4d88e197aedeccce084bd729e922dad40fa8c57c481190990cf82291841df8927afeff8a74cd1b013137bdbe6fc9efd9c2eb98d323

    Download Submit

  • /data/data/com.secure.vpn/databases/MonDB-wal
    Filesize

    410KB

    MD5

    42c482efbe8fef74df374a8dabd868e5

    SHA1

    cf7762c7d1c81a55f862700d50f0ee6552217b14

    SHA256

    037471f622e6c9c53111b7a5ceeea7edbb96738f5027bf0ce3c17515055004a1

    SHA512

    8763681ad43c71a0f67ef0112168bffeed19bff993b5b440accffe9975b19a6c727dfaa819459ba298e6a6207b03ca44158867b7a2cd9c7a067e29d9f0a25397

    Download Submit

  • /data/data/com.secure.vpn/databases/anchorfree-ucr.db-journal
    Filesize

    512B

    MD5

    b2050282e978646845cfe280ffc7b543

    SHA1

    500aa76a36f5a7d47b53bdc39b38edf98641d147

    SHA256

    cf8a0433fa03bb9ff2a27c3a895cfa0296399422faa6dfef18b1fbe3b1a8d47c

    SHA512

    6ecb5094fa959fe9337fa07870f1a318ed77c27ff58b59aa26db840ca8c6d9e0bfc07e0b96ae8f4c508763f6bfb3c4067c31f33c56160f5f5524bce50f869d24

    Download Submit

  • /data/data/com.secure.vpn/databases/anchorfree-ucr.db-wal
    Filesize

    32KB

    MD5

    223e6897ada8a0e35c008515b70db2bc

    SHA1

    8939afad79670bd46a5608a3a5ca39bb51123453

    SHA256

    fb0aac453f5751124b4a0ea157e89eb6e86899f758ef49c428f31873a7d4f732

    SHA512

    6cb78c5336ce6c84521f9abbdea177ccfe10ef51eba465bfeeecdf700b297fa626ccf3800d26b95541372afa55bc4641282329d85a28e84d2344a69d3103934c

    Download Submit

  • /data/data/com.secure.vpn/databases/key_value_store.db
    Filesize

    4KB

    MD5

    f2b4b0190b9f384ca885f0c8c9b14700

    SHA1

    934ff2646757b5b6e7f20f6a0aa76c7f995d9361

    SHA256

    0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

    SHA512

    ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

    Download Submit

  • /data/data/com.secure.vpn/databases/key_value_store.db-journal
    Filesize

    512B

    MD5

    f658a96a01329a82d25dd57119c1f855

    SHA1

    1eb768242f26d73c2c08f594a4ec3956341b5ffc

    SHA256

    c9fe325f5c07045f91cd19b25ebeddfd6b0b759e88f505705758d29b4b67cb87

    SHA512

    9550711745dc2ad0029a4fe762a2d1bfff0fe9f74e13262d2c521ae81efd0554a0ec864451145e0c40d48ca80c1e2524717d5b8d084e1ebb7943366e6a37c600

    Download Submit

  • /data/data/com.secure.vpn/databases/key_value_store.db-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

    Download Submit

  • /data/data/com.secure.vpn/databases/key_value_store.db-wal
    Filesize

    209KB

    MD5

    4d769156cc1ed256338f2bbf167dda72

    SHA1

    c6e4702344697387469a4e7a68cb89b96ca3321a

    SHA256

    18fce54417f0e1c187f4061c3e3f72576a3a6943fc0c3891c714189a77885c89

    SHA512

    e33b22bb72ca7f02741fd0735e2fe54579cbfce5f0f468b92462c5092a04361f9168551b1a49c6f8d79222c917ab516b2b64a7db799b55f559132b1a13931d3f

    Download Submit

  • /data/data/com.secure.vpn/no_backup/androidx.work.workdb-journal
    Filesize

    512B

    MD5

    720d524d0cd685925f106becc0c5eace

    SHA1

    3870afece293479244b4a32995000f818672959b

    SHA256

    17b35c19fd6001a31839d2c47ed77629a47e2a4ddf6a4c2deeb199c900baaba6

    SHA512

    43bb04e4d33825a6d8cd0ce080912204ebce206dc9fd64efbc83412e6d59ef48625bca995d5db5197faf6099eb57355b33a5ef569aaf5d6e28020420a39d5dfa

    Download Submit

  • /data/data/com.secure.vpn/no_backup/androidx.work.workdb-wal
    Filesize

    108KB

    MD5

    9e4bbb0e5fc10bae56f51c7d67689a7a

    SHA1

    c9bed9f53a0cf815443d7bf02e9147d35e309077

    SHA256

    6a4361f7322d0c15d18670878d8e4b12fabd0f5ece3d46f943932da5ae35b996

    SHA512

    97dac1f78ea9a58072b8c6e7f8a9371a4ab9a9ce3b7ee50ebdcc4457ee7dc31d0f452a639c3aef9be96fa3fc60396f41fcf06e33baa5a90c25268d475f2142b5

    Download Submit

  • /data/data/com.secure.vpn/no_backup/androidx.work.workdb-wal
    Filesize

    189KB

    MD5

    1e70b5a888fc71dfe71cf26f5986eca3

    SHA1

    e0486ffa55192a9298887346685ef8a4d54a2031

    SHA256

    2bfb5c8c359c4a557db96d300efd28b70671032be6e2ed23e69533fd938b4208

    SHA512

    51db5a5f1e13dfb2bfc4479cae6a08927e709b3878a0d2842a7e050d0d5333c68a3fe22521043583f09e77b45f2df93128de93ed20d415e3923191453c37ab9f

    Download Submit

  • /data/data/com.secure.vpn/no_backup/androidx.work.workdb-wal
    Filesize

    16KB

    MD5

    943ee81fb1ce941de011d7e69fad10b6

    SHA1

    8c736bbd0c7d0a8b371a62dfe59d3ea2c5aa1622

    SHA256

    b4395fb72badf31ca761239a2a9e4682638ee16a5526967a36395d2d6daa943e

    SHA512

    644c795a0e312ee5ee08e0d9e54d8bc1c013f7f885c0e80f5bf4d3c91fc631c5dca33eb5f080300b6a7b0fb3d100d29aede16f76e473e8268c78b824579020ed

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.