Analysis Overview
SHA256
6b74febe8a8cc8f4189eccc891bdfccebbc57580675af67b1b6f268f52adad9f
Threat Level: Likely malicious
The file CovidLockRansomware.apk was found to be: Likely malicious.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Makes use of the framework's foreground persistence service
Declares services with permission to bind to the system
Requests disabling of battery optimizations (often used to enable hiding in the background).
Declares broadcast receivers with permission to handle system events
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 22:24
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 22:24
Reported
2024-04-15 22:31
Platform
android-33-x64-arm64-20240229-en
Max time kernel
320s
Max time network
334s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
com.device.security
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.178.4:443 | | udp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| BE | 64.233.166.188:5228 | | tcp |
| GB | 142.250.178.4:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.4:443 | | tcp |
| GB | 172.217.169.10:80 | play.googleapis.com | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| GB | 216.58.212.227:443 | | tcp |
| GB | 216.58.213.4:443 | | tcp |
| GB | 216.58.213.4:443 | | tcp |
| GB | 216.58.213.4:443 | | tcp |
| GB | 216.58.213.4:443 | | udp |
| GB | 142.250.178.4:443 | | tcp |
| US | 1.1.1.1:53 | lh3.googleusercontent.com | udp |
| GB | 142.250.200.1:443 | lh3.googleusercontent.com | tcp |
| GB | 142.250.178.4:443 | | udp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | tcp |
| GB | 142.250.180.3:443 | | tcp |
| US | 172.64.41.3:443 | | udp |
| GB | 142.250.180.3:443 | | udp |
| GB | 142.250.179.232:443 | | tcp |
| GB | 142.250.200.38:80 | | tcp |
| GB | 172.217.169.2:443 | | tcp |
| GB | 142.250.200.38:443 | | tcp |
| GB | 142.250.200.2:443 | | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 216.239.32.36:443 | | tcp |
| GB | 216.58.212.227:443 | | tcp |