Analysis Overview
Threat Level: Shows suspicious behavior
The file https://www.mediafire.com/file/1qjiryaa2bfydzi/Subway+Surfers_3.10.0_Dat2022Modz_Legit-%29.apk/file?dkey=dss1s0mz3uc&r=684 was found to show suspicious behavior.
Malicious Activity Summary
Reads the content of photos stored on the user's device.
Checks CPU information
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-21 08:06
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-21 08:06
Reported
2024-04-21 08:09
Platform
android-x64-arm64-20240221-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.android.chrome
Network
Files
files/dom-0.html
| Hash | Value |
|---|---|
| MD5 | 86b3c7a4971bc8f4fe2d7fe2b1a54532 |
| SHA1 | 23f7ec7c46fd4492b0959489bf222bda79560bc3 |
| SHA256 | 1079797c467fbf9dffd375ec8bea3ce3d8e22b6ed566eef8c082ec560f58f47b |
| SHA512 | 44d7b5a8eb8d26bada9f5c21bb8a80925e45dacb4279da7ba9a8f44905a6d0b5bad4a676f5b30445a1b825501fda01398481f0eaafbf0031587088be6bfe26f4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-21 08:06
Reported
2024-04-21 08:09
Platform
android-x86-arm-20240221-en
Max time kernel
147s
Max time network
137s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.android.chrome
Network
Files
files/dom-0.html
| Hash | Value |
|---|---|
| MD5 | ce442372705249e5048ffb588ad4366c |
| SHA1 | 7849124bbdd0a8d8febe7c835d0b8ab57dc06f52 |
| SHA256 | 20371df196a66d279749e8d878326d393acff994ebb276e09e1430dbd2552522 |
| SHA512 | f0e4933aa27b5356a3a43eebcbe14c2f28eeafa17c8655d4597f93e4990af018931df50d0c39ac376e18346ff5d1dae4c93b619310e41d6109e87da283ad0d38 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-21 08:06
Reported
2024-04-21 08:09
Platform
android-x64-20240221-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Reads the content of photos stored on the user's device.
| Description | Indicator | Process | Target |
|---|---|---|---|
| URI accessed for read | content://media/external/images/media | N/A | N/A |
Processes
com.android.chrome
Network
Files
files/dom-0.html
| Hash | Value |
|---|---|
| MD5 | fe136cb56fb37b9ce772c48cba8fb5ef |
| SHA1 | 786242efdbdc901469a1df802131b6b31662f26d |
| SHA256 | e087012edd54b0adfc3fe7725a75f354b9347cbd016fd8ea48333c1a657fe5aa |
| SHA512 | 81b6362a7d22b752434f4fc6cf08b58f58be63b91019dc783d365675f0ff40c14f58a02d460e018d286c9cca8f73ec3858150e1b9008daa532dafa955e2231ce |