Malware Analysis Report

2024-09-23 13:53

Sample ID: 240429-ttlxzafa49
Target: dimond_free.apk
SHA256: 517d243ae971f0bd724466676f2ed7f6397fa647791e5018f82126d7c863c723
Tags: evasion, impact, persistence, slocker
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 517d243ae971f0bd724466676f2ed7f6397fa647791e5018f82126d7c863c723

Threat Level: Known bad

The file dimond_free.apk was found to be: Known bad.

Malicious Activity Summary

Tags: evasion, impact, persistence, slocker

SLocker payload

Slocker family

Loads dropped Dex/Jar

Registers a broadcast receiver at runtime (usually for listening for system events)

Requests dangerous framework permissions

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-04-29 16:21

Signatures

SLocker payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Slocker family

slocker

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-29 16:21
Reported: 2024-04-29 16:23
Platform: android-x64-20240221-en
Max time kernel: 151s
Max time network: 155s

Command Line

com.lololp

Signatures

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.lololp/cache/natives_sec_blob4612956379034096035.dex | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.lololp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 216.58.213.4:443 | | tcp
GB | 216.58.213.4:443 | | tcp

Files

/data/data/com.lololp/files/cloneSettings_234229880.json

MD5 805779ff4b324f2e7bc966226712c511
SHA1 75ee544449e478d09e7d01ae378a278677e578d8
SHA256 9f5f3b22e9fed87358b21071efcd0d60ef36f38c0552e3c5f0a0d602e4f33247
SHA512 9ef8f501150982f8db49a7fa20179b2943d45d616b4fd9cc4de5040cd7f5e735c92801510bca5e7c1a258ccaaec754dbabb1c8f59da92f0d7a640b4dfe27833f

/data/data/com.lololp/cache/natives_sec_blob4612956379034096035.dex

MD5 e400b315488068e409c0a67ec54b5cf9
SHA1 ebf22b074a669a1f964d0203f27c2ed31f76da7e
SHA256 cc0c12987c9bafac45177af0c4cfbf10e9ea1a780d63edb7cfad35e6ffb7dbe6
SHA512 365f0c7ef1c819fe16ace7def1a17eeac93aeb0295b74e04adeb6370a9be8187737c9667d97f2ca43bc56a2d9924643bb3740981288f878c97864438d677c634

/data/data/com.lololp/cache/oat/natives_sec_blob4612956379034096035.dex.cur.prof

MD5 06adf5da75e7aeec9680c98cfc762855
SHA1 42c5d1d131d8e48d2cc7ccf4fb5f37971c7dec39
SHA256 abd11f8f0165cc4879def0a0450ad5416cf27b6c372f15d4731a229d778d9c5c
SHA512 8f5b09fdf68fec3657da206c8f7b07e24aee223c57e5cef2a08b9b3ecf1f05a2a2d12db20846986284f2c6105ecad13374ba1727fba56baff6407da846abdbb6

Analysis: behavioral3

Detonation Overview

Submitted: 2024-04-29 16:21
Reported: 2024-04-29 16:24
Platform: android-x64-arm64-20240221-en
Max time kernel: 162s
Max time network: 145s

Command Line

com.lololp

Signatures

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.lololp/cache/natives_sec_blob212457452940388017.dex | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.lololp

Network

Country | Destination | Domain | Proto
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.10:443 | | udp
GB | 142.250.200.46:443 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.169.74:443 | | tcp
GB | 172.217.169.74:443 | | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/user/0/com.lololp/files/cloneSettings_234229880.json

MD5 805779ff4b324f2e7bc966226712c511
SHA1 75ee544449e478d09e7d01ae378a278677e578d8
SHA256 9f5f3b22e9fed87358b21071efcd0d60ef36f38c0552e3c5f0a0d602e4f33247
SHA512 9ef8f501150982f8db49a7fa20179b2943d45d616b4fd9cc4de5040cd7f5e735c92801510bca5e7c1a258ccaaec754dbabb1c8f59da92f0d7a640b4dfe27833f

/data/user/0/com.lololp/cache/natives_sec_blob212457452940388017.dex

MD5 e400b315488068e409c0a67ec54b5cf9
SHA1 ebf22b074a669a1f964d0203f27c2ed31f76da7e
SHA256 cc0c12987c9bafac45177af0c4cfbf10e9ea1a780d63edb7cfad35e6ffb7dbe6
SHA512 365f0c7ef1c819fe16ace7def1a17eeac93aeb0295b74e04adeb6370a9be8187737c9667d97f2ca43bc56a2d9924643bb3740981288f878c97864438d677c634

/data/user/0/com.lololp/cache/oat/natives_sec_blob212457452940388017.dex.cur.prof

MD5 10bab24bde8c3ca8a8cf955cec68617e
SHA1 4d10bc82fe2b59a06ad31adc9e767230975ce8d4
SHA256 0e28a5edec0299d2f05de97b083dea60be30f04442851c2604198888a35b7861
SHA512 eea9f6bd494954a3ad2db8167a09f0142fb4998335ca0637e3a352aa606b9dee9cf4e0d7ea847e439e2b1f457af5b8f26f393dcd9efa233c656e084c53325e50

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-29 16:21
Reported: 2024-04-29 16:23
Platform: android-x86-arm-20240221-en
Max time kernel: 107s
Max time network: 136s

Command Line

com.lololp

Signatures

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.lololp/cache/natives_sec_blob4672445800604528421.dex | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.lololp

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp
GB | 216.58.213.14:443 | | tcp
GB | 172.217.169.2:443 | | tcp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp

Files

/data/data/com.lololp/files/cloneSettings_234229880.json

MD5 805779ff4b324f2e7bc966226712c511
SHA1 75ee544449e478d09e7d01ae378a278677e578d8
SHA256 9f5f3b22e9fed87358b21071efcd0d60ef36f38c0552e3c5f0a0d602e4f33247
SHA512 9ef8f501150982f8db49a7fa20179b2943d45d616b4fd9cc4de5040cd7f5e735c92801510bca5e7c1a258ccaaec754dbabb1c8f59da92f0d7a640b4dfe27833f

/data/data/com.lololp/cache/natives_sec_blob4672445800604528421.dex

MD5 e400b315488068e409c0a67ec54b5cf9
SHA1 ebf22b074a669a1f964d0203f27c2ed31f76da7e
SHA256 cc0c12987c9bafac45177af0c4cfbf10e9ea1a780d63edb7cfad35e6ffb7dbe6
SHA512 365f0c7ef1c819fe16ace7def1a17eeac93aeb0295b74e04adeb6370a9be8187737c9667d97f2ca43bc56a2d9924643bb3740981288f878c97864438d677c634

/data/data/com.lololp/cache/oat/natives_sec_blob4672445800604528421.dex.cur.prof

MD5 64083f34e699faeda117e87f47329495
SHA1 536b4a979f59c2fb5e6b83e6ea87eb0e40286071
SHA256 428830cd6dca1aa20d9e670f656aebad41efbbb0c55c0d1ecac78dc83db22760
SHA512 18d0b950fd4067fc67ac192747f776fa5dc85f5d98e44015376681fa6726b3ee7d4acca45fa19bf94e341e316313bade18d673f1639dc14815d81334ef812632