Analysis Overview
SHA256
517d243ae971f0bd724466676f2ed7f6397fa647791e5018f82126d7c863c723
Threat Level: Known bad
The file dimond_free.apk was found to be: Known bad.
Malicious Activity Summary
SLocker payload
Slocker family
Loads dropped Dex/Jar
Registers a broadcast receiver at runtime (usually for listening for system events)
Requests dangerous framework permissions
Uses Crypto APIs (Might try to encrypt user data)
Analysis: static1
Detonation Overview
Reported
2024-04-29 16:21
Signatures
SLocker payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Slocker family
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-29 16:21
Reported
2024-04-29 16:23
Platform
android-x64-20240221-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.lololp/cache/natives_sec_blob4612956379034096035.dex | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.lololp
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 216.58.213.4:443 | | tcp |
Files
/data/data/com.lololp/files/cloneSettings_234229880.json
| Algorithm | Digest |
|---|---|
| MD5 | 805779ff4b324f2e7bc966226712c511 |
| SHA1 | 75ee544449e478d09e7d01ae378a278677e578d8 |
| SHA256 | 9f5f3b22e9fed87358b21071efcd0d60ef36f38c0552e3c5f0a0d602e4f33247 |
| SHA512 | 9ef8f501150982f8db49a7fa20179b2943d45d616b4fd9cc4de5040cd7f5e735c92801510bca5e7c1a258ccaaec754dbabb1c8f59da92f0d7a640b4dfe27833f |
/data/data/com.lololp/cache/natives_sec_blob4612956379034096035.dex
| Algorithm | Digest |
|---|---|
| MD5 | e400b315488068e409c0a67ec54b5cf9 |
| SHA1 | ebf22b074a669a1f964d0203f27c2ed31f76da7e |
| SHA256 | cc0c12987c9bafac45177af0c4cfbf10e9ea1a780d63edb7cfad35e6ffb7dbe6 |
| SHA512 | 365f0c7ef1c819fe16ace7def1a17eeac93aeb0295b74e04adeb6370a9be8187737c9667d97f2ca43bc56a2d9924643bb3740981288f878c97864438d677c634 |
/data/data/com.lololp/cache/oat/natives_sec_blob4612956379034096035.dex.cur.prof
| Algorithm | Digest |
|---|---|
| MD5 | 06adf5da75e7aeec9680c98cfc762855 |
| SHA1 | 42c5d1d131d8e48d2cc7ccf4fb5f37971c7dec39 |
| SHA256 | abd11f8f0165cc4879def0a0450ad5416cf27b6c372f15d4731a229d778d9c5c |
| SHA512 | 8f5b09fdf68fec3657da206c8f7b07e24aee223c57e5cef2a08b9b3ecf1f05a2a2d12db20846986284f2c6105ecad13374ba1727fba56baff6407da846abdbb6 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-29 16:21
Reported
2024-04-29 16:24
Platform
android-x64-arm64-20240221-en
Max time kernel
162s
Max time network
145s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.lololp/cache/natives_sec_blob212457452940388017.dex | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.lololp
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.213.10:443 | | udp |
| GB | 142.250.200.46:443 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.74:443 | | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.200.40:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/user/0/com.lololp/files/cloneSettings_234229880.json
| Algorithm | Digest |
|---|---|
| MD5 | 805779ff4b324f2e7bc966226712c511 |
| SHA1 | 75ee544449e478d09e7d01ae378a278677e578d8 |
| SHA256 | 9f5f3b22e9fed87358b21071efcd0d60ef36f38c0552e3c5f0a0d602e4f33247 |
| SHA512 | 9ef8f501150982f8db49a7fa20179b2943d45d616b4fd9cc4de5040cd7f5e735c92801510bca5e7c1a258ccaaec754dbabb1c8f59da92f0d7a640b4dfe27833f |
/data/user/0/com.lololp/cache/natives_sec_blob212457452940388017.dex
| Algorithm | Digest |
|---|---|
| MD5 | e400b315488068e409c0a67ec54b5cf9 |
| SHA1 | ebf22b074a669a1f964d0203f27c2ed31f76da7e |
| SHA256 | cc0c12987c9bafac45177af0c4cfbf10e9ea1a780d63edb7cfad35e6ffb7dbe6 |
| SHA512 | 365f0c7ef1c819fe16ace7def1a17eeac93aeb0295b74e04adeb6370a9be8187737c9667d97f2ca43bc56a2d9924643bb3740981288f878c97864438d677c634 |
/data/user/0/com.lololp/cache/oat/natives_sec_blob212457452940388017.dex.cur.prof
| Algorithm | Digest |
|---|---|
| MD5 | 10bab24bde8c3ca8a8cf955cec68617e |
| SHA1 | 4d10bc82fe2b59a06ad31adc9e767230975ce8d4 |
| SHA256 | 0e28a5edec0299d2f05de97b083dea60be30f04442851c2604198888a35b7861 |
| SHA512 | eea9f6bd494954a3ad2db8167a09f0142fb4998335ca0637e3a352aa606b9dee9cf4e0d7ea847e439e2b1f457af5b8f26f393dcd9efa233c656e084c53325e50 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-29 16:21
Reported
2024-04-29 16:23
Platform
android-x86-arm-20240221-en
Max time kernel
107s
Max time network
136s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.lololp/cache/natives_sec_blob4672445800604528421.dex | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.lololp
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.178.14:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 172.217.169.74:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 216.58.213.14:443 | | tcp |
| GB | 172.217.169.2:443 | | tcp |
| GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp |
| GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp |
Files
/data/data/com.lololp/files/cloneSettings_234229880.json
| Algorithm | Digest |
|---|---|
| MD5 | 805779ff4b324f2e7bc966226712c511 |
| SHA1 | 75ee544449e478d09e7d01ae378a278677e578d8 |
| SHA256 | 9f5f3b22e9fed87358b21071efcd0d60ef36f38c0552e3c5f0a0d602e4f33247 |
| SHA512 | 9ef8f501150982f8db49a7fa20179b2943d45d616b4fd9cc4de5040cd7f5e735c92801510bca5e7c1a258ccaaec754dbabb1c8f59da92f0d7a640b4dfe27833f |
/data/data/com.lololp/cache/natives_sec_blob4672445800604528421.dex
| Algorithm | Digest |
|---|---|
| MD5 | e400b315488068e409c0a67ec54b5cf9 |
| SHA1 | ebf22b074a669a1f964d0203f27c2ed31f76da7e |
| SHA256 | cc0c12987c9bafac45177af0c4cfbf10e9ea1a780d63edb7cfad35e6ffb7dbe6 |
| SHA512 | 365f0c7ef1c819fe16ace7def1a17eeac93aeb0295b74e04adeb6370a9be8187737c9667d97f2ca43bc56a2d9924643bb3740981288f878c97864438d677c634 |
/data/data/com.lololp/cache/oat/natives_sec_blob4672445800604528421.dex.cur.prof
| Algorithm | Digest |
|---|---|
| MD5 | 64083f34e699faeda117e87f47329495 |
| SHA1 | 536b4a979f59c2fb5e6b83e6ea87eb0e40286071 |
| SHA256 | 428830cd6dca1aa20d9e670f656aebad41efbbb0c55c0d1ecac78dc83db22760 |
| SHA512 | 18d0b950fd4067fc67ac192747f776fa5dc85f5d98e44015376681fa6726b3ee7d4acca45fa19bf94e341e316313bade18d673f1639dc14815d81334ef812632 |