Overview
Tasks (with per-task score):
- static: Static analysis, score 8
- 3f40f4c863...18.apk on android-9-x86, score 6
- 3f40f4c863...18.apk on android-10-x64, score 7
- 3f40f4c863...18.apk on android-11-x64, score 7
- Funlocker.apk on android-9-x86, score 7
- Funlocker.apk on android-10-x64, score 8
- ONEKEY.apk on android-9-x86, score 1
- ONEKEY.apk on android-10-x64, score 7
- ONEKEY.apk on android-11-x64, score 1
- gdtad.apk on android-9-x86, score 7
- gdtad.apk on android-10-x64 (no score)
- gdtad.apk on android-11-x64 (no score)
Analysis
- Max time kernel: 134s
- Max time network: 130s
- Platform: android_x86
- Resource: android-x86-arm-20240506-en
- Resource tags: android, arch:arm, arch:x86, image:android-x86-arm-20240506-en, locale:en-us, os:android-9-x86, system
- Submitted: 13-05-2024 11:27
Tasks
- static1 (static task)
- behavioral1: 3f40f4c863620c384c3cb91ac54dce03_JaffaCakes118.apk on android-x86-arm-20240506-en
- behavioral2: 3f40f4c863620c384c3cb91ac54dce03_JaffaCakes118.apk on android-x64-20240506-en
- behavioral3: 3f40f4c863620c384c3cb91ac54dce03_JaffaCakes118.apk on android-x64-arm64-20240506-en
- behavioral4: Funlocker.apk on android-x86-arm-20240506-en
- behavioral5: Funlocker.apk on android-x64-20240506-en
- behavioral6: ONEKEY.apk on android-x86-arm-20240506-en
- behavioral7: ONEKEY.apk on android-x64-20240506-en
- behavioral8: ONEKEY.apk on android-x64-arm64-20240506-en
- behavioral9: gdtad.apk on android-x86-arm-20240506-en
- behavioral10: gdtad.apk on android-x64-20240506-en
- behavioral11: gdtad.apk on android-x64-arm64-20240506-en
General
- Target: Funlocker.apk
- Size: 8.3MB
- MD5: cf4a71b23490b5a3000f552284d70ce0
- SHA1: 58622f609c40eff3d21fb14e702fb0e00cb99243
- SHA256: 28129b642b40a53fc20f0b2d748af8856e05d6245c8f8334dbdb390915e38e06
- SHA512: 5f106ac172095d2545b6e082ae0515bc4b72475e0992227eac3f77bd40ebb7e3bfb0dcbf977caf93901cf83ba2d7899f898150bcb6a7b557e4baa051eb0f7a22
- SSDEEP: 196608:VaQBmiOZgSUfUqNdsxBobd93nMo8bNVfmgVhy:VxEiOGSUVNdsxBon3nz8xVf0
Malware Config
Signatures
- Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps) (1 TTP)
- Checks CPU information (2 TTPs, 3 IoCs)
  Checks CPU information which indicates whether the system is an emulator.
- Makes use of the framework's foreground persistence service (1 TTP, 1 IoC)
  Application may abuse the framework's foreground service to continue running in the foreground.
  Processes: com.change.unlock
  IoCs (description / ioc / process):
  - Framework service call / android.app.IActivityManager.setServiceForeground / com.change.unlock
- Queries information about running processes on the device (1 TTP, 3 IoCs)
  Application may abuse the framework's APIs to collect information about running processes on the device.
  Processes: com.change.unlock:client, com.change.unlock, com.change.unlock:push
  IoCs (description / ioc / process):
  - Framework service call / android.app.IActivityManager.getRunningAppProcesses / com.change.unlock:client
  - Framework service call / android.app.IActivityManager.getRunningAppProcesses / com.change.unlock
  - Framework service call / android.app.IActivityManager.getRunningAppProcesses / com.change.unlock:push
- Queries information about the current Wi-Fi connection (1 TTP, 3 IoCs)
  Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.
  Processes: com.change.unlock:client, com.change.unlock, com.change.unlock:push
  IoCs (description / ioc / process):
  - Framework service call / android.net.wifi.IWifiManager.getConnectionInfo / com.change.unlock:client
  - Framework service call / android.net.wifi.IWifiManager.getConnectionInfo / com.change.unlock
  - Framework service call / android.net.wifi.IWifiManager.getConnectionInfo / com.change.unlock:push
- Registers a broadcast receiver at runtime (usually for listening for system events) (1 TTP, 2 IoCs)
  Processes: com.change.unlock, com.change.unlock:client
  IoCs (description / ioc / process):
  - Framework service call / android.app.IActivityManager.registerReceiver / com.change.unlock
  - Framework service call / android.app.IActivityManager.registerReceiver / com.change.unlock:client
- Checks if the internet connection is available (1 TTP, 2 IoCs)
  Processes: com.change.unlock:client, com.change.unlock:push
  IoCs (description / ioc / process):
  - Framework service call / android.net.IConnectivityManager.getActiveNetworkInfo / com.change.unlock:client
  - Framework service call / android.net.IConnectivityManager.getActiveNetworkInfo / com.change.unlock:push
- Reads information about the phone network operator (1 TTP)
- Uses Crypto APIs (might try to encrypt user data) (1 TTP, 1 IoC)
  Processes: com.change.unlock:client
  IoCs (description / ioc / process):
  - Framework API call / javax.crypto.Cipher.doFinal / com.change.unlock:client
Processes
- com.change.unlock:client
  - Checks CPU information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
  - Checks if the internet connection is available
  - Uses Crypto APIs (might try to encrypt user data)
- com.change.unlock
  - Checks CPU information
  - Makes use of the framework's foreground persistence service
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Registers a broadcast receiver at runtime (usually for listening for system events)
- com.change.unlock:push
  - Checks CPU information
  - Queries information about running processes on the device
  - Queries information about the current Wi-Fi connection
  - Checks if the internet connection is available
Network
MITRE ATT&CK Matrix
Downloads
- /data/data/com.change.unlock/databases/tpad_funlocker.db (32KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db (24KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db (24KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db (24KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db (24KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db-journal (32KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db-shm (32KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db-shm (32KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db-wal (24KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db-wal (8KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db-wal (8KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db-wal (24KB)
- /data/data/com.change.unlock/databases/tpad_funlocker.db-wal (36KB)
- /storage/emulated/0/.DataStorage/ContextData.xml (381B)
- /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml (381B)
- /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml (111B)
- /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml (381B)
- /storage/emulated/0/CHANGEUnlock/crash-2024-05-13-11-28-08-1715599688084.log (8KB)
- /storage/emulated/0/ShareSDK/.dk (2KB)