Analysis

  • max time kernel
    134s
  • max time network
    130s
  • platform
    android_x86
  • resource
    android-x86-arm-20240506-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240506-en, locale:en-us, os:android-9-x86, system
  • submitted
    13-05-2024 11:27

General

  • Target

    Funlocker.apk

  • Size

    8.3MB

  • MD5

    cf4a71b23490b5a3000f552284d70ce0

  • SHA1

    58622f609c40eff3d21fb14e702fb0e00cb99243

  • SHA256

    28129b642b40a53fc20f0b2d748af8856e05d6245c8f8334dbdb390915e38e06

  • SHA512

    5f106ac172095d2545b6e082ae0515bc4b72475e0992227eac3f77bd40ebb7e3bfb0dcbf977caf93901cf83ba2d7899f898150bcb6a7b557e4baa051eb0f7a22

  • SSDEEP

    196608:VaQBmiOZgSUfUqNdsxBobd93nMo8bNVfmgVhy:VxEiOGSUVNdsxBon3nz8xVf0

Malware Config

Signatures

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Checks CPU information 2 TTPs 3 IoCs

    Checks CPU information that indicates whether the system is an emulator.

  • Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

    Application may abuse the framework's foreground service to continue running in the foreground.

  • Queries information about running processes on the device 1 TTPs 3 IoCs

    Application may abuse the framework's APIs to collect information about running processes on the device.

  • Queries information about the current Wi-Fi connection 1 TTPs 3 IoCs

    Application may abuse the framework's APIs to collect information about the current Wi-Fi connection.

  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 2 IoCs
  • Checks if the internet connection is available 1 TTPs 2 IoCs
  • Reads information about the phone network operator 1 TTPs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs

Processes

  • com.change.unlock:client
    • Checks CPU information
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Checks if the internet connection is available
    • Uses Crypto APIs (Might try to encrypt user data)
    PID:4258
  • com.change.unlock
    • Checks CPU information
    • Makes use of the framework's foreground persistence service
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    PID:4295
  • com.change.unlock:push
    • Checks CPU information
    • Queries information about running processes on the device
    • Queries information about the current Wi-Fi connection
    • Checks if the internet connection is available
    PID:4357

Network

MITRE ATT&CK Matrix


Downloads

  • /data/data/com.change.unlock/databases/tpad_funlocker.db
    Filesize

    32KB

    MD5

    3dadf8a5ae25c6324aa8c14430639d14

    SHA1

    528c098d7c87c03709d1857bcf0d97a75c339113

    SHA256

    95c8e5ddb34aad35974a3a3feef5487bbc25c3c88ff5f02ea84e4f1b323bf185

    SHA512

    609375f17ef37e1e046e62951b7044fd0c62bb671a4ce447a663c71c52b117e04cac5241663bc670bce6d78471dbd9cd2dd4fa41138471f4b2b07ea652cefd5e

  • /data/data/com.change.unlock/databases/tpad_funlocker.db
    Filesize

    24KB

    MD5

    b571b80423bd619e6f36c62e7121612c

    SHA1

    cce0f8b65f01122c1cacdbe9d359808838be05fb

    SHA256

    23f1a87c612a77b67887fb3917ec9e30caa46e57a4312d80a5388165a8b9f076

    SHA512

    b0ea13f53c38bb0fdcea4088a400c03c820fb090ba7e36ecde9b65ef180197b89ae4082daa1ee955c699d8130797581ee27d0b2a1fbe2ae433905bb54a687d28

  • /data/data/com.change.unlock/databases/tpad_funlocker.db
    Filesize

    24KB

    MD5

    000bf0f6025a153c0fa6219d21c1cd03

    SHA1

    6ebaba2dc9133ed132c29a4838ad02c8ebf5a7b0

    SHA256

    fb0cf2a76581fecc1ea4028dee4736b0f036f974070803d793064881c1afde62

    SHA512

    267cbe2d8f699421827890aaf55a0021ec5bdc89b0c88ac8e3d69a0f6d78cacdfccc875896b4de1e9f245e5f75ded910c944de21cc7b82d7fee92839af8ea309

  • /data/data/com.change.unlock/databases/tpad_funlocker.db
    Filesize

    24KB

    MD5

    292dca938278454c8e5d8d938a77f578

    SHA1

    e791484000797c8512697c3a76b91dfd0168c79e

    SHA256

    db983e7e3da745112bb772f51192fc4544c0c3ff3c4bd6bbbe404d5a1189efb2

    SHA512

    7d4e6346e22b6d95174596734c77c60e0628055cd58df1969704bcddb570bf45642add61fa77ee7b363038c77e904742245bf3533ad6f7acaed6bb0fa88625d0

  • /data/data/com.change.unlock/databases/tpad_funlocker.db
    Filesize

    24KB

    MD5

    80068c22f3d0bde62161e5a282e3fcaa

    SHA1

    0a5d13909ce7e01e2998282f04b75247abd96b27

    SHA256

    0f3b58ee9a21fc52840e380fbbd129f71ac30a4efd571cec9514e0258da8f3ab

    SHA512

    8f714149b870635ff0947ec2225d1433cab636b63c9eb539c1551036ccc5c91e13607170410460d2e120872db90f3c8dea9f756830a04a8439d5f41da3f8580c

  • /data/data/com.change.unlock/databases/tpad_funlocker.db-journal
    Filesize

    32KB

    MD5

    1c289479257810a6b3ec65f3ffa67d0a

    SHA1

    4ce819177ea8aa5c348cc072a3e027e46026c265

    SHA256

    0647f7501abf0002d3281420f1eca20563a6b298249526ae73a099860ba24fe2

    SHA512

    8290428f2f49ae972517a87b6517210b41b17b1fb1f21b07bb04fbbc52f37c6838fcfc22a6f1082000bc159a2e7aa554eaa1b1c901b661e0823eb42a02a30fa2

  • /data/data/com.change.unlock/databases/tpad_funlocker.db-shm
    Filesize

    32KB

    MD5

    bb7df04e1b0a2570657527a7e108ae23

    SHA1

    5188431849b4613152fd7bdba6a3ff0a4fd6424b

    SHA256

    c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

    SHA512

    768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

  • /data/data/com.change.unlock/databases/tpad_funlocker.db-shm
    Filesize

    32KB

    MD5

    d8b66cad516d5fa7312a973e8b269286

    SHA1

    dde1efd80d573b97bca5eda6dec860d9a6075964

    SHA256

    bb286805cf636b2117f802c92a9314842bfdb6e0de204fb55b0513084400dbf3

    SHA512

    978e23c047e45e763e1f74abadd648d1cbac9a20e24558b1af4cfc7b5a3a58d4e220d7e80b9126258fadf3c9d545cca76d74af99252b0b97cf4a086ad9e570d3

  • /data/data/com.change.unlock/databases/tpad_funlocker.db-wal
    Filesize

    24KB

    MD5

    8ae9c7d1ae18b63867e8d67137020230

    SHA1

    67c261dd51278fc6baef4b0c73f981b92da30848

    SHA256

    e0d4901c96da215e9120edec4dc3d54e4ac1ef84502796ee99110a2e6ac1eded

    SHA512

    dec8e7180bb7b549cd87b75f2ee1a5e7809c24c82ee32d4c3d33799ea40ba0ac62167497fa6f993ee75906bf557043aac00f90fafcf6c25106896a0f784da6be

  • /data/data/com.change.unlock/databases/tpad_funlocker.db-wal
    Filesize

    8KB

    MD5

    bad2db8b0be060947911ad70c91d75b0

    SHA1

    9d64a18e1e9792aa53fca16c37eda8cdc54a983d

    SHA256

    9fbd3a46fc42b8caa4a95927dbf4df2a3bb4066d054f90c3c4964e2132c6e521

    SHA512

    85916309d912e7a1947362b22cb2ac2446d1a3f3cfbf0308cb52e79732ece5e890f520caf4796d3d88ab662f983c5c69073ce38c08558cc81b65a74a05c8c527

  • /data/data/com.change.unlock/databases/tpad_funlocker.db-wal
    Filesize

    8KB

    MD5

    b9aed6c602a18f886b4ca0b347c72a6c

    SHA1

    7d9748bae9d3b031d0e9ac323d49a1a98448ef69

    SHA256

    019f619499f2b1b5f726cf90a0e0bec1b80c81e2a5df1e0d06c8e540bc258150

    SHA512

    564e30678789840bd4fbdde1224181439f211644512c8b60712ab8f66f5e368df1e29e6010dc2f3cbf564ec2250e3add71c915900f355779463510daabcad572

  • /data/data/com.change.unlock/databases/tpad_funlocker.db-wal
    Filesize

    24KB

    MD5

    33b613afa2a37de9dad4f16e58d8d7c8

    SHA1

    c146451867577e2d157471c2ca1db04aec23b294

    SHA256

    2140e8f2472fd18fefe15fc35ed8dc8809916f65e60f3269b6ad69450213939e

    SHA512

    4dae4d4882588cab51fc5eca65b2a59f0b920c16897a40f36d19c1514fc246b25ca1a76b956e42f4fe1b08879c6422741069713f1691e92ffee7bb284f87467c

  • /data/data/com.change.unlock/databases/tpad_funlocker.db-wal
    Filesize

    36KB

    MD5

    db8684b65bcd0bee5b197a5886640755

    SHA1

    879073be4bcd65d8a9b950ae69991fd483538892

    SHA256

    f8f5b073a9983c09273de0ebc146fab4f4e30dddcf1e855bb8600f3039beef5d

    SHA512

    31dfd08c3bf598f5de835eaa476071d0fcb9992db9ab8d7f7dd684836cddcafa8393f9373886ed3d5c5bf5a0c8cd3704ace11c0b9dc4b405a24394419fc22419

  • /storage/emulated/0/.DataStorage/ContextData.xml
    Filesize

    381B

    MD5

    b7140ee7596ff3c8853670b26b965a2f

    SHA1

    26ff40bfc724c633dc5e15bb92bdd0abb7965baf

    SHA256

    e7d21341c094a3136688b588170bdbeb3bb12597e9928f881ff519f5ec7140e9

    SHA512

    b8f5fca1add089c4df2b3588e7adf517046827d19f30e3b10db2d6216f5a661624e561fdf366bbd6c79b4a32b71102cd11cdd91d7408c69bbf1614b2ae8d0932

  • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
    Filesize

    381B

    MD5

    0a8dacb9c500e541aed5e4c8ccde8957

    SHA1

    4f89dcee5b703b6ceaad6af281f31477e7614fe2

    SHA256

    dbc92ff60de48be00422a3d17180d351fda675bc85b41548c07f88147d35d580

    SHA512

    e880b1a11e63fc783ff5f09f42cad2dfd8dd320fc675b757aa95a0a4b5e565b057de43220b04d8451c4a3d9314de2dc06d98f85a3815961839907110f7195aeb

  • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
    Filesize

    111B

    MD5

    9a72220393d2784db2e9bceb3ebe138b

    SHA1

    cba4982dd8a00b10a98efa27db196db87671c877

    SHA256

    1955c68d12cc30095bd038fa77e1c629bd8bbc561668833dd9f4ab037a358296

    SHA512

    4365eac4166a0d10f169c1a2d649ac5e8d439315d690bf2a8ba9df100fa0f254b932ff67fc18b7d182a318d62b5bf38e91b2b07caa946d41867fd0b691fa55a8

  • /storage/emulated/0/.UTSystemConfig/Global/Alvin2.xml
    Filesize

    381B

    MD5

    90268eb997c0228cb7e83948aad5ff08

    SHA1

    d94e47f017a462d1b9192b4fd5fd72681400fa4f

    SHA256

    7c7b6332be2427e3580da71487b236c0546221625b9e406e37eb979e291ceeef

    SHA512

    d3f4a0af2891401ff8796116d5c44ff94e53ca60d0407100b7ab99043dbe21fc06ff9c088ce8d933a34bd629872c9a9c8c712b44b4f7d856d3407404de9bb226

  • /storage/emulated/0/CHANGEUnlock/crash-2024-05-13-11-28-08-1715599688084.log
    Filesize

    8KB

    MD5

    13109c07ab79d9673b7aebe339e96d16

    SHA1

    c408ea919bfa8e2e1d9ebcd79e1f7be00ac496d0

    SHA256

    9149408de75407d2a1a88eeec94dc830a982a3d0bde629356d48f07cd672e300

    SHA512

    89cb2dd03460a9f24989e8eb9687c3560a246cd2ee97430d726fe4566bc5be1779d9776da67a88029cd23b87937897b38dfb821a6f6dab01d749bc22298d09cd

  • /storage/emulated/0/ShareSDK/.dk
    Filesize

    2KB

    MD5

    0e47c1be0b733a432de67ef0d754111b

    SHA1

    f03015e8cc5f33595317524f3f4430fde67d27f8

    SHA256

    2b5559663f0f3c0c3f3578c51cfd2275b35f0dba36327f25f31449130ca67e30

    SHA512

    897598217231461d80cf7d0e49d081d43b7f835312fe6c8ccb4f2c6914ddb6aa12c99c8579f358529e0196bd6383984bc3ed4c23e42aeee90eb29e351d048d88