Malware Analysis Report

2025-01-19 06:59

Sample ID 240522-l8zhlsbf2s
Target Повітряна тривога_6.1.1_APKPure.apk
SHA256 e319e0b595b2ab651f0cf3b8c729329a5da9bd7d5fa3138f5f7e1919b2ae6430
Tags
collection credential_access discovery evasion execution impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e319e0b595b2ab651f0cf3b8c729329a5da9bd7d5fa3138f5f7e1919b2ae6430

Threat Level: Likely malicious

The file Повітряна тривога_6.1.1_APKPure.apk (Ukrainian for "Air Alert"; package name com.ukrainealarm) was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion execution impact persistence

Checks if the Android device is rooted.

Checks CPU information

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Checks memory information

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Acquires the wake lock

Checks if the internet connection is available

Schedules tasks to execute at a specified time

Checks the presence of a debugger

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 10:13

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A

POST_NOTIFICATIONS is a runtime ("dangerous") permission from Android 13 (API 33) onwards, the platform used for the behavioral run below; it is the only permission listed by this static pass.

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 10:12

Reported

2024-05-22 10:14

Platform

android-33-x64-arm64-20240514-en

Max time kernel

74s

Max time network

85s

Command Line

com.ukrainealarm

Signatures

Checks if the Android device is rooted.

evasion
Description Indicator Process Target
N/A /system/xbin/su N/A N/A
N/A /system/app/Superuser.apk N/A N/A

Checks CPU information

evasion discovery
Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

evasion discovery
Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /system_ext/framework/androidx.window.extensions.jar N/A N/A
N/A /system_ext/framework/androidx.window.extensions.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A

Note: both indicators are jars under /system_ext/framework, a read-only system partition that an unprivileged app cannot write to. They are the platform's androidx.window extensions and sidecar libraries (their hashes appear in the Files section), typically loaded when an app uses the androidx.window Jetpack library, not code written to disk by the sample. No .dex, .jar or .apk under /data/data/com.ukrainealarm appears in the Files section.

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Checks if the internet connection is available

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks the presence of a debugger

evasion

Processes

com.ukrainealarm

Network

Rows to port 53 are DNS queries to the resolver 1.1.1.1; "-" in the Domain column means the sandbox recorded no name for that peer.

Country  Destination           Domain                             Proto
GB       216.58.201.100:443    -                                  udp
GB       216.58.201.100:443    -                                  tcp
GB       216.58.201.100:443    -                                  tcp
N/A      224.0.0.251:5353      -                                  udp
GB       172.217.16.238:443    -                                  udp
GB       172.217.16.238:443    -                                  tcp
GB       172.217.16.238:443    -                                  tcp
GB       142.250.200.35:443    -                                  tcp
US       1.1.1.1:53            firebase-settings.crashlytics.com  udp
GB       142.250.187.195:443   firebase-settings.crashlytics.com  tcp
US       1.1.1.1:53            map.ukrainealarm.com               udp
US       104.18.6.136:443      map.ukrainealarm.com               tcp
US       162.159.61.3:443      -                                  tcp
US       162.159.61.3:443      -                                  tcp
GB       216.58.204.67:443     -                                  tcp
US       1.1.1.1:53            air-save.ops.ajax.systems          udp
FR       52.47.177.152:443     air-save.ops.ajax.systems          tcp
US       162.159.61.3:443      -                                  udp
GB       216.58.204.67:443     -                                  udp
GB       172.217.16.238:443    -                                  tcp
US       216.239.34.36:443     -                                  tcp
GB       216.58.201.100:443    -                                  udp
GB       142.250.180.4:443     -                                  udp
GB       142.250.180.4:443     -                                  tcp
GB       142.250.180.4:443     -                                  tcp
GB       142.250.180.4:443     -                                  tcp
US       1.1.1.1:53            android.apis.google.com            udp
GB       142.250.187.238:443   android.apis.google.com            udp
US       104.18.6.136:443      map.ukrainealarm.com               tcp
US       1.1.1.1:53            challenges.cloudflare.com          udp
US       104.17.2.184:443      challenges.cloudflare.com          tcp
US       104.17.2.184:443      challenges.cloudflare.com          udp
US       104.17.2.184:443      challenges.cloudflare.com          tcp
US       1.1.1.1:53            ajax.googleapis.com                udp
US       1.1.1.1:53            cdn.jsdelivr.net                   udp
US       1.1.1.1:53            unpkg.com                          udp
GB       142.250.187.234:443   ajax.googleapis.com                tcp
US       151.101.65.229:443    cdn.jsdelivr.net                   tcp
US       104.17.248.203:443    unpkg.com                          tcp
US       1.1.1.1:53            region1.google-analytics.com       udp
US       216.239.32.36:443     region1.google-analytics.com       tcp
US       216.239.32.36:443     region1.google-analytics.com       udp
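The network table mixes resolver queries, named connections and bare-IP connections, which makes it hard to see at a glance which hosts the app actually talked to. The following script is an added triage example, not part of the sandbox report: it parses the rows exactly as printed above (embedded here as constructed input), pairs each DNS lookup with the connections made under that name, and lists the peers reached with no name recorded in the table. The field layout (country, ip:port, optional domain, proto) is assumed from the table; nothing else is inferred.

```python
"""Triage of the 'Network' table above: pair DNS lookups with the connections
that followed and list peers reached without a name. Rows copied from the report."""
from collections import defaultdict

# Rows as printed: country, ip:port, optional domain, proto ("-" = no domain).
NETWORK_TABLE = """\
GB 216.58.201.100:443 udp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
GB 142.250.200.35:443 tcp
US 1.1.1.1:53 firebase-settings.crashlytics.com udp
GB 142.250.187.195:443 firebase-settings.crashlytics.com tcp
US 1.1.1.1:53 map.ukrainealarm.com udp
US 104.18.6.136:443 map.ukrainealarm.com tcp
US 162.159.61.3:443 tcp
US 162.159.61.3:443 tcp
GB 216.58.204.67:443 tcp
US 1.1.1.1:53 air-save.ops.ajax.systems udp
FR 52.47.177.152:443 air-save.ops.ajax.systems tcp
US 162.159.61.3:443 udp
GB 216.58.204.67:443 udp
GB 172.217.16.238:443 tcp
US 216.239.34.36:443 tcp
GB 216.58.201.100:443 udp
GB 142.250.180.4:443 udp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com udp
US 104.18.6.136:443 map.ukrainealarm.com tcp
US 1.1.1.1:53 challenges.cloudflare.com udp
US 104.17.2.184:443 challenges.cloudflare.com tcp
US 104.17.2.184:443 challenges.cloudflare.com udp
US 104.17.2.184:443 challenges.cloudflare.com tcp
US 1.1.1.1:53 ajax.googleapis.com udp
US 1.1.1.1:53 cdn.jsdelivr.net udp
US 1.1.1.1:53 unpkg.com udp
GB 142.250.187.234:443 ajax.googleapis.com tcp
US 151.101.65.229:443 cdn.jsdelivr.net tcp
US 104.17.248.203:443 unpkg.com tcp
US 1.1.1.1:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com udp
"""

def parse_rows(table):
    rows = []
    for line in table.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "-" else domain
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def triage(rows):
    dns_queries = set()
    resolved = defaultdict(set)   # domain -> IPs contacted under that name
    unnamed = defaultdict(set)    # ip -> proto/port pairs with no name in table
    for r in rows:
        if r["port"] == 53:       # query to the resolver (1.1.1.1 here)
            if r["domain"]:
                dns_queries.add(r["domain"])
            continue
        if r["domain"]:
            resolved[r["domain"]].add(r["ip"])
        else:
            unnamed[r["ip"]].add(f'{r["proto"]}/{r["port"]}')
    return {
        "dns_queries": sorted(dns_queries),
        "resolved": {d: sorted(ips) for d, ips in resolved.items()},
        "unnamed_peers": {ip: sorted(p) for ip, p in unnamed.items()},
        # names looked up but never seen on a connection row
        "queried_without_connection": sorted(dns_queries - set(resolved)),
    }

def summarize(table=NETWORK_TABLE):
    return triage(parse_rows(table))

if __name__ == "__main__":
    for key, value in summarize().items():
        print(key, value)
```

Run as a script it prints the nine queried names, the IPs contacted under each, and the eight peers (including the mDNS multicast group 224.0.0.251:5353) for which the sandbox recorded no name; those unnamed peers are where a reviewer should spend time, since nothing in the table ties them to a hostname. The udp/443 rows alongside tcp/443 to the same address are consistent with a QUIC attempt followed by a TCP fallback, but the table alone does not prove that.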

Files

/system_ext/framework/androidx.window.extensions.jar

MD5 3056e1bdb7d4e19789d0319eff484bd0
SHA1 6791ae47aa9466fe0bca27ad6643f846853bbee4
SHA256 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0
SHA512 c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658

/system_ext/framework/androidx.window.sidecar.jar

MD5 29469324e59dfcc052f24b5af4e7b2c4
SHA1 10c1e17ac6f598037bb51baa07945663645de4eb
SHA256 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a
SHA512 5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2

/data/data/com.ukrainealarm/databases/com.google.android.datatransport.events-journal

MD5 830b70012af34f018df5b95b3f024d37
SHA1 27f31434154aeeb1d60415179aff27639e294abf
SHA256 e74c0257a05930c91dd4f9325b482fc53078ac32c64735b5e0464c93ad9da815
SHA512 8e783981e617958ae79184aa91072df375d3585df17813ab61b415b3cae7a179dc6b6bb52282083b3e83ec5dbfe8e33b2ddcc05201cde2d4b6fde4746dbc7ccc

/data/data/com.ukrainealarm/databases/com.google.android.datatransport.events

MD5 e71348ea3cb513417115a8ee20367117
SHA1 8b11b745381306c08a2bed3fb1485adf8dedbfa5
SHA256 eb77c96b3c8fe48af13735ecf98e5c660d4f503059f2ae08494eaccdfa37be8e
SHA512 0744767400e5891947d979a2a78ab3116947ec805727839244ccaecc51fb4eee50e4faec6ceccbdeb00f672ea7c257fe6e402e96222d3d5270ec009342883a29

/data/data/com.ukrainealarm/files/PersistedInstallation6912502113230517387tmp

MD5 315bee6a659940b4860ce505baebb774
SHA1 de10370413703c0c3a27bc464cea67e5e66de50f
SHA256 e5bb61c67183e482e29e58dd4986c48e8fbdd86e194aa868e3059acba3f01238
SHA512 e3ec3148090d096ec69283e4a4ea5a795603ca30e9094cf50fc0deca85fe3bd50346197d4ce2d5a5adce9dd1d45bf78b7cab73ca1e1f141b16d8a1a3f42cc630

/data/data/com.ukrainealarm/databases/com.google.android.datatransport.events-journal

MD5 3122659f9bc54647d4c4446344aaf57b
SHA1 a308a93439921328077d39a0619e3efebf161645
SHA256 3fcb1c4f94b9e41da7737ba556b58fcd4029925024d8a1316ed11a26a57e6fc4
SHA512 e3f5501cfd6f86176b841023d6a1deeba0a1fe3cb7b29f107d42e17c8bf502189d7c5c6623f52b1fe36d6822514c85ac9756ddc6d21333e37bb569277612b8ba

/data/data/com.ukrainealarm/databases/com.google.android.datatransport.events-journal

MD5 dab095ba3884296fa7fb0cecb24e0f0f
SHA1 ae33183cafc5182280fd55f7ff524b1108cb2bc9
SHA256 5a06e121d1408ac0cca36924f694c4d21d8724da3011039c2cf00ea71ada42eb
SHA512 a5f85eb72ca9c3ed98d8bc3a7be24316a80cb1d6c87a0af00106a9de0cdf6852792ded23244d0675053b6853fca3f79fac94ee6c589f5d90a0f89837efc55a50

/data/data/com.ukrainealarm/files/.com.google.firebase.crashlytics.files.v1/open-sessions/664DC55302AE000110FBEE1F4F5B655E/report

MD5 89714753c732c558caa74497f5b6c016
SHA1 ea5dfcd999d6f7c3ed2d81fb102be20901da999a
SHA256 22b50be3c9ed2284e3fd5cb03ac216b62ec1d8958c5226cf8176ad1546b94cb6
SHA512 4d4f700d5205d580a8b4695ee27ea13d995b7f5785270099fa8b12add81f365d2b0274410247e8ab50af3270e7884685781c499245db61a59949e63732f83c02

/data/data/com.ukrainealarm/files/.com.google.firebase.crashlytics.files.v1/com.crashlytics.settings.json

MD5 758ece3e71d753deaf04c243dae40e76
SHA1 fe12b1cdaf06626f5da774b18f8643d0fa57860a
SHA256 79b7e31b34e54df905f192270a0dbab0449648a6a0c48af58ee45f3216a3df6d
SHA512 b242423040d6372476b01848f78fc51acb5acd28e588ba01d32581a75d994ce19dc58d33d3fc6e57b34b77794b1c1b85574e509e69003d6c6a3ea10dec7a2b7b

/data/data/com.ukrainealarm/no_backup/androidx.work.workdb-journal

MD5 713d4f06554d6001ed448a62214c0c93
SHA1 e6f799e5a17a5a798642292fa73f095b0ea97796
SHA256 3455782aa8ca737eac792d9cd8e6d7aba430cebfa6423a00d74c5945de20fe41
SHA512 797a90c6679a332f2135ecf57db42b883c65ea37eb4e4f439ea564e84e2a6154d744a03afe8de4f0e8c2d1c347e52f898a89d75a39041cf3dfbd819b16a9be34

/data/data/com.ukrainealarm/files/PersistedInstallation2925139467290067237tmp

MD5 8d9ec9bcc17c41510cc7c3e44d4bcbd1
SHA1 e2c038564c7c26d5c5f66971c19c4025c5f49b16
SHA256 8af80e2d9037edf1e75053592160acddb5b345cbd04eb1b1c1eb1a93a02b2a16
SHA512 3c9ab3ca739d3a58b643fa17d4d548b4c724113fd1cb1342cea8afc5dae635c376dac048a08b14492811423588d3013095c7c5e685a235c2f31f1503686f6699

/data/data/com.ukrainealarm/no_backup/androidx.work.workdb

MD5 1e9ba3a55da5610a1aaf765d4d96479a
SHA1 5fa6964e5254257e02daec72b976d94d0f75817a
SHA256 b63639127bdf2b50d7ebff00fccf2e08bd37733d6a620999b97027fbb39d7be0
SHA512 7ac1a4c32ab1e7a936a27d913f2abb47263565099916a8bda70d5accf638794808fe1340feda85532475cfb26badc76d526dd0cc670275423bfe518ac6d37d7c

/data/data/com.ukrainealarm/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ukrainealarm/no_backup/androidx.work.workdb-wal

MD5 8b1de1d5e84639cb5d28bfd8bb220542
SHA1 d02017fa1bb10cc4c0c9200355bf373fd1d5e23c
SHA256 2fd7812871ef3f13383e8daa6a3239c8a8db492d1a1047a84448b7be9445490c
SHA512 5ea72af6ab90e041ef8049db141cdf08c45b6939f2a8abf01b9a0d5e37195b98ca28dff93bf52e88c411a6dc2a234638119d693070d0cf10556eb3ac6aea5c89

/data/data/com.ukrainealarm/no_backup/androidx.work.workdb-wal

MD5 6ff0414dc94564d8e00a2febc14b5a5e
SHA1 4cc9df992a6b32083d1568e13e4da77c8637c5b3
SHA256 8eea8ef6a871c7ca0a98113c2f560e4e1008003ecdab6bb133a25fa2a01766ab
SHA512 f58fd77d823738ae5ccd0f8acc7f28f700f306a7e199bc2ecf57876f3733fb52b149e91de1bb2cd8e2ede1b83d791174f1d7e1c1aedd5f0ee712122fce0fc737

/data/data/com.ukrainealarm/no_backup/androidx.work.workdb-wal

MD5 d42df5f3cb6172d33ea0ce04e95747de
SHA1 390f6fe2557bb0676845bae66798ccdb2079dd15
SHA256 154e4f773fe2353b74341bd0cfe16c3800ab246f4d80ff86ac774b07b65eb502
SHA512 a21623f89aaf4b6c31343eb25c89da27c258d917b46589a0bea67d3e31db1c8f6b65b970abc9ed50ae9fce6cf704b65760d8397d15caa86c311e47cd8b626938

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db-journal

MD5 3d1b5e6b1e237a87c9274b8f21a513e2
SHA1 664164c7487d495c0998c8d3aa94e65138bc6ac0
SHA256 8f4ee6d283ef358f1e0c767736f7ef6c102de3cc1c2465732c0693341fecb52e
SHA512 eea7d1efc940476500fb445d5d58b4bdbedcf2f9d5de89c5cc75a0a174bfa9bdf5ea61d8b96860f76a0489f150a0ba3fac919b6cd8703644473ef26eff28e55e

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db

MD5 0d7044cf9ae84d4e23a8396d4bad6577
SHA1 b657aeb576eda438065f73df8083a2d942a563bc
SHA256 2cca60f699cd5bcd820cc45e6debf356503a23d44ea7147a63d730b8f503496a
SHA512 8dbcc5ae368e7f430801e85fc4819138c744c0790a4d8a5b87bdf079b61c168e40e1ad0049b89dc35e821ec826e78bcdf15805d7b8108e38326b061ba9c7fe61

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db-journal

MD5 9091a7bc941b195fbdf595fa05c7414c
SHA1 9343fbb7f4214147c285e6a241549aaf6755c6ab
SHA256 7121315983b3760d539bc2aa4353a53c51d244d96c7ab1654e69164739aa8e73
SHA512 4cd08b609a374f72985e6396b13e5d9fcd14206a535bb2fdf003469f6532e1131b225dc1f34a68af7948ba5b71176f8f314143e8aa14a5d94b62cab7bec7d874

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db-journal

MD5 4954b638d99103678b3ec4c88cdc0faf
SHA1 1f9e03ca5f82e03288510ab0786f2d4c5527efda
SHA256 11317f17029f9799668def71f4b70a71a2dbbf4453ca1ec77d26df3742cce57b
SHA512 e85f863aeba2d9ebbd8b24d0e1ed5585c290286058b724b5ed962f516480897813bcd7d2a5054dab20fc5e7641038f53c91d71b21b9d9fdf90490fadce00c965

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db-journal

MD5 eb5e8c4fde512970233a4cffbaf149df
SHA1 c97cb5277751531dea4edb74d834553423ec8135
SHA256 f3889e9d792f3d2a52af4ffbb47bbd4d50526af07fef1834b5dda63cec58721f
SHA512 4ee8a1b240af188cad15e38b25dacf24b0fae648fea7f7e76e82b8e7051c4acf611610321dbe99081d4548fb8aba8611106ce5a8cedcdc07e6f7e8f91491d61d

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db-journal

MD5 bf6bc689b39e5d30fa356e4df93cbb8e
SHA1 2f3340e50eff9ae3edd501c5f451465fe1143453
SHA256 dce67808ddb4ecb066f138244bf90a3f128444da2da6f7d2f1a648362608e397
SHA512 e6cfca31be484c25b302cf7bcb2a8e787e62b4eccead5677fd2a4bca3c5af53762e24ba79668f56bf5cf4cb8f3466e90af0c0e66c68dd34f93fddbe349e3dc20

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db-journal

MD5 be1c503ee8bd7c4bd5919b5057e6d260
SHA1 654a8f7a059f3ea508fa8da6e97b2f06d1ab6a66
SHA256 b55dd5c1094002d2b49083d6c382ec1bd2065db59326e0a3b3e2102c5cfbbc5a
SHA512 906e4c060a0a2eca10364767e98addffc1b15f49fd1d99b56e35b12f88e6a48bfaffdead7e39df91a02584567f8b2b08e6a331e74e0dc02a9f46e72ac4dbd421

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db

MD5 fe600eebdad0d0638803cf872a1c7c9c
SHA1 eccb24df3fd84800037ea06374ab10cfec50abae
SHA256 698343cf4747940ac0fa5a45fa19b0b3ed6d0d252315582d24ee2640b346682e
SHA512 d67ff56ac6494028ffd5e9aa28376b50590d19df24313c1f25c6e298494ced072f4c05d3858ffac098757a433e3970b5baeeee8e9c49216998892fa982f670fa

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db

MD5 bed25b568aacd0caf65bbaeefa221a0c
SHA1 7133a6578b6756e4369fe024e595649f11dc11f1
SHA256 4f7b2804c615d88ab075b39b14a78d01142efe12334d7782bd55b604c24aa3ad
SHA512 6c3843bfa52b9d4d38e16e3a75484a31a7aebe5f9c33b807bab49cb0cb93d85d90627a232eacd4ecf885c8cee3691a19a7977f9c01affaa1dceaa1b3f67f8436

/data/data/com.ukrainealarm/files/.com.google.firebase.crashlytics.files.v1/open-sessions/664DC55302AE000110FBEE1F4F5B655E/userlog.tmp

MD5 c33583fae4e0b61cde1c5b9227963237
SHA1 fe2ebe4d27469af1460f7e852031a04208ef629b
SHA256 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
SHA512 fa09047004bec791b23f0dade0b64f8ab9bbd67555505e0d0818f6e89dfe56f474df80db0786d081d36adf23a5bacea40275ba043444a3a85d3d9612575bdd1e

/data/data/com.ukrainealarm/files/.com.google.firebase.crashlytics.files.v1/open-sessions/664DC55302AE000110FBEE1F4F5B655E/userlog

MD5 005c45ed525010d9c38c27b1df15e385
SHA1 f0297e7feaf856ec25f721fe9c5b81604332da4a
SHA256 ee49d8aee99d979c1f91c0b8f2cfad1d25c1102141f2d46261e7a209c075ee6c
SHA512 d06e578a1a2132a08146d8b546ee137d5e3569473b97b5708581ef86e13cc2f2e4799090e7dbb340060293964f9399917438c7296d5d68920e27da92ad9a91ac

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db

MD5 bb780c235037656466e8d9b897541728
SHA1 cb72c1aa8a58676db475f42cdc63e1c9deecebc3
SHA256 9692ecc93c721dcaef4cf95a86d41fb0c3b643d08d438f18f52e934fe878edfc
SHA512 772f9c48edf136cdcd07b96e17f72cbf1ed55db00997cff7f399fbb85c9c0342d85c03cd0ff541462cd3a8e4cc595ebdec63cb4e45c986942515de5d8605f303

/data/misc/profiles/cur/0/com.ukrainealarm/primary.prof

MD5 d9a775789e7d9a0d88be9ab3b2e310d3
SHA1 5f9727e2aab15426062245f8ccb3368c667ab449
SHA256 eb0a2af498bcfec35a0365d802035cf3dbeb2b470e2f1a1c00c5470fed1b5a01
SHA512 b18f5b16482ea76e4dd38f09effbe8d0a348027ef9338b0ca71993c651f1661b07ce90c24bca07fc10d145c3bf7e42c2c0e4f833711355d0e1c5b20f83f2fc24

/data/data/com.ukrainealarm/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 5ea6c4d9086af8818c38bb10f7a9136c
SHA1 93e1785134553738c241d13c8cd5ca7f8118addf
SHA256 09818af77ee35799ae71938ba64381a0288673483ad1e609793e01e8be623afc
SHA512 41f9b7f417642825a937581111de3a0ca8fdd90c88614613568a1bc3c67830077144d8ae4422fcc73fe610fc0ef608ca9f95c1745c740956e1607a667fff5a9c

/data/data/com.ukrainealarm/files/profileInstalled

MD5 eae848b0996ec75ac8a4a97b71641288
SHA1 d454f2d6e2dd5bf726b0001c6391251f7df2ef07
SHA256 6bb3ac064b17b1b55dfc791a6591df3b16eb1696c1cf68328b7115fcfbf6efb5
SHA512 1025938a118f2a0b0e7f92782747ba20ada314592c70eb68ef6e4630235b33458ba6b5cc293c358963763c4ee0098923e28acd710995bb43fbdbbc5dce84ffba

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db

MD5 63fc878f6b239552ebc23560492a563c
SHA1 dc6b6277f0e6a556cb00e6b488384c05e85f3a5f
SHA256 feb99cd0efad4ef7a5812a960c669033d0a5bf9e92f8920acfcdfc74d5408616
SHA512 15447665ca20d176990c4889d00ae022c4f24b0bca2c48e7a23ecb63c34772cf5bd734766d1ef7223e4ddaaad2c8efc1914eac212a779c24f8b9dd0975a8d882

/data/data/com.ukrainealarm/databases/google_app_measurement_local.db

MD5 c5a1ca23490eb247d53868aae15cf474
SHA1 b82a5b6003045b13f10e8eaf7d833cc62962fc92
SHA256 fe446f5b70fe47988f456d05752cc1656060ff035c6243b92c8bde80b77cfd91
SHA512 0becaae21e366de58514e2ea0689864269e0548940d34a37d8c40669b402d509ee2929a679a7b409e42467f637c963d37ef4bebadb5485120712061c93d7fac1

/data/misc/profiles/cur/0/com.ukrainealarm/primary.prof

MD5 6b2c3e259de5af6314c74abad8195a44
SHA1 d92002308173af5b74d121189411e83791bb59b3
SHA256 fed509a69ae014a05a8f01cf0a2eaea1b16c29ecbe87a4887160b6d4a1e3b30c
SHA512 7be681eb96d74586cc65e17df0dc6c93dba123d5a04eec5018a83f407b10052c4bb49f03d010d9bd9caaded00142820c73c5e0dc7f1e815dc29604cb739a724a
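The "Loads dropped Dex/Jar" signature and the Files list above both hinge on the same question: which of the paths involved are somewhere the app can write, and which are platform code on a read-only partition. The script below is an added triage example, not part of the sandbox report, and serves both sections: it takes each Files entry (path and SHA256 copied from the list above, with $APP standing in for the app's private directory to keep lines short), groups the hashes per path, classifies every path by Android partition, and flags any .dex/.jar/.apk/.so written outside the system partitions, which is what a genuinely dropped payload would look like. The partition prefixes and code suffixes are the script's own assumptions about a standard Android layout.

```python
"""Triage of the 'Files' list and the 'Loads dropped Dex/Jar' indicators above:
classify written paths by Android partition, dedupe hashes and flag any code
artefact outside read-only system partitions. Data copied from the report."""
from collections import defaultdict

PACKAGE = "com.ukrainealarm"
# Partitions an unprivileged app cannot write to; a jar here is platform code.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/",
                   "/apex/", "/odm/")
CODE_SUFFIXES = (".dex", ".jar", ".apk", ".so", ".odex", ".oat")

# Indicators listed under 'Loads dropped Dex/Jar' (one entry per load event).
LOADED_CODE = [
    "/system_ext/framework/androidx.window.extensions.jar",
    "/system_ext/framework/androidx.window.extensions.jar",
    "/system_ext/framework/androidx.window.sidecar.jar",
    "/system_ext/framework/androidx.window.sidecar.jar",
]

# "path sha256" per Files entry; $APP stands for /data/data/com.ukrainealarm.
FILES_TABLE = """\
/system_ext/framework/androidx.window.extensions.jar 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0
/system_ext/framework/androidx.window.sidecar.jar 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a
$APP/databases/com.google.android.datatransport.events-journal e74c0257a05930c91dd4f9325b482fc53078ac32c64735b5e0464c93ad9da815
$APP/databases/com.google.android.datatransport.events eb77c96b3c8fe48af13735ecf98e5c660d4f503059f2ae08494eaccdfa37be8e
$APP/files/PersistedInstallation6912502113230517387tmp e5bb61c67183e482e29e58dd4986c48e8fbdd86e194aa868e3059acba3f01238
$APP/databases/com.google.android.datatransport.events-journal 3fcb1c4f94b9e41da7737ba556b58fcd4029925024d8a1316ed11a26a57e6fc4
$APP/databases/com.google.android.datatransport.events-journal 5a06e121d1408ac0cca36924f694c4d21d8724da3011039c2cf00ea71ada42eb
$APP/files/.com.google.firebase.crashlytics.files.v1/open-sessions/664DC55302AE000110FBEE1F4F5B655E/report 22b50be3c9ed2284e3fd5cb03ac216b62ec1d8958c5226cf8176ad1546b94cb6
$APP/files/.com.google.firebase.crashlytics.files.v1/com.crashlytics.settings.json 79b7e31b34e54df905f192270a0dbab0449648a6a0c48af58ee45f3216a3df6d
$APP/no_backup/androidx.work.workdb-journal 3455782aa8ca737eac792d9cd8e6d7aba430cebfa6423a00d74c5945de20fe41
$APP/files/PersistedInstallation2925139467290067237tmp 8af80e2d9037edf1e75053592160acddb5b345cbd04eb1b1c1eb1a93a02b2a16
$APP/no_backup/androidx.work.workdb b63639127bdf2b50d7ebff00fccf2e08bd37733d6a620999b97027fbb39d7be0
$APP/no_backup/androidx.work.workdb-shm c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
$APP/no_backup/androidx.work.workdb-wal 2fd7812871ef3f13383e8daa6a3239c8a8db492d1a1047a84448b7be9445490c
$APP/no_backup/androidx.work.workdb-wal 8eea8ef6a871c7ca0a98113c2f560e4e1008003ecdab6bb133a25fa2a01766ab
$APP/no_backup/androidx.work.workdb-wal 154e4f773fe2353b74341bd0cfe16c3800ab246f4d80ff86ac774b07b65eb502
$APP/databases/google_app_measurement_local.db-journal 8f4ee6d283ef358f1e0c767736f7ef6c102de3cc1c2465732c0693341fecb52e
$APP/databases/google_app_measurement_local.db 2cca60f699cd5bcd820cc45e6debf356503a23d44ea7147a63d730b8f503496a
$APP/databases/google_app_measurement_local.db-journal 7121315983b3760d539bc2aa4353a53c51d244d96c7ab1654e69164739aa8e73
$APP/databases/google_app_measurement_local.db-journal 11317f17029f9799668def71f4b70a71a2dbbf4453ca1ec77d26df3742cce57b
$APP/databases/google_app_measurement_local.db-journal f3889e9d792f3d2a52af4ffbb47bbd4d50526af07fef1834b5dda63cec58721f
$APP/databases/google_app_measurement_local.db-journal dce67808ddb4ecb066f138244bf90a3f128444da2da6f7d2f1a648362608e397
$APP/databases/google_app_measurement_local.db-journal b55dd5c1094002d2b49083d6c382ec1bd2065db59326e0a3b3e2102c5cfbbc5a
$APP/databases/google_app_measurement_local.db 698343cf4747940ac0fa5a45fa19b0b3ed6d0d252315582d24ee2640b346682e
$APP/databases/google_app_measurement_local.db 4f7b2804c615d88ab075b39b14a78d01142efe12334d7782bd55b604c24aa3ad
$APP/files/.com.google.firebase.crashlytics.files.v1/open-sessions/664DC55302AE000110FBEE1F4F5B655E/userlog.tmp 35c6d6e5b93657e4a741a1cec71c21813fe05aab219909ebbb0f62fb0ae648dc
$APP/files/.com.google.firebase.crashlytics.files.v1/open-sessions/664DC55302AE000110FBEE1F4F5B655E/userlog ee49d8aee99d979c1f91c0b8f2cfad1d25c1102141f2d46261e7a209c075ee6c
$APP/databases/google_app_measurement_local.db 9692ecc93c721dcaef4cf95a86d41fb0c3b643d08d438f18f52e934fe878edfc
/data/misc/profiles/cur/0/com.ukrainealarm/primary.prof eb0a2af498bcfec35a0365d802035cf3dbeb2b470e2f1a1c00c5470fed1b5a01
$APP/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat 09818af77ee35799ae71938ba64381a0288673483ad1e609793e01e8be623afc
$APP/files/profileInstalled 6bb3ac064b17b1b55dfc791a6591df3b16eb1696c1cf68328b7115fcfbf6efb5
$APP/databases/google_app_measurement_local.db feb99cd0efad4ef7a5812a960c669033d0a5bf9e92f8920acfcdfc74d5408616
$APP/databases/google_app_measurement_local.db fe446f5b70fe47988f456d05752cc1656060ff035c6243b92c8bde80b77cfd91
/data/misc/profiles/cur/0/com.ukrainealarm/primary.prof fed509a69ae014a05a8f01cf0a2eaea1b16c29ecbe87a4887160b6d4a1e3b30c
"""

def classify(path, package=PACKAGE):
    """Which part of the filesystem a path lives on."""
    if path.startswith(SYSTEM_PREFIXES):
        return "system"
    if path.startswith((f"/data/data/{package}/", f"/data/user/0/{package}/")):
        return "app-private"
    return "other"

def parse_files(table, package=PACKAGE):
    by_path = defaultdict(set)     # path -> every SHA256 seen for it
    for line in table.splitlines():
        if line.strip():
            path, sha256 = line.replace("$APP", f"/data/data/{package}").split()
            by_path[path].add(sha256)
    return by_path

def triage(files=FILES_TABLE, loaded=LOADED_CODE):
    by_path = parse_files(files)
    by_partition = defaultdict(list)
    for path in by_path:
        by_partition[classify(path)].append(path)
    return {
        "unique_paths": len(by_path),
        "unique_sha256": len(set().union(*by_path.values())),
        "versions_per_path": {p: len(h) for p, h in by_path.items()},
        "by_partition": {k: sorted(v) for k, v in by_partition.items()},
        # code written somewhere the app can write: a real "dropped" payload
        "dropped_code_candidates": sorted(p for p in by_path
                                          if p.endswith(CODE_SUFFIXES)
                                          and classify(p) != "system"),
        "loaded_code_from_system": sorted({p for p in loaded if classify(p) == "system"}),
        "loaded_code_from_app_paths": sorted({p for p in loaded if classify(p) != "system"}),
    }

if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

Against this report the 34 entries collapse to 19 distinct paths: two platform jars on /system_ext, one ART profile under /data/misc/profiles, and sixteen app-private SQLite, WorkManager, Firebase and Crashlytics files, several of which were rewritten repeatedly during the run (six versions each of google_app_measurement_local.db and its journal). The dropped-code list is empty and both loaded jars classify as system code, which is the check to make before reading the "Loads dropped Dex/Jar" signature as evidence of a staged payload.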