Malware Analysis Report

2025-01-19 06:59

Sample ID 240522-rj7etaeb3t
Target upload-simulator-2-mnogo-deneg-15011-androeed.store-0-1703930999.apk
SHA256 58a0f24477e5ff0d61e8b144590bec0c00c85645ccec1a75aaf5717fc8ff6d17
Tags
collection credential_access discovery evasion impact persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Mobile Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

58a0f24477e5ff0d61e8b144590bec0c00c85645ccec1a75aaf5717fc8ff6d17

Threat Level: Likely malicious

The file upload-simulator-2-mnogo-deneg-15011-androeed.store-0-1703930999.apk was found to be: Likely malicious.

Malicious Activity Summary

collection credential_access discovery evasion impact persistence

Checks if the Android device is rooted.

Queries the mobile country code (MCC)

Checks CPU information

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Queries information about running processes on the device

Requests dangerous framework permissions

Checks if the internet connection is available

Reads information about phone network operator.

Listens for changes in the sensor environment (might be used to detect emulation)

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 14:14

Signatures

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 14:14

Reported

2024-05-22 14:18

Platform

android-33-x64-arm64-20240514-en

Max time kernel

104s

Max time network

118s

Command Line

com.enigmadev.uploadsimulator2

Signatures

Checks if the Android device is rooted.

evasion
Description | Indicator | Process | Target
N/A | /system/app/Superuser.apk | N/A | N/A
N/A | /sbin/su | N/A | N/A
N/A | /system/bin/su | N/A | N/A

Checks CPU information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

evasion discovery
Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.enigmadev.uploadsimulator2/cache/1689111357674.jar | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Checks if the internet connection is available

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Reads information about phone network operator.

discovery

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.enigmadev.uploadsimulator2

Network

Country | Destination | Domain | Proto
GB | 216.58.204.68:443 | | udp
GB | 216.58.204.68:443 | | tcp
GB | 216.58.204.68:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.178.14:443 | | udp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.178.14:443 | | tcp
GB | 142.250.187.195:443 | | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | udp
GB | 172.217.169.3:443 | | tcp
GB | 172.217.169.3:443 | | udp
GB | 216.58.204.68:443 | | udp
GB | 216.58.201.100:443 | | udp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ms.applovin.com | udp
US | 34.102.162.219:443 | ms.applovin.com | tcp
US | 1.1.1.1:53 | d.applovin.com | udp
US | 1.1.1.1:53 | rt.applovin.com | udp
US | 34.110.179.88:443 | d.applovin.com | tcp
US | 34.117.147.68:443 | rt.applovin.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
GB | 216.58.212.202:443 | remoteprovisioning.googleapis.com | tcp
US | 1.1.1.1:53 | gmscompliance-pa.googleapis.com | udp
GB | 142.250.180.10:443 | gmscompliance-pa.googleapis.com | tcp
US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp
GB | 216.58.204.66:443 | googleads.g.doubleclick.net | tcp
GB | 216.58.204.66:443 | googleads.g.doubleclick.net | udp
US | 1.1.1.1:53 | prod-mediate-events.applovin.com | udp
US | 34.102.162.219:443 | prod-mediate-events.applovin.com | tcp
GB | 216.58.204.66:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | ms4.applovin.com | udp
US | 34.102.162.219:443 | ms4.applovin.com | tcp
GB | 216.58.204.66:443 | googleads.g.doubleclick.net | udp
GB | 216.58.204.66:443 | googleads.g.doubleclick.net | tcp
US | 1.1.1.1:53 | www.googletagservices.com | udp
US | 1.1.1.1:53 | lh3.googleusercontent.com | udp
GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp
GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp
GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp
GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp
GB | 172.217.16.225:443 | lh3.googleusercontent.com | tcp
US | 1.1.1.1:53 | csi.gstatic.com | udp
FR | 172.217.19.35:443 | csi.gstatic.com | tcp
FR | 172.217.19.35:443 | csi.gstatic.com | tcp
US | 1.1.1.1:53 | rr1---sn-5hne6nzs.googlevideo.com | udp
NL | 74.125.8.102:443 | rr1---sn-5hne6nzs.googlevideo.com | tcp
NL | 74.125.8.102:443 | rr1---sn-5hne6nzs.googlevideo.com | tcp
FR | 172.217.19.35:443 | csi.gstatic.com | udp
GB | 172.217.16.225:443 | lh3.googleusercontent.com | udp
US | 1.1.1.1:53 | rr4---sn-5hnednss.googlevideo.com | udp
NL | 172.217.132.201:443 | rr4---sn-5hnednss.googlevideo.com | tcp
NL | 172.217.132.201:443 | rr4---sn-5hnednss.googlevideo.com | tcp

Files

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb-journal

MD5 0336eee9e541af8374b8e7721036facb
SHA1 5205314f1ee5f91c77994288ebc7ed3025e5819a
SHA256 6d8287414ac972b45c95b051e0aee8c1bb778f13cf4f63f5152ae10fd058a710
SHA512 2eec260aaa57d137e444abd4265df9088f1b49e56c53e0182119237a47e5dd7f1816eae54d73546f7ff114c9c64f9ef2a14cadb5580e811089c42ebc6b543b85

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb

MD5 0eb157e1a86d4d00aa601dd2f6ff3ee3
SHA1 fee434f784e73cc7916322e949f727caf8363102
SHA256 b9a8194b71a046e8c0eb30995827b582b4bea834f630a5df2483b778a7d7d8a4
SHA512 b9b79b8c3af8a3f140df230fd89e95206358ba50ff214e7323a2dbbe2937b795f970e588302ffd5d721318bd597ce0a27af26d6cdb07f45569c30209845082a8

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb-wal

MD5 de5977da58547ea1d2a3f1924dc406af
SHA1 93004339d2e6b5dc26869bf5b86f3c58468d2946
SHA256 5c863e494d1573bd533e97f14a2d22243811d292abd899968925591109e542b7
SHA512 2b4eaa11ce4723fae8b48f71b40116dd47f080a7b8b27693a6895060d8e74762680386624fdc6e5479ee1b7eaf8626dd0e0123247385e5693cecd4c2795a7b89

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb-wal

MD5 a6d76187f4c414a3abb76ef0897e12be
SHA1 626f5e7d18c37d054a74f7bb27deb416f2b7a5e4
SHA256 30efa151b3b2b194c79e5a63aa3fe4aba30439955e95bd9d9bb3fe5036f70b02
SHA512 ef2866d5acf6dbb925055f1d3cffbc3b1abd4d682db1789963b212952bcd53abb25f0d01f21402aa5d4d516c8ed1abdcc4e54db2dd60612381b3ceb3a20367af

/data/data/com.enigmadev.uploadsimulator2/databases/google_app_measurement_local.db-journal

MD5 3b58ed022e7e845c8678bd685002d81b
SHA1 78c4c70745767a27c579376b0603470bf3ccbe9b
SHA256 4e13ee56e9afa1a3ca7d7553e178e54b49cdd103fb66ec32748ad92c7f875c39
SHA512 41b715a04e41b932c49f7284d259667c5c13bdff2515648a4092f833dedaea721cd18334e7f33861224435934ac6149cf9ec7f787ab35f720ce661883cac1733

/data/data/com.enigmadev.uploadsimulator2/databases/google_app_measurement_local.db

MD5 da4c81d9a032121236a4ed034c0cc9d9
SHA1 6ea1d3d14a34c4dbe056fc4380747d3970cb3498
SHA256 30b7dde5771b5ef3cb6cd033fa2b1618a0674f41f47c1441855f3da24887a0ff
SHA512 e61d8e6af3d48cc6e95e34568209bc24308db9d751dd1451538907df0e7caa67e329c4615911b0c6614275f3e5cfb2a8a38288f5818487c5d292c18dd857849f

/data/data/com.enigmadev.uploadsimulator2/databases/google_app_measurement_local.db-journal

MD5 9d06b862da1c04124368a94d9caf5386
SHA1 6795a8511ed266eb44a92394a665d893ae44820d
SHA256 934bc30c3a64b51eb88263ead8cade271f1edbeecec7170dce6134185b1d54b6
SHA512 d147376e856361cbd527fc380145f4dbda5341d325c3c40f719d3157ab2e8387e6639f0a3445781cb2aec73cf449dcb6b038ffa15187409356203ec069c2fa1c

/data/data/com.enigmadev.uploadsimulator2/databases/google_app_measurement_local.db-journal

MD5 2ca58b6b946166b3f2058b29abaea326
SHA1 05b6dbb98689838e9957504afae68a33884e7b38
SHA256 6a939b1cb85dbc51bf5a747eda64dec17578cc29a53a7d0b326c0d3bec8e6454
SHA512 e12dd201da69489bfd21a2e7ceaa3f826de0cf376de510c2316984fa5d94e4e2f1bcdefcecc6a0b22a51061de7640c26bba1a9b52dca0e86d522e5d665029804

/data/data/com.enigmadev.uploadsimulator2/databases/google_app_measurement_local.db-journal

MD5 a88373a67f694dcca1420ec5cb213ef8
SHA1 98985b6b848ab7dfc0521170236315c07300d3e1
SHA256 49b76141f58baecef007503ffef5a1385e12ccff85f3152995a8ff7430cc4cac
SHA512 ac0bfb19ce804e1bedff6fce70cd7c7d67d940d88220495ca082cf5c4b7346c9ce8bb8bd18f2c8ee9da2e0555649d7dd323f2486dc03868237a01768097f4c28

/data/data/com.enigmadev.uploadsimulator2/databases/google_app_measurement_local.db-journal

MD5 973ce0a22919b1e482aa72ee0795a66e
SHA1 1e87347596efa7b1d18aa76a919b56e0f39091a5
SHA256 e5549e116a52e5862f0226ef9a2f7dff24074b0138094886887edb65e2c4bfbe
SHA512 2cca143ac600a4241aee1a7c752e906733cee8318bb17bba90b870f3af49a9c054155b4f1561965cb50557b4c1e10aa8d0f5cc1c62637ec6626efba1375ed68f

/data/data/com.enigmadev.uploadsimulator2/files/al/persistent_postback_cache.json

MD5 a5612927e7792641607f093050b775bb
SHA1 99216e1430784a2fc369f81e03a28e5f681735e3
SHA256 4e89c765f879a6052bf02aaed88823281bbeaf0e713f91faecc643d6d31326db
SHA512 3ce4dd5f437b9405ea6e4d6bcb16512c98914b2dd15a01facab5fc68126698cc37e0448fac28408560552e9688ad1b6948e0fb8c9d11f893635d20e970cd9090

/data/data/com.enigmadev.uploadsimulator2/cache/1689111357674.jar

MD5 189d24556179c74f72678b58e01308c1
SHA1 d4ed4dc1b0fb6741c6c9434348b159dbea92e0b4
SHA256 236eb17c5c14261b62630ebdc5830f4a97d3cf0dbc7bd1de98dfd17d55474353
SHA512 27dc7bd75c982173c58d3a02e793616dd6364bbc3d593d1453c5c1cb5dc0ef560b5931a7736ae12c69486fb170ee723bf124747d1b2727a4026281dccbdae9e2

/data/user/0/com.enigmadev.uploadsimulator2/cache/1689111357674.jar

MD5 2800ad09ca14a7a986a6e8becbbbb158
SHA1 cff8d824d09296149af1f7f7ad12ebb701f4b8c5
SHA256 5b3ace2783fb2b21f30cd4e20a8645e6bd6d59347c44cbfd11141b0d9afcb33e
SHA512 c315532db47e93c406308f997b1f81876dc4394838b64f93b3afce0748f1cd1c5b5e490856e5c7be0fc7aef063c0f4dcef73de0cc1a712eebc4f80a443cea7d3

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 14:14

Reported

2024-05-22 14:17

Platform

android-x86-arm-20240514-en

Max time kernel

45s

Max time network

84s

Command Line

com.enigmadev.uploadsimulator2

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description | Indicator | Process | Target
Framework API call | android.hardware.SensorManager.registerListener | N/A | N/A

Processes

com.enigmadev.uploadsimulator2

Network

Country | Destination | Domain | Proto
GB | 216.58.213.3:443 | | tcp
GB | 142.250.200.14:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.169.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb-journal

MD5 51ebff27ba4b2d523a054cd51ded8737
SHA1 b11142d92e3da73239301922c0aa51aa37912bf5
SHA256 a8e395368d1e6ea6e7c801233c26c0c63c8684cb101b6b28f5f36d2e86cf74ad
SHA512 c73d384d8776cf36ab99fda53e0b3774877a01e55fc5d7233b24541f7dcf405701c4375a47cb31ef35e9cd0533c7500407dc475f2561f57733f49f65417b08f4

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb-wal

MD5 5072b449fb8938623004983f7d3e00cd
SHA1 3d5ef6b32314b2a69a9cf0e159f77911891ee27d
SHA256 445048af39f328e7435602a14aa7ac4883b272ef63d6e2c8af077ddb77162caf
SHA512 44b2e3f40a597814f23b77413c191251620804c62c1c96bf8d85dcd53c85ed29bdc03a2a381d3eeb680f9a7285debe305e2878c278de8a549034177eebc08315

/data/data/com.enigmadev.uploadsimulator2/no_backup/androidx.work.workdb-wal

MD5 ee09145ad8d7c0adc0b9ba7e96f89f62
SHA1 0868e9932f24aa5717ef6b79ac1630a6227ed62e
SHA256 cc61f332827c515632c1f8913f0397c700cffb0f3e40d7d1ea0c98235cd34344
SHA512 32e8ee0b637455b24212a73943db41b7ccc2ea556b2f897a76d07dea6deacd1d327277adf0e5696c13eb1f7d5aab40efa465eb3daed726ff6d533975d9e2b8d9

/data/data/com.enigmadev.uploadsimulator2/files/shader_cache/CopyShaderGLES3/b1bc5a355ed9bda23f291956f121e0535b4e81b54cdac398412d200e6133161f/0569298c4bd67f71fa194e93b48a113d8bfd63e0.cache

MD5 ec051a0d6e49a4698d3a07ad1c203101
SHA1 599f0df5ff699d7e7ef919a55d74f5afce0ce1f6
SHA256 bd2277141d4bbdf2bc1f8060889ef4927b9b9a2f7f3c77801c418b801fb3b52a
SHA512 e369a3fcabfdb41b1b7a8ea0f54ace8aa84e2f7688943b9c956479fb267f48085022004bc3e7df49baeb9195003d2a787192a6571dfccad2d8e077260ce47724

/data/data/com.enigmadev.uploadsimulator2/files/shader_cache/SceneShaderGLES3/7757391c487ac94cfa6418166bd5fdacce470f09394c1a2a875e878c8c5d8596/0569298c4bd67f71fa194e93b48a113d8bfd63e0.cache

MD5 3fb4be4b9f022f15ab4cc487c98cf367
SHA1 a1f70bc99323bc457d2599c11607e9c28a3d0516
SHA256 621d8ebb0a6a1d148eaa57537cc0fdddc63639a5c6b5985f8c062df1204437ab
SHA512 d5e91bc545dd8820cebd1810982638aa02962c739e0a8dee0964290648d1535ddcb0a62846921f0540186af9c35f8b5e8ea8323ac275b437c020f27a40daed8d