Analysis Overview
SHA256
343a24ea5231099de5ecc817ea1249c6d17fecf7c5cb7458b8e2533c1d9cc760
Threat Level: Likely malicious
The file controle_clientes.apk was found to be: Likely malicious.
Malicious Activity Summary
Checks if the Android device is rooted.
Checks CPU information
Loads dropped Dex/Jar
Queries information about running processes on the device
Queries the mobile country code (MCC)
Checks Android system properties for emulator presence.
Checks memory information
Registers a broadcast receiver at runtime (usually for listening for system events)
Obtains sensitive information copied to the device clipboard
Uses Crypto APIs (Might try to encrypt user data)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-23 12:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 12:03
Reported
2024-05-23 12:23
Platform
android-x86-arm-20240514-en
Max time kernel
33s
Max time network
160s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Checks Android system properties for emulator presence.
| Description | Indicator | Process | Target |
| Accessed system property | key: ro.product.model | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar | N/A | N/A |
| N/A | /data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
br.com.contasemdia.contasemdia
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar --output-vdex-fd=71 --oat-fd=72 --oat-location=/data/user/0/br.com.contasemdia.contasemdia/cache/oat/x86/1582435991586.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.200.42:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.187.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 172.217.169.66:443 | | tcp |
Files
/data/data/br.com.contasemdia.contasemdia/databases/contasDB-journal
| MD5 | 73a5aa200fda110725b33038e655336e |
| SHA1 | 9272ca81031081e7ac782fa2dc15442f791efa59 |
| SHA256 | 8013bf23898c0d608cc0024d1f597d4f2937d5ed200a1adc274bedb4527cacf6 |
| SHA512 | ea4066307fa138a0d9a7edd65e3ba1f31589c41a092c6391eddc9064644fdf62182122e77bf4a2da6d4c64db7b51551b7e321f3240cd246510efd36c96693f41 |
/data/data/br.com.contasemdia.contasemdia/databases/contasDB
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/br.com.contasemdia.contasemdia/databases/contasDB-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/br.com.contasemdia.contasemdia/databases/contasDB-wal
| MD5 | 9175d7fcc6086febf35337fde6eff86f |
| SHA1 | 308415205d32e7561e1fd8f3468a8426fee73c2b |
| SHA256 | 32f5997a1dbe6ed4adcdddb0f39bba6bae8eee8f92351acbbb54b5a1fd0f554d |
| SHA512 | 659e35cf9fb810421f717da568e4408db467ada761a515f75cf219933d54989f537684bea63b14d0c51402d3d587f4cdea9a11254b79ca9ab56fcdef254dbb9f |
/data/data/br.com.contasemdia.contasemdia/cache/1582435991586.jar
| MD5 | e8e0527a01aefdb89afd2c508f131da1 |
| SHA1 | f1103e6b260c657ceb3d95f1b023af3fda8b133a |
| SHA256 | f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce |
| SHA512 | fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34 |
/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar
| MD5 | fde2ee00cbd121cfab5290b078aa3ceb |
| SHA1 | e2b77d5320e155e413d040a8c20020962065b2f8 |
| SHA256 | 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685 |
| SHA512 | a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56 |
/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar
| MD5 | 2048eb6124a452540ee51dae4145aadf |
| SHA1 | d05005b2cd7fe4cd652b0d7fd1bdac2c19d51451 |
| SHA256 | 105c54b6fe3f25350e92187467761598e4c21d62b1091b77d091f65f3bd98864 |
| SHA512 | bb6cb3853dd2a5d0701e20607d4e153ae201268dd2e5e2d06cc2df208b3b4dc50132a4ab428251b1644d2399fcc717662438d082ff14203387bab8794109d44d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 12:03
Reported
2024-05-23 12:12
Platform
android-x64-20240514-en
Max time network
149s
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.200.10:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 172.217.169.14:443 | | tcp |
| GB | 172.217.16.226:443 | | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-23 12:03
Reported
2024-05-23 12:12
Platform
android-x64-arm64-20240514-en
Max time kernel
122s
Max time network
132s
Signatures
Checks if the Android device is rooted.
| Description | Indicator | Process | Target |
| N/A | /system/app/Superuser.apk | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
br.com.contasemdia.contasemdia
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| GB | 216.58.201.110:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/user/0/br.com.contasemdia.contasemdia/databases/contasDB-journal
| MD5 | 22a03433c862bcbec8d7cc292efca908 |
| SHA1 | 2725792e98131701647b8cb6a1afdde5ea80556e |
| SHA256 | d4edf0cb297836cfe68d121a935e07d3c9c851b4283f7c9769f3b837c542c333 |
| SHA512 | 79b1ee805f88fd95d773b844f644bf6cc9857e81097cb94ac805110c3fadc3411377b3ebef6f46b5d9a9c8aef228c5cee19a11d97129a8e7e4b7d4128997b8e3 |
/data/user/0/br.com.contasemdia.contasemdia/databases/contasDB
| MD5 | 3f6df60944ac834b8319f5a85ff24a5a |
| SHA1 | e954ea402e09542f6934dd7b026528d615152322 |
| SHA256 | 172e38bed929b357ee9f19d24c90eefa422d94140e8934a616b39d5c96ad2143 |
| SHA512 | 87169d9f7da254c386fea1fd72a8b7097812c314526c686d19dadfa8eabc2e96310040c2eb1cd367fdf864263e2bb9cd4cfb8961cc49c27ca7f6d5ab42e5628b |
/data/user/0/br.com.contasemdia.contasemdia/databases/contasDB-journal
| MD5 | 581f4fbb8b463cc53e8a5321cf87c077 |
| SHA1 | dc02ca4816b5cf558811c3897b7a31a345cc7757 |
| SHA256 | 8e0e512e8ea3c13e931a6e6f068eb8e768f677d02591b06352d3314e53db4b89 |
| SHA512 | 0ec83ec28e1d82a02ce32e61e5d91feeac602476846c548406beaef0cfb602cbcb88c4dba70470cdabb03c9124d8b22e682d1ed3d98ea98e227afc9d8cc2641d |
/data/user/0/br.com.contasemdia.contasemdia/databases/contasDB-journal
| MD5 | 37adb5a6d81cb9590f48db84e0fb3ec6 |
| SHA1 | c255b5912a175ebdcee7ad64c6fa0d9e88bccee8 |
| SHA256 | 624e834e01c2d554f481df85c8b2a4aed86d84cb70673767fe8eef471af3d79e |
| SHA512 | 2a7a7b9d21e078707d21e2386f849b842fbff0c225147df60bff284b96c25be6f2937678efd08b8455d057f0f50d60b979ad33fec845bb708cc24dea47928b07 |
/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar
| MD5 | e8e0527a01aefdb89afd2c508f131da1 |
| SHA1 | f1103e6b260c657ceb3d95f1b023af3fda8b133a |
| SHA256 | f809447486f89fcaa74f87e06d126d103d37eb2b3157e88f2c06d989b2c284ce |
| SHA512 | fb53683a83f1068d0f94567b156e6a8910c45b1b5f33db919f7e0b9c55eab28507a235ef76d44d5b549599ea3b54dbc00496a633339d276a80f395da938d6d34 |
/data/user/0/br.com.contasemdia.contasemdia/cache/1582435991586.jar
| MD5 | fde2ee00cbd121cfab5290b078aa3ceb |
| SHA1 | e2b77d5320e155e413d040a8c20020962065b2f8 |
| SHA256 | 2897b0812077c654a9b3fbb0b6303d5cde681eeba7ad9981de65716c7810d685 |
| SHA512 | a9326aff8e454a2b4ac09984ef2a65fddd4dc146b4c44d839035549bff8c9fdaae490326d0b018f76c1ca2e4fb25426d74f550ca0950982fba632a023af99a56 |