Analysis Overview
SHA256: 4c15bad3486dc4aa0553ad267812aff29b1a4951abcc6ec91ef7c1feed78e7b2
Threat Level: Shows suspicious behavior
The file VirusShare_645a60e6f4393e4b7e2ae16758dd3a11 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Queries the unique device ID (IMEI, MEID, IMSI)
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Acquires the wake lock
Tries to add a device administrator.
Analysis: static1
Detonation Overview
Reported: 2024-06-09 23:47
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-09 23:47
Reported: 2024-06-09 23:50
Platform: android-x86-arm-20240603-en
Max time kernel: 179s
Max time network: 131s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Processes
com.android.locker
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | itsecurityteamsinc.su | udp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/storage/emulated/0/droidflag.syst
| Hash | Value |
| --- | --- |
| MD5 | 511ae0b1c13f95e5f08f1a0dd3da3d93 |
| SHA1 | b03881fcd505a6f2987289ae37488d514697466a |
| SHA256 | d0b54a6b712cc633e4f9ca3ede91807eb23eaef271e165e4c245c4bf83c3385d |
| SHA512 | 0852db5c1ed8ee1c725ee4f0c486bb61ef1c3765ed650469bbb3cc44c4af72a2f8d5b463b34a1984234c165814a5344ac600a775f07459c4d17c74518a18b181 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-09 23:47
Reported: 2024-06-09 23:50
Platform: android-x64-20240603-en
Max time kernel: 179s
Max time network: 131s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries the unique device ID (IMEI, MEID, IMSI)
Processes
com.android.locker
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | itsecurityteamsinc.su | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.106:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.238:443 | android.apis.google.com | tcp |
| GB | 142.250.179.238:443 | | tcp |
| GB | 142.250.187.226:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 216.58.212.206:443 | | tcp |
Files
/storage/emulated/0/droidflag.syst
| Hash | Value |
| --- | --- |
| MD5 | 511ae0b1c13f95e5f08f1a0dd3da3d93 |
| SHA1 | b03881fcd505a6f2987289ae37488d514697466a |
| SHA256 | d0b54a6b712cc633e4f9ca3ede91807eb23eaef271e165e4c245c4bf83c3385d |
| SHA512 | 0852db5c1ed8ee1c725ee4f0c486bb61ef1c3765ed650469bbb3cc44c4af72a2f8d5b463b34a1984234c165814a5344ac600a775f07459c4d17c74518a18b181 |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-06-09 23:47
Reported: 2024-06-09 23:50
Platform: android-x64-arm64-20240603-en
Max time kernel: 179s
Max time network: 139s
Command Line
Signatures
Acquires the wake lock
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Processes
com.android.locker
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 142.250.187.238:443 | | tcp |
| GB | 142.250.187.238:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.202:443 | | tcp |
| GB | 216.58.212.202:443 | | tcp |
| US | 1.1.1.1:53 | itsecurityteamsinc.su | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 172.217.169.42:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
Files
/storage/emulated/0/droidflag.syst
| Hash | Value |
| --- | --- |
| MD5 | 511ae0b1c13f95e5f08f1a0dd3da3d93 |
| SHA1 | b03881fcd505a6f2987289ae37488d514697466a |
| SHA256 | d0b54a6b712cc633e4f9ca3ede91807eb23eaef271e165e4c245c4bf83c3385d |
| SHA512 | 0852db5c1ed8ee1c725ee4f0c486bb61ef1c3765ed650469bbb3cc44c4af72a2f8d5b463b34a1984234c165814a5344ac600a775f07459c4d17c74518a18b181 |