Malware Analysis Report

2025-01-19 07:57

Sample ID 240610-nryk4ahd4t
Target deltazero.amarok.foss_77.apk
SHA256 6063b3ac4192223bdaa02f7b1d344c0e4c49ebe8ca17ec08c5c2d2ae485d52e8
Tags persistence evasion
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Mobile Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 6063b3ac4192223bdaa02f7b1d344c0e4c49ebe8ca17ec08c5c2d2ae485d52e8

Threat Level: Shows suspicious behavior

The file deltazero.amarok.foss_77.apk shows suspicious behavior. The score rests on declared capabilities (a device admin receiver, a quick settings tile service, all-files storage access, overlay windows) plus one broadcast receiver registered at runtime. Across the three detonations the sample wrote only under its own data directory and ART profile paths, every resolved domain is a Google endpoint, and the "Loads dropped Dex/Jar" hit is a framework jar read from /system_ext/framework rather than a file the sample wrote.

Malicious Activity Summary

persistence evasion

Loads dropped Dex/Jar

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Mobile Matrix V15: no techniques are listed in this report.

Analysis: static1

Detonation Overview

Reported 2024-06-10 11:38

Signatures

Declares broadcast receivers with permission to handle system events

Indicator android.permission.BIND_DEVICE_ADMIN
Description Required on a DeviceAdminReceiver so that only the system can bind to it; once the user activates the app as a device admin, the receiver gives it access to device administration features.
Process N/A
Target N/A

Declares services with permission to bind to the system

Indicator android.permission.BIND_QUICK_SETTINGS_TILE
Description Required on a TileService so that only the system can bind to it; lets the app add a custom tile to the quick settings panel.
Process N/A
Target N/A

Requests dangerous framework permissions

Process and Target are N/A for every row (static finding).

Indicator android.permission.READ_EXTERNAL_STORAGE
Description Runtime ("dangerous") permission; read from external storage.

Indicator android.permission.WRITE_EXTERNAL_STORAGE
Description Runtime ("dangerous") permission; write to external storage.

Indicator android.permission.MANAGE_EXTERNAL_STORAGE
Description Special-access permission ("All files access"), granted through a Settings screen rather than a runtime prompt; broad read and write access to external storage that bypasses scoped storage restrictions.

Indicator android.permission.SYSTEM_ALERT_WINDOW
Description Special-access permission granted through Settings; lets the app create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY drawn on top of all other apps, the primitive behind overlay and tapjacking attacks.

Indicator android.permission.POST_NOTIFICATIONS
Description Runtime permission (Android 13 and later); post notifications.
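The bind-permission and permission-list findings above can be reproduced from the decoded manifest. The following Python script is an added example, not part of the sandbox report or of the analysed app: it parses a decoded AndroidManifest.xml (as produced by `apktool d sample.apk`), separates runtime permissions from special-access ones, and lists receivers and services guarded by a system-only bind permission. The embedded manifest is constructed to mirror the static1 findings; the component names (.ExampleAdminReceiver, .ExampleTileService), the INTERNET entry and the partial permission tables are assumptions, not taken from the sample.

```python
"""Static triage of a decoded AndroidManifest.xml.

Flags (1) requested permissions that are runtime ("dangerous") or
special-access, and (2) receivers/services guarded by a system-only bind
permission, which marks them as entry points the OS itself calls.
Added example; the permission tables are partial and the sample manifest
is constructed, not the analysed app's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """Qualified attribute name for android:<name>."""
    return f"{{{ANDROID_NS}}}{name}"


# Partial tables of platform protection levels, enough for triage (assumed).
RUNTIME_PERMISSIONS = {
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}
SPECIAL_ACCESS_PERMISSIONS = {
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.PACKAGE_USAGE_STATS",
}
# Bind permissions only the system holds: a component declaring one is a
# callback surface the OS drives (device admin, tiles, accessibility, ...).
SYSTEM_BIND_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
    "android.permission.BIND_QUICK_SETTINGS_TILE": "quick settings tile service",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_VPN_SERVICE": "VPN service",
}


def triage_manifest(manifest_xml):
    """Summarise the permission surface of one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    result = {
        "package": root.get("package"),
        "runtime": [],
        "special_access": [],
        "system_bound_components": [],
    }
    for elem in root.iter("uses-permission"):
        name = elem.get(android_attr("name"))
        if name in RUNTIME_PERMISSIONS:
            result["runtime"].append(name)
        elif name in SPECIAL_ACCESS_PERMISSIONS:
            result["special_access"].append(name)
    application = root.find("application")
    if application is None:
        return result
    for kind in ("receiver", "service"):
        for comp in application.iter(kind):
            perm = comp.get(android_attr("permission"))
            if perm in SYSTEM_BIND_PERMISSIONS:
                result["system_bound_components"].append({
                    "kind": kind,
                    "name": comp.get(android_attr("name")),
                    "permission": perm,
                    "role": SYSTEM_BIND_PERMISSIONS[perm],
                    "exported": comp.get(android_attr("exported")) == "true",
                })
    return result


# Constructed sample: permissions mirror the static1 findings; component
# names and intent filters are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="deltazero.amarok.foss">
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.MANAGE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.POST_NOTIFICATIONS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Sample">
        <receiver android:name=".ExampleAdminReceiver" android:exported="true"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <service android:name=".ExampleTileService" android:exported="true"
                 android:permission="android.permission.BIND_QUICK_SETTINGS_TILE">
            <intent-filter>
                <action android:name="android.service.quicksettings.action.QS_TILE"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The split between runtime and special-access matters for the "dangerous permissions" heading: MANAGE_EXTERNAL_STORAGE and SYSTEM_ALERT_WINDOW never produce a runtime prompt, so a user sees them only if they open the relevant Settings screen.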

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-10 11:38
Reported 2024-06-10 11:43
Platform android-x86-arm-20240603-en
Max time kernel 10s
Max time network 136s

Command Line

deltazero.amarok.foss

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag persistence
Indicator android.app.IActivityManager.registerReceiver (framework service call)
Process N/A
Target N/A
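The sandbox records only that IActivityManager.registerReceiver was called (here and again in behavioral2), not which broadcast actions the receiver listens for, and that is what decides whether the registration is persistence-relevant. On a device or emulator the registered filters are visible in `adb shell dumpsys activity broadcasts`. The Python below is an added example, not output from this report: it parses the Registered Receivers section of that dump for one package and flags actions that are system broadcasts. The dump text is constructed and modelled on the AOSP output format; the actions it attributes to deltazero.amarok.foss are hypothetical.

```python
"""Which broadcast actions did a package register at runtime?

Parses the "Registered Receivers:" section of
`adb shell dumpsys activity broadcasts` for one package. Added example;
the sample dump is constructed after the AOSP format and the actions in it
are hypothetical.
"""
import re

# "* ReceiverList{<hash> <pid> <process>/<uid>/u<user> remote:<hash>}"
RECEIVER_LIST_RE = re.compile(r"^\s*\* ReceiverList\{\w+ \d+ ([\w.:]+)/\d+")
ACTION_RE = re.compile(r'^\s*Action: "([^"]+)"')
SECTION_END = "Receiver Resolver Table:"

# Broadcasts only the system sends; registering for them lets an app react
# to device state while it is not in the foreground.
SYSTEM_EVENT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "persistence: runs after reboot",
    "android.intent.action.USER_PRESENT": "device unlocked",
    "android.intent.action.SCREEN_ON": "screen state",
    "android.intent.action.SCREEN_OFF": "screen state",
    "android.intent.action.PACKAGE_ADDED": "app install monitoring",
    "android.net.conn.CONNECTIVITY_CHANGE": "network state",
}


def registered_actions(dumpsys_text, package):
    """Map each action registered by `package` to the process names holding it."""
    actions = {}
    current = None
    in_section = False
    for line in dumpsys_text.splitlines():
        if "Registered Receivers:" in line:
            in_section = True
            continue
        if line.strip().startswith(SECTION_END):
            break
        if not in_section:
            continue
        m = RECEIVER_LIST_RE.match(line)
        if m:
            proc = m.group(1)
            # Process names are <package> or <package>:<suffix>.
            current = proc if proc.split(":")[0] == package else None
            continue
        if current:
            m = ACTION_RE.match(line)
            if m:
                actions.setdefault(m.group(1), set()).add(current)
    return {a: sorted(p) for a, p in sorted(actions.items())}


def system_events(actions):
    """Subset of registered actions that are system broadcasts, with a note."""
    return {a: SYSTEM_EVENT_ACTIONS[a] for a in actions if a in SYSTEM_EVENT_ACTIONS}


# Constructed sample modelled on the AOSP dump format (hypothetical actions).
SAMPLE_DUMPSYS = """ACTIVITY MANAGER BROADCAST STATE (dumpsys activity broadcasts)
  Registered Receivers:
  * ReceiverList{5c7a8b1 2345 com.android.systemui/10154/u0 remote:8d3a9c2}
    app=2345:com.android.systemui/u0a154 pid=2345 uid=10154 user=0
    Filter #0: BroadcastFilter{6e1f0b3 10154/u0 ReceiverList{5c7a8b1 2345 com.android.systemui/10154/u0 remote:8d3a9c2}}
      Action: "android.intent.action.SCREEN_ON"
      Action: "android.intent.action.SCREEN_OFF"
  * ReceiverList{1a2b3c4 4567 deltazero.amarok.foss/10210/u0 remote:9f8e7d6}
    app=4567:deltazero.amarok.foss/u0a210 pid=4567 uid=10210 user=0
    Filter #0: BroadcastFilter{2b3c4d5 10210/u0 ReceiverList{1a2b3c4 4567 deltazero.amarok.foss/10210/u0 remote:9f8e7d6}}
      Action: "android.intent.action.SCREEN_OFF"
      Action: "android.intent.action.USER_PRESENT"
    Filter #1: BroadcastFilter{3c4d5e6 10210/u0 ReceiverList{1a2b3c4 4567 deltazero.amarok.foss/10210/u0 remote:9f8e7d6}}
      Action: "deltazero.amarok.foss.action.REFRESH"
  Receiver Resolver Table:
    Non-Data Actions:
      android.intent.action.SCREEN_OFF:
        BroadcastFilter{6e1f0b3 10154/u0 ...}
"""

if __name__ == "__main__":
    found = registered_actions(SAMPLE_DUMPSYS, "deltazero.amarok.foss")
    for action, procs in found.items():
        note = SYSTEM_EVENT_ACTIONS.get(action, "app-defined action")
        print(f"{action:45} {','.join(procs):25} {note}")
```

Parsing stops at the Receiver Resolver Table so that filters from the manifest-declared (static) receivers are not mixed in; only runtime registrations appear under Registered Receivers.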

Processes

deltazero.amarok.foss

Network

Country  Destination            Domain                               Proto
N/A      224.0.0.251:5353       -                                    udp
GB       172.217.169.10:443     -                                    tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com   udp
GB       142.250.178.14:443     -                                    tcp
US       1.1.1.1:53             android.apis.google.com              udp
GB       142.250.187.238:443    android.apis.google.com              tcp
GB       216.58.204.74:443      semanticlocation-pa.googleapis.com   tcp

224.0.0.251:5353 is the mDNS multicast group and 1.1.1.1:53 is the DNS resolver; every resolved name is a Google endpoint.

Files

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-journal

MD5 24e51fb0829c2941d723257ff61938b1
SHA1 e63939c4892e93b499b98fe3550430bcc248f8d6
SHA256 11f96d8747c7eebc43bed2e0e366761daf6b438b3d30802fb557fd18b004d4ea
SHA512 362404d970958039bd984ef8995df6824ca9883e8c2f319850bf3262a974b154bae5c28d6cb7981bc96f837a0b649e7048d495778d9b0a648ab85113fdbabc1e

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-wal

MD5 5769c0699d69a3294b9bf10e58585468
SHA1 6c49da1d3d9ffeeab2945346f4fea3085de57c5f
SHA256 887f274333a5c14cf99ebc356927613d9d65fd0452fafd2b4dac0e513e8eeeac
SHA512 5c579b31293ccf010fae278a1a5d413675cc9f9fb7e43f22cfdccc16b7a2defb4fec9dcc7b011ab7da5105f29b5c3ad8ebc1f4d90e2ee2af2ebd9b555e946c9f

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-wal

MD5 1cb2a126562a73a2499781a7270e96d5
SHA1 3fd978ce267f3bfbc5f883bb18efbb809315e85f
SHA256 2d731ff44132ab09a2766ee093889a64138de9fe6a3606ad14145da40e5a643b
SHA512 c626b12f7e2ff56d3b15f1a23881eb7e0c2f8116d40a9070ad97fcf296b47c5e85c0262f4a57862e377d0f66b26727ed253f36b436a173817d7ef96f10a0b285

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-wal

MD5 77e611155a53da67f48256b023d6a990
SHA1 acd372f8606aaa46397419b4ebe9123638be729f
SHA256 626c13acce2d3dd2f93173178d9f91e43cc42885682e765d608879824bfafea3
SHA512 076aa9302ec8f412010269e7ed848519e6a48d08ab28033280dedc9df481667517e5695a5ad21234198a0e2c74157aa983ff78e2e82d857a52aa57ce9b1404fb

/data/misc/profiles/cur/0/deltazero.amarok.foss/primary.prof

MD5 2a4f44fc342f3c88ca4b2349353113ee
SHA1 8a0c7be3b8db6c01ed9723fc801fd472388b9fc9
SHA256 a3b381cfe2c009951b0512fc2faeb7e8f5f37c6681dc677eade40878c30f0d80
SHA512 b7cb00582e98a4055262d842c309163d0d5890a1b8399d32297f38eeb36801b34320a2b48699d993a80799a5c905a85a187dd6a91e08a313ceaf16628fe97ba0

/data/data/deltazero.amarok.foss/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 942ee3830f62044b35176f258e844824
SHA1 e0a4541f1095818c82771673d322e5af7e44b0f8
SHA256 bede1b97c7e592942c6b26c75a120d7852139b97fa9b622c4b7a7d721c5e5711
SHA512 6ae1249bdf6411cf9467ab0d4c4c43dc70d93d586c482c78ebfb7c0a819dde5d29911cd550d4db48d83c52d6b1d8286a5486a2634c90bb441ea2d6ad09ba555e

/data/data/deltazero.amarok.foss/files/profileInstalled

MD5 65ed0bb1a438bb2b818a04844fb28761
SHA1 a3176f277cc4d012f17cb94b33dc7a5994eb348f
SHA256 28106a048cb7e6dbbb419924798fa2ab9352c2c8b5cd0e3d21a40e52588a58f1
SHA512 67629f41ae370588d60bebfefc31449b3101c59d52f4fa9479ff7b2eccd1f3fa7835afe61d6d2a408b1e9d3fbacc1deb9c3342ae18dd7ca298ff23b25f03294a

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-10 11:38
Reported 2024-06-10 11:43
Platform android-x64-20240603-en
Max time kernel 47s
Max time network 150s

Command Line

deltazero.amarok.foss

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag persistence
Indicator android.app.IActivityManager.registerReceiver (framework service call)
Process N/A
Target N/A

Processes

deltazero.amarok.foss

Network

Country  Destination            Domain                       Proto
N/A      224.0.0.251:5353       -                            udp
GB       172.217.16.234:443     -                            tcp
US       1.1.1.1:53             android.apis.google.com      udp
GB       142.250.187.238:443    android.apis.google.com      tcp
GB       142.250.200.46:443     -                            tcp
US       1.1.1.1:53             ssl.google-analytics.com     udp
GB       216.58.201.104:443     ssl.google-analytics.com     tcp
GB       142.250.200.46:443     -                            tcp
GB       172.217.169.66:443     -                            tcp
GB       142.250.187.228:443    -                            tcp
GB       142.250.187.228:443    -                            tcp

Files

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-journal

MD5 1cfd4ceb19945aa171f4eb720033b1d6
SHA1 269a821a8bfbacc957a054bb28625c467ad542cb
SHA256 4ca80bfc1ed84dec2fe7849d326ab6bc9ed0f0004a7116f77f7a51074e7dac28
SHA512 aaf344db82444486e9fb37ceb6049b370e652de1f467ef8268905b9ee2247cad541bb7c722f68c187cbf98118569d00b70412382b6fe6fad28ac7ef3d9ed566b

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-wal

MD5 6759f2e93b4c2a09b841021192d41694
SHA1 cac714955962d8e96cc1e02590f80d7017bc2c91
SHA256 0ff08a7f54df9af5fb7902611c3b800a98dfac52f476998ef503475f6155f125
SHA512 c40007a9d24e58990a5f1db2e90754acb3872cd28961f9d21b01285eaefa2880b798f89f6cba679e025747fe6e3ef80c08e9614742172b17607ebe9860348fc8

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-wal

MD5 5f97babe0437115a6a5fb909d3a21417
SHA1 0d322a1fc42450a489b55364f472548929b96585
SHA256 3182926e93d2f3d9480a020a2055b7eeebb8bb2e44855417843263a59aab7374
SHA512 3b88f27bec1518b56243d44543a2e0c5c424a510e978f38efc0dbe0212dec6444f8805d3929f01ca1dc019f5da44f0ab5650b430c360293bab692a20c28847f2

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-wal

MD5 3e66bdb706370ee99c880a585d26b349
SHA1 e46795fcfd97ed815696bde540cc021098ed0980
SHA256 c72ee358c9acc92f5e5ec44eca2e2ace7f1a45f03b1edf8d705215b026099c37
SHA512 a874dc0ff7735f705b5a3c5779913261ed4ff595f051f0e5b0f98264f9d39843dbf8efa29adafd77505efcfe9012d453ecbd8308ed87249e6989bfd87a1a3b35

/data/misc/profiles/cur/0/deltazero.amarok.foss/primary.prof

MD5 2a4f44fc342f3c88ca4b2349353113ee
SHA1 8a0c7be3b8db6c01ed9723fc801fd472388b9fc9
SHA256 a3b381cfe2c009951b0512fc2faeb7e8f5f37c6681dc677eade40878c30f0d80
SHA512 b7cb00582e98a4055262d842c309163d0d5890a1b8399d32297f38eeb36801b34320a2b48699d993a80799a5c905a85a187dd6a91e08a313ceaf16628fe97ba0

/data/data/deltazero.amarok.foss/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 0e1aaa0fd4ffc5bd5eb255638db2adf3
SHA1 c95588bcc2fdbab9b368193013faa79a58e228e9
SHA256 8c0dbd9e12f25de5be3994b1c4c9137f5e15d06f60127aa3889dec2b91e583e1
SHA512 acbc025a2dc61572af80d8adf1a7f15b7f5957595e099579b5656c2529c6627fd39b6017c77273fba588f5d3c8f6cfbf649ca660fa56644dcd406ae7302d6b36

/data/data/deltazero.amarok.foss/files/profileInstalled

MD5 db39c6b07bef84695c54b2b6711006fa
SHA1 f29fd7ab17884c1988d93c6394e56ed0496038ce
SHA256 87678f03012a9b4a7670ee97b441cab2cb7e9c622ae3a9def389deb4236f1a09
SHA512 b810c5817b551c3e07c0985b699aea0fd214af66da6b1a7d423c78bf288dcbadf92ea7f58f78b784a2091e81a885375cd77d0f9a17f80fc13f2d0699aeee7c47

/data/misc/profiles/cur/0/deltazero.amarok.foss/primary.prof

MD5 d01c3354189255189c401ff170596fd3
SHA1 fc8d6d23871b3daa96691f379b643161a3c41b1c
SHA256 5bbce25895638ae31915f117dcc0124a50fe726155806d1a80e770445ac54eef
SHA512 88766055b13281e4271059f0dbcda495ae148a6f77a05605f7d106a29d41d7903bd50ea841aa7e32d6c5332207f14558f9554d06076918a24c983f46bc105dfd

Analysis: behavioral3

Detonation Overview

Submitted 2024-06-10 11:38
Reported 2024-06-10 11:43
Platform android-x64-arm64-20240603-en
Max time kernel 9s
Max time network 133s

Command Line

deltazero.amarok.foss

Signatures

Loads dropped Dex/Jar

Tag evasion
Indicator /system_ext/framework/androidx.window.sidecar.jar (two load events recorded)
Description N/A
Process N/A
Target N/A

This path is on the read-only /system_ext partition: the jar is the platform's androidx.window sidecar library, which the Jetpack WindowManager client library loads by reflection at runtime. It is not a payload the sample wrote, and the Files section below lists no Dex or Jar under the app's own directories, so the "dropped" qualifier does not apply here.
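Whether a Dex/Jar load deserves the "dropped" label depends on where the file lives, and a signature keyed on the class-loader call alone cannot tell. The Python below is an added example, not part of this report: it normalises a loaded path (so a traversal like pkg/../../system cannot disguise the origin) and classifies it as platform, installed APK, app-private, or shared storage, which separates the hit above from a genuinely dropped payload. The paths payload.dex, update.jar and the /data/app entry are constructed for illustration; only the sidecar jar path comes from the report.

```python
"""Classify where a loaded Dex/Jar came from.

Code read from a read-only platform partition belongs to the OS; code read
from the app's private directory or from shared storage was written at
runtime and is what a "loads dropped Dex/Jar" signature is meant to catch.
Added example; the hypothetical paths are constructed.
"""
import posixpath

PLATFORM_ROOTS = ("/system/", "/system_ext/", "/apex/", "/product/", "/vendor/", "/odm/")
INSTALLED_APP_ROOTS = ("/data/app/",)
# /sdcard is a symlink into /storage on real devices; both spellings are covered.
SHARED_STORAGE_ROOTS = ("/sdcard/", "/storage/", "/mnt/")


def app_private_roots(package):
    """Directories only `package` (and root) can write to."""
    return (
        f"/data/data/{package}/",
        f"/data/user/0/{package}/",
        f"/data/user_de/0/{package}/",
    )


def classify_code_load(path, package):
    """Return platform, installed-apk, app-private, shared-storage or other."""
    norm = posixpath.normpath(path)  # collapses ".." before any prefix test
    if not norm.startswith("/"):
        return "other"
    if norm.startswith(PLATFORM_ROOTS):
        return "platform"
    if norm.startswith(INSTALLED_APP_ROOTS):
        return "installed-apk"
    if norm.startswith(app_private_roots(package)):
        return "app-private"
    if norm.startswith(SHARED_STORAGE_ROOTS):
        return "shared-storage"
    return "other"


def dropped_code_loads(indicators, package):
    """Keep only loads that point at code written at runtime."""
    return [
        p for p in indicators
        if classify_code_load(p, package) in ("app-private", "shared-storage")
    ]


PACKAGE = "deltazero.amarok.foss"

# The two indicator rows recorded in behavioral3.
REPORTED_INDICATORS = [
    "/system_ext/framework/androidx.window.sidecar.jar",
    "/system_ext/framework/androidx.window.sidecar.jar",
]

# Constructed paths showing what a real dropped-code hit would look like.
HYPOTHETICAL_INDICATORS = [
    "/data/data/deltazero.amarok.foss/files/payload.dex",
    "/sdcard/Download/update.jar",
    "/data/app/~~example==/deltazero.amarok.foss-example==/base.apk",
    "/data/data/deltazero.amarok.foss/../../../system/framework/x.jar",
]

if __name__ == "__main__":
    for p in REPORTED_INDICATORS + HYPOTHETICAL_INDICATORS:
        print(f"{classify_code_load(p, PACKAGE):15} {p}")
    print("dropped:", dropped_code_loads(REPORTED_INDICATORS, PACKAGE))
```

Run against the report's own indicator rows the filter returns an empty list, which is the practical reading of this signature hit.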

Processes

deltazero.amarok.foss

Network

Country  Destination            Domain                       Proto
N/A      224.0.0.251:5353       -                            udp
GB       142.250.179.238:443    -                            tcp
GB       142.250.179.238:443    -                            tcp
GB       216.58.212.234:443     -                            tcp
GB       216.58.212.234:443     -                            tcp
US       1.1.1.1:53             ssl.google-analytics.com     udp
GB       142.250.200.8:443      ssl.google-analytics.com     tcp
GB       142.250.179.228:443    -                            tcp
GB       142.250.179.228:443    -                            tcp

Files

/system_ext/framework/androidx.window.sidecar.jar

MD5 bdf3529e80318eb14e53a5bf3720c10d
SHA1 25c9ace4b1af6e80ebb2572345972c56505969ba
SHA256 bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b
SHA512 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-journal

MD5 0736eb5785b251a5b6f9570a854fc65d
SHA1 eb216f4db5d18d06b75c73cff5b7358c67a144c8
SHA256 936265e93a54f95469a04c514a50cb43e4772f49c3b1c1d5f7c0e4debee00556
SHA512 49c047474782bd2839b903b4e05ce0d21d33e325883b0c0673bf0d8d075f47cf9509e2fd2ad1703ec434532b4d840e37dc3cd454fec7a193aaff6cc418a21660

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-wal

MD5 922da7de63f070a36188f3b4b18c616c
SHA1 1a1838549783dd2c8f66c634acdf73544d3b30ee
SHA256 0cd1649834963b4911d1fdd2545de8820715e1d69f874ab5979f3bcbc72d3960
SHA512 daf65d28b0106dc58ddea0a7c882a83a5a58e62574e6492400671b03d06ea482ad39dbad27761b21f73eed3f6a32e9d393c44e9bc7484fce33482c7e07327c04

/data/data/deltazero.amarok.foss/no_backup/androidx.work.workdb-wal

MD5 5cdf81cd6908c5659907ca382d83a150
SHA1 c811d052106bcb2ae665abed65906b4910be9b62
SHA256 07712c5f7e3ec35f36745eebbaba6e8c6127ca01f0b40d1ad43d0afcb2207cc3
SHA512 fad0a90381c9706c298c52a151f61ded54d023d2941229db7e470fe959730b707c3611f729ffc764211ef28d84fc1e9df0599a5cf3e4b866049adedb14b67819

/data/misc/profiles/cur/0/deltazero.amarok.foss/primary.prof

MD5 2a4f44fc342f3c88ca4b2349353113ee
SHA1 8a0c7be3b8db6c01ed9723fc801fd472388b9fc9
SHA256 a3b381cfe2c009951b0512fc2faeb7e8f5f37c6681dc677eade40878c30f0d80
SHA512 b7cb00582e98a4055262d842c309163d0d5890a1b8399d32297f38eeb36801b34320a2b48699d993a80799a5c905a85a187dd6a91e08a313ceaf16628fe97ba0

/data/data/deltazero.amarok.foss/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 d979a0da85ffd12c77b9fffc871b575c
SHA1 9f6de7691fb171fef13f26429334039974d6cbc6
SHA256 7dff6c769afac310452f52d1d78ff1c300e920ae4c9a366e955c890b61a197b4
SHA512 6a3399a35f339d283342de50f2bdc633878f6a0b423f5f4b5ec73df845d8f52f27175a3676c149906f871597e8ab85ed114ab8ecabc07415b4f8a27f94956e23