Malware Analysis Report

2025-01-19 07:43

Sample ID 240615-ad4naswaml
Target 6a5a918efe3b6425ecef6fcf4c747fc229a263953bee317bcd1fd87b56f202db.bin
SHA256 6a5a918efe3b6425ecef6fcf4c747fc229a263953bee317bcd1fd87b56f202db
Tags discovery, evasion
Score 7/10

Analysis Overview

Score 7/10

SHA256

6a5a918efe3b6425ecef6fcf4c747fc229a263953bee317bcd1fd87b56f202db

Threat Level: Shows suspicious behavior

Verdict for the file 6a5a918efe3b6425ecef6fcf4c747fc229a263953bee317bcd1fd87b56f202db.bin: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion

Loads dropped Dex/Jar

Queries the phone number (MSISDN for GSM devices)

Requests dangerous framework permissions

Reads information about phone network operator.

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 00:06

Signatures

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A
Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A
Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an app to access location in the background. | android.permission.ACCESS_BACKGROUND_LOCATION | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 00:06

Reported

2024-06-15 00:09

Platform

android-x86-arm-20240611.1-en

Max time kernel

9s

Max time network

159s

Command Line

com.dzbockjwetycgfwehgf4gcytwe.security

Signatures

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

com.dzbockjwetycgfwehgf4gcytwe.security

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/oat/x86/0.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/oat/x86/1.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/oat/x86/2.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/oat/x86/3.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/oat/x86/4.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 142.250.178.10:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.212.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp

Files

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex

MD5 ee282f90f21d11a55f158b28ad4ec2bc
SHA1 b8b286b31822bd60cde977e1a3a1348e85ed1d86
SHA256 96b37a444cda40eae2765c39090272313e66125f157c0ea036dd1f14a7c18a01
SHA512 d292bf79282f54da7ed4b14aac40dd120ad0cc18725a9a6aa1711363b1394a11eeac9c1db6369f6292ef19440f6315e04d3b108b691ab91bf768eab6f9a53e05

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex

MD5 414d57a6bbf3fe0e2e3afa9cafdc8d66
SHA1 22f9a18bdc3fc9602e34124faaa3c19210cdabfd
SHA256 f314d87d7182112f734dd2166b564a04f9404bf476e663ba93eaa4f467f91346
SHA512 1345a4a52ec22717e42a787c7760ea81b233526fd9e520fd7dc3517c94a71642e7de446d8d9052be0713e097e7fe08faaad252d202880358b6825d5c07347fe1

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex

MD5 778badeb555406d4f183eb5be07b0243
SHA1 11092524cf1870a80101df7cbeb5568ca5b5948f
SHA256 3dd104225ec115fb1111c889f8bfc589be68e2acbd260169648327c2923acca3
SHA512 dfa60f9f7abf4081ccbe7a4a8e77bfc26acd589e00609028c9d4355fc11126e25a2fd952640359d57ce59600bbe7c6a783df489012f374dd46c7ea79542e5e0e

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex

MD5 1770e8040a2b4ae8ad3f5ba261935e05
SHA1 455088625c7eba8e2c309fc59abbfa76e72d1bd1
SHA256 9f06ba1f434c7aa4828bc5f0d0ed7f356ff1f2a12f79b176dec5808558d219a2
SHA512 49a1f2c6c5b0b16c66fda2fd18a6ce658a1a028d93eb2f63dc51cba49bf966b98bf06080e0eb575b227b72079e3857c1c0859dcfffd8011883c77d1428310ef6

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex

MD5 10c92e0e1dd219d4b6c341456e9c2b80
SHA1 6e8a14ab1d3637d667711cacd1c533bf1a2c55ac
SHA256 e89dea42c6922714ce33ed8f706c57a61ddb4f0d75d86a2b019e1dddeb9a2ae3
SHA512 49b8ca7e0b11f5bf838990fe2df513936b281151c16ac695f47eeb82753c04c7ea52fff6079926c2158747f017d177aee6e56fe7bd4d78f6830adc3b248cfa75

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex

MD5 92120536e0d6e842e9454f74433bc28a
SHA1 ec3ca00fa6d81b0f88b8a75aef16a346917bdb30
SHA256 32f386272c7c0cf33ad74bab6675beb3f5adfeec37204d50267d63c57852f4cd
SHA512 f897afb3718d88a38791b87b60095989bd4cde3d472fe0d6a7178c81898eee0fead2713729556036e090c4fc8923c143075c446c112dac259da1f424b4f3c2eb

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex

MD5 02357bede357c2024bdb4dd59a32b699
SHA1 29d4e8647cb5dec44e49ecdf6bc06c37043b3f3c
SHA256 1ba727eec2462b0f692e6c9b7d6503174bf02dd1373d7da73eef0e915aafb01d
SHA512 466ca17212333e7f613185d7d6791bae8cb53c75b4f31898a130e8b6aa7beb2dfbed1bee1d861619dd04105a132d346fee9812007f5abdc66d924f266a1ddde5

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex

MD5 178b7174b4e2d62add242147b03f4716
SHA1 9c69a9bd34cd7cf9d5b32147a536ebc0c9b56b81
SHA256 6a9981b90a71bf6e6e9e6f2377557d77312959e0defdb1f4f8e1db81690a1478
SHA512 e4443182d15fa58274ef2490f190fc28a0ab72e36103e1692ba5fd3bbace79e6e2ac33df76dbbd87e3778b4c5af264b698b2069b4ebe22c0a5c39994c2cc9fc4

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex

MD5 53de2acb231aac9f256ab234f3fb2cc1
SHA1 90d0537cca9ab45c64aad710796a0bb116da70f0
SHA256 caba991db9b39aebe6722dd2123dc12ded80436e1c42fb83a45316a2fd83aec1
SHA512 a43806157efbdb1e6947bb12aa904080c363717b323f37e5c701dfd78cc56bb497aec8f93ed884073fe28fb126b58e782697f2f01a43f906b32b75d356865513

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex

MD5 bdf38de44f9c87f05fbfe2397fd6ad4e
SHA1 a160bac7228c4a8622d19ea6e18ac3ced94273e4
SHA256 69896639097905291cb855b6675c8cbc901cb3ab382e5b121cd0401ed3c3e2b1
SHA512 2fc98f6b76e1a46aceddf365c776a9c375c254c71205bdbd48a404454da5aba3e6a4c9796466c909aa6cf5c1acdadb940b632ae75ad9c143ff6905fe06bec218

/storage/emulated/0/dzbockjwetycgfwehgf4gcytwe.txt

MD5 6512bd43d9caa6e02c990b0a82652dca
SHA1 17ba0791499db908433b80f37c5fbc89b870084b
SHA256 4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8
SHA512 74a49c698dbd3c12e36b0b287447d833f74f3937ff132ebff7054baa18623c35a705bb18b82e2ac0384b5127db97016e63609f712bc90e3506cfbea97599f46f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 00:06

Reported

2024-06-15 00:09

Platform

android-x64-20240611.1-en

Max time kernel

21s

Max time network

160s

Command Line

com.dzbockjwetycgfwehgf4gcytwe.security

Signatures

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads information about phone network operator.

discovery

Processes

com.dzbockjwetycgfwehgf4gcytwe.security

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 172.217.16.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.212.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.238:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 172.217.169.66:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 142.250.200.14:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.10:443 | semanticlocation-pa.googleapis.com | tcp
BE | 64.233.184.188:5228 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | www.youtube.com | udp
GB | 142.250.200.14:443 | www.youtube.com | udp
GB | 142.250.200.14:443 | www.youtube.com | tcp
US | 1.1.1.1:53 | mdh-pa.googleapis.com | udp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.133.84:443 | accounts.google.com | tcp

Files

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex

MD5 ee282f90f21d11a55f158b28ad4ec2bc
SHA1 b8b286b31822bd60cde977e1a3a1348e85ed1d86
SHA256 96b37a444cda40eae2765c39090272313e66125f157c0ea036dd1f14a7c18a01
SHA512 d292bf79282f54da7ed4b14aac40dd120ad0cc18725a9a6aa1711363b1394a11eeac9c1db6369f6292ef19440f6315e04d3b108b691ab91bf768eab6f9a53e05

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex

MD5 414d57a6bbf3fe0e2e3afa9cafdc8d66
SHA1 22f9a18bdc3fc9602e34124faaa3c19210cdabfd
SHA256 f314d87d7182112f734dd2166b564a04f9404bf476e663ba93eaa4f467f91346
SHA512 1345a4a52ec22717e42a787c7760ea81b233526fd9e520fd7dc3517c94a71642e7de446d8d9052be0713e097e7fe08faaad252d202880358b6825d5c07347fe1

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex

MD5 778badeb555406d4f183eb5be07b0243
SHA1 11092524cf1870a80101df7cbeb5568ca5b5948f
SHA256 3dd104225ec115fb1111c889f8bfc589be68e2acbd260169648327c2923acca3
SHA512 dfa60f9f7abf4081ccbe7a4a8e77bfc26acd589e00609028c9d4355fc11126e25a2fd952640359d57ce59600bbe7c6a783df489012f374dd46c7ea79542e5e0e

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex

MD5 1770e8040a2b4ae8ad3f5ba261935e05
SHA1 455088625c7eba8e2c309fc59abbfa76e72d1bd1
SHA256 9f06ba1f434c7aa4828bc5f0d0ed7f356ff1f2a12f79b176dec5808558d219a2
SHA512 49a1f2c6c5b0b16c66fda2fd18a6ce658a1a028d93eb2f63dc51cba49bf966b98bf06080e0eb575b227b72079e3857c1c0859dcfffd8011883c77d1428310ef6

/data/data/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex

MD5 10c92e0e1dd219d4b6c341456e9c2b80
SHA1 6e8a14ab1d3637d667711cacd1c533bf1a2c55ac
SHA256 e89dea42c6922714ce33ed8f706c57a61ddb4f0d75d86a2b019e1dddeb9a2ae3
SHA512 49b8ca7e0b11f5bf838990fe2df513936b281151c16ac695f47eeb82753c04c7ea52fff6079926c2158747f017d177aee6e56fe7bd4d78f6830adc3b248cfa75

/storage/emulated/0/dzbockjwetycgfwehgf4gcytwe.txt

MD5 6512bd43d9caa6e02c990b0a82652dca
SHA1 17ba0791499db908433b80f37c5fbc89b870084b
SHA256 4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8
SHA512 74a49c698dbd3c12e36b0b287447d833f74f3937ff132ebff7054baa18623c35a705bb18b82e2ac0384b5127db97016e63609f712bc90e3506cfbea97599f46f

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-15 00:06

Reported

2024-06-15 00:09

Platform

android-x64-arm64-20240611.1-en

Max time kernel

8s

Max time network

141s

Command Line

com.dzbockjwetycgfwehgf4gcytwe.security

Signatures

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex | N/A | N/A
N/A | /data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Processes

com.dzbockjwetycgfwehgf4gcytwe.security

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/0.obfedex

MD5 ee282f90f21d11a55f158b28ad4ec2bc
SHA1 b8b286b31822bd60cde977e1a3a1348e85ed1d86
SHA256 96b37a444cda40eae2765c39090272313e66125f157c0ea036dd1f14a7c18a01
SHA512 d292bf79282f54da7ed4b14aac40dd120ad0cc18725a9a6aa1711363b1394a11eeac9c1db6369f6292ef19440f6315e04d3b108b691ab91bf768eab6f9a53e05

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/1.obfedex

MD5 414d57a6bbf3fe0e2e3afa9cafdc8d66
SHA1 22f9a18bdc3fc9602e34124faaa3c19210cdabfd
SHA256 f314d87d7182112f734dd2166b564a04f9404bf476e663ba93eaa4f467f91346
SHA512 1345a4a52ec22717e42a787c7760ea81b233526fd9e520fd7dc3517c94a71642e7de446d8d9052be0713e097e7fe08faaad252d202880358b6825d5c07347fe1

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/2.obfedex

MD5 778badeb555406d4f183eb5be07b0243
SHA1 11092524cf1870a80101df7cbeb5568ca5b5948f
SHA256 3dd104225ec115fb1111c889f8bfc589be68e2acbd260169648327c2923acca3
SHA512 dfa60f9f7abf4081ccbe7a4a8e77bfc26acd589e00609028c9d4355fc11126e25a2fd952640359d57ce59600bbe7c6a783df489012f374dd46c7ea79542e5e0e

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/3.obfedex

MD5 1770e8040a2b4ae8ad3f5ba261935e05
SHA1 455088625c7eba8e2c309fc59abbfa76e72d1bd1
SHA256 9f06ba1f434c7aa4828bc5f0d0ed7f356ff1f2a12f79b176dec5808558d219a2
SHA512 49a1f2c6c5b0b16c66fda2fd18a6ce658a1a028d93eb2f63dc51cba49bf966b98bf06080e0eb575b227b72079e3857c1c0859dcfffd8011883c77d1428310ef6

/data/user/0/com.dzbockjwetycgfwehgf4gcytwe.security/app_p94c.sws.jb8y.b0r/obfs/4.obfedex

MD5 10c92e0e1dd219d4b6c341456e9c2b80
SHA1 6e8a14ab1d3637d667711cacd1c533bf1a2c55ac
SHA256 e89dea42c6922714ce33ed8f706c57a61ddb4f0d75d86a2b019e1dddeb9a2ae3
SHA512 49b8ca7e0b11f5bf838990fe2df513936b281151c16ac695f47eeb82753c04c7ea52fff6079926c2158747f017d177aee6e56fe7bd4d78f6830adc3b248cfa75

/storage/emulated/0/dzbockjwetycgfwehgf4gcytwe.txt

MD5 6512bd43d9caa6e02c990b0a82652dca
SHA1 17ba0791499db908433b80f37c5fbc89b870084b
SHA256 4fc82b26aecb47d2868c4efbe3581732a3e7cbcc6c2efb32062c08170a05eeb8
SHA512 74a49c698dbd3c12e36b0b287447d833f74f3937ff132ebff7054baa18623c35a705bb18b82e2ac0384b5127db97016e63609f712bc90e3506cfbea97599f46f