Malware Analysis Report

2025-01-19 08:01

Sample ID: 240616-wcllzszhrb
Target: lucky-patcher.apk
SHA256: fb0e99db0f0bd43e99fc13f3edec138f51b873a91b26624526a1dd00abb574ad
Tags: impact, persistence, discovery
Score: 6/10


Analysis Overview

Score: 6/10

SHA256: fb0e99db0f0bd43e99fc13f3edec138f51b873a91b26624526a1dd00abb574ad

Threat Level: Shows suspicious behavior

The file lucky-patcher.apk was found to show suspicious behavior.

Malicious Activity Summary

Tags: impact, persistence, discovery

Requests dangerous framework permissions
Reads information about phone network operator.
Registers a broadcast receiver at runtime (usually for listening for system events)
Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-06-16 17:46

Signatures

Requests dangerous framework permissions

Description                                                     Indicator                                    Process  Target
Allows access to the list of accounts in the Accounts Service.  android.permission.GET_ACCOUNTS              N/A      N/A
Allows an application to read from external storage.            android.permission.READ_EXTERNAL_STORAGE     N/A      N/A
Allows an application to write to external storage.             android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A
Required to be able to access the camera device.                android.permission.CAMERA                    N/A      N/A
Allows an application to request installing packages.           android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-16 17:46
Reported: 2024-06-16 17:50
Platform: android-x86-arm-20240611.1-en
Max time kernel: 124s
Max time network: 140s

Command Line

cm.aptoide.pt

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)
Tag: persistence

Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Uses Crypto APIs (Might try to encrypt user data)
Tag: impact

Description             Indicator                    Process  Target
Framework API call      javax.crypto.Cipher.doFinal  N/A      N/A

Processes

cm.aptoide.pt

Network

Country  Destination          Domain                    Proto
GB       142.250.180.14:443                             tcp
N/A      224.0.0.251:5353                               udp
US       1.1.1.1:53           graph.facebook.com        udp
GB       157.240.221.18:443   graph.facebook.com        tcp
GB       157.240.221.18:443   graph.facebook.com        tcp
GB       157.240.221.18:443   graph.facebook.com        tcp
GB       142.250.187.206:443                            tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.200.46:443   android.apis.google.com   tcp

Files

/data/data/cm.aptoide.pt/files/.fstreaming/fInProgress/currentFile
/data/data/cm.aptoide.pt/databases/androidx.work.workdb-journal
/data/data/cm.aptoide.pt/databases/aptoide.db-journal
/data/data/cm.aptoide.pt/databases/aptoide.db
/data/data/cm.aptoide.pt/databases/aptoide.db-shm
/data/data/cm.aptoide.pt/databases/aptoide.db-wal
/data/data/cm.aptoide.pt/databases/androidx.work.workdb-wal
/data/data/cm.aptoide.pt/databases/androidx.work.workdb-wal
/data/data/cm.aptoide.pt/databases/aptoide.db-wal
/data/data/cm.aptoide.pt/no_backup/.flurryNoBackup/installationNum

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-16 17:46
Reported: 2024-06-16 17:50
Platform: android-x64-20240611.1-en
Max time kernel: 124s
Max time network: 153s

Command Line

cm.aptoide.pt

Signatures

Reads information about phone network operator.
Tag: discovery

Registers a broadcast receiver at runtime (usually for listening for system events)
Tag: persistence

Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Uses Crypto APIs (Might try to encrypt user data)
Tag: impact

Description             Indicator                    Process  Target
Framework API call      javax.crypto.Cipher.doFinal  N/A      N/A

Processes

cm.aptoide.pt

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353                               udp
GB       172.217.169.10:443                             tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       216.58.201.104:443   ssl.google-analytics.com  tcp
US       1.1.1.1:53           graph.facebook.com        udp
GB       163.70.147.22:443    graph.facebook.com        tcp
GB       163.70.147.22:443    graph.facebook.com        tcp
GB       163.70.147.22:443    graph.facebook.com        tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.187.238:443  android.apis.google.com   tcp
GB       172.217.169.78:443                             tcp
GB       142.250.179.226:443                            tcp
GB       142.250.187.196:443                            tcp
GB       142.250.187.196:443                            tcp
GB       172.217.169.10:443                             tcp
GB       172.217.169.14:443                             tcp

Files

/data/data/cm.aptoide.pt/databases/aptoide.db-journal
/data/data/cm.aptoide.pt/databases/aptoide.db
/data/data/cm.aptoide.pt/databases/aptoide.db-shm
/data/data/cm.aptoide.pt/databases/aptoide.db-wal
/data/data/cm.aptoide.pt/databases/androidx.work.workdb-journal
/data/data/cm.aptoide.pt/files/.fstreaming/fInProgress/currentFile
/data/data/cm.aptoide.pt/databases/androidx.work.workdb-wal
/data/data/cm.aptoide.pt/databases/androidx.work.workdb-wal
/data/data/cm.aptoide.pt/databases/aptoide.db-wal
/data/data/cm.aptoide.pt/no_backup/.flurryNoBackup/installationNum

Analysis: behavioral3

Detonation Overview

Submitted: 2024-06-16 17:46
Reported: 2024-06-16 17:48
Platform: android-x64-arm64-20240611.1-en
Max time kernel: 64s
Max time network: 91s

Command Line

cm.aptoide.pt

Signatures

Reads information about phone network operator.
Tag: discovery

Uses Crypto APIs (Might try to encrypt user data)
Tag: impact

Description             Indicator                    Process  Target
Framework API call      javax.crypto.Cipher.doFinal  N/A      N/A

Processes

cm.aptoide.pt

Network

Country  Destination          Domain                    Proto
N/A      224.0.0.251:5353                               udp
GB       142.250.187.238:443                            tcp
US       1.1.1.1:53           android.apis.google.com   udp
GB       142.250.180.14:443   android.apis.google.com   tcp
US       1.1.1.1:53           ssl.google-analytics.com  udp
GB       142.250.200.8:443    ssl.google-analytics.com  tcp
US       1.1.1.1:53           graph.facebook.com        udp
GB       157.240.221.18:443   graph.facebook.com        tcp
GB       157.240.221.18:443   graph.facebook.com        tcp
GB       157.240.221.18:443   graph.facebook.com        tcp
GB       142.250.180.4:443                              tcp
GB       142.250.180.4:443                              tcp

Files

/data/user/0/cm.aptoide.pt/databases/androidx.work.workdb-journal
/data/user/0/cm.aptoide.pt/databases/androidx.work.workdb
/data/user/0/cm.aptoide.pt/databases/aptoide.db-journal
/data/user/0/cm.aptoide.pt/databases/aptoide.db-shm
/data/user/0/cm.aptoide.pt/files/.fstreaming/fInProgress/currentFile
/data/user/0/cm.aptoide.pt/databases/aptoide.db-wal
/data/user/0/cm.aptoide.pt/databases/androidx.work.workdb-wal
/data/user/0/cm.aptoide.pt/databases/androidx.work.workdb-wal
/data/user/0/cm.aptoide.pt/databases/aptoide.db-wal
/data/user/0/cm.aptoide.pt/no_backup/.flurryNoBackup/installationNum