Analysis Overview
SHA256
3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913
Threat Level: Likely malicious
The file 3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913 was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Obtains sensitive information copied to the device clipboard
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Queries information about active data network
Registers a broadcast receiver at runtime (usually for listening for system events)
Resource Forking
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Checks memory information
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-21 10:30
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
ubuntu2004-amd64-20240611-en
Max time kernel
0s
Max time network
1s
Command Line
Signatures
Processes
/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
[/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
ubuntu2204-amd64-20240522.1-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:33
Platform
win11-20240508-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:34
Platform
android-x64-arm64-20240611.1-en
Max time kernel
175s
Max time network
134s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.AUTORUS.JapanDrag
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | three.nameapp.xyz | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.212.232:443 | ssl.google-analytics.com | tcp |
| GB | 216.58.201.100:443 | | tcp |
| GB | 216.58.201.100:443 | | tcp |
Files
/data/user/0/com.AUTORUS.JapanDrag/files/Config
| MD5 | 3f2590d822b06751a77d616da1d2b5ab |
| SHA1 | e5426e325d11b3851ff25936f8d953aa2b94a1a8 |
| SHA256 | df9bf5d54a727935bbe66548eba65bf2ff072cd77baf114f41e18ec299114f41 |
| SHA512 | 44f10c45cd895f7e89c70f9fdbd623e65b07197da288a7248c6e3d7aeb6b6372167b45dc2ff25f07b752eb9fc9cb0e2dc1e38b6ce9cd527551a49507cf7a57cc |
/data/user/0/com.AUTORUS.JapanDrag/files/Timer
| MD5 | 7ef32354243dc0a7508f5818986935fb |
| SHA1 | a2e933d4daedc392f49a13c87158663505dc4f06 |
| SHA256 | 1a896cc29e594217a1ac1498e9635309bb2dc9e56be80d8c1c4f90deb444501c |
| SHA512 | 512e1fe3463897ee8854e5fbf4d91d86cf9635817d4f5f7a70767d3f85f23257bf9501dd5a4b404d63c50e734b11b9568500fa77f8c58b0840a617c87c331f55 |
/data/user/0/com.AUTORUS.JapanDrag/files/Timer
| MD5 | 846b1b808b0ddb882e4cec1e50c92800 |
| SHA1 | dc778125a16a95d19528b11b82cccb03a99a9af4 |
| SHA256 | 73ad2f257602237ee2714bce9cf5c8b142b76b56dd9e0b5d79151c412d80f080 |
| SHA512 | f88075cb55f39945d3ee20b87ae05b08bf4428d8f9221d65ef33dd3ac58d76c9363cc0900712dec37f081f440b356501660520c3756c86480c94f46d672e589e |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
debian12-armhf-20240221-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
debian9-armhf-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
debian9-mipsbe-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
debian9-mipsel-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
ubuntu2404-amd64-20240523-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:33
Platform
win10-20240404-en
Max time kernel
134s
Max time network
135s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.d.1.a.1.a.6.8.f.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:33
Platform
win7-20240508-en
Max time kernel
121s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.apk | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\.apk\ = "apk_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\apk_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 352 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 352 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 352 wrote to memory of 2632 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2632 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2632 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2632 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2632 wrote to memory of 2820 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 701116fb8c8af56962175250f4eb7b43 |
| SHA1 | 53127dfed3415c40e1b6bb5b43024b060d77deda |
| SHA256 | b1fcfd9adaaa92ae1558bebd4f0c1bf2aa739e22a7c06f45ae87c99d70c45b4e |
| SHA512 | bb4914b861ee6d3ede8d85041cd563f9d75a95274bdfbbb5d01cfdcd38a334d34a69b4fe57ff0af221cd0892e064a3e05862a6ea2280d862f048813157202dd7 |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:34
Platform
android-x64-20240611.1-en
Max time network
158s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| GB | 142.250.179.234:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| GB | 142.250.179.226:443 | | tcp |
| GB | 172.217.169.42:443 | | tcp |
| GB | 172.217.169.42:443 | | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:34
Platform
android-x86-arm-20240611.1-en
Max time kernel
175s
Max time network
170s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.AUTORUS.JapanDrag
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | three.nameapp.xyz | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
/data/data/com.AUTORUS.JapanDrag/files/Config
| MD5 | c763f628d20461f9e1a0725edd675b72 |
| SHA1 | 95abfbffcdba1dc656adbf42a80592203c2e4aaf |
| SHA256 | 42525c157399c9e2c0fc69cc51120fe02815aa9df397116d328c203aada60cff |
| SHA512 | 27a4beb885ddbdddbd32d19f3c5e775d282f30ddc76ccf5de296e1294a03966cc79cbbe7dac9d0b7c72fca347436609e88beff1daefd29898150f3543e89d7de |
/data/data/com.AUTORUS.JapanDrag/files/Timer
| MD5 | 7f0fb662309224339999a9a0014eca9a |
| SHA1 | 21a540e6f6acf41fb443cd56bbeffe5d68b64622 |
| SHA256 | a1014328f1dc18efb803d227bc9dd31dd002d0488b79bfac169410933604fdd5 |
| SHA512 | 96f6ec61d46f720dcfb71d61dcc698fde64b56649c9b5e95db5dec12e3ad753be917e3eb5cc1062c30a70b24eeda005e7f63384388ef8f97c702ab8b283cd3b2 |
/data/data/com.AUTORUS.JapanDrag/files/Timer
| MD5 | 9833d74268b7cd6a4b497ace27bb85e0 |
| SHA1 | e3835211608f007f59d45db2dfa101c2556aa1d6 |
| SHA256 | 581940d2b1bfb99cf3701c9fc236ebdaf52a979e2da506d2caf8a109bd04c00a |
| SHA512 | 134479701487c223e782f492ee82a7612c0c23e007769a6339c1aeaa540283f6d3ff3c52864b47353ec2568dce948ea4d79e7e654b71665985656cb0e0abd229 |
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:34
Platform
android-33-x64-arm64-20240611.1-en
Max time kernel
176s
Max time network
135s
Command Line
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.AUTORUS.JapanDrag
Network
| Country | Destination | Domain | Proto |
| BE | 173.194.76.188:5228 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 172.217.169.36:443 | | udp |
| GB | 172.217.169.36:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.234:443 | | udp |
| GB | 216.58.212.234:443 | | tcp |
| GB | 142.250.200.46:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | three.nameapp.xyz | udp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| GB | 216.58.212.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 172.217.169.74:443 | remoteprovisioning.googleapis.com | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| GB | 142.250.179.227:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 142.250.179.227:443 | | udp |
| GB | 172.217.169.36:443 | | udp |
| GB | 142.250.179.228:443 | | udp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 216.58.212.195:443 | | tcp |
Files
/data/user/0/com.AUTORUS.JapanDrag/files/Config
| MD5 | 59c71e7d532bae6d5056d870aa7ce97b |
| SHA1 | 6f291bcc7fdbe709913d0ba50e38ddf5457c9cd7 |
| SHA256 | efe66ea8ccd08cf645e2df9be97450bbef97804dd3b9a1c65b6470de86bacb63 |
| SHA512 | 6baf7fdad8b16382aa3ef67ae93258dcc3c09b866af31c94f62a5a47de1372d7d79e6a8684f7788a362a701939aba1fa78bddf36d050594f41ee7355d9bb7a9c |
/data/user/0/com.AUTORUS.JapanDrag/files/Timer
| MD5 | f4597d4851da0b459761b1713fdd46cc |
| SHA1 | c02a5a98e51595f65743d327d95cf0b99ce82695 |
| SHA256 | b275320ad4da58c9cd196c123e425df528d565f050600bf6b10c27ba662f6be7 |
| SHA512 | b33f6d6fcbc289e67526e0ff1c0952dfbe3ab846546c8427a4af2195202b0ce372efdfe12d5d05e6bcb802f210ab1441de202852f61fc44d9082fbdda2a064e9 |
/data/user/0/com.AUTORUS.JapanDrag/files/Timer
| MD5 | f284413075a08b31502c8dfb6b3c5983 |
| SHA1 | 9745f9239f15f149e5da435262d4a0032b8c8710 |
| SHA256 | 04372340b0cec8378ac9e28433c0deb2929028c37674761da9a332a412947158 |
| SHA512 | f883727ed02d85a54482d71f80afbd93c26ae0348bd2b0d9296aef147bb6d4ce6d898af0454a9e69fadc97088240be4ea50bbcc95af68245cb41295efe18587a |
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
debian12-mipsel-20240221-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
macos-20240611-en
Max time kernel
13s
Max time network
18s
Command Line
Signatures
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]
/bin/zsh
[/bin/zsh -c /Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]
/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
[/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]
/usr/libexec/dmd
[/usr/libexec/dmd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
Network
| Country | Destination | Domain | Proto |
| US | 52.182.143.213:443 | | tcp |
| GB | 17.250.81.65:443 | | tcp |
| US | 8.8.8.8:53 | onedscolprdcus22.centralus.cloudapp.azure.com | udp |
| US | 52.182.143.215:443 | onedscolprdcus22.centralus.cloudapp.azure.com | tcp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 23.59.171.27:443 | | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
ubuntu2204-amd64-20240522.1-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:31
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
[/tmp/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:33
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:33
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
109s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:34
Platform
android-33-x64-arm64-20240611.1-en
Max time kernel
175s
Max time network
135s
Command Line
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.AUTORUS.JapanDrag
Network
| Country | Destination | Domain | Proto |
| GB | 172.217.16.228:443 | | udp |
| GB | 172.217.16.228:443 | | udp |
| GB | 216.58.212.196:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | three.nameapp.xyz | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 142.250.179.228:443 | | udp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 172.217.16.228:443 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
Files
/data/user/0/com.AUTORUS.JapanDrag/files/Config
| MD5 | 59c71e7d532bae6d5056d870aa7ce97b |
| SHA1 | 6f291bcc7fdbe709913d0ba50e38ddf5457c9cd7 |
| SHA256 | efe66ea8ccd08cf645e2df9be97450bbef97804dd3b9a1c65b6470de86bacb63 |
| SHA512 | 6baf7fdad8b16382aa3ef67ae93258dcc3c09b866af31c94f62a5a47de1372d7d79e6a8684f7788a362a701939aba1fa78bddf36d050594f41ee7355d9bb7a9c |
/data/user/0/com.AUTORUS.JapanDrag/files/Timer
| MD5 | fb53ceca0ccc8709c94f671fc4ec961b |
| SHA1 | 9fea81eebc52195b068d113420d34d8dfbae3993 |
| SHA256 | 4043813dd19cf1d7fe6d5b141963a2aed8218f980a233a8725efbe326f489c50 |
| SHA512 | fa73154227f47f6cd8bc7a686759ff6f9626e0feb40e40e737ab1869bdb535f1cb3602f402f71a5e75558eb4a14c46aee100d35249a7360871e390cb4645da55 |
/data/user/0/com.AUTORUS.JapanDrag/files/Timer
| MD5 | 09487e8605c9cce2ea0fca0d584b7806 |
| SHA1 | e2253e74f2a07da3fcf8b624e121d09a9733a145 |
| SHA256 | c78b001183fc21556c468874443564d7737288073c43a9bf21b0e2c8424b3fb5 |
| SHA512 | 459dbc3139694b6caed57273f0260f5ef20ced8bbaf50ba260c55c5cdb9c9daa2ef813d580f2b254987e2a30191d38cf377037657330ea241ab51db29d76c88b |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-21 10:30
Reported
2024-06-21 10:33
Platform
macos-20240611-en
Max time kernel
133s
Max time network
146s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pluginkit.pkd]
/usr/libexec/pkd
[/usr/libexec/pkd]
/bin/zsh
[/bin/zsh -c /Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]
/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk
[/Users/run/3b5558487a749f6b653a717a1061aee1d44a5e1ed501ac2651de1075ed865913.apk]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater66017B75/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lb._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | api.apple-cloudkit.fe2.apple-dns.net | udp |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 104.91.71.16:443 | a1366.dscapi6.akamai.net | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| GB | 104.91.71.7:443 | a1366.dscapi6.akamai.net | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| US | 23.219.244.63:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 2.21.189.171:443 | help.apple.com | tcp |
| GB | 2.21.189.171:443 | help.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | 268fcc2f959120b5c34e0fc1ea2321dc |
| SHA1 | de15482a5d3966da6a8ff94f8dd9825deb5de2ae |
| SHA256 | 48a08978f59f53777029a798ddda8fd06af02411447460350df0bce09330a51e |
| SHA512 | 9f138a38b61cf90a3d5c142c86f524b4b9aa457d759bf06fece1f52671987b2ad2a8d934214c0f6b51918c1aead750d3a37b9fc50f68232d283fb00fd4379434 |