Malware Analysis Report

2024-09-23 13:54

Sample ID: 240726-wpy3vaydnh
Target: https://www.mediafire.com/file/uut7jo6m92glu7t/tiktok.apk/file
Tags: slocker ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://www.mediafire.com/file/uut7jo6m92glu7t/tiktok.apk/file was found to be: Known bad.

Malicious Activity Summary

slocker ransomware

SLocker

SLocker payload

Requests dangerous framework permissions

Checks CPU information

Checks memory information

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-26 18:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-26 18:06
Reported: 2024-07-26 18:11
Platform: android-33-x64-arm64-20240624-en
Max time kernel: 298s
Max time network: 312s

Command Line

com.android.chrome

Signatures

SLocker

ransomware slocker

SLocker payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.android.chrome

Network

Country | Destination | Domain | Proto
GB | 216.58.201.100:443 | | udp
N/A | 224.0.0.251:5353 | | udp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
US | 172.64.41.3:443 | | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp
US | 1.1.1.1:53 | www.mediafire.com | udp
US | 104.16.114.74:443 | www.mediafire.com | tcp
US | 104.16.114.74:443 | www.mediafire.com | tcp
US | 1.1.1.1:53 | gmscompliance-pa.googleapis.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 66.102.1.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | the.gatekeeperconsent.com | udp
US | 104.21.42.32:443 | the.gatekeeperconsent.com | tcp
US | 1.1.1.1:53 | chrome.cloudflare-dns.com | udp
US | 1.1.1.1:53 | chrome.cloudflare-dns.com | udp
US | 1.1.1.1:53 | chrome.cloudflare-dns.com | udp
US | 162.159.61.3:443 | chrome.cloudflare-dns.com | tcp
US | 162.159.61.3:443 | chrome.cloudflare-dns.com | tcp
US | 172.64.41.3:443 | chrome.cloudflare-dns.com | tcp
US | 1.1.1.1:53 | btloader.com | udp
US | 1.1.1.1:53 | www.ezojs.com | udp
US | 104.22.75.216:443 | btloader.com | tcp
US | 104.21.63.106:443 | www.ezojs.com | tcp
US | 1.1.1.1:53 | translate.google.com | udp
US | 1.1.1.1:53 | a.nel.cloudflare.com | udp
US | 1.1.1.1:53 | static.cloudflareinsights.com | udp
GB | 142.250.179.238:443 | translate.google.com | tcp
US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp
US | 104.16.80.73:443 | static.cloudflareinsights.com | tcp
US | 162.159.61.3:443 | chrome.cloudflare-dns.com | udp
DE | 142.250.185.200:443 | | udp
NL | 18.239.18.117:443 | cdn.amplitude.com | tcp
US | 104.16.114.74:443 | www.mediafire.com | udp
GB | 216.58.204.78:443 | | tcp
GB | 216.58.204.78:443 | | tcp
US | 172.67.73.78:443 | www.mediafiredls.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 104.16.113.74:443 | www.mediafire.com | udp
US | 104.16.52.110:443 | cdn.otnolatrnup.com | tcp
DE | 142.250.186.170:443 | content-autofill.googleapis.com | tcp
DE | 142.250.186.170:443 | | tcp
US | 35.82.39.1:443 | api.amplitude.com | tcp
US | 1.1.1.1:53 | update.googleapis.com | udp
US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp
GB | 216.58.212.227:443 | update.googleapis.com | tcp
US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp
DE | 142.250.186.74:443 | translate.googleapis.com | tcp
US | 216.239.36.181:443 | analytics.google.com | tcp
BE | 108.177.15.156:443 | stats.g.doubleclick.net | tcp
DE | 142.250.186.170:443 | | udp
DE | 216.58.212.170:443 | optimizationguide-pa.googleapis.com | tcp
DE | 142.250.186.132:443 | | udp
DE | 142.250.186.74:443 | | udp
DE | 142.250.186.74:443 | translate.googleapis.com | tcp
US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp
US | 104.16.52.110:443 | | udp
US | 104.21.42.32:443 | the.gatekeeperconsent.com | udp
US | 104.21.63.106:443 | www.ezojs.com | udp
DE | 142.250.185.142:443 | | udp
US | 199.91.155.17:443 | download2276.mediafire.com | tcp
US | 199.91.155.17:443 | | tcp
US | 216.239.36.181:443 | | udp
US | 104.21.63.210:443 | 1redlink.com | tcp
US | 104.21.63.210:443 | | tcp
DE | 142.250.186.74:443 | | udp
US | 104.21.63.210:443 | | udp
US | 104.18.95.41:443 | challenges.cloudflare.com | tcp
US | 104.18.95.41:443 | | udp
US | 104.18.95.41:443 | challenges.cloudflare.com | tcp
GB | 216.58.201.100:443 | | udp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
US | 162.159.61.3:443 | chrome.cloudflare-dns.com | udp
US | 34.104.35.123:443 | edgedl.me.gvt1.com | tcp
US | 35.190.80.1:443 | a.nel.cloudflare.com | udp
US | 34.104.35.123:443 | | udp
DE | 142.250.186.78:80 | redirector.gvt1.com | tcp
DE | 74.125.108.105:80 | r4---sn-i5h7lnll.gvt1.com | tcp
DE | 74.125.108.103:80 | r2---sn-i5h7lnll.gvt1.com | tcp
DE | 142.250.185.100:443 | | udp
US | 1.1.1.1:53 | voilatile-pa.googleapis.com | udp
GB | 142.250.179.234:443 | voilatile-pa.googleapis.com | tcp
DE | 142.250.186.46:443 | | tcp
DE | 142.250.186.46:443 | | tcp
DE | 142.250.186.46:443 | encrypted-tbn0.gstatic.com | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.187.228:443 | www.google.com | udp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | encrypted-tbn0.gstatic.com | udp
GB | 142.250.179.238:443 | encrypted-tbn0.gstatic.com | tcp
GB | 142.250.179.238:443 | encrypted-tbn0.gstatic.com | udp
GB | 142.250.187.194:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 142.250.200.38:443 | | tcp
GB | 142.250.180.2:443 | | tcp
GB | 142.250.187.194:443 | | tcp
GB | 172.217.169.46:443 | | tcp
US | 216.239.34.36:443 | | tcp
GB | 172.217.169.42:443 | voilatile-pa.googleapis.com | tcp
GB | 172.217.16.225:443 | | tcp
GB | 142.250.179.225:443 | | tcp
GB | 172.217.16.225:443 | | tcp
GB | 172.217.16.225:443 | | tcp
GB | 172.217.16.225:443 | | tcp
GB | 172.217.16.225:443 | | tcp

Files

/storage/emulated/0/Download/.pending-1722622037-tiktok.apk (deleted)

MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

/storage/emulated/0/Download/.pending-1722622037-tiktok.apk

MD5 7cc805be68b2392cbc8d9b643b6f1a35
SHA1 d808a8aee11a2335e09ceb2744b60a00544f0b71
SHA256 3ad6a04700902fdc4dcf1fcdaa39490335319860c6777b9efa32a58cda8dcc77
SHA512 3f6c825a2f3aa40d1d8caef0220b2fe40166efd864a26a63df5573f489fc073aa7d1dcf50b4c41a53e31f3c7397fb171f46603168e261558601df28e8503b81c

files/dom-0.html

MD5 a9fc5ee9473aecad51b1440523f03a39
SHA1 aeecc415a1c52e2457138f6bb237dda50dee0b40
SHA256 6f9d6d5abbe029dd63263748ad46512889479a21891e403de9cc6d8c72959ae7
SHA512 222aa1a9bfbe998030f2af06a3b1b0c4ec4f6ac93801c1a422b449c3942e8ccc23fe4351453cc8252d4816d72473d78afedd5b33e2c4bb42cc95370a00cfd6b3

files/dom-1.html

MD5 1335c351bf36193d364de30056207aa0
SHA1 78668edb9da525f9fcc59b5e5b6c0f34f9680652
SHA256 0914fa07767812cb1c48ae028b2fdb7915620317db6b85bee531b71c9ab9c378
SHA512 9b31a1746e2b41ba379ca06380f0c1cdf7a0d78e79deda5f4dceacd7807fa5d70a2b3edb8a5753b6daf99c70f800e4f774a6033b7b70d78ba65c3a97062453f0