51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

max time kernel
177s
max time network
176s
platform
android_x64
resource
android-x64-20240624-en
resource tags

androidarch:x64arch:x86image:android-x64-20240624-enlocale:en-usos:android-10-x64system
submitted
04/08/2024, 12:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stick War_ Legacy.apk
Size

3.2MB
MD5

ae5770ecb741649cd470d645dd611843
SHA1

d6d29b4466c5139b9ea5b63d2b85150d6604abc5
SHA256

ba39a4b76ab656532003e560476b9a295df488f50195c6b9d7ac523b6d07aab4
SHA512

dda845e67dedf51508205f6aa7ffd8d19fcad0f0077178c71b8f65a96cb4096d3f326f52c081ea003f78703fdbbbff79f77b3618fd06717be67987627d0f524f
SSDEEP

98304:mO76p/xfKx1ppTyRwkrB0z+X0iXN9ALEjTRVShd:mi6FxfKxjdy66B0z+EiZnKT

Score

7^/10

collection credential_access discovery evasion impact persistence

Malware Config

Signatures

Loads dropped Dex/Jar 1 TTPs 1 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

ioc	pid	Process
/data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex	5274	com.herocraft.game.treasuresofthedeep

Obtains sensitive information copied to the device clipboard 2 TTPs 1 IoCs

Application may abuse the framework's APIs to obtain sensitive information copied to the device clipboard.

collection credential_access impact

Clipboard Data

T1414

Transmitted Data Manipulation

T1641.001

description	ioc	Process
Framework service call	android.content.IClipboard.addPrimaryClipChangedListener	com.herocraft.game.treasuresofthedeep

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.herocraft.game.treasuresofthedeep

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.herocraft.game.treasuresofthedeep

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.herocraft.game.treasuresofthedeep

Queries the mobile country code (MCC) 1 TTPs 1 IoCs

discovery

System Network Configuration Discovery

T1422

description	ioc	Process
Framework service call	com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone	com.herocraft.game.treasuresofthedeep

Reads information about phone network operator. 1 TTPs
discovery

System Network Configuration Discovery
T1422

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.herocraft.game.treasuresofthedeep

Checks memory information 2 TTPs 1 IoCs

System Checks

T1633.001

System Information Discovery

T1426

description	ioc	Process
File opened for read	/proc/meminfo	com.herocraft.game.treasuresofthedeep

com.herocraft.game.treasuresofthedeep
1⤵
- Loads dropped Dex/Jar
- Obtains sensitive information copied to the device clipboard
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Queries the mobile country code (MCC)
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Checks memory information
PID:5274

Network

DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A

Response

ssl.google-analytics.com

IN A

142.250.187.200
DNS

ssl.google-analytics.com

Remote address:

1.1.1.1:53

Request

ssl.google-analytics.com

IN A
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

216.58.204.78
DNS

sara.sfjioagjioabnjqqfmx.com

Remote address:

1.1.1.1:53

Request

sara.sfjioagjioabnjqqfmx.com

IN A

Response

sara.sfjioagjioabnjqqfmx.com

IN A

5.149.249.226
GET

http://sara.sfjioagjioabnjqqfmx.com//client.config/?app=pndr2&format=json&advert_key=ZWMwMDBhMDgxZTAwMzc4MjAwMDAzNzhmMDAzNzhmMDAzNzhmMzZjN2M1MjY4OA==&uid=780ABDFF0721FED15DF808C30272B9EB-76A5A351A79E61EEA499828B024904C2302D7EED&version=51.0&pckg=com.herocraft.game.treasuresofthedeep&ia=10&im=Google&id=Android_SDK_built_for_x86_64&net_id=4289365017389580802&did=1b5d8057-4238-11ef-9b6a-566f6e6e092b&p1=_&ddate=1720990800&rlid=&refLink=&gateId=&net_type=731&fcm_token=cJjIod9BSf-LkvhtI2xu0Q:APA91bHI5EyI-YLiuSpHNWtbAwf1MPc7PszA8mKAD9w0khyh7x7PXiskAvnD4JDdU3klaRZ9onLjS24GHQHJBHnJy05CQjsU2REx4daIfbkZoM9tJ1ahPGVcnx9vihzYbTQzDPW9cWnP&sp_time=6&ne=1&network_operator=T-Mobile&phone_type=gsm&sim_operator=T-Mobile&network_vpn=&sim_iso=us&networks=lo;eth0&network_type=MOBILE&network_iso=us&pndr_install=1

Remote address:

5.149.249.226:80

Request

GET //client.config/?app=pndr2&format=json&advert_key=ZWMwMDBhMDgxZTAwMzc4MjAwMDAzNzhmMDAzNzhmMDAzNzhmMzZjN2M1MjY4OA==&uid=780ABDFF0721FED15DF808C30272B9EB-76A5A351A79E61EEA499828B024904C2302D7EED&version=51.0&pckg=com.herocraft.game.treasuresofthedeep&ia=10&im=Google&id=Android_SDK_built_for_x86_64&net_id=4289365017389580802&did=1b5d8057-4238-11ef-9b6a-566f6e6e092b&p1=_&ddate=1720990800&rlid=&refLink=&gateId=&net_type=731&fcm_token=cJjIod9BSf-LkvhtI2xu0Q:APA91bHI5EyI-YLiuSpHNWtbAwf1MPc7PszA8mKAD9w0khyh7x7PXiskAvnD4JDdU3klaRZ9onLjS24GHQHJBHnJy05CQjsU2REx4daIfbkZoM9tJ1ahPGVcnx9vihzYbTQzDPW9cWnP&sp_time=6&ne=1&network_operator=T-Mobile&phone_type=gsm&sim_operator=T-Mobile&network_vpn=&sim_iso=us&networks=lo;eth0&network_type=MOBILE&network_iso=us&pndr_install=1 HTTP/1.1
User-Agent: Mozilla/5.0 (Linux; Android 10; Android SDK built for x86_64 Build/QSR1.210802.001; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/74.0.3729.185 Mobile Safari/537.36
Host: sara.sfjioagjioabnjqqfmx.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx
Date: Sun, 04 Aug 2024 12:31:03 GMT
Content-Type: application/json
Content-Length: 1152
Connection: keep-alive
Timing-Allow-Origin: *

142.250.187.200:443

ssl.google-analytics.com

tls

1.3kB
5.9kB
8
9
142.250.179.238:443

tls, https

857 B
40 B
1
1
216.58.204.78:443

android.apis.google.com

tls

6.0kB
9.4kB
16
26
5.149.249.226:80

http://sara.sfjioagjioabnjqqfmx.com//client.config/?app=pndr2&format=json&advert_key=ZWMwMDBhMDgxZTAwMzc4MjAwMDAzNzhmMDAzNzhmMDAzNzhmMzZjN2M1MjY4OA==&uid=780ABDFF0721FED15DF808C30272B9EB-76A5A351A79E61EEA499828B024904C2302D7EED&version=51.0&pckg=com.herocraft.game.treasuresofthedeep&ia=10&im=Google&id=Android_SDK_built_for_x86_64&net_id=4289365017389580802&did=1b5d8057-4238-11ef-9b6a-566f6e6e092b&p1=_&ddate=1720990800&rlid=&refLink=&gateId=&net_type=731&fcm_token=cJjIod9BSf-LkvhtI2xu0Q:APA91bHI5EyI-YLiuSpHNWtbAwf1MPc7PszA8mKAD9w0khyh7x7PXiskAvnD4JDdU3klaRZ9onLjS24GHQHJBHnJy05CQjsU2REx4daIfbkZoM9tJ1ahPGVcnx9vihzYbTQzDPW9cWnP&sp_time=6&ne=1&network_operator=T-Mobile&phone_type=gsm&sim_operator=T-Mobile&network_vpn=&sim_iso=us&networks=lo;eth0&network_type=MOBILE&network_iso=us&pndr_install=1

http

1.3kB
1.5kB
5
4

HTTP Request

GET http://sara.sfjioagjioabnjqqfmx.com//client.config/?app=pndr2&format=json&advert_key=ZWMwMDBhMDgxZTAwMzc4MjAwMDAzNzhmMDAzNzhmMDAzNzhmMzZjN2M1MjY4OA==&uid=780ABDFF0721FED15DF808C30272B9EB-76A5A351A79E61EEA499828B024904C2302D7EED&version=51.0&pckg=com.herocraft.game.treasuresofthedeep&ia=10&im=Google&id=Android_SDK_built_for_x86_64&net_id=4289365017389580802&did=1b5d8057-4238-11ef-9b6a-566f6e6e092b&p1=_&ddate=1720990800&rlid=&refLink=&gateId=&net_type=731&fcm_token=cJjIod9BSf-LkvhtI2xu0Q:APA91bHI5EyI-YLiuSpHNWtbAwf1MPc7PszA8mKAD9w0khyh7x7PXiskAvnD4JDdU3klaRZ9onLjS24GHQHJBHnJy05CQjsU2REx4daIfbkZoM9tJ1ahPGVcnx9vihzYbTQzDPW9cWnP&sp_time=6&ne=1&network_operator=T-Mobile&phone_type=gsm&sim_operator=T-Mobile&network_vpn=&sim_iso=us&networks=lo;eth0&network_type=MOBILE&network_iso=us&pndr_install=1

HTTP Response

200
142.250.200.36:443

tls, https

430 B
40 B
2
1
142.250.200.36:443

www.google.com

tls

8.3kB
10.5kB
25
35
172.217.16.238:443

520 B
10
216.58.204.66:443

520 B
10

224.0.0.251:5353

3.7kB
11
1.1.1.1:53

ssl.google-analytics.com

dns

140 B
86 B
2
1

DNS Request

ssl.google-analytics.com

DNS Request

ssl.google-analytics.com

DNS Response

142.250.187.200
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

216.58.204.78
1.1.1.1:53

sara.sfjioagjioabnjqqfmx.com

dns

74 B
90 B
1
1

DNS Request

sara.sfjioagjioabnjqqfmx.com

DNS Response

5.149.249.226

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Foreground Persistence

T1541

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Clipboard Data

T1414

Discovery

System Information Discovery

T1426

System Network Configuration Discovery

T1422

System Network Connections Discovery

T1421

Lateral Movement

Collection

Clipboard Data

T1414

Command and Control

Exfiltration

Impact

Data Manipulation

T1641

Transmitted Data Manipulation

T1641.001

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.herocraft.game.treasuresofthedeep/files/Ni

Filesize
697B

MD5
a7531a4c22e7672a3c69d79eba9f18d6

SHA1
0fbdb7fca41dc28f0f03cd233d64e0d9a8f7e8a4

SHA256
c8763943e9c347de2c3cd1d764fb0dbad9105a7a36acd0e71820a0763cb7807a

SHA512
0385607f71b436dd0bb1230eb499887e7320531395fd0bb7ed8f3d99191fa4aab47f7d07e48078ef16aedceaefb049da687a58f2a97940640c5dc018de69dcf8

Download Submit
/data/data/com.herocraft.game.treasuresofthedeep/files/PersistedInstallation7460318339083462914tmp

Filesize
569B

MD5
0090059200965f7c9e4502487a977de0

SHA1
7e5eeb66dfe1b07d97c31148eb165100e9987f1f

SHA256
4294f3b08fd0519742cbb10e6b5aa7a3b06d7333259b3e8087e33deb6ef57644

SHA512
64f84f0f7478525cccd85ef6dd82771a67ac106dc6dfe637f018007d01e00d1c7c282dfa2898481c77456875db11851c982bcea95f8ab5043fca76b6d370f19a

Download Submit
/data/data/com.herocraft.game.treasuresofthedeep/files/S

Filesize
224B

MD5
d88054a5ace8edb135d29e35cb8ca256

SHA1
0205f70bc0752a0aae118bf4d92d5e284c5f42bd

SHA256
91fedc8a4a491ef24bc05a4f4e831ed0650c3c29311b867ae78f8c316ec908cf

SHA512
9be2b7ecd11924d2778b917382191c03b1fd10fe9a141222a4c9b030131fb7b662d6e049f8ff2b15e0e33757ccf826c7b208c9ea59ada65435dc762cb8207908

Download Submit
/data/data/com.herocraft.game.treasuresofthedeep/files/S

Filesize
224B

MD5
70500a21d802190587b1e34ef4675a1a

SHA1
bf09b29c98be6dd30b49c6b6aba673b4ee78d446

SHA256
d7f3a5d8417f670e916f651e79b3704d1eb5bf45eacd423c88ece30f3c2c44fc

SHA512
456a193226c1ac2628b1db1e11151956acef98c8600e293a8c24b93ae57f96d45427e46433179984b94cc61d0711c6780f139ec3b149e157c7ba205504948d8b

Download Submit
/data/data/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

Filesize
2.3MB

MD5
48aab9b1635e8a510b4a1126c1f95bc5

SHA1
7ce5597408c9a42d93e882ed904dd0f3551ab81b

SHA256
1653275e4d68124e6af999b4311ac471f0a8adbcdffe4f64c678e1e84f367725

SHA512
e5a224994ed1332b87c33b3d0784b69be8733cde478650888e889af3d20c9d33b9c20720ac4104f15aecb8a94bc4101f5d826cc7161797f66b416be939d0bd3b

Download Submit
/data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

Filesize
6.4MB

MD5
121d33b2c1295d49f9fba521016f45fe

SHA1
69e49d75e0a5e37cbc1f3f29fe5dccc656db27dc

SHA256
6f86990c8865f5cacbe7c38d934947aebae0a7f891043c714f012806a8e4467c

SHA512
561d57fc6e5c20b8c94949cc461d7e0e6595d041c1f8fe07c4b6815df92f71eede53bb1d333e58e494dec0e9db9a740c3917ba5519bdb3f51da7a3e3f744ac4b

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.