Malware Analysis Report

2024-10-16 05:28

Sample ID 240804-ppf4psvfkq
Target virusX.zip
SHA256 51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5
Tags
collection impact privilege_escalation credential_access discovery evasion persistence slocker wipelock tispy infostealer spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

Threat Level: Known bad

The file virusX.zip was found to be: Known bad.

Malicious Activity Summary

collection impact privilege_escalation credential_access discovery evasion persistence slocker wipelock tispy infostealer spyware trojan

TiSpy payload

Wipelock Android payload

TiSpy

Wipelock family

SLocker payload

Slocker family

Queries the phone number (MSISDN for GSM devices)

Reads the contacts stored on the device.

Requests cell location

Queries information about the current nearby Wi-Fi networks

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Reads information about phone network operator.

Acquires the wake lock

Queries information about the current Wi-Fi connection

Requests uninstalling the application.

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Tries to add a device administrator.

Declares broadcast receivers with permission to handle system events

Declares services with permission to bind to the system

Queries information about active data network

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-04 12:30

Signatures

SLocker payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Slocker family

slocker

Wipelock Android payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Wipelock family

wipelock

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call, with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:36

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

133s

Command Line

com.elite

Signatures

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Tries to add a device administrator.

privilege_escalation impact
Description | Indicator | Process | Target
Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A

Processes

com.elite

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:36

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

165s

Command Line

com.elite

Signatures

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Processes

com.elite

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-20240624-en

Max time kernel

177s

Max time network

176s

Command Line

com.herocraft.game.freemium.catchthecandy

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.freemium.catchthecandy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g1.flostiks.com | udp
PL | 51.75.61.103:80 | g1.flostiks.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp

Files

/data/data/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

MD5 d951efa7f0ca59781f3af35949338902
SHA1 ac853df2b6835dbac7c94eb008ab4657e68eda70
SHA256 5b0a0d3671f6ff3ea0001624a0c157d057965e60891c5335391880fe9b00e183
SHA512 8fbbc1c347ec03478b01ff321d159656abfcad1d9ac3b426382348567c57bbaf1cdb3cac77c38fbcf62e0e17063f170fc9f9bf200a982b940dcad47e30b05617

/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

MD5 767a8ce605249b314939882f824f989a
SHA1 7cb1e61d4fa739b92b25d13bcf33bbb00cff9baa
SHA256 26d8b34344e6e61c8a1380e9773109569accb467b36f954a1e5c729a4d701fa5
SHA512 baec83cf6d66fc0dbf13411043c8168acf38b0b66a9c20f9b1ec54d6f5ef21527d22b4c47dd54734dcd5bd85410dc3bb8fe786fb1702443beee9a42e869c4475

/data/data/com.herocraft.game.freemium.catchthecandy/files/PersistedInstallation2766970602771739892tmp

MD5 0c1dd1d4d86517e75ff2d8aad3c7cdb5
SHA1 80284c3b3e07c9a6a16c0fe31f73b75b07e2ba25
SHA256 08787fd01e289901a509c684593ba0c7e51732206aab9df36bc075b3682de3bf
SHA512 ebe83e94f5310fd28ab60ab2432ae2649f5b6127a29178aa1dcf08899c515b0d4f42bb23fe0f03c932303972c9d8c07d73ec2761beb28386c98ab260259fdcf1

/data/data/com.herocraft.game.freemium.catchthecandy/files/Iksc

MD5 2a360640f3c7f0591d34044f31d4d5a2
SHA1 bce3544325766541eebca2849affc392dbfe8e1c
SHA256 698e8f50d4b9eb2885726db4d1f480a9261258f70f0e50a382342b585b774ba1
SHA512 5a9e8519e96a8741d6327bdce80d86b7eab9f4ca895278d442735bab15274bdcd7760d6c1e22fc2a316d2a58e32e8834a919240cdb343148317c59b6e3f82cd6

/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

MD5 fcf8595f3f97d84349798eb54f5e7046
SHA1 c18244aa40d5c75e361387e354a8018d385ff00c
SHA256 951011eb94c2b3acb4bc749b5ecbb0f843c2240daaa7cbfd5cae4726c3bf8d99
SHA512 4b2aa7ff10a60e07bc05c11352683f9b1c6bfd348e8e4cc9c86f2eeae6cee45325cd91ad43fef549e86db53d0b2cc2354314064bc1444aa3dd8ee95f8f6186ac

/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

MD5 51c6726c6bf0f9c2d08e7a8691a44d7d
SHA1 6f73531d46b13412affe6224bd86472504cb88b6
SHA256 464ef4d427590b66d6ad89eeb886742efd3e483b3f33e0cb3a0568eb7b7fe50c
SHA512 b1274e7f7262a8a71e6a509d98d398359ec4246aacdc43ce35e43c8597d2d712eb5a411c857cae1663cab35a05e25804d66979fe779ab06682b169826370b9a7

/data/data/com.herocraft.game.freemium.catchthecandy/files/Iksc

MD5 bea431cfa9db90ef1fe3a5ee1bedaedb
SHA1 7bfbf30feb16ab0839902e8f40f6ba874031d0ce
SHA256 6c176005b3321d27294ffd0a4d8e5fefce65778373973a78bede260502601087
SHA512 5f6f0b6842b25516b24d04202d8c0b0e37b9ba1dca0dbe26fe20ba729031784df3fded3472ee17a65fc40e4654c800aa14f9606f9943152453d05e235689e7fe

/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

MD5 4914273c193d912bdf2cf3c73ea11f7c
SHA1 c283ed99eb84f99e51f585dbe131e69de67588aa
SHA256 874b8ac230782247480dfd4c8c6703bd35923d7dbe8e0c8afbbd59ebe0220ee5
SHA512 e85db149bd93c03cc1d3b77c64d3945e89797c006dd1f4482836b16d53816f321a9296f43ff8317f167612988b3b01cacb519397ee58cedcb6d8626b5af1ae58

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-20240624-en

Max time kernel

177s

Max time network

176s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.treasuresofthedeep

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.204.78:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | sara.sfjioagjioabnjqqfmx.com | udp
NL | 5.149.249.226:80 | sara.sfjioagjioabnjqqfmx.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp
GB | 172.217.16.238:443 | | tcp
GB | 216.58.204.66:443 | | tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 48aab9b1635e8a510b4a1126c1f95bc5
SHA1 7ce5597408c9a42d93e882ed904dd0f3551ab81b
SHA256 1653275e4d68124e6af999b4311ac471f0a8adbcdffe4f64c678e1e84f367725
SHA512 e5a224994ed1332b87c33b3d0784b69be8733cde478650888e889af3d20c9d33b9c20720ac4104f15aecb8a94bc4101f5d826cc7161797f66b416be939d0bd3b

/data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 121d33b2c1295d49f9fba521016f45fe
SHA1 69e49d75e0a5e37cbc1f3f29fe5dccc656db27dc
SHA256 6f86990c8865f5cacbe7c38d934947aebae0a7f891043c714f012806a8e4467c
SHA512 561d57fc6e5c20b8c94949cc461d7e0e6595d041c1f8fe07c4b6815df92f71eede53bb1d333e58e494dec0e9db9a740c3917ba5519bdb3f51da7a3e3f744ac4b

/data/data/com.herocraft.game.treasuresofthedeep/files/PersistedInstallation7460318339083462914tmp

MD5 0090059200965f7c9e4502487a977de0
SHA1 7e5eeb66dfe1b07d97c31148eb165100e9987f1f
SHA256 4294f3b08fd0519742cbb10e6b5aa7a3b06d7333259b3e8087e33deb6ef57644
SHA512 64f84f0f7478525cccd85ef6dd82771a67ac106dc6dfe637f018007d01e00d1c7c282dfa2898481c77456875db11851c982bcea95f8ab5043fca76b6d370f19a

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 d88054a5ace8edb135d29e35cb8ca256
SHA1 0205f70bc0752a0aae118bf4d92d5e284c5f42bd
SHA256 91fedc8a4a491ef24bc05a4f4e831ed0650c3c29311b867ae78f8c316ec908cf
SHA512 9be2b7ecd11924d2778b917382191c03b1fd10fe9a141222a4c9b030131fb7b662d6e049f8ff2b15e0e33757ccf826c7b208c9ea59ada65435dc762cb8207908

/data/data/com.herocraft.game.treasuresofthedeep/files/Ni

MD5 a7531a4c22e7672a3c69d79eba9f18d6
SHA1 0fbdb7fca41dc28f0f03cd233d64e0d9a8f7e8a4
SHA256 c8763943e9c347de2c3cd1d764fb0dbad9105a7a36acd0e71820a0763cb7807a
SHA512 0385607f71b436dd0bb1230eb499887e7320531395fd0bb7ed8f3d99191fa4aab47f7d07e48078ef16aedceaefb049da687a58f2a97940640c5dc018de69dcf8

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 70500a21d802190587b1e34ef4675a1a
SHA1 bf09b29c98be6dd30b49c6b6aba673b4ee78d446
SHA256 d7f3a5d8417f670e916f651e79b3704d1eb5bf45eacd423c88ece30f3c2c44fc
SHA512 456a193226c1ac2628b1db1e11151956acef98c8600e293a8c24b93ae57f96d45427e46433179984b94cc61d0711c6780f139ec3b149e157c7ba205504948d8b

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

140s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.treasuresofthedeep

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 216.58.213.10:443 | | tcp
GB | 216.58.213.10:443 | | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sara.sfjioagjioabnjqqfmx.com | udp
PL | 51.75.61.102:80 | sara.sfjioagjioabnjqqfmx.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 48aab9b1635e8a510b4a1126c1f95bc5
SHA1 7ce5597408c9a42d93e882ed904dd0f3551ab81b
SHA256 1653275e4d68124e6af999b4311ac471f0a8adbcdffe4f64c678e1e84f367725
SHA512 e5a224994ed1332b87c33b3d0784b69be8733cde478650888e889af3d20c9d33b9c20720ac4104f15aecb8a94bc4101f5d826cc7161797f66b416be939d0bd3b

/data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 121d33b2c1295d49f9fba521016f45fe
SHA1 69e49d75e0a5e37cbc1f3f29fe5dccc656db27dc
SHA256 6f86990c8865f5cacbe7c38d934947aebae0a7f891043c714f012806a8e4467c
SHA512 561d57fc6e5c20b8c94949cc461d7e0e6595d041c1f8fe07c4b6815df92f71eede53bb1d333e58e494dec0e9db9a740c3917ba5519bdb3f51da7a3e3f744ac4b

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 2a3951fd6eeebc64eafa481dab946cfc
SHA1 d040e5d24dd38e62c98d60913964cc673129e2ab
SHA256 27f2b8e665e2e3190c5491ebe7ab81e0547d99d9934354fa021f4b2cca230f6b
SHA512 fbd06fb98b2ddc98db391afe266103846f79e62f3c0205ab14e266f94d32c04d4e655aa4210fd1326754aac5c89bea996089312dfdc692d9c0588ccb21b40c78

/data/data/com.herocraft.game.treasuresofthedeep/files/Ni

MD5 00ac23358ddc59b18579b65a96321e8b
SHA1 004524ed704abb03410f843347b77e1a595a4795
SHA256 45c3ab537e0e2bfb5fe898e283e677664cdf6acc0735760b8276cc43d6d601c7
SHA512 1ac825dba7d718ab1e0cec5ae3365f8ce80b04dde1b860aa8130e323766db735eb6ab9afb865cc3b05bcb1346a3e0b096f3a6b8f7879149e344eb26593a3d7fa

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 a78a9b62c0765043a08d18d25df9d3b9
SHA1 070459c91aef2c639e3f20e860b79ecf48ed318f
SHA256 4114222ac36bb33c753d98ca4914addfc40d16d51a8cd88f42cf98697b1eab01
SHA512 968a6996f99fc7bc827426e98f445aa2b5e30a499dbbeef967412bb99522c41a9f19ca4930610c59d858f04199bf16a4f6ac35757aba7829a9bfd9a814679963

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

136s

Command Line

com.hellboy

Signatures

Requests uninstalling the application.

evasion
Description | Indicator | Process | Target
Intent action | android.intent.action.DELETE | N/A | N/A

Processes

com.hellboy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.238:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-20240624-en

Max time kernel

175s

Max time network

174s

Command Line

com.herocraft.game.birdsonwire.freemium

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.birdsonwire.freemium

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g1.buyappcenter.com | udp
NL | 217.12.201.177:80 | g1.buyappcenter.com | tcp
GB | 216.58.201.100:443 | | tcp
GB | 216.58.201.100:443 | | tcp

Files

/data/data/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 a2c0379f196c91a175f47b801895518a
SHA1 549b6e1c77021378b4189f736b7eb7437a9d9497
SHA256 35cdc216518a388e7842f6b67a2c65ea06ca5302286087df3a9db29603b9aa21
SHA512 e3ebb67eb0a9c9e13db1dd29474bf93af6e0e3b9607623c0a70672bfb4f2505abc1f2c23e1592175317bc4f384fb7966954f0d37e6f331f7eb724ff5e6be4205

/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 670d8683a3c1765ced65f8b60bfacdba
SHA1 24bc8f1ec3e925316fa05918fed1962379debe15
SHA256 fc48615db02bf829b738c5efef9cfc368b27c0a40fe69d4fa165cf59b0d6cc9f
SHA512 c6e7c7104c31d2b567874fed9684c172b1dc722d084ab998b0159420554e27ce044ed8b0099194919c18d782ac9d075962c966c602eaaf021f36d9d262bbc9a8

/data/data/com.herocraft.game.birdsonwire.freemium/files/PersistedInstallation2167478085138301818tmp

MD5 68a62f7ab4012b2de624f90429ddb8a6
SHA1 d5bad7d171dc4ae6fa69c19671856d4e51cb5693
SHA256 6c6baabcff4825d6d3953ff8d9d60e74cfab3321f37d6bce971c11ef37854e19
SHA512 dfa8e9b0806407c7ff280eb2dc8c8106b667e9e6e259d3f279310484edc2bfaae81f8ca2014936aeb9ba167a38ae064d7f0be14f0078971b757531a78a903f36

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

MD5 f19888b1645f005f7b5b87b934f7737c
SHA1 eea6b92c985e94a03b7a25c4a86dba6144c1eda7
SHA256 8f6fc416e42ffaaa3b3774eb86da16a25b7a5bc69ca1aea3a335ed0cf4d2e60e
SHA512 bc613990b04c59ade6d8f0998cf42f976e2def114200c1e56c18d1938104216379dc57d89e16a8640359daf73ea7a3e74653939f7de3cfc61758f955ae05c06b

/data/data/com.herocraft.game.birdsonwire.freemium/files/KWW

MD5 9521f578414bd8a3e758f4e0c243eb20
SHA1 ecf295e6075a27a1a0b5e6768b3df0e97b7e800a
SHA256 35610131bd6f5d10206b999aa351fbec6846fd4f72e37c7b3ddb48d053401b13
SHA512 6d1b1e2e9bb8fe8596dbcefad7106a025a3ec4b3c7c30cb5762df528d37dc559d3c184289d4dbbd6f9c915dc76d602e0db2329d565fa2841e7a66c6019553d65

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

MD5 6e03b5cee1e86ac1dc6837b8b1234104
SHA1 14dcce3899f769b23cb245a56e13ada0bdc276b1
SHA256 5f78c4df76040aefec7e05fbc9c5648bb9bc11f09f40409e3fe1ff42997fc52f
SHA512 52fa5ed0c9acdd21a348801e12ab2efab960bedd6d5dc39db1537e4943cb2950f7d677a6339a81f6616fbd69545648ee821c1b207de8f26c8e6a3cd8493750d8

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

138s

Command Line

com.hellboy

Signatures

Requests uninstalling the application.

evasion
Description | Indicator | Process | Target
Intent action | android.intent.action.DELETE | N/A | N/A

Processes

com.hellboy

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.169.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-20240624-en

Max time kernel

178s

Max time network

179s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.treasuresofthedeep

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g2.coidnhfqqe.com | udp
NL | 217.12.201.177:80 | g2.coidnhfqqe.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 767ef40815362c541a89c4c50650c022
SHA1 46079e6da37683dce34f1d965f68b56deeeccff0
SHA256 045e58a267b61428e9b68a2b7f84eccb9335617ed119227acd35c9be5b2f48e1
SHA512 d1406c8299796a0c0d10ab6fe36c85c543bf91333e6bd6a8675e79b740e7325d45c66222b74737de320eedfce4ff1ba0f79517076e2ccb176aeae5c244be406f

/data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 38c2fd6b3426f301739dd658c91c462b
SHA1 98464a62414b23440ebecacdcf3097c8e9f1eff4
SHA256 51e662b019aea637e0be77e0bfd8d06eab2ebc3b4d2b07a3b81595ee63f8eefe
SHA512 ca7acf337f0069ce63a91da6aa36c4529b7968cc38cd6ffd9559ee37498075eab13331b68866f617a338279df6955ff32d8f7dea2941664da654fa855f4bfa1a

/data/data/com.herocraft.game.treasuresofthedeep/files/PersistedInstallation8856373932017377130tmp

MD5 8e2daa00c25ec0f6bba13474c9310a76
SHA1 2dd9aaa76e25285bff5af2bdf6590396bde7ff5a
SHA256 5c2245ec0e5654c69ae54f60b891f7f7e4767176c288031582d32cdd8a23578c
SHA512 34eb660f60f4e097e788233f3b5c9af006d28fbd7d037ac0db6acbb64bb1ac054ee193ddb951cda99deee1d8f002e69cbb7ffc97f2f363b92ffbd0c79c09e9bb

/data/data/com.herocraft.game.treasuresofthedeep/files/PersistedInstallation3063882221661882106tmp

MD5 d8fb243fbe5681f3204915dcf32ad2a3
SHA1 ddfc082d67182d1dd0516e5f13eb96404971589c
SHA256 4ef18114851e0db67c7f9defa8956077f41fcf76c4820bbf24fe27d6a6bfb0db
SHA512 55c2c864955b1e665ffe57b4d5396118a2cc2c30fdecf4731d391633495c8cb4dd9a18fc08efb4d70340f549632ec8963ad2bbdeac3a7af2c69a95f07cba29ab

/data/data/com.herocraft.game.treasuresofthedeep/files/WmJ

/data/data/com.herocraft.game.treasuresofthedeep/files/GZCo

/data/data/com.herocraft.game.treasuresofthedeep/files/GZCo

/data/data/com.herocraft.game.treasuresofthedeep/files/WmJ

/data/data/com.herocraft.game.treasuresofthedeep/files/GZCo

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:36

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

133s

Command Line

com.elite

Signatures

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Processes

com.elite

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
GB 172.217.169.42:443 tcp
GB 172.217.169.42:443 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:36

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

137s

Command Line

com.herocraft.game.birdsonwire.freemium

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A Anonymous-DexFile@0xd3463000-0xd372550c N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.herocraft.game.birdsonwire.freemium

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 g2.slachozhin.com udp
NL 217.12.201.177:80 g2.slachozhin.com tcp

Files

Anonymous-DexFile@0xd3463000-0xd372550c

/data/data/com.herocraft.game.birdsonwire.freemium/databases/com.google.android.datatransport.events-shm

/data/data/com.herocraft.game.birdsonwire.freemium/files/pxx

/data/data/com.herocraft.game.birdsonwire.freemium/files/qu

/data/data/com.herocraft.game.birdsonwire.freemium/files/pxx

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:36

Platform

android-x64-20240624-en

Max time kernel

49s

Max time network

164s

Command Line

com.test.accessibility

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.test.accessibility/app_ded/U5IKbtEk4k2AhDPajfKhV3RNVoVuAf46.dex N/A N/A
N/A /data/user/0/com.test.accessibility/app_ded/U5IKbtEk4k2AhDPajfKhV3RNVoVuAf46.dex N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.test.accessibility

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 172.217.16.238:443 tcp
GB 142.250.179.226:443 tcp

Files

/data/data/com.test.accessibility/app_ded/U5IKbtEk4k2AhDPajfKhV3RNVoVuAf46.dex

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x86-arm-20240624-en

Max time kernel

150s

Max time network

129s

Command Line

com.XPhantom.id

Signatures

N/A

Processes

com.XPhantom.id

Network

Country Destination Domain Proto
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

139s

Command Line

com.herocraft.game.freemium.catchthecandy

Signatures

N/A

Processes

com.herocraft.game.freemium.catchthecandy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.herocraft.game.freemium.catchthecandy/files/oat/x86/f2f8f843.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 g1.flostiks.com udp
NL 217.12.201.177:80 g1.flostiks.com tcp

Files

/data/data/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

165s

Command Line

com.hellboy

Signatures

N/A

Processes

com.hellboy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
GB 172.217.16.228:443 tcp
GB 172.217.16.228:443 tcp
GB 216.58.213.10:443 tcp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:37

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

133s

Command Line

yige.liwu

Signatures

N/A

Processes

yige.liwu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.238:443 android.apis.google.com tcp
GB 216.58.204.74:443 semanticlocation-pa.googleapis.com tcp

Files

/data/data/yige.liwu/files/icon.png

/data/data/yige.liwu/files/init.lua

/data/data/yige.liwu/files/layout.lua

/data/data/yige.liwu/files/layout.lua.bak

/data/data/yige.liwu/files/liangshao.mp3

/data/data/yige.liwu/files/main.lua

/data/data/yige.liwu/files/main.lua.bak

/data/data/yige.liwu/app_lua/DebugAssistant.lua

/data/data/yige.liwu/app_lua/import.lua

/data/data/yige.liwu/app_lua/loadbitmap.lua

/data/data/yige.liwu/app_lua/loadlayout.lua

/data/data/yige.liwu/app_lua/loadmenu.lua

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x86-arm-20240624-en

Max time kernel

49s

Max time network

136s

Command Line

com.crbpphsj.wjphxfzk

Signatures

TiSpy

trojan infostealer spyware tispy

TiSpy payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.crbpphsj.wjphxfzk/code_cache/1722774637223.dex N/A N/A
N/A /data/data/com.crbpphsj.wjphxfzk/code_cache/1722774637223.dex N/A N/A
N/A /data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip N/A N/A
N/A /data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip N/A N/A
N/A /data/data/com.crbpphsj.wjphxfzk/code_cache/1722774649682.dex N/A N/A
N/A /data/data/com.crbpphsj.wjphxfzk/code_cache/1722774649682.dex N/A N/A
N/A /data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.crbpphsj.wjphxfzk

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.crbpphsj.wjphxfzk/code_cache/1722774637223.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.crbpphsj.wjphxfzk/code_cache/oat/x86/1722774637223.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.crbpphsj.wjphxfzk/files/dex/oat/x86/YWmycydWrtgRZdrZq.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.crbpphsj.wjphxfzk/code_cache/1722774649682.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.crbpphsj.wjphxfzk/code_cache/oat/x86/1722774649682.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 auth.familysafty.com udp
US 172.67.207.9:443 auth.familysafty.com tcp

Files

/data/data/com.crbpphsj.wjphxfzk/code_cache/1722774637223.dex

/data/data/com.crbpphsj.wjphxfzk/code_cache/1722774637223.dex

/data/data/com.crbpphsj.wjphxfzk/code_cache/1722774637223.dex

/data/data/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip

/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip

/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip

/data/data/com.crbpphsj.wjphxfzk/files/477498.so

/data/data/com.crbpphsj.wjphxfzk/logs/Sistema1722774653358.log

/data/data/com.crbpphsj.wjphxfzk/databases/privatesms.db-journal

/data/data/com.crbpphsj.wjphxfzk/databases/privatesms.db

/data/data/com.crbpphsj.wjphxfzk/databases/privatesms.db-shm

/data/data/com.crbpphsj.wjphxfzk/databases/privatesms.db-wal

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-arm64-20240624-en

Max time kernel

177s

Max time network

139s

Command Line

com.herocraft.game.birdsonwire.freemium

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.herocraft.game.birdsonwire.freemium

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 g1.buyappcenter.com udp
SE 185.117.88.15:80 g1.buyappcenter.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

/data/data/com.herocraft.game.birdsonwire.freemium/files/KWW

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:37

Platform

android-x64-arm64-20240624-en

Max time kernel

13s

Max time network

136s

Command Line

com.test.accessibility

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.test.accessibility/app_ded/71SHYKnXzwVMyq1P3JfI0x7DeKMMgSVO.dex N/A N/A
N/A /data/user/0/com.test.accessibility/app_ded/71SHYKnXzwVMyq1P3JfI0x7DeKMMgSVO.dex N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.test.accessibility

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.212.200:443 ssl.google-analytics.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

/data/data/com.test.accessibility/app_ded/71SHYKnXzwVMyq1P3JfI0x7DeKMMgSVO.dex

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:36

Platform

android-x86-arm-20240624-en

Max time kernel

49s

Max time network

133s

Command Line

com.ygvezckt.rwqaztkw

Signatures

TiSpy

trojan infostealer spyware tispy

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip N/A N/A
N/A /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip N/A N/A
N/A /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip N/A N/A
N/A /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip N/A N/A
N/A /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip N/A N/A
N/A /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.ygvezckt.rwqaztkw

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/316f40170801e947.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip --output-vdex-fd=43 --oat-fd=45 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/lLtoeVfIDbcROVZBX.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp

Files

/data/data/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip

MD5 1b463ebe439550e65863364d145f3633
SHA1 06a1d114d31cc0c0735f6e865290de0df66534fc
SHA256 402745874a8f4229a51c30bb0a3fc4a383d5d2bdecf43f73920c7ec59f402631
SHA512 45be5088110b35464faac2c708084e5337ddf5f89d582001582c47db28e04ab577dc036ee481b02f3743b3bfc1a0bc85cdf9185f23aa8e683a2890833b77be5a

/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip

MD5 c276d68c66d80dfed813846189721519
SHA1 3006ae75be916f82d520f683322ce5b8af4be68b
SHA256 ba4227db1d3fb1d9befcdc67847e414b5070dd7e9d28e397c4cec1488309053e
SHA512 b5c1844af6bc735c26cb736691d864c3cb4ac567d49c8c0f5a3f73c7d8aa7de890900563a99a7e0a1e114cf561955225bea7522df876c338f380d03e502bb497

/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip

MD5 0141ce546517d0ff09558391ffe2c3d1
SHA1 c8da2607f42222cf6726f30015fce0e501df3c30
SHA256 4f647e2c0402fab82866f27337c18543123212e46abb52914e8c22bcff7382cf
SHA512 886f3fd3d8b891a8a1ced7552bb73e82b8eb390bf028570d1e5f1089863399dfe26184c4b6974968cc0a801ac1dadc768af157c386cda3fb0b810279680f48ce

/data/data/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip

MD5 5631aac4cdaafaf80e13e30ca0f35df4
SHA1 a5c11f94c00875c38fcc29debd5ab1f01b6a6d20
SHA256 c65d54edc4dfb9bb13a51764be2b1a66e6ef781a6f1a18368d22aeea79f1af6c
SHA512 15c45aabc02a08dd369de2b9f3ba736ccdea4cd325e865b079810887d3cfbdf52a7286dbb0516630cc0f83d3fba0a99efcb2a1f37ce3ee0a50bae98eb731eb47

/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip

MD5 eba2e1ec82083be20ece86501cf4a651
SHA1 c7296d77e0ff6982396d13e1f6cc54b2be4b5f12
SHA256 7cd112ace3c9789beb88d7d75e3c664706505fc8c5ede01fc92fabb9da2700ec
SHA512 668f0e05318a9a1d8f28aa9f8796450422b0f5d722704bcb37e003d42951e7033053b2c38ba4bc1144b14bac9114d875e860f5ee8add0986234228e2dc9dfbaf

/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip

MD5 0df030186d9f5c370a15db6223ca2eb7
SHA1 33a9951863ceaf037787cd169c4cf61fcb7bba1b
SHA256 ecf40b3088a5186d0c043c2248aaa1a509c4336ae7cad299741fb7fc7ba0b11c
SHA512 0777b4c68b58b428410554b9e420852cd3fb2f2bcfe7a48487b1564918c386ca5d80327a7dc9b9b2d8d55da5330296aabd1f866db3e068bbfb3a3d7f393547ae

/data/data/com.ygvezckt.rwqaztkw/files/dex/pro_btn_bg_animation_img_0.jpg.zip

MD5 7c20a2b01bf3f9df1f0abb72ebbe82be
SHA1 e601b2e41434623edbeece32867517a3cdec5449
SHA256 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e
SHA512 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

/data/data/com.ygvezckt.rwqaztkw/files/477458.so

MD5 8767a74133b3328c2a87a24893142ec2
SHA1 c1c48bcab9d7bf804cad029656d8b79bf8655d29
SHA256 80afd0eea39b125cd5a2f300a3b50302f002ff332943f71bd46d7ce5914e0f82
SHA512 96a2d70a2adfef8b8da4fc8c6b2be0b7eed0c33f76770093799fd3bbccf1b766290151cbd65981634c821baabdd8d445a6f66cf955045f0f402286b61aab2d7c

/data/data/com.ygvezckt.rwqaztkw/logs/Sistema1722774844993.log

MD5 5d1ff891bc721369e4a2301dd402317c
SHA1 281718a73f223c437bfff506d9a255ffe76d2576
SHA256 c703d6127bc2b2d978a52e665c055a1aa1892626c77d1d8397d59c6a81f91c5d
SHA512 b087ca2ca2d9c9858a8b738420480847e625c34b818fa4c1d735bf76e793c02a464d7c9727c00638aa147d146220a81863ab7ec6c74f706057f28ed2b736158b

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-journal

MD5 2bf668b3ef7c863f9dcb4617b34bd206
SHA1 a5c4854fe442e2ac7e320db2f441ce4616510bb5
SHA256 7dea96b03a2fd2320121556dc1055d8f54f558c56afbcaadcf7d28718807c579
SHA512 1fa12ff6cda0c147bce3d918646e38fc21e9d3fbb02a3a913f4448a16ee9ac2190998d6bf362b534d7c58bcee9ab0bc91387b696ae521528e54fd5a35eff575b

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db

MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-wal

MD5 43c3accbfe79afdab34c4854e2090c8e
SHA1 0b9a2c197cd0cf29a80116496ec3f4cff97ff368
SHA256 daf2f106a41f14ca1f16479ef9865dfa9a2e36cc9475d96baee942d0a4daf141
SHA512 f7b8bde86268f929c66a3efaeac21c2072b252cb06736ae40462ea97af8ab66aeccfc77780b89f62f5208cc4ae60ad4a4003a9f65a758ba5c393d4db69b794b6

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-20240624-en

Max time network

196s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

137s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

N/A

Processes

com.herocraft.game.treasuresofthedeep

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.herocraft.game.treasuresofthedeep/files/oat/x86/ac2b308d.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 sara.sfjioagjioabnjqqfmx.com udp
NL 5.149.249.226:80 sara.sfjioagjioabnjqqfmx.com tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 48aab9b1635e8a510b4a1126c1f95bc5
SHA1 7ce5597408c9a42d93e882ed904dd0f3551ab81b
SHA256 1653275e4d68124e6af999b4311ac471f0a8adbcdffe4f64c678e1e84f367725
SHA512 e5a224994ed1332b87c33b3d0784b69be8733cde478650888e889af3d20c9d33b9c20720ac4104f15aecb8a94bc4101f5d826cc7161797f66b416be939d0bd3b

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x86-arm-20240624-en

Max time kernel

9s

Max time network

137s

Command Line

com.herocraft.game.birdsonwire.freemium

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex N/A N/A

Processes

com.herocraft.game.birdsonwire.freemium

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.herocraft.game.birdsonwire.freemium/files/oat/x86/b04e7800.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.74:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.212.206:443 android.apis.google.com tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 g1.buyappcenter.com udp
NL 217.12.201.177:80 g1.buyappcenter.com tcp

Files

/data/data/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 a2c0379f196c91a175f47b801895518a
SHA1 549b6e1c77021378b4189f736b7eb7437a9d9497
SHA256 35cdc216518a388e7842f6b67a2c65ea06ca5302286087df3a9db29603b9aa21
SHA512 e3ebb67eb0a9c9e13db1dd29474bf93af6e0e3b9607623c0a70672bfb4f2505abc1f2c23e1592175317bc4f384fb7966954f0d37e6f331f7eb724ff5e6be4205

/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 670d8683a3c1765ced65f8b60bfacdba
SHA1 24bc8f1ec3e925316fa05918fed1962379debe15
SHA256 fc48615db02bf829b738c5efef9cfc368b27c0a40fe69d4fa165cf59b0d6cc9f
SHA512 c6e7c7104c31d2b567874fed9684c172b1dc722d084ab998b0159420554e27ce044ed8b0099194919c18d782ac9d075962c966c602eaaf021f36d9d262bbc9a8

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:36

Platform

android-x86-arm-20240624-en

Max time kernel

48s

Max time network

132s

Command Line

com.test.accessibility

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.test.accessibility/app_ded/0dVpoWJqMUDuK2U9Uv4lmOfHLV7Tj1K2.dex N/A N/A
N/A /data/user/0/com.test.accessibility/app_ded/0dVpoWJqMUDuK2U9Uv4lmOfHLV7Tj1K2.dex N/A N/A
N/A /data/user/0/com.test.accessibility/app_ded/0dVpoWJqMUDuK2U9Uv4lmOfHLV7Tj1K2.dex N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.test.accessibility

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.test.accessibility/app_ded/0dVpoWJqMUDuK2U9Uv4lmOfHLV7Tj1K2.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/com.test.accessibility/app_ded/oat/x86/0dVpoWJqMUDuK2U9Uv4lmOfHLV7Tj1K2.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

/data/data/com.test.accessibility/app_ded/0dVpoWJqMUDuK2U9Uv4lmOfHLV7Tj1K2.dex

MD5 8b5230cead615f005f2171207699d8aa
SHA1 1fa3764bdda3aa85f0481f8d63d96517c2638e3e
SHA256 b6f3c778f8411b88897f99b57e4c9c5c2ed6102527dd816147f4ca28de8d4498
SHA512 4d1b05e242d151fdfed77f7fa92bcc211cd23e28af134aaa5b403607b2ded7db6b6fb1fcbd134ecf31170e874f1e3ffb9d028e6ea8328441a678b725a180f22c

Analysis: behavioral8

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-arm64-20240624-en

Max time kernel

178s

Max time network

136s

Command Line

com.herocraft.game.freemium.catchthecandy

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.herocraft.game.freemium.catchthecandy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 172.217.16.238:443 tcp
GB 172.217.16.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 g1.flostiks.com udp
NL 217.12.201.177:80 g1.flostiks.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp

Files

/data/data/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

MD5 d951efa7f0ca59781f3af35949338902
SHA1 ac853df2b6835dbac7c94eb008ab4657e68eda70
SHA256 5b0a0d3671f6ff3ea0001624a0c157d057965e60891c5335391880fe9b00e183
SHA512 8fbbc1c347ec03478b01ff321d159656abfcad1d9ac3b426382348567c57bbaf1cdb3cac77c38fbcf62e0e17063f170fc9f9bf200a982b940dcad47e30b05617

/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

MD5 767a8ce605249b314939882f824f989a
SHA1 7cb1e61d4fa739b92b25d13bcf33bbb00cff9baa
SHA256 26d8b34344e6e61c8a1380e9773109569accb467b36f954a1e5c729a4d701fa5
SHA512 baec83cf6d66fc0dbf13411043c8168acf38b0b66a9c20f9b1ec54d6f5ef21527d22b4c47dd54734dcd5bd85410dc3bb8fe786fb1702443beee9a42e869c4475

/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

MD5 b92a32b3a9ff34ac3eaab946e85952e7
SHA1 d3165eb07cf22f1f17c98ec5320787592200d0a2
SHA256 0036042078874d8ac867716e6f3526a703c36c5f01c6ae4fbc051123f287c75f
SHA512 6fb1252cd6ab67da24c8eb586cac1d80d92684133aadee1c324e053dcda1bf4ac86b542f53a03fdc4bb02ff1802f1246b978f7d8e72edbff407c2f22a9de1c68

/data/data/com.herocraft.game.freemium.catchthecandy/files/Iksc

MD5 2ca6bda9f648c0dbf35b37a62e7de8b4
SHA1 8604a21d698bafd351bbfa785343e992b27001cd
SHA256 7d2312c3ef64533beef6e8c06edb6afc584a7d11e7100c017967812f49316352
SHA512 0a56599157c17ce43bf9bed1f175efa4453b32b52e2e43c2fd551e5e437202e7898a74925a74e786b39c66f88b4a46e2d8864eb9009227d9bba9814857ad2d40

/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

MD5 a397530ec241f1719a4619ddefb44aae
SHA1 0bb67ec48540a4485cde5a2b613b27e647846452
SHA256 5348424b7b1e8b4266af5bfd6b65d2da2a5cdc562e3857e120844eec375e75a4
SHA512 23b3d81f74afe23bad5a2826ad810b6942b28becd5c8f8e924ed4d24601d68d6f65f6df4c461448139ab955cd6345946e1a6c14625dc00e1526492c60cb0bc59

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x86-arm-20240624-en

Max time kernel

9s

Max time network

136s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

N/A

Processes

com.herocraft.game.treasuresofthedeep

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.herocraft.game.treasuresofthedeep/files/oat/x86/7f8f78df.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.202:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
US 1.1.1.1:53 g2.coidnhfqqe.com udp
NL 217.12.201.177:80 g2.coidnhfqqe.com tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 767ef40815362c541a89c4c50650c022
SHA1 46079e6da37683dce34f1d965f68b56deeeccff0
SHA256 045e58a267b61428e9b68a2b7f84eccb9335617ed119227acd35c9be5b2f48e1
SHA512 d1406c8299796a0c0d10ab6fe36c85c543bf91333e6bd6a8675e79b740e7325d45c66222b74737de320eedfce4ff1ba0f79517076e2ccb176aeae5c244be406f

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-arm64-20240624-en

Max time kernel

177s

Max time network

140s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.herocraft.game.treasuresofthedeep

Network

Country Destination Domain Proto
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
GB 142.250.187.238:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 g2.coidnhfqqe.com udp
SE 185.117.88.15:80 g2.coidnhfqqe.com tcp
GB 142.250.200.36:443 tcp
GB 142.250.200.36:443 tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 767ef40815362c541a89c4c50650c022
SHA1 46079e6da37683dce34f1d965f68b56deeeccff0
SHA256 045e58a267b61428e9b68a2b7f84eccb9335617ed119227acd35c9be5b2f48e1
SHA512 d1406c8299796a0c0d10ab6fe36c85c543bf91333e6bd6a8675e79b740e7325d45c66222b74737de320eedfce4ff1ba0f79517076e2ccb176aeae5c244be406f

/data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 38c2fd6b3426f301739dd658c91c462b
SHA1 98464a62414b23440ebecacdcf3097c8e9f1eff4
SHA256 51e662b019aea637e0be77e0bfd8d06eab2ebc3b4d2b07a3b81595ee63f8eefe
SHA512 ca7acf337f0069ce63a91da6aa36c4529b7968cc38cd6ffd9559ee37498075eab13331b68866f617a338279df6955ff32d8f7dea2941664da654fa855f4bfa1a

/data/data/com.herocraft.game.treasuresofthedeep/files/PersistedInstallation7524765214598914980tmp

MD5 d46f00d8e2220fd12f6ada76a2712e17
SHA1 1c4b4fa856e9726b4e9743b95b4062aed2678b89
SHA256 e31e27030158b334ca05feba00f34daace289ab439ac4e9517d10c1a8ec018b0
SHA512 4c69cb08d4d0d3bc12b401b1edbd28a773fea7aacaee6c568a8ac6d2cfb009e5632d542c40a3eaab4bead98cf15b7db818f87a8226deacc9c80023ee99fe1141

/data/data/com.herocraft.game.treasuresofthedeep/files/GZCo

MD5 b35f9def59bd8511ddfefe522dfb9b91
SHA1 943da5442336ed5741f4bdb9e31f628c79de3278
SHA256 afc9dd5e8a0b5c0d46defe450eec08a0c9b10ddd26f17e655d3f5c1597329163
SHA512 9939ef6284c2ddfd82fdedf9d1918976fcddc9c9f13eb074a1637d691d0b4af92b309d691d44da6eeeeae9a5adfa106b58445e05dca63168a52bfd87f1f92c13

/data/data/com.herocraft.game.treasuresofthedeep/files/WmJ

MD5 0971afaacfaf0a7359780e36be2f75ab
SHA1 dff7ceeddcb40314eb61bce1602fd71a4ded91a7
SHA256 840edeb78261b86463c3085e922eec851ebe93155dda4973c98326bbed1f59c0
SHA512 9f5cacdda779f1e8152baf881ab17ab548730c28b5a3707002862d4edadca2602d060085b0488209798bb4a1a7cb06fc01ebd5753e301799b21f6a301a3b3afb

/data/data/com.herocraft.game.treasuresofthedeep/files/GZCo

MD5 e057ad471d5f883f589e815179e6b35f
SHA1 702eb3e1fd5af1d0550a697d74a021ac5d3a9067
SHA256 e25806d0cbab061f03d83e5577c4f1e2d934fc5486ff9da6332cfed4cc44e8e2
SHA512 16298477a5180d1a903575ca93eb62c3f71df64c1e48d978062d6e98789df69a87958ee52cbff91337e91adee811b07fe7ce48572990bcac9ae90877e3e1350e

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x64-arm64-20240624-en

Max time kernel

162s

Max time network

138s

Command Line

com.XPhantom.id

Signatures

N/A

Processes

com.XPhantom.id

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-04 12:30

Reported

2024-08-04 12:33

Platform

android-x86-arm-20240624-en

Max time kernel

50s

Max time network

136s

Command Line

com.foqrpral.oxudfpdy

Signatures

TiSpy

trojan infostealer spyware tispy

TiSpy payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.foqrpral.oxudfpdy/code_cache/1722774637385.dex N/A N/A
N/A /data/data/com.foqrpral.oxudfpdy/code_cache/1722774637385.dex N/A N/A
N/A /data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip N/A N/A
N/A /data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip N/A N/A
N/A /data/data/com.foqrpral.oxudfpdy/code_cache/1722774649380.dex N/A N/A
N/A /data/data/com.foqrpral.oxudfpdy/code_cache/1722774649380.dex N/A N/A
N/A /data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.foqrpral.oxudfpdy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.foqrpral.oxudfpdy/code_cache/1722774637385.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.foqrpral.oxudfpdy/code_cache/oat/x86/1722774637385.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.foqrpral.oxudfpdy/files/dex/oat/x86/rIiUhJCHARxzyIQxM.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.foqrpral.oxudfpdy/code_cache/1722774649380.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.foqrpral.oxudfpdy/code_cache/oat/x86/1722774649380.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
US 1.1.1.1:53 auth.familysafty.com udp
US 104.21.45.3:443 auth.familysafty.com tcp

Files

/data/data/com.foqrpral.oxudfpdy/code_cache/1722774637385.dex

MD5 d3364728f634bf71c4b16542c02c60cb
SHA1 f23088362b69935f404f2b81eaa40ed3172efca5
SHA256 401f68f4448fd6288b7619a7a2ae4646493cd7268f16aa6714802833fbc1197e
SHA512 9378bbda71abcb437676a2d4095d7d3ab6a5a1c1682ec95f3f6d050b9226692cd1a29ba8e7a65dac441c29cfb7b1d5e69e34b5cc32989c90c025909567a662af

/data/data/com.foqrpral.oxudfpdy/code_cache/1722774637385.dex

MD5 a137b5568de65b8fef35329930d8617f
SHA1 49a2d6e95d447ba1d448c81691f6a609fb2859ed
SHA256 bc5290425eaa32b00a84a94c58976321e7643bc5d668817524ad68a1c7d2082b
SHA512 9dd6c25dea7b3424e8ca0150a9f1f6f85ed5fccef69e7fadfa05324014b74cc350365b788cee2a8ce25afccee084908e679eafa7f449e7791c6288485d2c5338

/data/data/com.foqrpral.oxudfpdy/code_cache/1722774637385.dex

MD5 cf790c0dfb1361b86d4b8bfca1f8814c
SHA1 d452d9d6504f6af0c9408d6fdb1ced0ff3c45dee
SHA256 5dfcef0f59a512a9d88d21de81e5f9a20ff420d328736a1426b0a45f9459d832
SHA512 e2194cf4ab22064206d9df3523afd3b247f4ce72b7fed17056029746d1f79c1a25d340f8f9c7ec77b9590d05dc7549a735d631a368f82c472cd54bb8a1396c47

/data/data/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip

MD5 e10223a9dd1e0ddb8b1061d1f4437625
SHA1 7d1e8cc7b1409eb49f4fef532a4f3003f8785b4a
SHA256 649d1bcd5b1a5f75260e284bb8e1bda2c4630dca5a7536d5e56c8b8dcd51b5d3
SHA512 a0aac391a377c514598034929fb1d7fad129f32eb253c778de1724b7bebb84afe077ac2d0bea432b2bbd93cbe192d2452e85c9e3356d4ba8d321c349242aab8b

/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip

MD5 5e55cdadb8774e38f6b17f3c8acfe6af
SHA1 96fa6e628d74782f6efe0f52c6113ed638d37845
SHA256 05402c8959137f312278d1f2d5fe1cf7e0ff1c26fa09521c37fe700b0c82ca23
SHA512 a76d1a43278eb938bc7a133a6235e3b465a1c8266b57e2d3d39dd5736178388df3873ac49ee5a8ca4564a984ddabd5d18b5aceb6af666d988bcc420ccc7d1685

/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip

MD5 4a3936648e0d6bb8de54977f7d2f2440
SHA1 528efc4052546f80a371bfce96e7cb3813ee3ddc
SHA256 bfea891d0ac92148bc35c91769f34c802c07b020b4330213650360f4ebb245d3
SHA512 c72a85335ae061943f53be66472f2ca83d3ab780665cf2b919c838bfee265f202d02a7c1b1cbb038fb0f56c53f8ec1dbd390fe9ee1c69fdf81a0f652cc677e39

/data/data/com.foqrpral.oxudfpdy/files/477480.so

MD5 58c46208d95caaa3e72b9a812e2e4fa7
SHA1 d4d4159adde5b34b31f06fdbf622577a7e5c49e2
SHA256 61afb81a844465836f0f8665ec5cda08620362f1cfd3357b54c31e64747c7569
SHA512 12a7b66191bdfb6012517acda5a2dfe4b3ed510fdac14673a859a50cf358365f58a9accd91126e1cb95f68bbcec9265a3cab9d46e481700b161f4578bec4a835

/data/data/com.foqrpral.oxudfpdy/logs/Sistema1722774653596.log

MD5 12d3a8799bab5701d804a8f23c164900
SHA1 02f0c3618fac6154175d1dc64cf9ea6476d8fd6f
SHA256 4fed2734027927347133ddc077da8f2d8597a4f8bea4dff6e55d8cef65892498
SHA512 4dd8d97df32e99d3d41723d5d796505a6bbbad27cf5ef8186e15dc814e9328665ebb1a7b5af1149791eef8a5dbcc8a695e7bfb0a430bcbd9b4cfda681d7b429b

/data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-journal

MD5 4c2e781253e4604dc044505ebe58affa
SHA1 2f578f19e4008533e2243fb511c751f03aab43d6
SHA256 2aa169c46b2fa20771c82ebb3efdff88dccaeefe71b7bef978b38209253f51de
SHA512 654f8a1c9763d1f5f96654639c01fa902333e71ee8bf10ac6d8d6e2cf643c5ddeb37f12dc64accd16eacbc83d7bc8d428584bb0c0948c6d29c862909a63f3bc0

/data/data/com.foqrpral.oxudfpdy/databases/privatesms.db

MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

/data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-wal

MD5 f785020717efc804b4b3de2acdcfa5d5
SHA1 3a1e3786fa5412acdbf74b292998eefe0315ade4
SHA256 0988ecf6206e111e2d990ec47f29e89147c1be0e25364d5a84e829a8c2f2c1dc
SHA512 bb50be59d1da4c296fd9bc64fe0075bdad1a029725c6fa3f5843b73cb57d5227f1f18ea28a3a47102695be7679515df2ce9b1ae9c5f4450b6e32f1885ce2762f