Malware Analysis Report

2024-10-16 05:23

Sample ID 240805-brn1fasfqj
Target 51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5.zip
SHA256 51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5
Tags
evasion collection credential_access discovery impact persistence tispy infostealer spyware trojan slocker wipelock privilege_escalation
score
10/10

Analysis Overview

score
10/10

SHA256

51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5

Threat Level: Known bad

The file 51baf4bc48db631e887ded88c0beb05b7a2f6f26ad2d122ee7c6cca6678752f5.zip was found to be: Known bad.

Malicious Activity Summary

evasion collection credential_access discovery impact persistence tispy infostealer spyware trojan slocker wipelock privilege_escalation

Slocker family

TiSpy

SLocker payload

Wipelock family

TiSpy payload

Wipelock Android payload

Queries the phone number (MSISDN for GSM devices)

Reads the contacts stored on the device.

Requests cell location

Queries information about the current nearby Wi-Fi networks

Obtains sensitive information copied to the device clipboard

Loads dropped Dex/Jar

Requests uninstalling the application.

Declares services with permission to bind to the system

Tries to add a device administrator.

Queries the mobile country code (MCC)

Makes use of the framework's foreground persistence service

Queries information about the current Wi-Fi connection

Reads information about phone network operator.

Acquires the wake lock

Queries information about active data network

Requests dangerous framework permissions

Declares broadcast receivers with permission to handle system events

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 01:23

Signatures

SLocker payload


Slocker family

slocker

Wipelock Android payload


Wipelock family

wipelock

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A
Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows the app to answer an incoming phone call. | android.permission.ANSWER_PHONE_CALLS | N/A | N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A
Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an application to read the user's calendar data. | android.permission.READ_CALENDAR | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to collect component usage statistics. | android.permission.PACKAGE_USAGE_STATS | N/A | N/A
Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-20240624-en

Max time kernel

112s

Max time network

156s

Command Line

com.XPhantom.id

Signatures

N/A

Processes

com.XPhantom.id

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.187.228:443 | | tcp
GB | 142.250.187.228:443 | | tcp
GB | 216.58.213.14:443 | | tcp
GB | 142.250.178.2:443 | | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x86-arm-20240624-en

Max time kernel

9s

Max time network

137s

Command Line

com.herocraft.game.freemium.catchthecandy

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex | N/A | N/A

Processes

com.herocraft.game.freemium.catchthecandy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.herocraft.game.freemium.catchthecandy/files/oat/x86/f2f8f843.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.201.110:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g1.flostiks.com | udp
NL | 217.12.201.177:80 | g1.flostiks.com | tcp

Files

/data/data/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex


/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex


Analysis: behavioral8

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-arm64-20240624-en

Max time kernel

176s

Max time network

139s

Command Line

com.herocraft.game.freemium.catchthecandy

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.freemium.catchthecandy

Network

Country | Destination | Domain | Proto
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
GB | 142.250.187.238:443 | | tcp
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | g1.flostiks.com | udp
PL | 51.75.61.103:80 | g1.flostiks.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

/data/data/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex


/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex


/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp


/data/data/com.herocraft.game.freemium.catchthecandy/files/Iksc


/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp


Analysis: behavioral15

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x86-arm-20240624-en

Max time kernel

9s

Max time network

137s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

N/A

Processes

com.herocraft.game.treasuresofthedeep

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.herocraft.game.treasuresofthedeep/files/oat/x86/ac2b308d.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 sara.sfjioagjioabnjqqfmx.com udp
NL 217.12.201.177:80 sara.sfjioagjioabnjqqfmx.com tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 48aab9b1635e8a510b4a1126c1f95bc5
SHA1 7ce5597408c9a42d93e882ed904dd0f3551ab81b
SHA256 1653275e4d68124e6af999b4311ac471f0a8adbcdffe4f64c678e1e84f367725
SHA512 e5a224994ed1332b87c33b3d0784b69be8733cde478650888e889af3d20c9d33b9c20720ac4104f15aecb8a94bc4101f5d826cc7161797f66b416be939d0bd3b

Analysis: behavioral25

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:30

Platform

android-x86-arm-20240624-en

Max time kernel

177s

Max time network

132s

Command Line

com.herocraft.game.birdsonwire.freemium

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | Anonymous-DexFile@0xd0f66000-0xd122850c | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.birdsonwire.freemium

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.202:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g2.slachozhin.com | udp
NL | 217.12.201.177:80 | g2.slachozhin.com | tcp

Files

Anonymous-DexFile@0xd0f66000-0xd122850c


/data/data/com.herocraft.game.birdsonwire.freemium/databases/com.google.android.datatransport.events-shm


/data/data/com.herocraft.game.birdsonwire.freemium/files/PersistedInstallation4267493684137047724tmp


/data/data/com.herocraft.game.birdsonwire.freemium/files/pxx


/data/data/com.herocraft.game.birdsonwire.freemium/files/qu


/data/data/com.herocraft.game.birdsonwire.freemium/files/pxx


Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x86-arm-20240624-en

Max time kernel

49s

Max time network

136s

Command Line

com.crbpphsj.wjphxfzk

Signatures

TiSpy

trojan infostealer spyware tispy

TiSpy payload


Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/data/com.crbpphsj.wjphxfzk/code_cache/1722821015646.dex | N/A | N/A
N/A | /data/data/com.crbpphsj.wjphxfzk/code_cache/1722821015646.dex | N/A | N/A
N/A | /data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip | N/A | N/A
N/A | /data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip | N/A | N/A
N/A | /data/data/com.crbpphsj.wjphxfzk/code_cache/1722821027442.dex | N/A | N/A
N/A | /data/data/com.crbpphsj.wjphxfzk/code_cache/1722821027442.dex | N/A | N/A
N/A | /data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.crbpphsj.wjphxfzk

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.crbpphsj.wjphxfzk/code_cache/1722821015646.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/com.crbpphsj.wjphxfzk/code_cache/oat/x86/1722821015646.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip --output-vdex-fd=49 --oat-fd=50 --oat-location=/data/user/0/com.crbpphsj.wjphxfzk/files/dex/oat/x86/YWmycydWrtgRZdrZq.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.crbpphsj.wjphxfzk/code_cache/1722821027442.dex --output-vdex-fd=45 --oat-fd=46 --oat-location=/data/data/com.crbpphsj.wjphxfzk/code_cache/oat/x86/1722821027442.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | auth.familysafty.com | udp
US | 104.21.45.3:443 | auth.familysafty.com | tcp

Files

/data/data/com.crbpphsj.wjphxfzk/code_cache/1722821015646.dex


/data/data/com.crbpphsj.wjphxfzk/code_cache/1722821015646.dex


/data/data/com.crbpphsj.wjphxfzk/code_cache/1722821015646.dex


/data/data/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip


/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip


/data/user/0/com.crbpphsj.wjphxfzk/files/dex/YWmycydWrtgRZdrZq.zip


/data/data/com.crbpphsj.wjphxfzk/files/477498.so


/data/data/com.crbpphsj.wjphxfzk/logs/Sistema1722821031140.log


/data/data/com.crbpphsj.wjphxfzk/databases/privatesms.db-journal


/data/data/com.crbpphsj.wjphxfzk/databases/privatesms.db


/data/data/com.crbpphsj.wjphxfzk/databases/privatesms.db-shm


/data/data/com.crbpphsj.wjphxfzk/databases/privatesms.db-wal


Analysis: behavioral13

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-20240624-en

Max time network

158s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp
US | 1.1.1.1:53 | g2.coidnhfqqe.com | udp
SE | 185.117.88.15:80 | g2.coidnhfqqe.com | tcp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.200.34:443 | | tcp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:29

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

157s

Command Line

com.elite

Signatures

Reads the contacts stored on the device.

collection
Description | Indicator | Process | Target
URI accessed for read | content://com.android.contacts/data/phones | N/A | N/A

Processes

com.elite

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
GB | 142.250.200.36:443 | | tcp
GB | 142.250.200.36:443 | | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x86-arm-20240624-en

Max time kernel

152s

Max time network

142s

Command Line

com.XPhantom.id

Signatures

N/A

Processes

com.XPhantom.id

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-20240624-en

Max time kernel

177s

Max time network

177s

Command Line

com.herocraft.game.freemium.catchthecandy

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.herocraft.game.freemium.catchthecandy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.232:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 g1.flostiks.com udp
NL 217.12.201.177:80 g1.flostiks.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

MD5 d951efa7f0ca59781f3af35949338902
SHA1 ac853df2b6835dbac7c94eb008ab4657e68eda70
SHA256 5b0a0d3671f6ff3ea0001624a0c157d057965e60891c5335391880fe9b00e183
SHA512 8fbbc1c347ec03478b01ff321d159656abfcad1d9ac3b426382348567c57bbaf1cdb3cac77c38fbcf62e0e17063f170fc9f9bf200a982b940dcad47e30b05617

/data/user/0/com.herocraft.game.freemium.catchthecandy/files/f2f8f843.dex

MD5 767a8ce605249b314939882f824f989a
SHA1 7cb1e61d4fa739b92b25d13bcf33bbb00cff9baa
SHA256 26d8b34344e6e61c8a1380e9773109569accb467b36f954a1e5c729a4d701fa5
SHA512 baec83cf6d66fc0dbf13411043c8168acf38b0b66a9c20f9b1ec54d6f5ef21527d22b4c47dd54734dcd5bd85410dc3bb8fe786fb1702443beee9a42e869c4475

/data/data/com.herocraft.game.freemium.catchthecandy/files/PersistedInstallation8988318291488160722tmp

MD5 89fde8cea1d7457adf8b9011a2c32dbd
SHA1 7986155d08b30c76d44a36f27368112b39c3829c
SHA256 806d31fc2de42488b12f31a0709118547f294726d19720b6ac863bc9b621023b
SHA512 15d5707c95bd65daa6c22fc95300a3a5ced839847d10601d0b6939860ba681171e575c277d1f5befa8b7992d94b681a9421b86fe61a08955639b9473152aee49

/data/data/com.herocraft.game.freemium.catchthecandy/files/Iksc

MD5 2a360640f3c7f0591d34044f31d4d5a2
SHA1 bce3544325766541eebca2849affc392dbfe8e1c
SHA256 698e8f50d4b9eb2885726db4d1f480a9261258f70f0e50a382342b585b774ba1
SHA512 5a9e8519e96a8741d6327bdce80d86b7eab9f4ca895278d442735bab15274bdcd7760d6c1e22fc2a316d2a58e32e8834a919240cdb343148317c59b6e3f82cd6

/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

MD5 c31790b347a4d5be7218767004981141
SHA1 d90542e0f645ccc155b5271929818764aaf58ae6
SHA256 c1af3ad9751452387021656a5cc3d2215f0bbb1715085570c172fe330dc8153e
SHA512 01f782a949eae52af15252803fcb63a5ca7fd486a0a0bfe158e7d0f0a7cc287a4026f2f070e59afba795f3b8aba54818369964273c4792ee28e88350641daefb

/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

MD5 551011df5c0f14b803bd3407885df694
SHA1 7db6b29718da08d631b527af0ffc2f7deef50d1e
SHA256 9941a2ded83620582b55f28b20dea92ef4badba10f6c30f70c0c70496c136b7f
SHA512 897c687625a99bc02ef64bc3f2903a0124279fffe3d306a966a3f8275f7ea2ea8ade0c276890fefcb08f8ea4f02d28049a95b8b4a1dc5cfb23da94036d4efbdb

/data/data/com.herocraft.game.freemium.catchthecandy/files/Iksc

MD5 bea431cfa9db90ef1fe3a5ee1bedaedb
SHA1 7bfbf30feb16ab0839902e8f40f6ba874031d0ce
SHA256 6c176005b3321d27294ffd0a4d8e5fefce65778373973a78bede260502601087
SHA512 5f6f0b6842b25516b24d04202d8c0b0e37b9ba1dca0dbe26fe20ba729031784df3fded3472ee17a65fc40e4654c800aa14f9606f9943152453d05e235689e7fe

/data/data/com.herocraft.game.freemium.catchthecandy/files/kNp

MD5 e162e00278e3c7336d2fcf3494838e0d
SHA1 ba84e6a53f10d11c2d24eb873173e5fb3c6a268f
SHA256 63d225da94a0dfab172dbdd935b0dc7a0579fd726b1cfa1bb779ed3f35711c4e
SHA512 155ea941e6befd70990a1ef6091c79a5a201cbe6ee075de38f2cac1b48e6251c1fca048aed1a21a0b8ec52eef9d33fb331001d2706cc07b6b5bcce91faf6bd87

Analysis: behavioral29

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:30

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

132s

Command Line

yige.liwu

Signatures

N/A

Processes

yige.liwu

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.10:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.14:443 android.apis.google.com tcp

Files

/data/data/yige.liwu/files/icon.png

MD5 7548d066a9aa312d36b5cfc5a7f5b0fa
SHA1 0800400fa83daf5634cbf326d7b5d4f2211468c9
SHA256 50d77bc0fa7305d4da74db5007b02f54649a58d5408f0a7c40342ad84708fb79
SHA512 ad53f3f223e1a48dbffe289ad7ece8c298ee8b447896fb3a928c7755105b4e425da4f4700ac2ed7a500f2dfe8ad0d5649277cd0fecbd13bb1578c25a483a37c5

/data/data/yige.liwu/files/init.lua

MD5 e3694ec7db7020258bf758a52e2d0645
SHA1 d5defa6423ed8092e3e3318e8060368e8ae452f8
SHA256 ecf576d534eb40ec5fd48e060880245a0641bc8cd3ad0952248dd25446c84d9e
SHA512 85c8005f8ef344745caaa28d26c0eeb3e41a8ca39c594235c552056e16a5397b67f62a6083aaee785853a0d976c41384bef80babc05663c02d441ed4c1c2be2f

/data/data/yige.liwu/files/layout.lua

MD5 ed41bfdc7b560bf3c8a3db3936844e57
SHA1 06917281f7b6dd7a02c83c7172bcf81f50651aa8
SHA256 e66e4aa1da846ec6b7d16faaf813cde5b7ff00be75de0ab88ff9cad86bd2e5cc
SHA512 e90e2a7dda24e951080d8ebcbc8bd3c96a65d47c4c72e170a32b70e82dd65b2a91b1ad1b82fd9188dab611660bea71719392cc986708aeea2107ddb66f2934e6

/data/data/yige.liwu/files/layout.lua.bak

MD5 7ca336ff302f2406ddf544ec9496df15
SHA1 e8d958beec87196600512a930b03cddc1d6c564a
SHA256 3231436a0bad0a696fd14420e1e092e028e08114d920cf5e49d2b7885d3ebeb5
SHA512 b82d9494a49926354608972e0f289fe92c7210c81776ff45f794bbeb966e8b55107e4a8e57a069778bc986e8fe90d9ac01214faff8170fc1476277c90d020625

/data/data/yige.liwu/files/liangshao.mp3

MD5 cc0dc1d7f666c489b5a9d9ffa20b0fa5
SHA1 c8660b92d676d4a193e78eced06fdc39f4bafe83
SHA256 1abbaa787fc34bf35a53dfeff57c71b9bd071f3cf0655ebf18eef3ec1b67cea5
SHA512 b87369aff93b6ab7428c8fc54b24e053e55045873e601f556070d4d9a0cf3c0d34880d43acaafb151b720ad3e9a34562b1e53e0b2c87660651a9bb3e76a66826

/data/data/yige.liwu/files/main.lua

MD5 3d0633bc3a201278ad60aa4cdbf9a577
SHA1 d0fa194d9ce0a5e4c1d90231c5f55619fa2a1e41
SHA256 c4a6b47361c0a2f088e4c64d6f5b8d2d3a50f4cdd47fd252f8cba58a7cf64479
SHA512 c41af8ee47159e624ec9da1099f5627097e9834f3cc775807543e1a3184e1b898ef40bda544b05c13959ce5c34f03aef37930eb6baabe261f976e92c45bb5a71

/data/data/yige.liwu/files/main.lua.bak

MD5 24ebb9b4b1da527a5578c9e4412d4495
SHA1 2f7d65cb553a78876ea58ca3fefbf360ee8dcbf6
SHA256 fef046099f745952b122c513c7376a3551bf3fa6ddd5c6fca99c43a6baab8ca8
SHA512 41777c272c557d9a2f8cc8eacd2f6edd2c7a4fe5cf0edaaa5562ebf2ea52b9ca0b6fccdb7fd467a2c07be67f2087c84870ec51d138d13c3fbfbb1e5bb4abbd6a

/data/data/yige.liwu/app_lua/DebugAssistant.lua

MD5 fdfbdc25aba596c7aeac18ae05ed9203
SHA1 34f68b36c76e7dd0672352fe199aaa160836b64b
SHA256 e5f89e152e51bd46327b269c3f0e63cb7c6efaf4ec2c808d81059b10310a748a
SHA512 0de1ec7edbe7bdf6d58c3b47d13194c986308ae7276ff64ab0683b00712100709661eb480a68378402af7bbd659e365e9b9954178dafc9c774345d880d428787

/data/data/yige.liwu/app_lua/import.lua

MD5 12f6fd0256ac015bb9098db1b4b890fd
SHA1 a65ad219e0999c21e8da05f3dca782308de04889
SHA256 4664fa024695e27585e7422cb3e88588e279f7762aa3fe0b327390727301f2e9
SHA512 08e4fe3348cc2bc21aa397d61ecb1d9d1466ce9f45137e1c7b1931c786a09a86e36b35506cb5f41db669f6dda42190fad42e352317209bb935e3d538a7517f38

/data/data/yige.liwu/app_lua/loadbitmap.lua

MD5 171092dd13095fc94a62d34b4b124ab9
SHA1 45c8700030375367f15f4fcc15c01e6afd6d9d45
SHA256 19d85e1e4ce561623c4271208f3e793cfdef0a6b5912986469812813ca8ce72e
SHA512 ee7b7e8378dfae736c8c04a0ca7e90354b7a530c8d8fe2b5c62a5724188ade7d7759615122485cb803027a4ecbe4ca9d97ddefeeb3f3f6fbe9a1c4a38c4b2227

/data/data/yige.liwu/app_lua/loadlayout.lua

MD5 34e94fc8b2e560c28b500a958c9e2ada
SHA1 e7f8bf1ed956fe9bea1677cbd9c60845e07213ca
SHA256 9f9e99b9d9f1ce809168ad77a7c54dc0673cec3462c3235f36a96fa144fffce7
SHA512 e66ee9b628dce59bb80942a814a386f923ff892f684907866264bad31f5ecd5a44f72f398c55f56d04e2e0d84c75fddbc3e960f9489da8b8cc649fcd324a7272

/data/data/yige.liwu/app_lua/loadmenu.lua

MD5 641e4ef02f4db9182c5a653a90f7188a
SHA1 f65417d63f6afbdba512b565eea5c4cb96ce0a2b
SHA256 d06dcb77cc3a4e2ad21c973fc95ba814f407e9cfb5d51b551471f3d49c25cf78
SHA512 cf5a7fb13f0a6b274e9f8ca35880b733b848c1d3dfd87d84974d14756a93cf542c6f3fd0e9ba1707008c483f027265b1db90c75d62eb85222562f0ce6be29f09

Analysis: behavioral9

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

137s

Command Line

com.hellboy

Signatures

Requests uninstalling the application.

evasion
Description Indicator Process Target
Intent action android.intent.action.DELETE N/A N/A

Processes

com.hellboy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-20240624-en

Max time kernel

179s

Max time network

170s

Command Line

com.hellboy

Signatures

N/A

Processes

com.hellboy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.8:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.78:443 android.apis.google.com tcp
GB 216.58.201.100:443 tcp
GB 216.58.201.100:443 tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:27

Platform

android-x64-arm64-20240624-en

Max time kernel

177s

Max time network

132s

Command Line

com.herocraft.game.birdsonwire.freemium

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.herocraft.game.birdsonwire.freemium

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.206:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.201.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 g1.buyappcenter.com udp
SE 185.117.88.15:80 g1.buyappcenter.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 a2c0379f196c91a175f47b801895518a
SHA1 549b6e1c77021378b4189f736b7eb7437a9d9497
SHA256 35cdc216518a388e7842f6b67a2c65ea06ca5302286087df3a9db29603b9aa21
SHA512 e3ebb67eb0a9c9e13db1dd29474bf93af6e0e3b9607623c0a70672bfb4f2505abc1f2c23e1592175317bc4f384fb7966954f0d37e6f331f7eb724ff5e6be4205

/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 670d8683a3c1765ced65f8b60bfacdba
SHA1 24bc8f1ec3e925316fa05918fed1962379debe15
SHA256 fc48615db02bf829b738c5efef9cfc368b27c0a40fe69d4fa165cf59b0d6cc9f
SHA512 c6e7c7104c31d2b567874fed9684c172b1dc722d084ab998b0159420554e27ce044ed8b0099194919c18d782ac9d075962c966c602eaaf021f36d9d262bbc9a8

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

MD5 7ea900d1cea9cedcb544e64147cd3806
SHA1 16e151131fb241391a94516e52e23da47d595d90
SHA256 722d585d6271dd45bbedefd1087ded79b0b808bab50373446f5a599d533c3014
SHA512 f3e6df69f7586b55d32a63c9ae0bcd1b17dfe3286ddb99f432869dad06bc6a39704850c957447b318a9bb9098016a2de997dea237aba3b50661f12f569db164e

/data/data/com.herocraft.game.birdsonwire.freemium/files/KWW

MD5 42dab2cb4f548d89097d4d3294c54d6e
SHA1 3e56662ca616ac59a8f14d9b12f6b583df7d877f
SHA256 a9253dec929d2008fe679c8910ef964e32ed86e015d383616468ed603402682d
SHA512 3178dc91f08eaf7141d7e4f4c27118e07a3f6501ba385f7e6699c57b9bae662b16a79748ad57a3770ad1b34d03d2d85878ebad838442d85ad04a9cf41f4a78be

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

MD5 6d6cb4c4ef0a684867034b480e5607a5
SHA1 18bafb6d4b81d1b9ad8e33a64eb244511a14a8be
SHA256 3fe34bec874f02f4f16dcb1c4a5de6c76539343e707254e055ab8f4cf79134c6
SHA512 e1f92b415f5264acf74e9fcc20e21d4a62a7ce0fec110f1250d3fa3896e1bf2066a830a4a7ad00e844c8c322eee1d87a356d183599377c4b9a6be0b596c8314c

Analysis: behavioral26

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:30

Platform

android-x86-arm-20240624-en

Max time kernel

12s

Max time network

137s

Command Line

com.test.accessibility

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.test.accessibility/app_ded/iTEQJZeQk7ptEKTnzvO9ohoWsDAlFg2o.dex N/A N/A
N/A /data/user/0/com.test.accessibility/app_ded/iTEQJZeQk7ptEKTnzvO9ohoWsDAlFg2o.dex N/A N/A
N/A /data/user/0/com.test.accessibility/app_ded/iTEQJZeQk7ptEKTnzvO9ohoWsDAlFg2o.dex N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.test.accessibility

/system/bin/dex2oat --debuggable --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --debuggable --generate-mini-debug-info --dex-file=/data/user/0/com.test.accessibility/app_ded/iTEQJZeQk7ptEKTnzvO9ohoWsDAlFg2o.dex --output-vdex-fd=43 --oat-fd=44 --oat-location=/data/user/0/com.test.accessibility/app_ded/oat/x86/iTEQJZeQk7ptEKTnzvO9ohoWsDAlFg2o.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 216.58.213.10:443 tcp

Files

/data/data/com.test.accessibility/app_ded/iTEQJZeQk7ptEKTnzvO9ohoWsDAlFg2o.dex

MD5 8b5230cead615f005f2171207699d8aa
SHA1 1fa3764bdda3aa85f0481f8d63d96517c2638e3e
SHA256 b6f3c778f8411b88897f99b57e4c9c5c2ed6102527dd816147f4ca28de8d4498
SHA512 4d1b05e242d151fdfed77f7fa92bcc211cd23e28af134aaa5b403607b2ded7db6b6fb1fcbd134ecf31170e874f1e3ffb9d028e6ea8328441a678b725a180f22c

Analysis: behavioral5

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x86-arm-20240624-en

Max time kernel

50s

Max time network

137s

Command Line

com.foqrpral.oxudfpdy

Signatures

TiSpy

trojan infostealer spyware tispy

TiSpy payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/data/com.foqrpral.oxudfpdy/code_cache/1722821019527.dex N/A N/A
N/A /data/data/com.foqrpral.oxudfpdy/code_cache/1722821019527.dex N/A N/A
N/A /data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip N/A N/A
N/A /data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip N/A N/A
N/A /data/data/com.foqrpral.oxudfpdy/code_cache/1722821030231.dex N/A N/A
N/A /data/data/com.foqrpral.oxudfpdy/code_cache/1722821030231.dex N/A N/A
N/A /data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip N/A N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getScanResults N/A N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.foqrpral.oxudfpdy

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.foqrpral.oxudfpdy/code_cache/1722821019527.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.foqrpral.oxudfpdy/code_cache/oat/x86/1722821019527.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip --output-vdex-fd=48 --oat-fd=49 --oat-location=/data/user/0/com.foqrpral.oxudfpdy/files/dex/oat/x86/rIiUhJCHARxzyIQxM.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/data/com.foqrpral.oxudfpdy/code_cache/1722821030231.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/data/com.foqrpral.oxudfpdy/code_cache/oat/x86/1722821030231.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.200.42:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 auth.familysafty.com udp
US 104.21.45.3:443 auth.familysafty.com tcp

Files

/data/data/com.foqrpral.oxudfpdy/code_cache/1722821019527.dex

MD5 d3364728f634bf71c4b16542c02c60cb
SHA1 f23088362b69935f404f2b81eaa40ed3172efca5
SHA256 401f68f4448fd6288b7619a7a2ae4646493cd7268f16aa6714802833fbc1197e
SHA512 9378bbda71abcb437676a2d4095d7d3ab6a5a1c1682ec95f3f6d050b9226692cd1a29ba8e7a65dac441c29cfb7b1d5e69e34b5cc32989c90c025909567a662af

/data/data/com.foqrpral.oxudfpdy/code_cache/1722821019527.dex

MD5 a137b5568de65b8fef35329930d8617f
SHA1 49a2d6e95d447ba1d448c81691f6a609fb2859ed
SHA256 bc5290425eaa32b00a84a94c58976321e7643bc5d668817524ad68a1c7d2082b
SHA512 9dd6c25dea7b3424e8ca0150a9f1f6f85ed5fccef69e7fadfa05324014b74cc350365b788cee2a8ce25afccee084908e679eafa7f449e7791c6288485d2c5338

/data/data/com.foqrpral.oxudfpdy/code_cache/1722821019527.dex

MD5 cf790c0dfb1361b86d4b8bfca1f8814c
SHA1 d452d9d6504f6af0c9408d6fdb1ced0ff3c45dee
SHA256 5dfcef0f59a512a9d88d21de81e5f9a20ff420d328736a1426b0a45f9459d832
SHA512 e2194cf4ab22064206d9df3523afd3b247f4ce72b7fed17056029746d1f79c1a25d340f8f9c7ec77b9590d05dc7549a735d631a368f82c472cd54bb8a1396c47

/data/data/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip

MD5 e10223a9dd1e0ddb8b1061d1f4437625
SHA1 7d1e8cc7b1409eb49f4fef532a4f3003f8785b4a
SHA256 649d1bcd5b1a5f75260e284bb8e1bda2c4630dca5a7536d5e56c8b8dcd51b5d3
SHA512 a0aac391a377c514598034929fb1d7fad129f32eb253c778de1724b7bebb84afe077ac2d0bea432b2bbd93cbe192d2452e85c9e3356d4ba8d321c349242aab8b

/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip

MD5 5e55cdadb8774e38f6b17f3c8acfe6af
SHA1 96fa6e628d74782f6efe0f52c6113ed638d37845
SHA256 05402c8959137f312278d1f2d5fe1cf7e0ff1c26fa09521c37fe700b0c82ca23
SHA512 a76d1a43278eb938bc7a133a6235e3b465a1c8266b57e2d3d39dd5736178388df3873ac49ee5a8ca4564a984ddabd5d18b5aceb6af666d988bcc420ccc7d1685

/data/user/0/com.foqrpral.oxudfpdy/files/dex/rIiUhJCHARxzyIQxM.zip

MD5 4a3936648e0d6bb8de54977f7d2f2440
SHA1 528efc4052546f80a371bfce96e7cb3813ee3ddc
SHA256 bfea891d0ac92148bc35c91769f34c802c07b020b4330213650360f4ebb245d3
SHA512 c72a85335ae061943f53be66472f2ca83d3ab780665cf2b919c838bfee265f202d02a7c1b1cbb038fb0f56c53f8ec1dbd390fe9ee1c69fdf81a0f652cc677e39

/data/data/com.foqrpral.oxudfpdy/files/477480.so

MD5 58c46208d95caaa3e72b9a812e2e4fa7
SHA1 d4d4159adde5b34b31f06fdbf622577a7e5c49e2
SHA256 61afb81a844465836f0f8665ec5cda08620362f1cfd3357b54c31e64747c7569
SHA512 12a7b66191bdfb6012517acda5a2dfe4b3ed510fdac14673a859a50cf358365f58a9accd91126e1cb95f68bbcec9265a3cab9d46e481700b161f4578bec4a835

/data/data/com.foqrpral.oxudfpdy/logs/Sistema1722821033953.log

MD5 eb006078d0a77e87ddb8d096ec6590d4
SHA1 ec1ade402fc2efac32350bae5747172497753e20
SHA256 d8d09181fb955c90d57e06678aa5ced3f32c39e8aa1dcde63a1b58a6e5c54ce6
SHA512 2655abe6c8da87e05e85f84903b44992fb4d0522ac5061eda0507569ff1529321b7aff8d4b6545152b5a43cf16bcf5bef08661ef71aab7274682a6028c4b8944

/data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-journal

MD5 8e0d22cdf7e5306e5675fbb01cb4e470
SHA1 aec8eeb6d7988a6038858fa579dc33b9d6dca0ce
SHA256 01e28e9a2b4c2ecea29fec6a117aa00194e5c757966fb458e9774822bfd41a02
SHA512 9b06eb1247bef16b9ad546f95a0cc613d9e0c1ee9fe0eeff11c1c1d4913470882240ce53ab53ebfc48b1d499de8a1df39b404b9ef515bdfddd2acdbb331320c7

/data/data/com.foqrpral.oxudfpdy/databases/privatesms.db

MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

/data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.foqrpral.oxudfpdy/databases/privatesms.db-wal

MD5 ee4933c65f0f23eef71256bf393ff959
SHA1 af40dabe5f034dc0e0cd0882fed4d9b360d1ffa9
SHA256 e306907674a0717cbc2a754ac55080d44dbdd9b8efa4ad49762454b99cda8b71
SHA512 c87a43bf67346699340dbad488293efe46fcb335fb08ef218fa82ff9fd866a8157f9b6b623abb26d515ba20aadf238988ae78fda6af451cfc7858798592aa6ca

Analysis: behavioral12

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x86-arm-20240624-en

Max time kernel

11s

Max time network

133s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex N/A N/A

Processes

com.herocraft.game.treasuresofthedeep

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.herocraft.game.treasuresofthedeep/files/oat/x86/7f8f78df.odex --compiler-filter=quicken --class-loader-context=&

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.200.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
US 1.1.1.1:53 g2.coidnhfqqe.com udp
SE 185.117.88.15:80 g2.coidnhfqqe.com tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 767ef40815362c541a89c4c50650c022
SHA1 46079e6da37683dce34f1d965f68b56deeeccff0
SHA256 045e58a267b61428e9b68a2b7f84eccb9335617ed119227acd35c9be5b2f48e1
SHA512 d1406c8299796a0c0d10ab6fe36c85c543bf91333e6bd6a8675e79b740e7325d45c66222b74737de320eedfce4ff1ba0f79517076e2ccb176aeae5c244be406f

/data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 38c2fd6b3426f301739dd658c91c462b
SHA1 98464a62414b23440ebecacdcf3097c8e9f1eff4
SHA256 51e662b019aea637e0be77e0bfd8d06eab2ebc3b4d2b07a3b81595ee63f8eefe
SHA512 ca7acf337f0069ce63a91da6aa36c4529b7968cc38cd6ffd9559ee37498075eab13331b68866f617a338279df6955ff32d8f7dea2941664da654fa855f4bfa1a

Analysis: behavioral21

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:29

Platform

android-x86-arm-20240624-en

Max time kernel

179s

Max time network

138s

Command Line

com.elite

Signatures

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Processes

com.elite

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:30

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

134s

Command Line

com.elite

Signatures

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Tries to add a device administrator.

privilege_escalation impact
Description Indicator Process Target
Intent action android.app.action.ADD_DEVICE_ADMIN N/A N/A

Processes

com.elite

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.179.238:443 tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 142.250.187.196:443 tcp
GB 142.250.187.196:443 tcp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:30

Platform

android-x64-arm64-20240624-en

Max time kernel

13s

Max time network

134s

Command Line

com.test.accessibility

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.test.accessibility/app_ded/6U4CpB7Ij5saC4T8BCONqMSzwY4TSpAp.dex N/A N/A
N/A /data/user/0/com.test.accessibility/app_ded/6U4CpB7Ij5saC4T8BCONqMSzwY4TSpAp.dex N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.test.accessibility

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.test.accessibility/app_ded/6U4CpB7Ij5saC4T8BCONqMSzwY4TSpAp.dex

MD5 8b5230cead615f005f2171207699d8aa
SHA1 1fa3764bdda3aa85f0481f8d63d96517c2638e3e
SHA256 b6f3c778f8411b88897f99b57e4c9c5c2ed6102527dd816147f4ca28de8d4498
SHA512 4d1b05e242d151fdfed77f7fa92bcc211cd23e28af134aaa5b403607b2ded7db6b6fb1fcbd134ecf31170e874f1e3ffb9d028e6ea8328441a678b725a180f22c

Analysis: behavioral11

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-arm64-20240624-en

Max time kernel

179s

Max time network

140s

Command Line

com.hellboy

Signatures

Requests uninstalling the application.

evasion
Description Indicator Process Target
Intent action android.intent.action.DELETE N/A N/A

Processes

com.hellboy

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.200.46:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.228:443 tcp
GB 142.250.187.228:443 tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-arm64-20240624-en

Max time kernel

177s

Max time network

140s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.herocraft.game.treasuresofthedeep

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 172.217.16.238:443 | | tcp
GB | 172.217.16.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g2.coidnhfqqe.com | udp
PL | 51.75.61.102:80 | g2.coidnhfqqe.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 767ef40815362c541a89c4c50650c022
SHA1 46079e6da37683dce34f1d965f68b56deeeccff0
SHA256 045e58a267b61428e9b68a2b7f84eccb9335617ed119227acd35c9be5b2f48e1
SHA512 d1406c8299796a0c0d10ab6fe36c85c543bf91333e6bd6a8675e79b740e7325d45c66222b74737de320eedfce4ff1ba0f79517076e2ccb176aeae5c244be406f

/data/user/0/com.herocraft.game.treasuresofthedeep/files/7f8f78df.dex

MD5 38c2fd6b3426f301739dd658c91c462b
SHA1 98464a62414b23440ebecacdcf3097c8e9f1eff4
SHA256 51e662b019aea637e0be77e0bfd8d06eab2ebc3b4d2b07a3b81595ee63f8eefe
SHA512 ca7acf337f0069ce63a91da6aa36c4529b7968cc38cd6ffd9559ee37498075eab13331b68866f617a338279df6955ff32d8f7dea2941664da654fa855f4bfa1a

/data/data/com.herocraft.game.treasuresofthedeep/files/GZCo

MD5 ef3dc26f08548b3cb5df835f0d692e94
SHA1 4be2f105dabcbf77afe43e489f9d4fb34703b382
SHA256 f50f04bc4b545dae30675238f2fbfe5f1039124d5fe5498290e4486b49765b52
SHA512 5dd65c233900d9f7179dce3e5a313ed1ceee2786334c083bbecef0e080b5be5931694bef577ce3cb1ec87b5d0a580ec478d136959d600d14abcba817376b8c4e

/data/data/com.herocraft.game.treasuresofthedeep/files/WmJ

MD5 0971afaacfaf0a7359780e36be2f75ab
SHA1 dff7ceeddcb40314eb61bce1602fd71a4ded91a7
SHA256 840edeb78261b86463c3085e922eec851ebe93155dda4973c98326bbed1f59c0
SHA512 9f5cacdda779f1e8152baf881ab17ab548730c28b5a3707002862d4edadca2602d060085b0488209798bb4a1a7cb06fc01ebd5753e301799b21f6a301a3b3afb

/data/data/com.herocraft.game.treasuresofthedeep/files/GZCo

MD5 4831e35c6785220a27b53fe2b32428b3
SHA1 29d0d4760e87a66b49f08b4ee9c36116644fe04d
SHA256 dacc6eec344a74db588d9429b3bf7c7f17d107312cb200c5306107df952c00cb
SHA512 66699da4afde7145184c42264e95bf6fa8ded7e0a04cb7b0369e797e68183469517b9e866016de830143e7836e65dcddac3c88958ff0a3b3302d0236a4a00be7

Analysis: behavioral27

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:30

Platform

android-x64-20240624-en

Max time kernel

12s

Max time network

164s

Command Line

com.test.accessibility

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.test.accessibility/app_ded/vZvR2XdzkGTMz1B7SEDL5TdMHRSgJ2Yd.dex | N/A | N/A
N/A | /data/user/0/com.test.accessibility/app_ded/vZvR2XdzkGTMz1B7SEDL5TdMHRSgJ2Yd.dex | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

com.test.accessibility

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp

Files

/data/data/com.test.accessibility/app_ded/vZvR2XdzkGTMz1B7SEDL5TdMHRSgJ2Yd.dex

MD5 8b5230cead615f005f2171207699d8aa
SHA1 1fa3764bdda3aa85f0481f8d63d96517c2638e3e
SHA256 b6f3c778f8411b88897f99b57e4c9c5c2ed6102527dd816147f4ca28de8d4498
SHA512 4d1b05e242d151fdfed77f7fa92bcc211cd23e28af134aaa5b403607b2ded7db6b6fb1fcbd134ecf31170e874f1e3ffb9d028e6ea8328441a678b725a180f22c

Analysis: behavioral4

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-arm64-20240624-en

Max time kernel

158s

Max time network

139s

Command Line

com.XPhantom.id

Signatures

N/A

Processes

com.XPhantom.id

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.187.206:443 | | tcp
GB | 142.250.187.206:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.212.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-arm64-20240624-en

Max time kernel

175s

Max time network

138s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.treasuresofthedeep

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sara.sfjioagjioabnjqqfmx.com | udp
SE | 185.117.88.15:80 | sara.sfjioagjioabnjqqfmx.com | tcp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 48aab9b1635e8a510b4a1126c1f95bc5
SHA1 7ce5597408c9a42d93e882ed904dd0f3551ab81b
SHA256 1653275e4d68124e6af999b4311ac471f0a8adbcdffe4f64c678e1e84f367725
SHA512 e5a224994ed1332b87c33b3d0784b69be8733cde478650888e889af3d20c9d33b9c20720ac4104f15aecb8a94bc4101f5d826cc7161797f66b416be939d0bd3b

/data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 121d33b2c1295d49f9fba521016f45fe
SHA1 69e49d75e0a5e37cbc1f3f29fe5dccc656db27dc
SHA256 6f86990c8865f5cacbe7c38d934947aebae0a7f891043c714f012806a8e4467c
SHA512 561d57fc6e5c20b8c94949cc461d7e0e6595d041c1f8fe07c4b6815df92f71eede53bb1d333e58e494dec0e9db9a740c3917ba5519bdb3f51da7a3e3f744ac4b

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 70f4ac9bac4337e8439b68ed921202bf
SHA1 c30dd2fc7d9db6c2c9c1cf63b9e87d7dcbabc58e
SHA256 076cb83b9dd1a3ca14fba616d430db52c908da3a5999bd04810fc363d1cb1d9e
SHA512 4da3fc6f7297d5a717f27e4b1800ade82bc9749c17927224b46826ad464ec709a604f2512312f7c2a1485b7a2d46ef9924e05498c2abf3cccf55beac964bb23a

/data/data/com.herocraft.game.treasuresofthedeep/files/Ni

MD5 00ac23358ddc59b18579b65a96321e8b
SHA1 004524ed704abb03410f843347b77e1a595a4795
SHA256 45c3ab537e0e2bfb5fe898e283e677664cdf6acc0735760b8276cc43d6d601c7
SHA512 1ac825dba7d718ab1e0cec5ae3365f8ce80b04dde1b860aa8130e323766db735eb6ab9afb865cc3b05bcb1346a3e0b096f3a6b8f7879149e344eb26593a3d7fa

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 d5dd8aa002853d41d54179c46dc4c703
SHA1 64ee055ffbf7e5074c7d4dcd4c5a3811a87d389f
SHA256 4a77c73e4440f2675a23593caa688e0d4488789b9eb174b9df7a117988a91ced
SHA512 851a1f8917bbc8cff856e881d30dcda8b33d7afefbac88b12a7a25b8d62ab6204079e5eac27a4fdfd68928fb619f5820660a1e19087e5e59dd5d6aa6af9f6079

Analysis: behavioral18

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x86-arm-20240624-en

Max time kernel

9s

Max time network

128s

Command Line

com.herocraft.game.birdsonwire.freemium

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex | N/A | N/A

Processes

com.herocraft.game.birdsonwire.freemium

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex --output-vdex-fd=42 --oat-fd=43 --oat-location=/data/user/0/com.herocraft.game.birdsonwire.freemium/files/oat/x86/b04e7800.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g1.buyappcenter.com | udp
SE | 185.117.88.15:80 | g1.buyappcenter.com | tcp

Files

/data/data/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 a2c0379f196c91a175f47b801895518a
SHA1 549b6e1c77021378b4189f736b7eb7437a9d9497
SHA256 35cdc216518a388e7842f6b67a2c65ea06ca5302286087df3a9db29603b9aa21
SHA512 e3ebb67eb0a9c9e13db1dd29474bf93af6e0e3b9607623c0a70672bfb4f2505abc1f2c23e1592175317bc4f384fb7966954f0d37e6f331f7eb724ff5e6be4205

/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 670d8683a3c1765ced65f8b60bfacdba
SHA1 24bc8f1ec3e925316fa05918fed1962379debe15
SHA256 fc48615db02bf829b738c5efef9cfc368b27c0a40fe69d4fa165cf59b0d6cc9f
SHA512 c6e7c7104c31d2b567874fed9684c172b1dc722d084ab998b0159420554e27ce044ed8b0099194919c18d782ac9d075962c966c602eaaf021f36d9d262bbc9a8

Analysis: behavioral19

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-20240624-en

Max time kernel

174s

Max time network

172s

Command Line

com.herocraft.game.birdsonwire.freemium

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.birdsonwire.freemium

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | g1.buyappcenter.com | udp
PL | 51.75.61.103:80 | g1.buyappcenter.com | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp
GB | 172.217.169.74:443 | | tcp

Files

/data/data/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 a2c0379f196c91a175f47b801895518a
SHA1 549b6e1c77021378b4189f736b7eb7437a9d9497
SHA256 35cdc216518a388e7842f6b67a2c65ea06ca5302286087df3a9db29603b9aa21
SHA512 e3ebb67eb0a9c9e13db1dd29474bf93af6e0e3b9607623c0a70672bfb4f2505abc1f2c23e1592175317bc4f384fb7966954f0d37e6f331f7eb724ff5e6be4205

/data/user/0/com.herocraft.game.birdsonwire.freemium/files/b04e7800.dex

MD5 670d8683a3c1765ced65f8b60bfacdba
SHA1 24bc8f1ec3e925316fa05918fed1962379debe15
SHA256 fc48615db02bf829b738c5efef9cfc368b27c0a40fe69d4fa165cf59b0d6cc9f
SHA512 c6e7c7104c31d2b567874fed9684c172b1dc722d084ab998b0159420554e27ce044ed8b0099194919c18d782ac9d075962c966c602eaaf021f36d9d262bbc9a8

/data/data/com.herocraft.game.birdsonwire.freemium/files/PersistedInstallation123543989478983912tmp

MD5 bdedd3ba3ef5e56f9fa0fc72b917b7f7
SHA1 6abadcf27ade5910d6520926c6c1c719ec96ff7e
SHA256 ab9cd264c87098d28b978bc3d4529a9466ebf208a72383a2a19466caa86e2522
SHA512 4b26bd0a1a8f0a7a3517d55aae7808d78e517586dedf8bfd68ab428bd472243403bd86ad5cc5d29b08311ad0df6d3fe0484a17dca091010c8f2fe3eeff0312b2

/data/data/com.herocraft.game.birdsonwire.freemium/files/PersistedInstallation8581516570902548133tmp

MD5 0accf3c4f4b3dde1db828931e4481070
SHA1 45079742665904909382b5c31525e85b7dec987f
SHA256 b782223dd0a170bae265cf1cefef8a001a53c880514b8cdfbe1d1e03760ba7df
SHA512 def579f75aaedf783f5681ea7fa3f5c24d2d7b6af24cce090f2fd36b27c3589129f0670a18459e01db1cc6135ba2b0f0c4ec3fcb2610b9c6f11dbc16a57f4637

/data/data/com.herocraft.game.birdsonwire.freemium/files/KWW

MD5 4fa8c5ba0ee39486c3a305d8e7542df6
SHA1 c40608d35e6305d9a7fd6c2c6dabb5885a83613a
SHA256 a7b018c98bf4848a4fdecf194090476f8d0c12f9e371f556199ce44ec38c4230
SHA512 bac6ac441cd2241496d1ebae6e3cf5667813909864ce43cf97a6648041b92a778cb66376f9c916c2d36dffc3da10542c3c3eef15307db237fc52604f9e6f7560

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

MD5 9d9426193e333252ee36e466c9fba9b7
SHA1 78c2b3b7a997f4cf3aa6190a59c7307d7b50eedc
SHA256 304f0c741a091026cdeb975db854e41669638c8841bc040715f5b19fe129f490
SHA512 5d7dc7f3172448e7594044fcc9af5fd826f21dfcea5d9ec4f0143bdff037d5280ca1aa03bfd134265d602a249b0f4466fdea7bf017019cc1cb5078960e9bc630

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

MD5 6b21ca369489844e8182bab0f16b31d1
SHA1 4cab66287894b71852d90d35d9e6481a2d591790
SHA256 257605eb65ed3339164fd0b82907b4cc44a23dd5c4c7ad85c3b6fe7f25c0b001
SHA512 354a63d64432098c85d29c23d5dcb0593db40df652f31530e8fc2d3a753d1027012f5726692c1cb5fa30cc724f4adffd883ce7b36fd2bb206c7566a2886dab19

/data/data/com.herocraft.game.birdsonwire.freemium/files/KWW

MD5 ebbe1740ea56359a39aec1bd3b678a04
SHA1 8afee5ba2b466712b2eab43a9b8638840fbfd5e3
SHA256 5c4a99208237e564fac93c5e983b16dacf457948f2d8ce9984173d22660c6283
SHA512 42c71c3f562e992e57b348b2c7be218ab33eac8acb25311cb9c4dff7fd0643e69133990e7d645a0e1b422147389b4f0767788e5d842d37a56be85169e21686fd

/data/data/com.herocraft.game.birdsonwire.freemium/files/UMYa

MD5 10c7cd593cdbdafd10fa1388ede9357c
SHA1 61cafe3dc50e6149b7b650257e584587a1051c6e
SHA256 bb4c08367e00f66b4a4de956eb1632b03d2f3ce78795f63cef5f463fd897fd43
SHA512 205a288ec6f1fe5da77bf825793b3f0aa2d668b656c43bd19504d023df99e5b33c9ffa786e9f9180ddbdcffdc0bef301a403d7787753b66b50edf871b12847ee

Analysis: behavioral24

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:29

Platform

android-x86-arm-20240624-en

Max time kernel

48s

Max time network

128s

Command Line

com.ygvezckt.rwqaztkw

Signatures

TiSpy

trojan infostealer spyware tispy

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip | N/A | N/A
N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip | N/A | N/A
N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip | N/A | N/A
N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip | N/A | N/A
N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip | N/A | N/A
N/A | /data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip | N/A | N/A

Queries information about the current nearby Wi-Fi networks

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getScanResults | N/A | N/A

Queries the phone number (MSISDN for GSM devices)

discovery

Requests cell location

collection discovery evasion
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries information about the current Wi-Fi connection

discovery
Description | Indicator | Process | Target
Framework service call | android.net.wifi.IWifiManager.getConnectionInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

com.ygvezckt.rwqaztkw

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/316f40170801e947.odex --compiler-filter=quicken --class-loader-context=&

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip --output-vdex-fd=45 --oat-fd=44 --oat-location=/data/user/0/com.ygvezckt.rwqaztkw/files/dex/oat/x86/lLtoeVfIDbcROVZBX.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 216.58.201.110:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp

Files

/data/data/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip

MD5 1b463ebe439550e65863364d145f3633
SHA1 06a1d114d31cc0c0735f6e865290de0df66534fc
SHA256 402745874a8f4229a51c30bb0a3fc4a383d5d2bdecf43f73920c7ec59f402631
SHA512 45be5088110b35464faac2c708084e5337ddf5f89d582001582c47db28e04ab577dc036ee481b02f3743b3bfc1a0bc85cdf9185f23aa8e683a2890833b77be5a

/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip

MD5 c276d68c66d80dfed813846189721519
SHA1 3006ae75be916f82d520f683322ce5b8af4be68b
SHA256 ba4227db1d3fb1d9befcdc67847e414b5070dd7e9d28e397c4cec1488309053e
SHA512 b5c1844af6bc735c26cb736691d864c3cb4ac567d49c8c0f5a3f73c7d8aa7de890900563a99a7e0a1e114cf561955225bea7522df876c338f380d03e502bb497

/data/user/0/com.ygvezckt.rwqaztkw/files/dex/316f40170801e947.zip

MD5 0141ce546517d0ff09558391ffe2c3d1
SHA1 c8da2607f42222cf6726f30015fce0e501df3c30
SHA256 4f647e2c0402fab82866f27337c18543123212e46abb52914e8c22bcff7382cf
SHA512 886f3fd3d8b891a8a1ced7552bb73e82b8eb390bf028570d1e5f1089863399dfe26184c4b6974968cc0a801ac1dadc768af157c386cda3fb0b810279680f48ce

/data/data/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip

MD5 5631aac4cdaafaf80e13e30ca0f35df4
SHA1 a5c11f94c00875c38fcc29debd5ab1f01b6a6d20
SHA256 c65d54edc4dfb9bb13a51764be2b1a66e6ef781a6f1a18368d22aeea79f1af6c
SHA512 15c45aabc02a08dd369de2b9f3ba736ccdea4cd325e865b079810887d3cfbdf52a7286dbb0516630cc0f83d3fba0a99efcb2a1f37ce3ee0a50bae98eb731eb47

/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip

MD5 eba2e1ec82083be20ece86501cf4a651
SHA1 c7296d77e0ff6982396d13e1f6cc54b2be4b5f12
SHA256 7cd112ace3c9789beb88d7d75e3c664706505fc8c5ede01fc92fabb9da2700ec
SHA512 668f0e05318a9a1d8f28aa9f8796450422b0f5d722704bcb37e003d42951e7033053b2c38ba4bc1144b14bac9114d875e860f5ee8add0986234228e2dc9dfbaf

/data/user/0/com.ygvezckt.rwqaztkw/files/dex/lLtoeVfIDbcROVZBX.zip

MD5 0df030186d9f5c370a15db6223ca2eb7
SHA1 33a9951863ceaf037787cd169c4cf61fcb7bba1b
SHA256 ecf40b3088a5186d0c043c2248aaa1a509c4336ae7cad299741fb7fc7ba0b11c
SHA512 0777b4c68b58b428410554b9e420852cd3fb2f2bcfe7a48487b1564918c386ca5d80327a7dc9b9b2d8d55da5330296aabd1f866db3e068bbfb3a3d7f393547ae

/data/data/com.ygvezckt.rwqaztkw/files/dex/pro_btn_bg_animation_img_0.jpg.zip

MD5 7c20a2b01bf3f9df1f0abb72ebbe82be
SHA1 e601b2e41434623edbeece32867517a3cdec5449
SHA256 1a10cc3cd2dc21a9be2d2eb758fd19288082619d331245b927d0a9299462ea2e
SHA512 3faa6efbd3ebf6e1aff7ebe9958c5f94bbfe9c5ff9e11e9092b1b7301bbe6504c01b922d709303147e213b3cadce8e96462220a1d1bf4d6cdaec95b3f84bb1b4

/data/data/com.ygvezckt.rwqaztkw/files/477458.so

MD5 8767a74133b3328c2a87a24893142ec2
SHA1 c1c48bcab9d7bf804cad029656d8b79bf8655d29
SHA256 80afd0eea39b125cd5a2f300a3b50302f002ff332943f71bd46d7ce5914e0f82
SHA512 96a2d70a2adfef8b8da4fc8c6b2be0b7eed0c33f76770093799fd3bbccf1b766290151cbd65981634c821baabdd8d445a6f66cf955045f0f402286b61aab2d7c

/data/data/com.ygvezckt.rwqaztkw/logs/Sistema1722821223161.log

MD5 59a270bf9697ac290d25416cc5d07de0
SHA1 c5e2e061c54d9f320ea3fc82310738c173e25d1b
SHA256 d5746aaa9f577df76ed1e5334519e23008b3e4918f3e1a83b96c2bd63e02dbd4
SHA512 b98af881e6ba7f80d8d1dd9252c880d5ce5b57b9c5054f518d7f32a88c6fb86e4f9049fe4384d71893490a3a9615b11f45a908ff9b47fc45d30141b91d0cab7c

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-journal

MD5 b61ca75f7c09d267f8c008a6caf0c4b8
SHA1 e1ba2fe5d5eea6c29c7f3cb12a83e31e4c2c3144
SHA256 a5910635554b2ae348790b255e1ca41fceaf9bf28d921529322fd45eda50578d
SHA512 8c5b4f27a152b3ccdb890832a7b6897ce618cf57a0cc4f423d3dff7aa1f8b86a77b64c78ea80e85e885a4e3d58d7d69fb264f6e5e1a5f069adcb89782d8628d4

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db

MD5 3621ce0aa81e37bc5c80e2cf881f1dd0
SHA1 00365f82dcada94caea07443656848baf60b3bd9
SHA256 8620d146b06037c9dc98b8788c3137344eb9d7e1f8b982ffec4c1d8549f24dd5
SHA512 76bb7175359d61ce39e95008269752de25769c4e274b4bcf37b920bc2cbfb680b2a4a88de860ed069655d1f47604638b0301c2c6131107cd929348895d73d2bf

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.ygvezckt.rwqaztkw/databases/privatesms.db-wal

MD5 1b813f308efeab47760ecc2d8ea1fad4
SHA1 01799628c2445f111cedda26c1c938aa3b8118b5
SHA256 dddcb53374f0b66cf5f223cb310a874f6a2083ea2ba1d04ccaff8d24a1089a09
SHA512 fa17d55d0594b7c1caa486b2ad631bc2636a49951ad43bc341b3b1e37c2a152afe80239f9b45700bda5c3bf234dec215b10f1685b6a7b6c62b5fd6dd2022dd07

Analysis: behavioral16

Detonation Overview

Submitted

2024-08-05 01:22

Reported

2024-08-05 01:26

Platform

android-x64-20240624-en

Max time kernel

178s

Max time network

173s

Command Line

com.herocraft.game.treasuresofthedeep

Signatures

Loads dropped Dex/Jar

evasion
Description | Indicator | Process | Target
N/A | /data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Queries the mobile country code (MCC)

discovery
Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.herocraft.game.treasuresofthedeep

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.200.8:443 | ssl.google-analytics.com | tcp
GB | 142.250.187.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | sara.sfjioagjioabnjqqfmx.com | udp
NL | 217.12.201.177:80 | sara.sfjioagjioabnjqqfmx.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp
GB | 216.58.212.206:443 | | tcp
GB | 142.250.200.2:443 | | tcp

Files

/data/data/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 48aab9b1635e8a510b4a1126c1f95bc5
SHA1 7ce5597408c9a42d93e882ed904dd0f3551ab81b
SHA256 1653275e4d68124e6af999b4311ac471f0a8adbcdffe4f64c678e1e84f367725
SHA512 e5a224994ed1332b87c33b3d0784b69be8733cde478650888e889af3d20c9d33b9c20720ac4104f15aecb8a94bc4101f5d826cc7161797f66b416be939d0bd3b

/data/user/0/com.herocraft.game.treasuresofthedeep/files/ac2b308d.dex

MD5 121d33b2c1295d49f9fba521016f45fe
SHA1 69e49d75e0a5e37cbc1f3f29fe5dccc656db27dc
SHA256 6f86990c8865f5cacbe7c38d934947aebae0a7f891043c714f012806a8e4467c
SHA512 561d57fc6e5c20b8c94949cc461d7e0e6595d041c1f8fe07c4b6815df92f71eede53bb1d333e58e494dec0e9db9a740c3917ba5519bdb3f51da7a3e3f744ac4b

/data/data/com.herocraft.game.treasuresofthedeep/files/PersistedInstallation3491306266844953979tmp

MD5 4907b2de4716c442dffc974c6f6f1d94
SHA1 27c41bdac0d4b74c695f85ebe590c576d1e6feae
SHA256 aed64a9d2fa62180caeff9f7999e4c193c08bc60a9b24ab9add200e69ed06382
SHA512 9a6f1a467db09702cceffcd02355f0ec3f5b53278c14e9d5f7a66ae6e7b5bb17bc306893d1ebf4596489717d45509da401384cc02b8a206bfa71548bfd497a6f

/data/data/com.herocraft.game.treasuresofthedeep/files/Ni

MD5 36bda346a1b07cd0f1c4251dd648f5aa
SHA1 a9b575f1d7f505dcb4c1bfc19e1176bf70669709
SHA256 d86d4c27a9181d2d1af466ba4301c6192e742a769dfd261ab44278eea971fa73
SHA512 9527cd712f70790701c6798d7f961aa057cb0ac1ff483ba7ced1dba60cc914561a175430345fef743988b2ee881a4e94d72f3b7ab064ea009d58c2a90dc1be5d

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 9ec38b083d951f9507e87e9234af62ea
SHA1 9e3f547513c99bf5a76457446d815975da790f93
SHA256 519e8f9587014bc4caf9a31269bce02517b74b4de0b0b9821ea093e0065ad8e8
SHA512 ed58be959ac06dbd389acda83427638f4af3bfade66dd70af45af586c48e10c190cec4be85d0b5fc9bcd50eeb431ea7a8be8931a776bc2ed6f5cde579a860cef

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 6efb21bb18b4f9974812f948e89629ce
SHA1 178ac1c52f5a5399479d72b61d7fd087d57d2ce5
SHA256 9b45001308bf186c3da6cd6fb8e67273599933ade74cdc5910cba8678f2712d8
SHA512 c05a6496e35eecc0b4fe993f7aa1362a4ca3a8de42fe450973b7e7136ea3ecb5db04ea08778d3dbbf9495140f7e656f72b59dc90e4a927f58e478fe361f1ede8

/data/data/com.herocraft.game.treasuresofthedeep/files/Ni

MD5 2303ccf5868f14cb02d9d21f57596583
SHA1 a6d56feacf7e56f77b45673ece23f9e69a31e917
SHA256 45f6bd86ef8579600aef8d8d05a7373ec3ca78be015ccdaff875124f7887f817
SHA512 8414b24e642b0dd1f40a31d34377af3287ebb071ca822272a9124dfd09d9a644a9a8c28b4d19a0d830814e90c411bd35569100609a7a442125eeb5a3c3931577

/data/data/com.herocraft.game.treasuresofthedeep/files/S

MD5 ad51ad88a311160024131aa32820a86c
SHA1 f8a97dbd2eb72ecc6d84a69718bb43bc5c48fb2a
SHA256 8b59bad5a6951a8fef94767159ffe269d13fe8da9520384b8424e34bb34c3f98
SHA512 3b0612affd68ca227ccafc32c9c9c77dca46b343849e777fbf405a27bea0012bbe2755c5156c4d7d1ab6c2de3f4cbe0d07cd7418417c54a324bbb561043e8e18