Analysis Overview
Threat Level: Known bad
The file https://web.archive.org/web/20230706214529/https://download1587.mediafire.com/t1vdad3xufngg6CCX1k5jtiFJ0YYnHArLuX2ldpUW45Y7C5_ICaaMoj15-uYrQ6IH4D6uZD0Xn-dcHnvDAXCw1fpmTc_0gQtEgldscAvESOiKjQXCpk1VPUISW0N9EJwVOMwZfG74yKr06krisXQH9u4s95Hp7LFqY-oMYQYAG2yBcY/12o45hf43lvv6az/fnaf2+aptoide.apk was found to be: Known bad.
Malicious Activity Summary
Wipelock Android payload
Wipelock
Declares broadcast receivers with permission to handle system events
Requests dangerous framework permissions
Checks CPU information
Checks memory information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 10:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 10:02
Reported
2024-08-11 10:56
Platform
android-x86-arm-20240624-en
Max time kernel
1819s
Max time network
1828s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.android.chrome
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | web.archive.org | udp |
| US | 207.241.237.3:443 | web.archive.org | tcp |
| US | 207.241.237.3:443 | web.archive.org | tcp |
| US | 1.1.1.1:53 | archive.org | udp |
| US | 1.1.1.1:53 | web-static.archive.org | udp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 1.1.1.1:53 | archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 1.1.1.1:53 | wayback-api.archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 207.241.237.8:443 | wayback-api.archive.org | tcp |
| US | 1.1.1.1:53 | athena.archive.org | udp |
| US | 207.241.225.195:443 | athena.archive.org | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.179.227:443 | update.googleapis.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| GB | 172.217.16.227:80 | | tcp |
| GB | 172.217.16.228:443 | | tcp |
| GB | 142.250.200.2:443 | | tcp |
| GB | 142.250.187.227:443 | | tcp |
| GB | 142.250.179.238:443 | | tcp |
| GB | 142.250.187.227:443 | | tcp |
| GB | 142.250.179.238:443 | | tcp |
| GB | 142.250.187.227:443 | | tcp |
| GB | 142.250.187.227:443 | | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.187.195:443 | update.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| BE | 74.125.133.188:5228 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | tcp |
| GB | 216.58.204.78:443 | | tcp |
Files
files/dom-0.html
| Hash | Value |
|---|---|
| MD5 | d37bee639444465d5de41a131150a6ca |
| SHA1 | 88e527cfaecf448e30fde956a7acb3ebfd098e1f |
| SHA256 | f0a10d97acd18b888aa6aef0ea0df21894490deca7cf9767cd824b7034143cd7 |
| SHA512 | a4676c63b1162d9d0a37d9a19e54f93add736dfcfcc9663a457519f8877565fb35bda7b0a536943a36e466c88ca882aed7942843d55922c2cf19631c7b15a0a8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 10:02
Reported
2024-08-11 10:56
Platform
android-x64-20240624-en
Max time kernel
1657s
Max time network
1789s
Command Line
Signatures
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.android.chrome
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| BE | 142.251.168.84:443 | accounts.google.com | tcp |
| US | 1.1.1.1:53 | web.archive.org | udp |
| US | 207.241.237.3:443 | web.archive.org | tcp |
| US | 207.241.237.3:443 | web.archive.org | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | archive.org | udp |
| US | 1.1.1.1:53 | web-static.archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 1.1.1.1:53 | wayback-api.archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 207.241.237.8:443 | wayback-api.archive.org | tcp |
| US | 1.1.1.1:53 | athena.archive.org | udp |
| US | 207.241.225.195:443 | athena.archive.org | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.178.3:443 | update.googleapis.com | tcp |
| GB | 142.250.179.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 216.58.204.67:443 | | tcp |
| GB | 216.58.204.66:443 | | tcp |
| GB | 216.58.204.67:443 | | tcp |
| GB | 216.58.204.67:443 | | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.179.227:443 | update.googleapis.com | tcp |
| GB | 172.217.16.238:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| BE | 74.125.71.188:5228 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
Files
/storage/emulated/0/Android/data/com.android.chrome/files/Download/Unconfirmed 659339.crdownload
| Hash | Value |
|---|---|
| MD5 | dc98efd71997adb619bfc6e09b3df258 |
| SHA1 | 50d0d722d4af4a863a19749dd7ef680c67662aa2 |
| SHA256 | d6c670c7a27105f082108d89c6d6b983bdeba6cef36d357b2c4c2bfbc4189aab |
| SHA512 | 1903987f5cd074bb672cf335442178a0820bce6e02dc5a04bbbd894c2048bcb068c85e6cefd3663bd0505a20c0651dcfcbb60760f2c5744e344af6f7a627ade7 |
files/dom-0.html
| Hash | Value |
|---|---|
| MD5 | 7bf50b36e56363da967abcc2b75f1e90 |
| SHA1 | 60e31a2d5d8424cd0a62be005c4c8266a7129b71 |
| SHA256 | 2be361e2690648d7a02a3dee9be9c5f7125b450ad0cd35d5195a7c3434d55386 |
| SHA512 | d4363dfaf43c7a0889c3db59d429bfb4ba1e3afbef4aab93ff7e2981a48044eae46a877e091cb46dc72e2f9ebc5eb6e59d419e1f85389fbde59f592232a35f34 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-08-11 10:02
Reported
2024-08-11 10:56
Platform
android-x64-arm64-20240624-en
Max time kernel
1804s
Max time network
1830s
Command Line
Signatures
Wipelock
Wipelock Android payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
com.android.chrome
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | web.archive.org | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | web.archive.org | udp |
| BE | 108.177.15.84:443 | accounts.google.com | tcp |
| US | 207.241.237.3:443 | web.archive.org | tcp |
| US | 1.1.1.1:53 | archive.org | udp |
| US | 1.1.1.1:53 | web-static.archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 207.241.237.2:443 | web-static.archive.org | tcp |
| US | 1.1.1.1:53 | wayback-api.archive.org | udp |
| US | 207.241.224.2:443 | archive.org | tcp |
| US | 207.241.237.8:443 | wayback-api.archive.org | tcp |
| US | 1.1.1.1:53 | athena.archive.org | udp |
| US | 207.241.225.195:443 | athena.archive.org | tcp |
| US | 207.241.237.8:443 | wayback-api.archive.org | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.187.227:443 | update.googleapis.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.204.78:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.179.228:443 | | tcp |
| GB | 142.250.179.228:443 | | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.200.3:443 | update.googleapis.com | tcp |
| US | 1.1.1.1:53 | web.archive.org | udp |
| US | 1.1.1.1:53 | web.archive.org | udp |
| US | 207.241.237.3:443 | web.archive.org | tcp |
| GB | 142.250.200.34:443 | | tcp |
| GB | 142.250.187.227:443 | update.googleapis.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| BE | 142.251.173.188:5228 | | tcp |
| US | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.180.14:443 | | tcp |
Files
/storage/emulated/0/Download/.pending-1723976746-fnaf2 aptoide.apk (deleted)
| Hash | Value |
|---|---|
| MD5 | 8ee5139d1bf116a56b8e11b5eff06afd |
| SHA1 | 6fa68ada075e3084fa0c5c11719c6e5d425d2623 |
| SHA256 | 9f5e69c7df5eeb053816fe31c732c46f6f266015097e81e048f64ec26a0881f3 |
| SHA512 | edfe422e5e7eccdf03a30afdd578fde5440b3b00c1cad2f467c78bab1ccc18e1600f11ac925fb25a5b9bbc6b9cc51946d023e6a5725d88aede6d691112e42f2d |
/storage/emulated/0/Download/.pending-1723976746-fnaf2 aptoide.apk
| Hash | Value |
|---|---|
| MD5 | d7224fefc668cd6c672c3930b988b180 |
| SHA1 | 18fe07b4c76edbfc961ac7cb0db0f072a0942975 |
| SHA256 | 584b2232e6e6f1b2f5de74110b2429a4bce52f402f86868d0cd220bebd6c0f60 |
| SHA512 | 302fd5c9e8d7f9aef76451d510ca86f1022c02ac07138503d552586f4f01e317e7f0ac15f3e7ac301c0372895be730a7a845cf28fbd2f7ae948c67bf0d079c50 |
files/dom-0.html
| Hash | Value |
|---|---|
| MD5 | 3cb82a7d4d0ee212e4df431cf64e6f6c |
| SHA1 | b0b4e9c4546f345edaf1cb187a5dc56db4497631 |
| SHA256 | 529f47c1dab6ed0b2f2f289ffc3043c1f4d2a5ab2a28db4adf64d088be8eab79 |
| SHA512 | eae676fdff9adf5b044b15506f0349658981d7caa280f5fdb8d1b2b37e5d11bb61cced2aba6d4181d380553166647a4bb05cdb39f5697441093628aeff3dc82f |