Analysis Overview
SHA256
6b74febe8a8cc8f4189eccc891bdfccebbc57580675af67b1b6f268f52adad9f
Threat Level: Shows suspicious behavior
The file CovidLockRansomware.apk was found to show suspicious behavior.
Malicious Activity Summary
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Legitimate hosting services abused for malware hosting/C2
Makes use of the framework's foreground persistence service
Requests disabling of battery optimizations (often used to enable hiding in the background).
Requests enabling of the accessibility settings.
Tries to add a device administrator.
Declares broadcast receivers with permission to handle system events
Declares services with permission to bind to the system
Analysis: static1
Detonation Overview
Reported
2024-08-13 20:42
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 20:42
Reported
2024-08-13 20:45
Platform
android-33-x64-arm64-20240624-en
Max time kernel
123s
Max time network
132s
Command Line
Signatures
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | pastebin.com | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Requests enabling of the accessibility settings.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.settings.ACCESSIBILITY_SETTINGS | N/A | N/A |
Tries to add a device administrator.
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Intent action | android.app.action.ADD_DEVICE_ADMIN | N/A | N/A |
Processes
com.device.security
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.196:443 | | udp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | udp |
| US | 162.159.61.3:443 | | tcp |
| US | 162.159.61.3:443 | | tcp |
| BE | 142.251.168.84:443 | | tcp |
| US | 162.159.61.3:443 | | udp |
| GB | 142.250.187.228:443 | | tcp |
| US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp |
| US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | udp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | tcp |
| GB | 142.250.200.3:443 | | tcp |
| US | 172.64.41.3:443 | | udp |
| US | 34.104.35.123:80 | | tcp |
| GB | 142.250.200.3:443 | | udp |
| GB | 142.250.187.196:443 | | udp |
| GB | 142.250.187.227:443 | | tcp |
| US | 1.1.1.1:53 | qmjy6.bemobtracks.com | udp |
| US | 162.159.61.3:443 | | udp |
| GB | 142.250.187.228:443 | | udp |
| IE | 54.220.182.27:443 | qmjy6.bemobtracks.com | tcp |
| IE | 54.220.182.27:443 | qmjy6.bemobtracks.com | tcp |
| IE | 54.220.182.27:443 | qmjy6.bemobtracks.com | tcp |
| US | 104.20.3.235:443 | | tcp |
| US | 104.22.58.199:443 | | tcp |
| US | 104.22.58.199:443 | | udp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.200.3:443 | update.googleapis.com | tcp |
| US | 104.18.95.41:443 | | tcp |
| US | 104.18.95.41:443 | | udp |