Analysis Overview
SHA256
7f753c97e4d13bd94eda8f2505d6f228e97ea615692bf33ed030a4d4db78960b
Threat Level: Likely malicious
The file Indian Army.apk was found to be: Likely malicious.
Malicious Activity Summary
Removes its main activity from the application launcher
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Loads dropped Dex/Jar
Declares broadcast receivers with permission to handle system events
Legitimate hosting services abused for malware hosting/C2
Declares services with permission to bind to the system
Requests dangerous framework permissions
Makes use of the framework's foreground persistence service
Requests disabling of battery optimizations (often used to enable hiding in the background).
Uses Crypto APIs (Might try to encrypt user data)
Analysis: static1
Detonation Overview
Reported
2024-08-25 05:34
Signatures
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
|---|---|---|---|
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 05:34
Reported
2024-08-25 05:37
Platform
android-x64-arm64-20240624-en
Max time kernel
154s
Max time network
139s
Command Line
Signatures
Removes its main activity from the application launcher
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /data/user/0/com.devicf/cache/natives_sec_blob968523387863523665.dex | N/A | N/A |
| N/A | /data/user/0/com.devicf/cache/natives_sec_blob968523387863523665.dex | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Makes use of the framework's foreground persistence service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
|---|---|---|---|
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.devicf
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| GB | 142.250.180.14:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.179.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.200.36:443 | | tcp |
| GB | 142.250.200.36:443 | | tcp |
| US | 1.1.1.1:53 | qmjy6.bemobtracks.com | udp |
| US | 1.1.1.1:53 | qmjy6.bemobtracks.com | udp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| US | 1.1.1.1:53 | qmjy6.bemobtracks.com | udp |
| DE | 35.158.71.179:443 | qmjy6.bemobtracks.com | tcp |
| US | 1.1.1.1:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 1.1.1.1:53 | services.vlitag.com | udp |
| US | 104.22.59.199:443 | services.vlitag.com | tcp |
| US | 1.1.1.1:53 | accounts.google.com | udp |
| BE | 66.102.1.84:443 | accounts.google.com | tcp |
| US | 104.22.59.199:443 | services.vlitag.com | tcp |
| US | 1.1.1.1:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 1.1.1.1:53 | dsp.vlitag.com | udp |
| US | 1.1.1.1:53 | cmp.inmobi.com | udp |
| US | 1.1.1.1:53 | s3.vlitag.com | udp |
| US | 1.1.1.1:53 | securepubads.g.doubleclick.net | udp |
| US | 1.1.1.1:53 | imasdk.googleapis.com | udp |
| US | 1.1.1.1:53 | c.amazon-adsystem.com | udp |
| GB | 18.244.114.32:443 | cmp.inmobi.com | tcp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | tcp |
| GB | 13.224.223.9:443 | c.amazon-adsystem.com | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.200.35:443 | update.googleapis.com | tcp |
| GB | 13.224.223.9:443 | c.amazon-adsystem.com | tcp |
| GB | 18.244.114.32:443 | cmp.inmobi.com | tcp |
| GB | 142.250.200.34:443 | securepubads.g.doubleclick.net | tcp |
| US | 1.1.1.1:53 | config.aps.amazon-adsystem.com | udp |
| GB | 108.156.39.61:443 | config.aps.amazon-adsystem.com | tcp |
| US | 1.1.1.1:53 | cdn.hadronid.net | udp |
| US | 104.22.52.173:443 | cdn.hadronid.net | tcp |
| US | 1.1.1.1:53 | api.cmp.inmobi.com | udp |
| DE | 18.197.222.173:443 | api.cmp.inmobi.com | tcp |
| US | 1.1.1.1:53 | id.hadron.ad.gt | udp |
| US | 172.67.23.234:443 | id.hadron.ad.gt | tcp |
| US | 1.1.1.1:53 | a.ad.gt | udp |
| US | 104.22.5.69:443 | a.ad.gt | tcp |
| US | 1.1.1.1:53 | p.ad.gt | udp |
| US | 1.1.1.1:53 | ids.ad.gt | udp |
| US | 1.1.1.1:53 | secure.adnxs.com | udp |
| US | 1.1.1.1:53 | match.adsrvr.org | udp |
| US | 1.1.1.1:53 | image2.pubmatic.com | udp |
| US | 1.1.1.1:53 | token.rubiconproject.com | udp |
| US | 1.1.1.1:53 | cm.g.doubleclick.net | udp |
| US | 104.22.5.69:443 | p.ad.gt | tcp |
| US | 1.1.1.1:53 | sync.1rx.io | udp |
| US | 44.236.200.196:443 | ids.ad.gt | tcp |
| US | 44.236.200.196:443 | ids.ad.gt | tcp |
| US | 44.236.200.196:443 | ids.ad.gt | tcp |
| NL | 185.89.210.212:443 | secure.adnxs.com | tcp |
| US | 52.223.40.198:443 | match.adsrvr.org | tcp |
| NL | 198.47.127.205:443 | image2.pubmatic.com | tcp |
| NL | 69.173.156.148:443 | token.rubiconproject.com | tcp |
| GB | 216.58.213.2:443 | cm.g.doubleclick.net | tcp |
| NL | 46.228.174.117:443 | sync.1rx.io | tcp |
| US | 1.1.1.1:53 | ssum-sec.casalemedia.com | udp |
| US | 104.22.5.69:443 | p.ad.gt | tcp |
| US | 104.18.36.155:443 | ssum-sec.casalemedia.com | tcp |
| US | 1.1.1.1:53 | bh.contextweb.com | udp |
| US | 44.236.200.196:443 | ids.ad.gt | tcp |
| NL | 208.93.169.131:443 | bh.contextweb.com | tcp |
| US | 44.236.200.196:443 | ids.ad.gt | tcp |
| US | 44.236.200.196:443 | ids.ad.gt | tcp |
| US | 1.1.1.1:53 | a.nel.cloudflare.com | udp |
| US | 1.1.1.1:53 | ad.360yield.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| IE | 63.33.11.39:443 | ad.360yield.com | tcp |
| US | 1.1.1.1:53 | pixels.ad.gt | udp |
| US | 172.67.23.234:443 | pixels.ad.gt | tcp |
| US | 1.1.1.1:53 | update.googleapis.com | udp |
| GB | 142.250.200.35:443 | update.googleapis.com | tcp |
| US | 1.1.1.1:53 | pastebin.com | udp |
| US | 1.1.1.1:53 | cdn.prod.uidapi.com | udp |
| US | 1.1.1.1:53 | cdn.id5-sync.com | udp |
| US | 1.1.1.1:53 | connectid.analytics.yahoo.com | udp |
| US | 1.1.1.1:53 | static.criteo.net | udp |
| US | 1.1.1.1:53 | oa.openxcdn.net | udp |
| US | 1.1.1.1:53 | cdn.jsdelivr.net | udp |
| US | 1.1.1.1:53 | cdn-ima.33across.com | udp |
| US | 104.22.52.86:443 | cdn.id5-sync.com | tcp |
| US | 1.1.1.1:53 | invstatic101.creativecdn.com | udp |
| NL | 178.250.1.3:443 | static.criteo.net | tcp |
| US | 1.1.1.1:53 | tags.crwdcntrl.net | udp |
| US | 34.102.146.192:443 | oa.openxcdn.net | tcp |
| US | 151.101.65.229:443 | cdn.jsdelivr.net | tcp |
| GB | 18.245.255.11:443 | cdn.prod.uidapi.com | tcp |
| GB | 18.245.162.16:443 | connectid.analytics.yahoo.com | tcp |
| US | 104.18.35.167:443 | cdn-ima.33across.com | tcp |
| US | 34.96.70.87:443 | invstatic101.creativecdn.com | tcp |
| GB | 18.245.143.83:443 | tags.crwdcntrl.net | tcp |
| US | 1.1.1.1:53 | id5-sync.com | udp |
| US | 104.18.35.167:443 | cdn-ima.33across.com | tcp |
| US | 34.96.70.87:443 | invstatic101.creativecdn.com | tcp |
| US | 1.1.1.1:53 | oajs.openx.net | udp |
| DE | 162.19.138.82:443 | id5-sync.com | tcp |
| US | 1.1.1.1:53 | bcp.crwdcntrl.net | udp |
| US | 34.120.107.143:443 | oajs.openx.net | tcp |
| IE | 54.154.69.222:443 | bcp.crwdcntrl.net | tcp |
| US | 1.1.1.1:53 | google-bidout-d.openx.net | udp |
| US | 34.98.64.218:443 | google-bidout-d.openx.net | tcp |
Files
/data/user/0/com.devicf/cache/natives_sec_blob968523387863523665.dex
| MD5 | d743db0c89d4626d2e078ecebae80a04 |
| SHA1 | 07faeec4f4892ea850bd76e31ad2779b8c3bda64 |
| SHA256 | 2f1a706ebdb117e3f7c63deabdd1df7032352f9517293cd8f19dc126d66dbfb0 |
| SHA512 | 9dd5126cbb4d0a887ef0231a7c8582e9c69ecbbed71204cb14c6ddcd1000f19479a0cbe11b663c3b617fd85acc57e15419d7220ecc5c7002e11b2ea432bf4955 |
/data/user/0/com.devicf/cache/oat/natives_sec_blob968523387863523665.dex.cur.prof
| MD5 | 073fcef210080a7d20892b6ba6092868 |
| SHA1 | a752b0691aebf4de84936cbabe6dbc1cdbc24d0c |
| SHA256 | 1701a7c317a17b3383a8ae8451d73f3b3c54cdf09553997d96ad9c05b2e7c89a |
| SHA512 | 2f64a31bfc32aa18ec5711c0c22502e525e776ea68ed2ded8bba0e46cb9fae69b0b0f622a6df30dce7daa80ce86c354ee96ddb5454ab44aaf60f099dd3722524 |