Analysis

  • max time kernel
    9s
  • max time network
    131s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags

    android, arch:arm, arch:x86, image:android-x86-arm-20240624-en, locale:en-us, os:android-9-x86, system
  • submitted
    12-09-2024 07:09

General

  • Target

    base.apk

  • Size

    8.4MB

  • MD5

    d5cffe9867da6f30e270fb508c40ab8e

  • SHA1

    4860eebd427379b8bf991b2110f9cd336b86fe7c

  • SHA256

    e0d2f2aff69cafdaf1099e5d0a1bf3ad32413e7c971c0ffc113f6fb5b0819b5c

  • SHA512

    6b653475b032ccf2b8944be4f68bcff4fc6f9eddeaef374650b211fe7b67101ecdab446df1bb6436aa42bb91dfc27342c2dce6bbfcd7c25d46d20b61115af8a9

  • SSDEEP

    196608:BKBC9YVEYRq+2Bq9lIu6i4MvwTjIvPTBrOb6:BK3Emq+2GP6PMvlvPlr

Malware Config

Signatures

  • Loads dropped Dex/Jar 1 TTPs 3 IoCs

    Runs executable file dropped to the device during analysis.

  • Acquires the wake lock 1 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs
  • Queries the mobile country code (MCC) 1 TTPs 1 IoCs
  • Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs
  • Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
  • Checks memory information 2 TTPs 1 IoCs

Processes

  • Doctor.con
    1⤵
    • Loads dropped Dex/Jar
    • Acquires the wake lock
    • Queries information about active data network
    • Queries the mobile country code (MCC)
    • Registers a broadcast receiver at runtime (usually for listening for system events)
    • Uses Crypto APIs (Might try to encrypt user data)
    • Checks memory information
    PID:4318
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/Doctor.con/cache/natives_sec_blob1755363102103725355.dex --output-vdex-fd=46 --oat-fd=48 --oat-location=/data/user/0/Doctor.con/cache/oat/x86/natives_sec_blob1755363102103725355.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4348

Network

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/Doctor.con/cache/natives_sec_blob1755363102103725355.dex

    Filesize

    550KB

    MD5

    ffcba9530d4f171ab67983f5d1950b54

    SHA1

    e74f816c65dc89dfbd668d27b65b4da0cde26b49

    SHA256

    ced12259631608d6af65bf72ddb6695d0c945bdc3f539a4e7778377f0ed25e3d

    SHA512

    c6251e08db812b41a63476755ff34f2f4fec232e910a6a4769b0a77a281e7ad48e7cb86f5d7bd7b67b579d3e5ab770b6145600f8877d72aabe626e2bc944ded6

  • /data/data/Doctor.con/cache/~test.test

    Filesize

    4B

    MD5

    098f6bcd4621d373cade4e832627b4f6

    SHA1

    a94a8fe5ccb19ba61c4c0873d391e987982fbbd3

    SHA256

    9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08

    SHA512

    ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

  • /data/data/Doctor.con/databases/google_app_measurement_local.db

    Filesize

    16KB

    MD5

    7237409e0640cfab7bdbd429bf821a3b

    SHA1

    4c3da934842f8d4835dfe2a9c275a300e5123309

    SHA256

    5c8e1b63d187efafe1e09bfadd83fd360176d689b57b5a0cc40e6854c12449fa

    SHA512

    c8afaf6a8ee43ce3601feff417bfaec563c01bcff0aae24577054034112b2020967f25b0b1a919c3c9e5e81d62a21a87e908b782c4d5cb8bba8ac259108e9c1f

  • /data/data/Doctor.con/databases/google_app_measurement_local.db

    Filesize

    16KB

    MD5

    a182deddaffcd883a74fc680020ea154

    SHA1

    c59f9286ab1b72d79bcb719505102615d255ed04

    SHA256

    0b8e786ef521f0085662a2868dfa0fa5982c4a22e31f3d3fd39733e1b42e780c

    SHA512

    ded5e4a8fc1fc4deb4e327615404d8ed7c16486a46d26281b1412c144ab0bbfe96f293b0bee57fa7b936a3545fc576db1d8b33eceae2d63fa18ad2950d55559d

  • /data/data/Doctor.con/databases/google_app_measurement_local.db

    Filesize

    16KB

    MD5

    602d77328e22659015f045bb1ed34a08

    SHA1

    ff92074786c754508de3d42b7a9a12109c09f122

    SHA256

    e1de94c451d5cfca5196b10189f94adcdd4f56eac36a0a838f9e133375c2ecbb

    SHA512

    a2c052f5b7c5471b8c8c3f60da63b12dd1df0c6bcab5f6b7b61d3b5e01bb63f7f5d73cc7a3ebef5ab7ae79b2a1362c9f636d90247b3e71649b91c5aa3becb1a5

  • /data/data/Doctor.con/databases/google_app_measurement_local.db

    Filesize

    16KB

    MD5

    aaa92c28adf266d0550ab4ea0194df75

    SHA1

    facead0a606ebed5da11dbba76a865228fcf828b

    SHA256

    12595ceeac5272cf0ebd75f557a41c8157a3025bd78fb188cfc6b3611d632f36

    SHA512

    2713a376d6568d60f3f4caaeb13bb847bee85db4f046d26356418ba2e902af4af826caa88b407ac85a1ed4c523ba33ab0901b5b27f9dcab24fe3f38fb746f8bd

  • /data/data/Doctor.con/databases/google_app_measurement_local.db

    Filesize

    16KB

    MD5

    0fb8d4a4bc122b869a7a6b9d8e5a33b7

    SHA1

    30a98b16d1c7962601d5939861b3aefd82757413

    SHA256

    941baa872c3aadbaaf76898c919bb54c7fdf188359c14d68dd25344f806a974a

    SHA512

    f570507b67ffe237032dca175934ed0cf5f3296f6dfae6ceaff83435ee435a0e5d2ef7b3f6ce88e1fc1f406e7b32dd64b4aa454c2239ff48eaa3f3295bde049f

  • /data/data/Doctor.con/databases/google_app_measurement_local.db-journal

    Filesize

    512B

    MD5

    70c33dbf77bee9c211e7e412867898f1

    SHA1

    defbc9255a129229b51ae9b4462b26503a9b1eea

    SHA256

    4d7f9220e198486ba83d7c04b629f26705266611dca59b43f9b63e1d5ec3132b

    SHA512

    f5a30c077f3a5fc75d8b2067f0f82d9d82a1d33a03975d250d4812187b2949ca499f22fc991bbad9f5175818162aa3f372aa6f1a7e99d8772892562b9d258442

  • /data/data/Doctor.con/databases/google_app_measurement_local.db-shm

    Filesize

    28KB

    MD5

    cf845a781c107ec1346e849c9dd1b7e8

    SHA1

    b44ccc7f7d519352422e59ee8b0bdbac881768a7

    SHA256

    18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7

    SHA512

    4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

  • /data/data/Doctor.con/databases/google_app_measurement_local.db-wal

    Filesize

    36KB

    MD5

    15d4f67cadcb78abc90f418faf77db9e

    SHA1

    26cdee85f8b61367d48a13839e892a7f5f0bbf4b

    SHA256

    8fc416c1fa2dc181e781eae7e1cf9c75bf0831817e58e6f34f5803ae59393be0

    SHA512

    f1135f87331183ca501945bca60477494ea198650fabace5eaf39fc44ef88b09f98644c8250fc27ec5bced038b60e278dc2a70ab2f8fd145b771db44e8cdcd07

  • /data/data/Doctor.con/databases/google_app_measurement_local.db-wal

    Filesize

    4KB

    MD5

    6f391feb5b44950f5ab89dee991e6c71

    SHA1

    74955147ee60a57dcd8cde403631e5937c23e37e

    SHA256

    9cf825a378f0f87302dfa7f7700fd449c6e51dde093938b24c5f6b200ecb1dc5

    SHA512

    4e4bdc77b5228c4824ebb9066f302162330052bc97b8d393e579d9d68a85f001371decf708b4f5315d7cc4ee0aeef7230dffa09bfd043b78e26f615fe7e2dc35

  • /data/data/Doctor.con/databases/google_app_measurement_local.db-wal

    Filesize

    4KB

    MD5

    ff3350040163c2508e8b3511a5fa70ae

    SHA1

    129a0d24bb20c7127f16afe8c400b8b3cd37c63d

    SHA256

    e9e03a1d65fd6b12d10324286551d295836171aa0e0449d06f429b008b6c7d20

    SHA512

    062909d513cfe3b929834fd810da7fe41abb09b2f5c9b4df7554d43b088bfac14f3adf745d8b4ed28d65cb2607bcb63aeca3d18feb87504bac2a8d796d0285b2

  • /data/data/Doctor.con/databases/google_app_measurement_local.db-wal

    Filesize

    4KB

    MD5

    38e85447e6dc51bcc37400fdc8b027d8

    SHA1

    1ebc2892d5db0d4a13c806b3c670171fbe47b5b1

    SHA256

    a5e057cfbba63312a57fc4fabd634104e93655cbb13d32e4b6b879cbd9f288b4

    SHA512

    594a00e22452eff604611d6dd83747d63aaed6e4601941e7a4746d32a8165a936d32904aa289edbe73a22109d6325ec8e97b25a1351a393cf39fc3a33ad9a726

  • /data/data/Doctor.con/databases/google_app_measurement_local.db-wal

    Filesize

    4KB

    MD5

    c160cecd7f7947d3517fbbf414904a58

    SHA1

    65018fd2c6d8b633e4d6f46fa9ee3861afabe0b6

    SHA256

    40e56c957a70c380eef8bda5afc5f9a8ded388e5b1db5f637cd4eff7fc6a0399

    SHA512

    dd6877e6299bef9b352b0b67334e7d5fa72ff35dc570ba08d1010518cec1c6240686f63dd361b76a6c37bdeb1650b99cb7d2f585ccca6965aa2c5170d6c378be

  • /data/data/Doctor.con/files/PersistedInstallation698721332178430141tmp

    Filesize

    567B

    MD5

    49ee38b600b7c9e24d9bdf7761f73aca

    SHA1

    fa2b37ab4b709601f6d3e23504f46204c16b20cc

    SHA256

    c80b119bdbace23695c2070d02af422dec2a017d6cc600347756b3c4d202dbaf

    SHA512

    76536b3fc63557f2c891d60ab992daf958ef4387e3cc744f79aa8630bc021fb95e7675a007b28c59bcbb2c81e2ce5372bb66d30efdb9469e724a412689b3eea7

  • /data/data/Doctor.con/files/PersistedInstallation8164327427134267595tmp

    Filesize

    90B

    MD5

    6c8f228d7b7364c4ec197aadbc4d2d85

    SHA1

    e38d8681c0e51e54053a020bdb34376942620d72

    SHA256

    b12b77b00d9db7540ce6e1cecf1000f07216352b8dde87d25e1852bae182e1b6

    SHA512

    12d968eaa4d99e9839cc5aae25a7aaac401a2f498449e518306c97f22240ca83e3433181067b6fc657b4ab5178de25861a31f673b140d4ac9fa5279f4f925284

  • /data/data/Doctor.con/files/cloneSettings.json

    Filesize

    10KB

    MD5

    d08c86b93470645b80e6371892c307bb

    SHA1

    62d258e4770ebc8e0ea0774cc4254229b0b57d39

    SHA256

    6b41f67a335794eb95c9f68363d2f98a81e6934c1e7d2915195ec690971275c2

    SHA512

    630bafe967883899311b60207322f8252fd22ca311dd4dd2932baa40869bd5e1dd644532c2ebd2711c354de12887acc947cd641bf0b40d5549471dcf0bd621be

  • /data/user/0/Doctor.con/cache/natives_sec_blob1755363102103725355.dex

    Filesize

    550KB

    MD5

    4ecdf266a248c661a60e78b21cac0857

    SHA1

    5cf08634f40c63bf2b48d51e13935168e465a4cf

    SHA256

    fc42736ea857ccbcca8f65cfb9fb4d32f643be781724020026a386233b304546

    SHA512

    b7edb37b3df48ecd7cfffc60b32d5e800e4de5ad321e91e2ac441daa2377ff5f9fc4bc37bd47c0156926556dfea35ef00e4e1ace86fe646cfeeeed957be65c92