Analysis

  • max time kernel
    4s
  • max time network
    137s
  • platform
    android_x64
  • resource
    android-x64-20240624-en
  • resource tags

    android, arch:x64, arch:x86, image:android-x64-20240624-en, locale:en-us, os:android-10-x64, system
  • submitted
    08-10-2024 02:39

General

  • Target

    5d2ff3a0a3820997a9929df3c53768079a7b4515f28ec4dc87dcf646a543d8fb.apk

  • Size

    3.6MB

  • MD5

    d836feab9d4bf3c6cf086bdc14724c8b

  • SHA1

    c837cf7b181679a0081165e5fe4aa0eb94f748f8

  • SHA256

    5d2ff3a0a3820997a9929df3c53768079a7b4515f28ec4dc87dcf646a543d8fb

  • SHA512

    8c7801c5f1d8dfda39e0c65bdbea83feb8f217b41b69a245d01dd9e983a6a357c8b0b2be79123bed07e638655fc66ef3a093cc01be68c696ecfea5ab6c692dad

  • SSDEEP

    98304:5s13ZL3Vf6JqeomaMDmQZ75ub8GoRJ6Odp/9hBbW+te6lXhAyHzwI:eTLVf6JumaMiQVWovl9jS+oS4I

Score
7/10

Malware Config

Signatures

  • Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps) 1 TTPs
  • Acquires the wake lock 1 IoCs
  • Queries information about active data network 1 TTPs 1 IoCs

Processes

  • com.systemservice
    1⤵
    • Acquires the wake lock
    • Queries information about active data network
    PID:4966

Network

  • flag-us
    DNS
    ssl.google-analytics.com
    Remote address:
    1.1.1.1:53
    Request
    ssl.google-analytics.com
    IN A
    Response
    ssl.google-analytics.com
    IN A
    142.250.179.232
  • flag-us
    DNS
    protocol-a100.phoneparental.com
    Remote address:
    1.1.1.1:53
    Request
    protocol-a100.phoneparental.com
    IN A
    Response
    protocol-a100.phoneparental.com
    IN A
    172.67.144.220
    protocol-a100.phoneparental.com
    IN A
    104.21.47.58
  • flag-us
    GET
    http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts
    Remote address:
    172.67.144.220:80
    Request
    GET /protocols/get-brand-info.aspx?brand_info=tts HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86_64 Build/QSR1.210802.001)
    Host: protocol-a100.phoneparental.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 02:39:50 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: private
    Vary: Accept-Encoding
    Set-Cookie: ASP.NET_SessionId=et554p15ycb3bknzpf3y2t5i; path=/; HttpOnly; SameSite=Lax
    X-AspNetMvc-Version: 5.2
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=T3NfNXbQUETXI6CSOiPATCi7dsKCPlatQ2wDJJGE41ctKvYsEpKOdpp1VNpVjq0PYB%2BaDpiGBxvcNGS7VJIBVCdw4nIDILaB6e84teQQ2g3%2BE2bnPcFFdtAqQO9UIRJv8f0YUYiphvd27zXULLiSb4HA"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8cf2c340be639485-LHR
    Content-Encoding: gzip
  • flag-us
    GET
    http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts
    Remote address:
    172.67.144.220:80
    Request
    GET /protocols/get-brand-info.aspx?brand_info=tts HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for x86_64 Build/QSR1.210802.001)
    Host: protocol-a100.phoneparental.com
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Tue, 08 Oct 2024 02:39:51 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Cache-Control: private
    Vary: Accept-Encoding
    Set-Cookie: ASP.NET_SessionId=yhdr2qxsfcvitbbxskmvcwpe; path=/; HttpOnly; SameSite=Lax
    X-AspNetMvc-Version: 5.2
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mozTnTW19OpxJaeTNRnTZuky%2B9OR9hR7sDvschvqJsVMtEmH3JyoUMmhtLCh0jAFrLuiwOX7%2BhH9ORbThbk6EyDsZUpKl7jbPU6p8v1cHauYbzlQ8hGlFvb6qK0O7KAlPx7aBBvsO74svlefMSMlLlEy"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Speculation-Rules: "/cdn-cgi/speculation"
    Server: cloudflare
    CF-RAY: 8cf2c3479a1a9485-LHR
    Content-Encoding: gzip
  • flag-us
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    216.58.212.238
  • flag-us
    DNS
    g.tenor.com
    Remote address:
    1.1.1.1:53
    Request
    g.tenor.com
    IN A
    Response
    g.tenor.com
    IN CNAME
    tenor.googleapis.com
    tenor.googleapis.com
    IN A
    216.58.212.202
    tenor.googleapis.com
    IN A
    142.250.180.10
    tenor.googleapis.com
    IN A
    142.250.187.202
    tenor.googleapis.com
    IN A
    142.250.187.234
    tenor.googleapis.com
    IN A
    172.217.16.234
    tenor.googleapis.com
    IN A
    172.217.169.42
    tenor.googleapis.com
    IN A
    142.250.200.42
    tenor.googleapis.com
    IN A
    142.250.179.234
    tenor.googleapis.com
    IN A
    216.58.201.106
    tenor.googleapis.com
    IN A
    216.58.204.74
    tenor.googleapis.com
    IN A
    216.58.213.10
    tenor.googleapis.com
    IN A
    142.250.178.10
    tenor.googleapis.com
    IN A
    142.250.200.10
    tenor.googleapis.com
    IN A
    172.217.169.10
  • flag-us
    DNS
    www.google.com
    Remote address:
    1.1.1.1:53
    Request
    www.google.com
    IN A
    Response
    www.google.com
    IN A
    142.250.178.4
  • 142.250.200.34:443
    520 B
    10
  • 216.58.204.78:443
    520 B
    10
  • 142.250.179.232:443
    ssl.google-analytics.com
    tls
    1.3kB
    6.2kB
    8
    8
  • 142.250.179.228:443
    520 B
    10
  • 172.67.144.220:80
    http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts
    http
    922 B
    3.4kB
    8
    9

    HTTP Request

    GET http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts

    HTTP Response

    200

    HTTP Request

    GET http://protocol-a100.phoneparental.com/protocols/get-brand-info.aspx?brand_info=tts

    HTTP Response

    200
  • 142.250.179.238:443
    tls, https
    900 B
    40 B
    1
    1
  • 216.58.212.238:443
    android.apis.google.com
    tls
    4.7kB
    8.6kB
    14
    21
  • 216.58.212.238:443
    android.apis.google.com
    tls
    2.3kB
    5.9kB
    10
    10
  • 216.58.212.202:443
    g.tenor.com
    tls
    1.7kB
    7.9kB
    11
    12
  • 216.58.212.202:443
    g.tenor.com
    tls, https
    128 B
    40 B
    2
    1
  • 216.239.34.223:443
    tls, https
    128 B
    40 B
    2
    1
  • 142.250.178.4:443
    www.google.com
    tls
    2.1kB
    8.8kB
    13
    15
  • 224.0.0.251:5353
    3.7kB
    11
  • 1.1.1.1:53
    ssl.google-analytics.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    ssl.google-analytics.com

    DNS Response

    142.250.179.232

  • 1.1.1.1:53
    protocol-a100.phoneparental.com
    dns
    77 B
    109 B
    1
    1

    DNS Request

    protocol-a100.phoneparental.com

    DNS Response

    172.67.144.220
    104.21.47.58

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    216.58.212.238

  • 1.1.1.1:53
    g.tenor.com
    dns
    57 B
    312 B
    1
    1

    DNS Request

    g.tenor.com

    DNS Response

    216.58.212.202
    142.250.180.10
    142.250.187.202
    142.250.187.234
    172.217.16.234
    172.217.169.42
    142.250.200.42
    142.250.179.234
    216.58.201.106
    216.58.204.74
    216.58.213.10
    142.250.178.10
    142.250.200.10
    172.217.169.10

  • 1.1.1.1:53
    www.google.com
    dns
    60 B
    76 B
    1
    1

    DNS Request

    www.google.com

    DNS Response

    142.250.178.4

  • 142.250.178.4:443
    www.google.com
    https
    1.5kB
    49 B
    2
    1
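
The cleartext beacon to protocol-a100.phoneparental.com, turned into a repeatable check. This is an added example, not part of the sandbox report or of the sample: it re-types the captured request and the DNS answers as constructed strings, extracts the network IOCs attributable to the sample, and applies a simple beacon rule. The allow-list of platform domains, the control request, the parsing helper and the scoring rule are this example's assumptions. One caveat the report itself supports: the request leaves an Android 10 process in cleartext, which since API level 28 means the app either targets an older API level or opts in through android:usesCleartextTraffic or a network security config.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the request captured in the report above.
RAW_REQUEST = (
    "GET /protocols/get-brand-info.aspx?brand_info=tts HTTP/1.1\r\n"
    "User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for "
    "x86_64 Build/QSR1.210802.001)\r\n"
    "Host: protocol-a100.phoneparental.com\r\n"
    "Connection: Keep-Alive\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)

# Constructed control case (not from the report): same user agent, platform host.
RAW_PLATFORM_REQUEST = (
    "GET /generate_204 HTTP/1.1\r\n"
    "User-Agent: Dalvik/2.1.0 (Linux; U; Android 10; Android SDK built for "
    "x86_64 Build/QSR1.210802.001)\r\n"
    "Host: www.google.com\r\n"
    "\r\n"
)

# DNS answers from the report (g.tenor.com cut to two of its fourteen addresses).
DNS_ANSWERS = {
    "ssl.google-analytics.com": ["142.250.179.232"],
    "protocol-a100.phoneparental.com": ["172.67.144.220", "104.21.47.58"],
    "android.apis.google.com": ["216.58.212.238"],
    "g.tenor.com": ["216.58.212.202", "142.250.180.10"],
    "www.google.com": ["142.250.178.4"],
}

# Assumption of this example: domains the stock emulator image talks to on its
# own. Traffic to them is background noise, not attributable to the sample.
PLATFORM_SUFFIXES = ("google.com", "googleapis.com", "google-analytics.com", "tenor.com")


def parse_http_request(raw: str) -> tuple[str, str, dict]:
    """Return (method, request-target, lower-cased header map) from a raw head."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    method, target, _version = start.split(" ", 2)
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_platform_host(host: str) -> bool:
    """Suffix match on the label boundary, so evil.google.com.example is not allowed."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in PLATFORM_SUFFIXES)


def classify_request(raw_request: str, scheme: str) -> dict:
    """Extract IOCs from one request and decide whether it looks like an
    app-originated beacon rather than platform traffic."""
    method, target, headers = parse_http_request(raw_request)
    host = headers.get("host", "")
    url = f"{scheme}://{host}{target}"
    parts = urlsplit(url)
    ua = headers.get("user-agent", "")

    reasons = []
    if scheme == "http":
        reasons.append("cleartext HTTP")
    if ua.startswith("Dalvik/"):
        reasons.append("default Android HttpURLConnection user agent")
    if not is_platform_host(host):
        reasons.append("host not on the platform allow-list")
    if parts.path.endswith(".aspx"):
        reasons.append("ASP.NET endpoint")

    return {
        "method": method,
        "url": url,
        "host": host,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "user_agent": ua,
        "resolved": DNS_ANSWERS.get(host, []),
        # Rule (assumption): cleartext to a non-platform host is a beacon candidate.
        "beacon_candidate": scheme == "http" and not is_platform_host(host),
        "reasons": reasons,
    }


def sample_iocs() -> dict:
    """Network IOCs attributable to the sample: non-platform DNS names, the
    addresses they resolved to, and the beacon URL."""
    hosts = [h for h in DNS_ANSWERS if not is_platform_host(h)]
    ips = sorted({ip for h in hosts for ip in DNS_ANSWERS[h]})
    return {"domains": hosts, "ips": ips,
            "urls": [classify_request(RAW_REQUEST, "http")["url"]]}


if __name__ == "__main__":
    for raw in (RAW_REQUEST, RAW_PLATFORM_REQUEST):
        print(classify_request(raw, "http"))
    print(sample_iocs())
```

The platform allow-list deliberately covers only the names this emulator image resolved on its own (the google.com, googleapis.com, google-analytics.com and tenor.com CNAME targets in the DNS section); in a real pipeline it would come from a baseline run of the clean image, not a hard-coded tuple.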

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/com.systemservice/databases/com.google.android.datatransport.events

    Filesize

    12KB

    MD5

    ea628e04765adaf4238a5dcdff4bbd51

    SHA1

    a801947619ea8c368efe9c006a324dc6339ac60b

    SHA256

    885e337c2156e4dbf2176a9677ade50418740532d222ccae5ad4aa371b54c6a4

    SHA512

    c0287b0e7b690a7231a37d1745c49f3d861b22aa65dd769ba6a8b5ab9da55443f749957781ee05a405019c39e1be45d37a971b821bffd62a1d5620bc39119abe

  • /data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

    Filesize

    512B

    MD5

    646d1cbcd9453bb009e441dd0d8c752b

    SHA1

    5841ab3f01dd1bdbe3ea1ff52e5a3f81395d7e01

    SHA256

    d4b48b1187487d808b0b52cf9035df861bad76f874b24cf84c59c2e50c33b00d

    SHA512

    1156e36c2309ae480bdd43fa3f2ddb234782a602dd97e098ec66de85b184b7284a7fba5642b1f8984073428542a8bae49867cf5e5455bf199fa698812a8c06d1

  • /data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

    Filesize

    8KB

    MD5

    d0cb6ff9424ac5c0009eeff155fcb654

    SHA1

    20165cbf24b7aa0a548d8421b18d844a3c971a93

    SHA256

    9ac2396c73f99b9914a462e0ad3329fd1e6591fac726c26441be29be30ac0e50

    SHA512

    ff655625af6b65dd4727b31c3175e4e71371cc2c65697c6cadb5c2e2326d41968f3da6ca4513ee25f877fe9098670dacf2afc870a900f1579d685d4199594f2a

  • /data/data/com.systemservice/databases/com.google.android.datatransport.events-journal

    Filesize

    8KB

    MD5

    be9fd8535a8aac38602e8258f2e52322

    SHA1

    e99843ddeca0fe34ef4ec7958f1cc08013cc957f

    SHA256

    d2c98a5fdef91476ca6caae268e3e19159f0877a03cddf3e72beb6aaeff362ce

    SHA512

    a853d39d05f9d1596d54b94e673cb4274426ad87d7d16ac93257a600ff727780e934b976dc95c91f64541fadcba46abf068b6dcdb636c0705e3180f77f93b7df

  • /data/data/com.systemservice/databases/core.db

    Filesize

    36KB

    MD5

    045489a0639eee27bca52f48828cd93d

    SHA1

    436e7966e7c019273c44faa4d8c5709b816dfda3

    SHA256

    0151eae0eec786abb19ab59d7361b3291ae98411fae12cbbdfecd1612e16996e

    SHA512

    c8739a723a8648b0e380b946a97fb6cd83d6c4769ec3679bf4bc003ad0049ff5cccfc8f75a6ea272feced0020b13d3129f792f0f22cf442f0d0127f399eba22e
