61795af91d31cf452d602dd4ea32504fdee25f629804076f813b02b51c775617

Analysis

max time kernel
148s
max time network
155s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
21/10/2024, 12:27 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MPajak.apk
Size

13.3MB
MD5

884b6cd60e352cf53578f50cdda39ad3
SHA1

ee017e9a61f08d0985ef063c2025c9c2876e0ea2
SHA256

61795af91d31cf452d602dd4ea32504fdee25f629804076f813b02b51c775617
SHA512

682fce76b43a7b16b4bb70aa4a87db900162e9603f6b8c76d3ce11e06638588a5790e556c3e20237eff8ce87dd979ac4cbafa793bce4470da57a11ff4e7c117e
SSDEEP

196608:yNpN6ujPb248uKxXAuUMZblnYhpq9OJMT2quVp5N7VKd1HzHkPq+G9oKkljberkA:+njCRxX3nYhMOJ8s7f7VOT1+/fwQDgB

Score

7^/10

collection credential_access discovery evasion execution impact persistence

Malware Config

Signatures

Makes use of the framework's Accessibility service 4 TTPs 1 IoCs

Retrieves information displayed on the phone screen using AccessibilityService.

collection evasion credential_access

Input Injection

T1516

Screen Capture

T1513

Keylogging

T1417.001

GUI Input Capture

T1417.002

description	ioc	Process
Framework service call	android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId	com.sextest.test

Queries account information for other applications stored on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect account information stored on the device.

collection

Stored Application Data

T1409

description	ioc	Process
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.sextest.test
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.sextest.test:main
Framework service call	android.accounts.IAccountManager.getAccountsAsUser	com.sextest.test:s1

Queries information about running processes on the device 1 TTPs 3 IoCs

Application may abuse the framework's APIs to collect information about running processes on the device.

discovery

Process Discovery

T1424

description	ioc	Process
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sextest.test
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sextest.test:main
Framework service call	android.app.IActivityManager.getRunningAppProcesses	com.sextest.test:s1

Acquires the wake lock 1 IoCs

description	ioc	Process
Framework service call	android.os.IPowerManager.acquireWakeLock	com.sextest.test

Makes use of the framework's foreground persistence service 1 TTPs 1 IoCs

Application may abuse the framework's foreground service to continue running in the foreground.

evasion persistence

Foreground Persistence

T1541

description	ioc	Process
Framework service call	android.app.IActivityManager.setServiceForeground	com.sextest.test

Queries information about active data network 1 TTPs 1 IoCs

discovery

System Network Connections Discovery

T1421

description	ioc	Process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	com.sextest.test

Registers a broadcast receiver at runtime (usually for listening for system events) 1 TTPs 1 IoCs

persistence

Broadcast Receivers

T1624.001

description	ioc	Process
Framework service call	android.app.IActivityManager.registerReceiver	com.sextest.test

Schedules tasks to execute at a specified time 1 TTPs 2 IoCs

Application may abuse the framework's APIs to perform task scheduling for initial or recurring execution of malicious code.

execution persistence

Scheduled Task/Job

T1603

description	ioc	Process
Framework service call	android.app.job.IJobScheduler.schedule	com.sextest.test:main
Framework service call	android.app.job.IJobScheduler.schedule	com.sextest.test

Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 3 IoCs

impact

Data Encrypted for Impact

T1471

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.sextest.test
Framework API call	javax.crypto.Cipher.doFinal	com.sextest.test:main
Framework API call	javax.crypto.Cipher.doFinal	com.sextest.test:s1

com.sextest.test
1⤵
- Makes use of the framework's Accessibility service
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Acquires the wake lock
- Makes use of the framework's foreground persistence service
- Queries information about active data network
- Registers a broadcast receiver at runtime (usually for listening for system events)
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4283
- getprop ro.build.display.id
  2⤵
  PID:4698
- getprop ro.build.display.id
  2⤵
  PID:4811
- getprop ro.build.display.id
  2⤵
  PID:4840
- getprop ro.build.display.id
  2⤵
  PID:4870
- getprop ro.build.display.id
  2⤵
  PID:4893
- getprop ro.build.display.id
  2⤵
  PID:4928
- getprop ro.build.display.id
  2⤵
  PID:4953
- getprop ro.build.display.id
  2⤵
  PID:4988
- getprop ro.build.display.id
  2⤵
  PID:5072
- getprop ro.build.display.id
  2⤵
  PID:5124
- getprop ro.build.display.id
  2⤵
  PID:5147
- getprop ro.build.display.id
  2⤵
  PID:5185
- getprop ro.build.display.id
  2⤵
  PID:5216
- getprop ro.build.display.id
  2⤵
  PID:5243
- getprop ro.build.display.id
  2⤵
  PID:5289
- getprop ro.build.display.id
  2⤵
  PID:5316
- getprop ro.build.display.id
  2⤵
  PID:5338
- getprop ro.build.display.id
  2⤵
  PID:5377
- getprop ro.build.display.id
  2⤵
  PID:5410
- getprop ro.build.display.id
  2⤵
  PID:5429
- getprop ro.build.display.id
  2⤵
  PID:5470
- getprop ro.build.display.id
  2⤵
  PID:5497
- getprop ro.build.display.id
  2⤵
  PID:5518
- getprop ro.build.display.id
  2⤵
  PID:5554
- getprop ro.build.display.id
  2⤵
  PID:5584
- getprop ro.build.display.id
  2⤵
  PID:5602
- getprop ro.build.display.id
  2⤵
  PID:5641
- getprop ro.build.display.id
  2⤵
  PID:5667
- getprop ro.build.display.id
  2⤵
  PID:5689

com.sextest.test:main
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Schedules tasks to execute at a specified time
- Uses Crypto APIs (Might try to encrypt user data)
PID:4377

com.sextest.test:s1
1⤵
- Queries account information for other applications stored on the device
- Queries information about running processes on the device
- Uses Crypto APIs (Might try to encrypt user data)
PID:4418

Network

DNS

semanticlocation-pa.googleapis.com

Remote address:

1.1.1.1:53

Request

semanticlocation-pa.googleapis.com

IN A

Response

semanticlocation-pa.googleapis.com

IN A

172.217.169.42

semanticlocation-pa.googleapis.com

IN A

142.250.187.202

semanticlocation-pa.googleapis.com

IN A

172.217.169.10

semanticlocation-pa.googleapis.com

IN A

172.217.16.234

semanticlocation-pa.googleapis.com

IN A

142.250.180.10

semanticlocation-pa.googleapis.com

IN A

216.58.213.10

semanticlocation-pa.googleapis.com

IN A

142.250.187.234

semanticlocation-pa.googleapis.com

IN A

216.58.212.202

semanticlocation-pa.googleapis.com

IN A

172.217.169.74

semanticlocation-pa.googleapis.com

IN A

142.250.178.10

semanticlocation-pa.googleapis.com

IN A

142.250.179.234

semanticlocation-pa.googleapis.com

IN A

142.250.200.42

semanticlocation-pa.googleapis.com

IN A

216.58.204.74

semanticlocation-pa.googleapis.com

IN A

216.58.201.106

semanticlocation-pa.googleapis.com

IN A

216.58.212.234

semanticlocation-pa.googleapis.com

IN A

142.250.200.10
DNS

www.baidu.com

Remote address:

1.1.1.1:53

Request

www.baidu.com

IN A

Response

www.baidu.com

IN CNAME

www.a.shifen.com

www.a.shifen.com

IN CNAME

www.wshifen.com

www.wshifen.com

IN A

103.235.47.188

www.wshifen.com

IN A

103.235.46.96
GET

http://www.baidu.com/

Remote address:

103.235.47.188:80

Request

GET / HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; AOSP on IA Emulator Build/PSR1.180720.122)
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Content-Encoding: gzip
Content-Length: 1108
Content-Type: text/html
Server: bfe
Date: Mon, 21 Oct 2024 12:27:27 GMT
GET

http://www.baidu.com/

Remote address:

103.235.47.188:80

Request

GET / HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Content-Encoding: gzip
Content-Length: 1108
Content-Type: text/html
Server: bfe
Date: Mon, 21 Oct 2024 12:27:29 GMT
GET

http://www.baidu.com/

Remote address:

103.235.47.188:80

Request

GET / HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Content-Encoding: gzip
Content-Length: 1108
Content-Type: text/html
Server: bfe
Date: Mon, 21 Oct 2024 12:27:32 GMT
GET

http://www.baidu.com/

Remote address:

103.235.47.188:80

Request

GET / HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
Host: www.baidu.com
Connection: Keep-Alive
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Content-Encoding: gzip
Content-Length: 1108
Content-Type: text/html
Server: bfe
Date: Mon, 21 Oct 2024 12:27:36 GMT
DNS

android.apis.google.com

Remote address:

1.1.1.1:53

Request

android.apis.google.com

IN A

Response

android.apis.google.com

IN CNAME

clients.l.google.com

clients.l.google.com

IN A

216.58.213.14
DNS

rpc.ctyn.xyz

Remote address:

1.1.1.1:53

Request

rpc.ctyn.xyz

IN A

Response

rpc.ctyn.xyz

IN A

104.21.87.253

rpc.ctyn.xyz

IN A

172.67.149.70
DNS

rpc.ctyn.xyz

Remote address:

1.1.1.1:53

Request

rpc.ctyn.xyz

IN A
POST

https://rpc.ctyn.xyz/x/command-report?state=0&ty=0

Remote address:

104.21.87.253:443

Request

POST /x/command-report?state=0&ty=0 HTTP/2.0
host: rpc.ctyn.xyz
version: 09221307-Rebuild
type: encryption
content-type: application/json; charset=UTF-8
content-length: 55
accept-encoding: gzip
user-agent: okhttp/4.11.0

Response

HTTP/2.0 200

date: Mon, 21 Oct 2024 12:28:44 GMT
content-type: application/json; charset=UTF-8
content-length: 131
content-encoding: gzip
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-request-id: slmcHlY1t4RURSOPMxnKm31QXeVaMHVu
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L3xRS7nX3NxqQTuf7c8UJMSJ5rV9xazDysd%2B0rR5PUvTRumO6YjP5WmG2G%2FhxskHO7usJ76LE9T1cxJ7IYObWfn5v4whxFW18Pf7L4HqA2i9UoG7vL%2BDQxV%2ByUEaE50%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8d613fc51962cd22-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=39728&sent=8&recv=8&lost=0&retrans=0&sent_bytes=3387&recv_bytes=772&delivery_rate=107657&cwnd=36&unsent_bytes=0&cid=10520102c1ee2955&ts=573&x=0"
POST

https://rpc.ctyn.xyz/x/command-report?state=0&ty=3

Remote address:

104.21.87.253:443

Request

POST /x/command-report?state=0&ty=3 HTTP/2.0
host: rpc.ctyn.xyz
version: 09221307-Rebuild
type: encryption
content-type: application/json; charset=UTF-8
content-length: 55
accept-encoding: gzip
user-agent: okhttp/4.11.0

Response

HTTP/2.0 200

date: Mon, 21 Oct 2024 12:28:44 GMT
content-type: application/json; charset=UTF-8
content-length: 131
content-encoding: gzip
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-request-id: Cg4nZzs4unzyu6gOMCuMMCs1KFQIK2SV
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ot6aiPlbhda00cKlxoNWGxDxNXrVx4lLpI3xQ9LF4qNdh1WEy4o%2Bvd053K%2FHYWxvZFm7eticu7G8IkkSAXZ8sDzfRHDiNeyP5U6igd9fr2OQIkIMM45Qj46umQv0LZE%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8d613fc51960cd22-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=39728&sent=11&recv=8&lost=0&retrans=0&sent_bytes=4314&recv_bytes=772&delivery_rate=107657&cwnd=36&unsent_bytes=0&cid=10520102c1ee2955&ts=584&x=0"
POST

https://rpc.ctyn.xyz/x/command-report?state=0&ty=0

Remote address:

104.21.87.253:443

Request

POST /x/command-report?state=0&ty=0 HTTP/2.0
host: rpc.ctyn.xyz
version: 09221307-Rebuild
type: encryption
content-type: application/json; charset=UTF-8
content-length: 55
accept-encoding: gzip
user-agent: okhttp/4.11.0

Response

HTTP/2.0 200

date: Mon, 21 Oct 2024 12:29:08 GMT
content-type: application/json; charset=UTF-8
content-length: 131
content-encoding: gzip
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-request-id: fFCfDrhMIKudFaqTcyJVtbwsOZGv0BpD
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fGIPCJY82%2Fb8Q15qxaIw5j%2Ft84tKb1%2FG2eddenki0hyrdVLXervmHCghXDPaELiWbPM%2FDOMC624AVuRDDWeF7g8tLaYHml36rfwPL7drE5Qh9vpoD2Y9THcsYE%2BGYMw%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8d6140602e91cd22-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=42955&sent=16&recv=12&lost=0&retrans=0&sent_bytes=4956&recv_bytes=1042&delivery_rate=115371&cwnd=36&unsent_bytes=0&cid=10520102c1ee2955&ts=25144&x=0"
POST

https://rpc.ctyn.xyz/x/command-report?state=0&ty=3

Remote address:

104.21.87.253:443

Request

POST /x/command-report?state=0&ty=3 HTTP/2.0
host: rpc.ctyn.xyz
version: 09221307-Rebuild
type: encryption
content-type: application/json; charset=UTF-8
content-length: 55
accept-encoding: gzip
user-agent: okhttp/4.11.0

Response

HTTP/2.0 200

date: Mon, 21 Oct 2024 12:29:08 GMT
content-type: application/json; charset=UTF-8
content-length: 131
content-encoding: gzip
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-request-id: OlEx3CXZ2xgCs090EG5RBHpJHA6eBLac
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OnlzJUyqepZybcsYyVfqPeuAZHHQRhUek2Sa0Cq0VLnx6hsV7v2ObKF6wH7NkaALERIAUFCRQVJ3BSrSIsFFBgMuZ3TST9DMivVel3%2F%2B0%2FLMVr%2FWiB59fQHJDd7Lhfc%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8d6140602e95cd22-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=42955&sent=19&recv=12&lost=0&retrans=0&sent_bytes=5628&recv_bytes=1042&delivery_rate=115371&cwnd=36&unsent_bytes=0&cid=10520102c1ee2955&ts=25191&x=0"
POST

https://rpc.ctyn.xyz/x/command-report?state=0&ty=0

Remote address:

104.21.87.253:443

Request

POST /x/command-report?state=0&ty=0 HTTP/2.0
host: rpc.ctyn.xyz
version: 09221307-Rebuild
type: encryption
content-type: application/json; charset=UTF-8
content-length: 55
accept-encoding: gzip
user-agent: okhttp/4.11.0

Response

HTTP/2.0 200

date: Mon, 21 Oct 2024 12:29:39 GMT
content-type: application/json; charset=UTF-8
content-length: 131
content-encoding: gzip
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-request-id: 80mGyAkwNAWEd4ozTxRTkJIiukfhoy1y
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7uB757GChg1Lsy%2FgksoJwaEBcjDoRF7tE3wGyq8jh%2BXoPpAu2zBIQ%2FYEa9LwwYB8y%2B3VrabnGvQCyJ80Y8ugLc7YLHr8dV5Ykzewk1LRr5e1xh52jNP3dM7In%2FU5qxI%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8d614121dc58cd22-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49414&sent=25&recv=16&lost=0&retrans=1&sent_bytes=6888&recv_bytes=1312&delivery_rate=115371&cwnd=36&unsent_bytes=0&cid=10520102c1ee2955&ts=56140&x=0"
POST

https://rpc.ctyn.xyz/x/command-report?state=0&ty=3

Remote address:

104.21.87.253:443

Request

POST /x/command-report?state=0&ty=3 HTTP/2.0
host: rpc.ctyn.xyz
version: 09221307-Rebuild
type: encryption
content-type: application/json; charset=UTF-8
content-length: 55
accept-encoding: gzip
user-agent: okhttp/4.11.0

Response

HTTP/2.0 200

date: Mon, 21 Oct 2024 12:29:39 GMT
content-type: application/json; charset=UTF-8
content-length: 131
content-encoding: gzip
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-request-id: 3RNJN5IHqSMTSv6AxWJuqnuUVwHqvr5e
x-xss-protection: 1; mode=block
strict-transport-security: max-age=31536000
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pVyOYKbrR%2BfRwR1M4Tb2LCojqQYZujKNszgnVWqVbjkNxTiPVDYoqbvIkpsJ3mhb%2FN38VUHjdCWRyWdoPmwgeFBcTx0tENUNY4qOz%2FG8f%2BmdIUL69mHsSpCznOWcFs4%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8d614121dc5acd22-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=49414&sent=28&recv=16&lost=0&retrans=1&sent_bytes=7561&recv_bytes=1312&delivery_rate=115371&cwnd=36&unsent_bytes=0&cid=10520102c1ee2955&ts=56144&x=0"

103.235.47.188:80

http://www.baidu.com/

http

569 B
2.9kB
9
7

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
103.235.47.188:80

http://www.baidu.com/

http

741 B
3.1kB
13
13

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
103.235.47.188:80

http://www.baidu.com/

http

701 B
3.6kB
12
11

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
103.235.47.188:80

http://www.baidu.com/

http

821 B
3.6kB
14
11

HTTP Request

GET http://www.baidu.com/

HTTP Response

200
142.250.187.206:443

https

2.3kB
40 B
2
1
216.58.213.14:443

android.apis.google.com

tls

9.4kB
9.4kB
22
25
216.58.213.14:443

android.apis.google.com

tls

2.8kB
5.8kB
10
8
104.21.87.253:443

rpc.ctyn.xyz

tls, http2

913 B
3.7kB
10
7
104.21.87.253:443

https://rpc.ctyn.xyz/x/command-report?state=0&ty=3

tls, http2

3.0kB
9.1kB
25
29

HTTP Request

POST https://rpc.ctyn.xyz/x/command-report?state=0&ty=0

HTTP Request

POST https://rpc.ctyn.xyz/x/command-report?state=0&ty=3

HTTP Response

200

HTTP Response

200

HTTP Request

POST https://rpc.ctyn.xyz/x/command-report?state=0&ty=0

HTTP Request

POST https://rpc.ctyn.xyz/x/command-report?state=0&ty=3

HTTP Response

200

HTTP Response

200

HTTP Request

POST https://rpc.ctyn.xyz/x/command-report?state=0&ty=0

HTTP Request

POST https://rpc.ctyn.xyz/x/command-report?state=0&ty=3

HTTP Response

200

HTTP Response

200

224.0.0.251:5353

3.8kB
12
1.1.1.1:53

semanticlocation-pa.googleapis.com

dns

80 B
336 B
1
1

DNS Request

semanticlocation-pa.googleapis.com

DNS Response

172.217.169.42

142.250.187.202

172.217.169.10

172.217.16.234

142.250.180.10

216.58.213.10

142.250.187.234

216.58.212.202

172.217.169.74

142.250.178.10

142.250.179.234

142.250.200.42

216.58.204.74

216.58.201.106

216.58.212.234

142.250.200.10
1.1.1.1:53

www.baidu.com

dns

59 B
144 B
1
1

DNS Request

www.baidu.com

DNS Response

103.235.47.188

103.235.46.96
1.1.1.1:53

android.apis.google.com

dns

69 B
109 B
1
1

DNS Request

android.apis.google.com

DNS Response

216.58.213.14
1.1.1.1:53

rpc.ctyn.xyz

dns

116 B
90 B
2
1

DNS Request

rpc.ctyn.xyz

DNS Request

rpc.ctyn.xyz

DNS Response

104.21.87.253

172.67.149.70

MITRE ATT&CK Mobile v15

Initial Access

Execution

Scheduled Task/Job

T1603

Persistence

Event Triggered Execution

T1624

Broadcast Receivers

T1624.001

Foreground Persistence

T1541

Scheduled Task/Job

T1603

Privilege Escalation

Defense Evasion

Foreground Persistence

T1541

Input Injection

T1516

Credential Access

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Discovery

Process Discovery

T1424

System Network Connections Discovery

T1421

Lateral Movement

Collection

Input Capture

T1417

GUI Input Capture

T1417.002

Keylogging

T1417.001

Screen Capture

T1513

Stored Application Data

T1409

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Input Injection

T1516

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.sextest.test/no_backup/androidx.work.workdb

Filesize
100KB

MD5
02f831cd6d6a56dbad88763c475b3c3d

SHA1
a28e54e8b964d12975b50dd9802ba40a03f3a620

SHA256
796d0a37cfe4e5a14f1343358a1656e0a3a0e89863bb7b1ab384902c10dd3cf3

SHA512
6beadb446638aeaba6ef4be9441b2c1cdae6a9f3a6a4b8e653326ddb4eac178f5c6a3152c018eb5483e420c77ef1002cd3dbc34cdb54c24e492d9b8fa55764c1

Download Submit
/data/data/com.sextest.test/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/com.sextest.test/no_backup/androidx.work.workdb-wal

Filesize
410KB

MD5
f6e3e87271f06bb3d54cf794f06c2b72

SHA1
b368b764d1482af7870eccd702e8ae93b65d1155

SHA256
94725d6ebb37f815e201b719f59ee562f56b92917985ef46a3fc99a35ea6e613

SHA512
d034e01ed66e9df3c8c4da08cb75cf7043d34992359bb3f739791e237e641d65c993680467b514801e1cb6feabb451fe7346e602c0a37502c6a835abfadae705

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

MITRE ATT&CK Mobile v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.