3cacfba713f28437ceaebb97b75cf37850cbe4a0c4834f1c592a57d766bafcf8

Analysis

max time kernel
92s
max time network
138s
platform
android_x86
resource
android-x86-arm-20240624-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20240624-enlocale:en-usos:android-9-x86system
submitted
10-11-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OnePlayer_1.2_APKPure.apk
Size

7.5MB
MD5

6ddbc371fa3b2fc5228e0428b17d3cf6
SHA1

b15da4fe4acb5da38741507ca25d46af14aea1a9
SHA256

3cacfba713f28437ceaebb97b75cf37850cbe4a0c4834f1c592a57d766bafcf8
SHA512

9e39140d1edd3bab1ac5ac2aeaca1adcae33c1c091851de144415876ad1c958e16440bccdf6b2dc550d49ccfb5e45857e08f74b85c8885448b46a9c243bd72bd
SSDEEP

196608:gr4lU2ceS9+P9lOtluPsUKDptefViX0+3u4P/c:gi3BSb+sUqgvr

Score

7^/10

discovery evasion impact

Malware Config

Signatures

Checks known Qemu pipes. 1 TTPs 2 IoCs
Checks for known pipes used by the Android emulator to communicate with the host.
evasion

System Checks
T1633.001

Processes:

live.oneplayer

ioc process

/dev/qemu_pipe live.oneplayer
/dev/socket/qemud live.oneplayer

ioc	process
/dev/qemu_pipe	live.oneplayer
/dev/socket/qemud	live.oneplayer

Loads dropped Dex/Jar 1 TTPs 3 IoCs

Runs executable file dropped to the device during analysis.

evasion

Download New Code at Runtime

T1407

Processes:

live.oneplayer/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/live.oneplayer/files/audience_network.dex --output-vdex-fd=78 --oat-fd=80 --oat-location=/data/user/0/live.oneplayer/files/oat/x86/audience_network.odex --compiler-filter=quicken --class-loader-context=&

ioc	pid	process
/data/user/0/live.oneplayer/files/audience_network.dex	4240	live.oneplayer
/data/user/0/live.oneplayer/files/audience_network.dex	4313	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/live.oneplayer/files/audience_network.dex --output-vdex-fd=78 --oat-fd=80 --oat-location=/data/user/0/live.oneplayer/files/oat/x86/audience_network.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/live.oneplayer/files/audience_network.dex	4240	live.oneplayer

Acquires the wake lock 1 IoCs

Processes:

live.oneplayer

description ioc process

Framework service call android.os.IPowerManager.acquireWakeLock live.oneplayer
Queries information about active data network 1 TTPs 1 IoCs
discovery

System Network Connections Discovery
T1421

Processes:

live.oneplayer

description ioc process

Framework service call android.net.IConnectivityManager.getActiveNetworkInfo live.oneplayer
Uses Crypto APIs (Might try to encrypt user data) 1 TTPs 1 IoCs
impact

Data Encrypted for Impact
T1471

Processes:

live.oneplayer

description ioc process

Framework API call javax.crypto.Cipher.doFinal live.oneplayer
Checks CPU information 2 TTPs 1 IoCs

System Checks
T1633.001

System Information Discovery
T1426

Processes:

live.oneplayer

description ioc process

File opened for read /proc/cpuinfo live.oneplayer

description	ioc	process
Framework service call	android.os.IPowerManager.acquireWakeLock	live.oneplayer

description	ioc	process
Framework service call	android.net.IConnectivityManager.getActiveNetworkInfo	live.oneplayer

description	ioc	process
Framework API call	javax.crypto.Cipher.doFinal	live.oneplayer

description	ioc	process
File opened for read	/proc/cpuinfo	live.oneplayer

live.oneplayer
1⤵
- Checks known Qemu pipes.
- Loads dropped Dex/Jar
- Acquires the wake lock
- Queries information about active data network
- Uses Crypto APIs (Might try to encrypt user data)
- Checks CPU information
PID:4240
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/live.oneplayer/files/audience_network.dex --output-vdex-fd=78 --oat-fd=80 --oat-location=/data/user/0/live.oneplayer/files/oat/x86/audience_network.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4313

Network

MITRE ATT&CK Mobile v15

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Download New Code at Runtime

T1407

Virtualization/Sandbox Evasion

T1633

System Checks

T1633.001

Credential Access

Discovery

System Information Discovery

T1426

System Network Connections Discovery

T1421

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Encrypted for Impact

T1471

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/live.oneplayer/databases/google_app_measurement_local.db

Filesize
16KB

MD5
9b51ab3f0cbe40efd36a0b456022f559

SHA1
15b15aff91f965ce58b060a302ed8d6ff946c817

SHA256
fe0845014a2ea66e8a49cb37c2e60db79b9c591801cf175ecdf48014f089ccaa

SHA512
d26f393343fe711d7920d629cb9416c123398df627c182ab7bc8a7beeb0d4ab8044e31d9134ad5dbe86a8c3e10161f92fa5c4dd74b95d6c1c6a05125af7a3737

Download Submit
/data/data/live.oneplayer/databases/google_app_measurement_local.db-journal

Filesize
512B

MD5
975aa37a01ae4c0f190c2e8d3672297b

SHA1
a7274469c7328fe2f9d5c45a8f3aa582a83778a6

SHA256
a4a6c2cbb46d8f749133784441d9226522d7ad4fc603e9bc44d10d35d93cb087

SHA512
5a47d7b474c6dac155f736ce96b82978bb354ee051503dbad0219cee5aaec084901585dc797feccdd8eb39afa4987f3e7f72ffa51071564a19749b7b13f6cd81

Download Submit
/data/data/live.oneplayer/databases/google_app_measurement_local.db-wal

Filesize
36KB

MD5
4d21defc93f2c535faa289db18bac897

SHA1
9af004edaf67e6f19948b7399014aa8a1615e547

SHA256
924490102d96650646e82be11c46a7834b0defad6b5bed739243620570177b1b

SHA512
3215a912d3d7b5a4b17ea25ee46666fcc3b6c586583b8d8137892ce7a2997e959b33bda93f3d79087a1fdee0e3bd233b1f5b1e0cad38c71c4072198efcf5d832

Download Submit
/data/data/live.oneplayer/files/audience_network.dex

Filesize
3.2MB

MD5
da2b94774dcd96d257284f7710cd09c9

SHA1
6825ddecefc435f1de0608ace7f4c7cdd982473d

SHA256
08db2ca6e3f51676dc1c9b114d522ac5ed211ae2e359bf6270066aca651e6932

SHA512
9d548c66030456cf28b4efc7e1c399e455daaba6a4e5f44072e4852f62305547b7d0344d7328f514e901c29130ab5c6cce1c0df5d8dfedfa129083ca1712fe82

Download Submit
/data/data/live.oneplayer/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/data/live.oneplayer/no_backup/androidx.work.workdb-journal

Filesize
512B

MD5
db6f71e4a416db2db266ef79ba1ab211

SHA1
d04c94ecfc8ec3938797b74a8ecd7b5d65260774

SHA256
bb83efe4f1e9caedf44d8136d48c60a1f998c5fe8550dad09f14f0dedc01a76e

SHA512
fabcbeee82fba6ab88378d20b190c37f5d46e4db8cf4ab3bed2248f2c80049104ecaea685d5135f6b7d02e20e2338d8a6825434a5330ab6c2cff79a6f5e4be51

Download Submit
/data/data/live.oneplayer/no_backup/androidx.work.workdb-shm

Filesize
32KB

MD5
bb7df04e1b0a2570657527a7e108ae23

SHA1
5188431849b4613152fd7bdba6a3ff0a4fd6424b

SHA256
c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479

SHA512
768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

Download Submit
/data/data/live.oneplayer/no_backup/androidx.work.workdb-wal

Filesize
16KB

MD5
01bdcca0e9a1617574e280e2c4f5ba4a

SHA1
25161aa98bdaaf2a466e93a96d7550a4ba8d625d

SHA256
348cb0139de6279cdf2154c0976c7379174171a31a562368161d2c627a687d36

SHA512
501d9fec91c14ecf9a4a9a2e08692506a439085bd316c2fbc376a726106748b6ddba82e47cd0ac22f21351454c44fed91e973a3690d056533d0ce5d39fbf6c70

Download Submit
/data/data/live.oneplayer/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
7058c6a0c88d8219134588025f61da56

SHA1
9dfc49bf7e02e1c180879312e8782aa8f8519ea0

SHA256
0343981bc7578636483917393e0391dbfdf36f4ffd8bab69f2f5fe1e30b48de1

SHA512
e1a826290dbfc71108f82977fea23c43a9ab31c04b089fc1614ae0ab24f376bd81e9630a38cd664834b711c10b8ab171bcede89b113e7b90dc8266363a972635

Download Submit
/data/data/live.oneplayer/no_backup/com.google.InstanceId.properties

Filesize
2KB

MD5
87b2d743c098eff78bb6471c4984e90f

SHA1
a320607b45ecd94a62ae1be7dd02101df2e31acf

SHA256
acde7cdb2e1940c413a926de89135ad92cff95567dd710d357cb0b9a8e6c6220

SHA512
3b6070db4250723d779e1753867197dddad99a2ebdd36054eaf5ac61ac5191e5b3fe8a293abe8190bdc266d8ad98556c391a3039df727ce6bfbab8982b1337eb

Download Submit
/data/user/0/live.oneplayer/files/audience_network.dex

Filesize
3.2MB

MD5
c182f01349440c426f8ca2373a6bd8b7

SHA1
e3a63d7a6118605a010b61f7cf8b0e228a041246

SHA256
4978887b084805cb6aa975ac738095a53c67dace937b9cf04dad16a3c23dd847

SHA512
d63ce797ebdeacbf78a5946e02439b6ce6f326f7ae6d2d72e471adefc12ec45e90619fefb6ee2a9da8cfa9c16411009b1621430cb4e4ee561081d7e28c564021

Download Submit