Analysis Overview
SHA256
480202492f12938f93798c2ecbc4d68ffdb16aac0c644d63986f17180ae46538
Threat Level: Shows suspicious behavior
The file Incredibox-Sprunki.apk was found to show suspicious behavior.
Malicious Activity Summary
Obtains sensitive information copied to the device clipboard
Loads dropped Dex/Jar
Requests dangerous framework permissions
Queries the mobile country code (MCC)
Registers a broadcast receiver at runtime (usually for listening for system events)
Checks memory information
Checks CPU information
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-11 16:26
Signatures
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-11 16:26
Reported
2024-11-11 16:29
Platform
android-x86-arm-20240624-en
Max time kernel
47s
Max time network
137s
Command Line
Signatures
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
co.median.android.leezlz
Network
Files
/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json
/data/data/co.median.android.leezlz/files/INSTALLATION
/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof
/data/data/co.median.android.leezlz/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/co.median.android.leezlz/files/profileInstalled
/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-11 16:26
Reported
2024-11-11 16:29
Platform
android-x64-20240624-en
Max time kernel
47s
Max time network
158s
Command Line
Signatures
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Queries the mobile country code (MCC)
| Description | Indicator | Process | Target |
| Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A |
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
co.median.android.leezlz
Network
Files
/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json
/data/data/co.median.android.leezlz/files/INSTALLATION
/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof
/data/data/co.median.android.leezlz/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
/data/data/co.median.android.leezlz/files/profileInstalled
/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-11 16:26
Reported
2024-11-11 16:29
Platform
android-x64-arm64-20240624-en
Max time kernel
19s
Max time network
134s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
Obtains sensitive information copied to the device clipboard
| Description | Indicator | Process | Target |
| Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A |
Checks CPU information
| Description | Indicator | Process | Target |
| File opened for read | /proc/cpuinfo | N/A | N/A |
Checks memory information
| Description | Indicator | Process | Target |
| File opened for read | /proc/meminfo | N/A | N/A |
Processes
co.median.android.leezlz
Network
Files
/system_ext/framework/androidx.window.sidecar.jar
/data/data/co.median.android.leezlz/files/gonative-config/regexintext.json
/data/data/co.median.android.leezlz/files/INSTALLATION
/data/misc/profiles/cur/0/co.median.android.leezlz/primary.prof
/data/data/co.median.android.leezlz/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat