Malware Analysis Report

2024-12-01 02:56

Sample ID 241116-2lw2zavlaw
Target no_dropper.apk
SHA256 0b76e0e7ed26277903223f3b0868cf303f8a6b5c05c045eb94a6d6ca3e9a4f89
Tags
tgtoxic collection credential_access discovery evasion persistence banker execution impact infostealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0b76e0e7ed26277903223f3b0868cf303f8a6b5c05c045eb94a6d6ca3e9a4f89

Threat Level: Known bad

The file no_dropper.apk was found to be: Known bad.

Malicious Activity Summary

tgtoxic collection credential_access discovery evasion persistence banker execution impact infostealer trojan

TgToxic payload

TgToxic

Tgtoxic family

TgToxic_v2 payload

Obtains sensitive information copied to the device clipboard

Queries information about running processes on the device

Makes use of the framework's Accessibility service

Checks known Qemu pipes.

Reads information about phone network operator.

Declares services with permission to bind to the system

Requests disabling of battery optimizations (often used to enable hiding in the background).

Acquires the wake lock

Makes use of the framework's foreground persistence service

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Performs UI accessibility actions on behalf of the user

Requests dangerous framework permissions

Schedules tasks to execute at a specified time

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-16 22:40

Signatures

TgToxic payload

Description Indicator Process Target
N/A N/A N/A N/A

TgToxic_v2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Tgtoxic family

tgtoxic

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description Indicator Process Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. android.permission.BIND_DEVICE_ADMIN N/A N/A

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an app to turn the screen on, e.g. with PowerManager.ACQUIRE_CAUSES_WAKEUP. android.permission.TURN_SCREEN_ON N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an application broad access to external storage under scoped storage. android.permission.MANAGE_EXTERNAL_STORAGE N/A N/A
Allows an application to read image files from external storage. android.permission.READ_MEDIA_IMAGES N/A N/A
Allows an application to read video files from external storage. android.permission.READ_MEDIA_VIDEO N/A N/A
Allows an application to read audio files from external storage. android.permission.READ_MEDIA_AUDIO N/A N/A
Required to be able to connect to paired Bluetooth devices. android.permission.BLUETOOTH_CONNECT N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows applications to use exact alarm APIs. android.permission.SCHEDULE_EXACT_ALARM N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 22:40

Reported

2024-11-16 22:43

Platform

android-x64-20240624-en

Max time kernel

149s

Max time network

151s

Command Line

com.example.mysoul

Signatures

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Reads information about phone network operator.

discovery

Processes

com.example.mysoul

com.example.mysoul

com.example.mysoul

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.180.8:443 ssl.google-analytics.com tcp
GB 142.250.179.238:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.187.238:443 android.apis.google.com tcp
GB 142.250.180.4:443 tcp
GB 142.250.180.4:443 tcp
GB 216.58.201.98:443 tcp
GB 172.217.169.46:443 tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp

Files

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-journal

/data/data/com.example.mysoul/no_backup/androidx.work.workdb

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-shm

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 22:40

Reported

2024-11-16 22:43

Platform

android-x64-arm64-20240624-en

Max time kernel

146s

Max time network

134s

Command Line

com.example.mysoul

Signatures

TgToxic

infostealer trojan banker tgtoxic

Tgtoxic family

tgtoxic

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Performs UI accessibility actions on behalf of the user

evasion
Description Indicator Process Target
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A
N/A android.accessibilityservice.IAccessibilityServiceConnection.performGlobalAction N/A N/A

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.example.mysoul

com.example.mysoul

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 142.250.187.206:443 tcp
GB 142.250.187.206:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.179.232:443 ssl.google-analytics.com tcp
GB 142.250.179.228:443 tcp
GB 142.250.179.228:443 tcp

Files

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-journal

/data/data/com.example.mysoul/no_backup/androidx.work.workdb

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-shm

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

/data/data/com.example.mysoul/files/wiekkdu739hdn

/data/data/com.example.mysoul/files/lang/ar.json

/data/data/com.example.mysoul/files/lang/de.json

/data/data/com.example.mysoul/files/lang/en.json

/data/data/com.example.mysoul/files/lang/es.json

/data/data/com.example.mysoul/files/lang/fa.json

/data/data/com.example.mysoul/files/lang/fil.json

/data/data/com.example.mysoul/files/lang/fr.json

/data/data/com.example.mysoul/files/lang/hi.json

/data/data/com.example.mysoul/files/lang/in.json

/data/data/com.example.mysoul/files/lang/it.json

/data/data/com.example.mysoul/files/lang/iw.json

/data/data/com.example.mysoul/files/lang/ja.json

/data/data/com.example.mysoul/files/lang/ko.json

/data/data/com.example.mysoul/files/lang/ms.json

/data/data/com.example.mysoul/files/lang/pt.json

/data/data/com.example.mysoul/files/lang/ru.json

/data/data/com.example.mysoul/files/lang/th.json

/data/data/com.example.mysoul/files/lang/tr.json

/data/data/com.example.mysoul/files/lang/vi.json

/data/data/com.example.mysoul/files/lang/vn.json

/data/data/com.example.mysoul/files/lang/zh.json

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-16 22:40

Reported

2024-11-16 22:43

Platform

android-x86-arm-20240910-en

Max time kernel

135s

Max time network

152s

Command Line

com.example.mysoul

Signatures

Checks known Qemu pipes.

evasion
Description Indicator Process Target
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A
N/A /dev/socket/qemud N/A N/A
N/A /dev/qemu_pipe N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Queries information about running processes on the device

discovery
Description Indicator Process Target
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A
Framework service call android.app.IActivityManager.getRunningAppProcesses N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A
File opened for read /proc/cpuinfo N/A N/A

Processes

com.example.mysoul

com.example.mysoul

/system/bin/cat /proc/cpuinfo

com.example.mysoul

/system/bin/cat /proc/cpuinfo

com.example.mysoul

/system/bin/cat /proc/cpuinfo

com.example.mysoul

/system/bin/cat /proc/cpuinfo

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
GB 216.58.201.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.201.110:443 android.apis.google.com tcp
GB 142.250.187.196:443 tcp

Files

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-journal

/data/data/com.example.mysoul/no_backup/androidx.work.workdb

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-shm

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal

/data/data/com.example.mysoul/no_backup/androidx.work.workdb-wal
