Analysis Overview
SHA256
1b1eebac29f8ab1a41e5f20bbdceefb3341e93bc3d55a0f995c902b0fe877fe2
Threat Level: Known bad
The file app-release.apk was found to be: Known bad.
Malicious Activity Summary
Antidot payload
Antidot family
Loads dropped Dex/Jar
Queries information about active data network
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 05:53
Signatures
Antidot family
Antidot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 05:53
Reported
2024-11-25 05:56
Platform
android-x86-arm-20240624-en
Max time kernel
2s
Max time network
132s
Command Line
Signatures
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.200.10:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.200.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| GB | 142.250.178.10:443 | semanticlocation-pa.googleapis.com | tcp |
Files
/data/misc/profiles/cur/0/com.topjohnwu.magisk/primary.prof
| MD5 | 75a79b30aa58e1e567a00bd82c96e5f9 |
| SHA1 | 3a4c2fe041a5085f0d187343243f0e73cbade028 |
| SHA256 | a395df904939f7e8700204f0f98d2360ae9e2bb85d1d394645f66328d3165653 |
| SHA512 | dbf38af1c4ee4e701580dd44930efa22b147f9ecefb015b56aa3569615c6f15bf0a1fc8879eec40ca309f87ccc5e99091053179354647aa6b46ce6c7e86adb17 |
/data/data/com.topjohnwu.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | ce8809c22f0ec995cd351b89f6371269 |
| SHA1 | 1b6202fc9b7f7177322b9522d1207520b4bf6edb |
| SHA256 | 80ddf1d5957ce1dd92bd8c0aeab768d7556c8c6eb170c9dc6e7a2e63fa120fc9 |
| SHA512 | f79182f3b4ecfc7c0c671529b31f3eb42b08c94ddeb256b1e5f7bde2941d73d01b081884e4dd48b5d62c256f1984de421072d8018717e8c1d1d7d54ebca5f782 |
/data/data/com.topjohnwu.magisk/files/profileInstalled
| MD5 | 75b4890066fbd3ecf811b4c55a44df78 |
| SHA1 | e10ef193dd582019f1947fda28a01782ff86ee73 |
| SHA256 | d39b75f98c233bd502f0d8e7c525777595ada8f83a4a5a1bb28aa279ce1bbba5 |
| SHA512 | 150eb1e62bfc0a073c197772fdba6da7f40e9ccc81fd75fdab1ee63d2b6ac6ed225c43279f16d4a069de189a041862b55e71592cc3cd3b93c459bf2cb0ae581d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-25 05:53
Reported
2024-11-25 05:56
Platform
android-33-x64-arm64-20240624-en
Max time kernel
7s
Max time network
133s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /system_ext/framework/androidx.window.extensions.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.extensions.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.228:443 | udp | |
| GB | 142.250.187.228:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp |
| US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp |
| GB | 142.250.187.238:443 | tcp | |
| GB | 142.250.187.238:443 | tcp | |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 142.250.187.202:443 | remoteprovisioning.googleapis.com | tcp |
| US | 162.159.61.3:443 | tcp | |
| US | 162.159.61.3:443 | tcp | |
| US | 162.159.61.3:443 | udp | |
| GB | 172.217.16.227:443 | tcp | |
| GB | 172.217.16.227:443 | udp | |
| GB | 142.250.187.228:443 | tcp | |
| GB | 142.250.178.4:443 | tcp | |
| GB | 142.250.178.4:443 | tcp | |
| GB | 142.250.187.228:443 | udp |
Files
/system_ext/framework/androidx.window.extensions.jar
| MD5 | 3056e1bdb7d4e19789d0319eff484bd0 |
| SHA1 | 6791ae47aa9466fe0bca27ad6643f846853bbee4 |
| SHA256 | 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0 |
| SHA512 | c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658 |
/system_ext/framework/androidx.window.sidecar.jar
| MD5 | 29469324e59dfcc052f24b5af4e7b2c4 |
| SHA1 | 10c1e17ac6f598037bb51baa07945663645de4eb |
| SHA256 | 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a |
| SHA512 | 5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2 |
/data/misc/profiles/cur/0/com.topjohnwu.magisk/primary.prof
| MD5 | 21bfb2f028e93dd984e218d6ca0b9c96 |
| SHA1 | 85fd6405930177cf328a066a06eab8636e370c6c |
| SHA256 | 4b71e39a22ec559c4cc8f8306273c4d566453a743c0539b6b8995dc6d679756e |
| SHA512 | 8c9d932f0a49bb0128469a061c2197de9be9da746fa382cac241364cea7fc0dd459018abbc473c8b2d64859edf376dc656c9279ed00d748f57a0343a6ca78f9a |
/data/data/com.topjohnwu.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | af5814bac4a2f6ba3b4865c39c432a47 |
| SHA1 | bbd268bd4c5f9decaea6f01eca396d1fb51a63d3 |
| SHA256 | 73452769bf47801ac8cda0ea7149190671d858a9d563c8b0cc26df5ab3c35cb3 |
| SHA512 | 3168f725d1210091947aae1e30af6da239418f81a9aafd71b2535bec89fce76c03b33c422be16250d34af9413af91823c16a1c032040bc6879b96fe277b108ac |
/data/data/com.topjohnwu.magisk/files/profileInstalled
| MD5 | 42363cfb12037fb5704288315352ba41 |
| SHA1 | 826bd8edaa2ee145849e6b4de308f45efff0ebe4 |
| SHA256 | 8b173bead50ba3e411d8c7553a5e54f4c24fbc7b1a48a7f3be28b8d3c3f84796 |
| SHA512 | c0eb48905afcabf96abad4115e071f0863f36d6ad3066d303f3fe6a4cac8085151d397621c02111093d298dbfde3ea5d21301404af84b05c292ba283bb59c427 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-25 05:53
Reported
2024-11-25 05:56
Platform
android-x86-arm-20240624-en
Max time kernel
7s
Max time network
131s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.180.10:443 | tcp | |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
Files
/data/data/com.topjohnwu.magisk/code_cache/res.apk
| MD5 | 04d345a7d7a47bff8d3668fc078b0209 |
| SHA1 | fffd08c3bb41379f9b8fed47f47cf54f7d3e328e |
| SHA256 | 68e19e24dae20a5e4d1598434065cc29d245b5ee33e3bbc3c83a7a853882fb2e |
| SHA512 | a4a1f386ea330b578763296be465b9ea2a280487a54ca92aea673b28478d2c11c5d27ecac47fa84a6c50df90be598f59c7afbf4e525b539bec8fa562bf789934 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-25 05:53
Reported
2024-11-25 05:56
Platform
android-x64-20240624-en
Max time kernel
7s
Max time network
136s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 172.217.169.72:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.179.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.200.14:443 | android.apis.google.com | tcp |
| GB | 142.250.179.228:443 | tcp | |
| GB | 142.250.179.228:443 | tcp |
Files
/data/data/com.topjohnwu.magisk/code_cache/res.apk
| MD5 | 04d345a7d7a47bff8d3668fc078b0209 |
| SHA1 | fffd08c3bb41379f9b8fed47f47cf54f7d3e328e |
| SHA256 | 68e19e24dae20a5e4d1598434065cc29d245b5ee33e3bbc3c83a7a853882fb2e |
| SHA512 | a4a1f386ea330b578763296be465b9ea2a280487a54ca92aea673b28478d2c11c5d27ecac47fa84a6c50df90be598f59c7afbf4e525b539bec8fa562bf789934 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-25 05:53
Reported
2024-11-25 05:56
Platform
android-x64-arm64-20240910-en
Max time kernel
6s
Max time network
154s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.201.110:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 216.58.204.78:443 | www.youtube.com | udp |
| GB | 216.58.204.78:443 | www.youtube.com | tcp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp |
| US | 216.239.36.223:443 | tcp | |
| GB | 142.250.187.206:443 | www.youtube.com | tcp |
| GB | 142.250.187.193:443 | tcp | |
| GB | 216.58.201.97:443 | tcp | |
| US | 216.239.34.223:443 | tcp | |
| US | 216.239.34.223:443 | tcp |