Analysis Overview
SHA256
cd37275d2fd81ca39fdd7785d6592c4a746821c68a92472bb825073e760742f6
Threat Level: Known bad
The file f608d71b0e87b52c5679afd08902b5f5.apk was found to be: Known bad.
Malicious Activity Summary
Antidot payload
Antidot family
Queries information about running processes on the device
Declares services with permission to bind to the system
Requests dangerous framework permissions
Queries information about active data network
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-25 08:15
Signatures
Antidot family
Antidot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application a broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A |
| Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A |
| Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-25 08:15
Reported
2024-11-25 08:19
Platform
android-x64-arm64-20240624-en
Max time kernel
149s
Max time network
132s
Command Line
Signatures
Queries information about running processes on the device
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.ranger.cheat
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.179.238:443 | tcp | |
| GB | 142.250.179.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.187.206:443 | android.apis.google.com | tcp |
| HK | 156.236.107.21:10001 | tcp | |
| HK | 156.236.107.21:10001 | tcp | |
| US | 1.1.1.1:53 | kgoyt.com | udp |
| IN | 62.72.28.35:443 | kgoyt.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.187.196:443 | tcp | |
| GB | 142.250.187.196:443 | tcp |
Files
/data/misc/profiles/cur/0/com.ranger.cheat/primary.prof
| MD5 | 874bffb97ee10e6d0ded298258846d0a |
| SHA1 | c1f6ccf57986a7ba77ef850078030dabc38c8db2 |
| SHA256 | b1a6b1960cd65907f926f46e0e0fae3bfb4f2234419f7309906de743fd485903 |
| SHA512 | 87cdc2aacf45e57a4c5d2fd164731644d4a66b94311b11b9d81f83e9d33ee34b9df30d3ab5639a441ff7c769584b41eed85daf412b0c75640069a3ad82506cbd |
/data/user/0/com.ranger.cheat/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | f9c8c727be3071594103b6354925a87c |
| SHA1 | fa76ba1be32408a13c6ea8512eecb9ba86d7cee1 |
| SHA256 | a8ad8986ba47910427c41c8a81b0ae234152978f5a07b825cd77b1ce75cf590b |
| SHA512 | 17d4b635d0cd3150bfcf2d5b75ff2a3a4a16853e3cc089436d924a71079e3dc85d0fe33e3cef30bcf34fdbbf13d25caa19679a4f92581006194369583bd2dbf0 |