Malware Analysis Report

2025-01-19 06:51

Sample ID 241125-j5mcrsxma1
Target f608d71b0e87b52c5679afd08902b5f5.apk
SHA256 cd37275d2fd81ca39fdd7785d6592c4a746821c68a92472bb825073e760742f6
Tags: antidot, discovery
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: cd37275d2fd81ca39fdd7785d6592c4a746821c68a92472bb825073e760742f6

Threat Level: Known bad

The file f608d71b0e87b52c5679afd08902b5f5.apk was found to be: Known bad.

Malicious Activity Summary

antidot discovery

Antidot payload

Antidot family

Queries information about running processes on the device

Declares services with permission to bind to the system

Requests dangerous framework permissions

Queries information about active data network

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-25 08:15

Signatures

Antidot family

antidot

Antidot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by VPN services to bind with the system. Allows apps to provision VPN services. | android.permission.BIND_VPN_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application broad access to external storage under scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Allows read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A
Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-25 08:15

Reported: 2024-11-25 08:19

Platform: android-x64-arm64-20240624-en

Max time kernel: 149s

Max time network: 132s

Command Line

com.ranger.cheat

Signatures

Queries information about running processes on the device

discovery
Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.getRunningAppProcesses | N/A | N/A

Queries information about active data network

discovery
Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

com.ranger.cheat

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.179.238:443 | | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
HK | 156.236.107.21:10001 | | tcp
HK | 156.236.107.21:10001 | | tcp
US | 1.1.1.1:53 | kgoyt.com | udp
IN | 62.72.28.35:443 | kgoyt.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.196:443 | | tcp
GB | 142.250.187.196:443 | | tcp

Files

/data/misc/profiles/cur/0/com.ranger.cheat/primary.prof

MD5 874bffb97ee10e6d0ded298258846d0a
SHA1 c1f6ccf57986a7ba77ef850078030dabc38c8db2
SHA256 b1a6b1960cd65907f926f46e0e0fae3bfb4f2234419f7309906de743fd485903
SHA512 87cdc2aacf45e57a4c5d2fd164731644d4a66b94311b11b9d81f83e9d33ee34b9df30d3ab5639a441ff7c769584b41eed85daf412b0c75640069a3ad82506cbd

/data/user/0/com.ranger.cheat/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 f9c8c727be3071594103b6354925a87c
SHA1 fa76ba1be32408a13c6ea8512eecb9ba86d7cee1
SHA256 a8ad8986ba47910427c41c8a81b0ae234152978f5a07b825cd77b1ce75cf590b
SHA512 17d4b635d0cd3150bfcf2d5b75ff2a3a4a16853e3cc089436d924a71079e3dc85d0fe33e3cef30bcf34fdbbf13d25caa19679a4f92581006194369583bd2dbf0