Malware Analysis Report

2025-01-19 05:49

Sample ID 241127-3dlrpsvpfz
Target 19605d10876e75e584278116e31b97832c6348054c2505ae9a2aa77a3135aef6
SHA256 19605d10876e75e584278116e31b97832c6348054c2505ae9a2aa77a3135aef6
Tags
octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan tanglebot spyware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Mobile Matrix V15
Analysis: static1
    Detonation Overview, Signatures
Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

19605d10876e75e584278116e31b97832c6348054c2505ae9a2aa77a3135aef6

Threat Level: Known bad

The file 19605d10876e75e584278116e31b97832c6348054c2505ae9a2aa77a3135aef6 was found to be: Known bad.

Malicious Activity Summary

octo banker collection credential_access discovery evasion impact infostealer persistence rat trojan tanglebot spyware

TangleBot

Tanglebot family

Octo

Octo payload

Octo family

TangleBot payload

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Queries the phone number (MSISDN for GSM devices)

Obtains sensitive information copied to the device clipboard

Checks Android system properties for emulator presence.

Makes use of the framework's foreground persistence service

Reads information about phone network operator.

Acquires the wake lock

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Queries the unique device ID (IMEI, MEID, IMSI)

Requests dangerous framework permissions

Declares services with permission to bind to the system

Queries the mobile country code (MCC)

Registers a broadcast receiver at runtime (usually for listening for system events)

Uses Crypto APIs (Might try to encrypt user data)

Checks CPU information

Checks memory information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-27 23:23

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Indicator: Description (Process and Target are not applicable to static signatures)
android.permission.BIND_DEVICE_ADMIN: Required by device admin receivers to bind with the system. Allows apps to manage device administration features.

Declares services with permission to bind to the system

Indicator: Description (Process and Target are not applicable to static signatures)
android.permission.BIND_ACCESSIBILITY_SERVICE: Required by accessibility services to bind with the system. Allows apps to access accessibility features.
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE: Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device.

Requests dangerous framework permissions

Indicator: Description (Process and Target are not applicable to static signatures)
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installing packages.
android.permission.MANAGE_EXTERNAL_STORAGE: Allows an application broad access to external storage under scoped storage.
android.permission.ACCESS_FINE_LOCATION: Allows an app to access precise location.
android.permission.RECORD_AUDIO: Allows an application to record audio.
android.permission.BLUETOOTH_CONNECT: Required to be able to connect to paired Bluetooth devices.
android.permission.CAMERA: Required to be able to access the camera device.
android.permission.READ_MEDIA_AUDIO: Allows an application to read audio files from external storage.
android.permission.READ_MEDIA_IMAGES: Allows an application to read image files from external storage.
android.permission.READ_MEDIA_VISUAL_USER_SELECTED: Allows an application to read image or video files from external storage that the user has selected via the photo picker permission prompt.
android.permission.ACCESS_MEDIA_LOCATION: Allows an application to access any geographic locations persisted in the user's shared collection.
android.permission.ACCESS_COARSE_LOCATION: Allows an app to access approximate location.
android.permission.POST_NOTIFICATIONS: Allows an app to post notifications.
android.permission.READ_MEDIA_VIDEO: Allows an application to read video files from external storage.
android.permission.READ_CONTACTS: Allows an application to read the user's contacts data.
android.permission.SYSTEM_ALERT_WINDOW: Allows an app to create windows of type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps.
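The static1 signatures above amount to a permission profile: system bind permissions on the app's own components (accessibility, notification listener, device admin) plus SYSTEM_ALERT_WINDOW and a broad set of dangerous permissions. The script below is an added example, not tooling from the sandbox or code from the sample: it parses an AndroidManifest.xml and reports the dangerous permissions requested, the components that carry a system bind permission, and whether the overlay-plus-accessibility combination that characterises Android bankers is present. The manifest it runs on is constructed to mirror the permission list in this report; the component names (com.example.*) are placeholders, not names from the sample.

```python
"""Triage an AndroidManifest.xml for the permission profile seen under static1.

Added example; not the sandbox's or the sample's code. The manifest below is
constructed to mirror the report's permission list, with placeholder
component names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Dangerous/special permissions the static1 signature lists.
DANGEROUS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.MANAGE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_MEDIA_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.BLUETOOTH_CONNECT",
    "android.permission.READ_MEDIA_AUDIO",
    "android.permission.READ_MEDIA_IMAGES",
    "android.permission.READ_MEDIA_VIDEO",
    "android.permission.READ_MEDIA_VISUAL_USER_SELECTED",
    "android.permission.POST_NOTIFICATIONS",
    "android.permission.READ_CONTACTS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Only the system holds these. An app that requires one on a component is
# asking to be bound by the OS as that kind of privileged component.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification listener",
    "android.permission.BIND_DEVICE_ADMIN": "device admin receiver",
}


def _android(elem, attr):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {_android(e, "name") for e in root.iter("uses-permission")}
    bound = []
    for tag in ("service", "receiver"):
        for comp in root.iter(tag):
            kind = BIND_PERMISSIONS.get(_android(comp, "permission"))
            if kind:
                bound.append((tag, _android(comp, "name"), kind))
    kinds = {kind for _, _, kind in bound}
    return {
        "dangerous": sorted(requested & DANGEROUS),
        "bound_components": bound,
        # Overlay window + accessibility service is the minimum an overlay
        # banker needs: draw a fake login on top of the real app, then read
        # and act on the UI tree.
        "overlay_banker_profile": (
            "android.permission.SYSTEM_ALERT_WINDOW" in requested
            and "accessibility service" in kinds
        ),
    }


# Constructed manifest mirroring the static1 permission list (placeholder names).
SAMPLE_MANIFEST = (
    '<manifest xmlns:android="%s" package="com.example.sample">' % ANDROID_NS
    + "".join('<uses-permission android:name="%s"/>' % p
              for p in sorted(DANGEROUS) + ["android.permission.INTERNET"])
    + "<application>"
    '<service android:name="com.example.A11y" android:exported="true"'
    ' android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>'
    '<service android:name="com.example.Notif" android:exported="true"'
    ' android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>'
    '<receiver android:name="com.example.Admin" android:exported="true"'
    ' android:permission="android.permission.BIND_DEVICE_ADMIN"/>'
    '<service android:name="com.example.Fg" android:foregroundServiceType="dataSync"/>'
    "</application></manifest>"
)

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for perm in result["dangerous"]:
        print("dangerous:", perm)
    for tag, name, kind in result["bound_components"]:
        print("bound %s %s as %s" % (tag, name, kind))
    print("overlay banker profile:", result["overlay_banker_profile"])
```

Run it against a manifest extracted with apktool or androguard; the bind-permission check is the stronger signal, since legitimate apps almost never declare an accessibility service, a notification listener and a device admin receiver together.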

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-27 23:23

Reported

2024-11-27 23:26

Platform

android-33-x64-arm64-20240624-en

Max time kernel

149s

Max time network

155s

Command Line

com.zreceiver96soundcontacts

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zreceiver96soundcontacts/app_latin/EJEX.json N/A N/A
N/A /data/user/0/com.zreceiver96soundcontacts/[email protected] N/A N/A
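The payloads loaded here and in the other runs are written under data-looking names (app_latin/EJEX.json, app_kidney/Hj.json) and then handed to dex2oat as --dex-file, so the extension carries no information; the first bytes do. Two further details a practitioner should read from the Files sections: on Android, /data/data/<pkg> is a symlink to /data/user/0/<pkg>, so the EJEX.json entries under both prefixes are one file captured at several points, and the differing hashes show it being rewritten during the run. The script below is an added example, not code from the sandbox or the sample. It classifies a dropped file by magic, parses the 0x70-byte DEX header, and recomputes the two integrity fields the format defines (Adler-32 over bytes 12 to end, SHA-1 over bytes 32 to end), which catches a truncated or patched dump before further analysis. The DEX it runs on is constructed here (a header plus a one-entry map list); it is not a file from the report.

```python
"""Identify and validate a dropped DEX regardless of the name it was written under.

Added example; not the sandbox's or the sample's code. The sample DEX is
constructed below (header + map list only).
"""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
TYPE_HEADER_ITEM = 0x0000


def file_kind(data):
    """Classify by magic; the on-disk extension is ignored."""
    if data[:4] == b"dex\n" and data[7:8] == b"\0":
        return "dex"
    if data[:4] == b"PK\x03\x04":
        return "zip"  # APK/JAR container; classes.dex would be inside
    if data[:4] == b"\x7fELF":
        return "elf"
    return "other"


def extension_mismatch(name, data):
    """True when the file name claims a data type but the bytes are code."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return file_kind(data) in ("dex", "zip", "elf") and ext not in ("dex", "jar", "apk", "zip", "so")


def parse_dex_header(data):
    if len(data) < DEX_HEADER_SIZE or file_kind(data) != "dex":
        raise ValueError("not a DEX file")
    f = struct.unpack_from("<8sI20s20I", data, 0)
    magic, checksum, signature = f[0], f[1], f[2]
    file_size, header_size, endian_tag, _link_size, _link_off, map_off = f[3:9]
    (string_ids_size, _, type_ids_size, _, proto_ids_size, _, field_ids_size, _,
     method_ids_size, _, class_defs_size, _, data_size, data_off) = f[9:23]
    return {
        "version": magic[4:7].decode("ascii"),
        "file_size": file_size,
        "map_off": map_off,
        "counts": {"strings": string_ids_size, "types": type_ids_size,
                   "protos": proto_ids_size, "fields": field_ids_size,
                   "methods": method_ids_size, "class_defs": class_defs_size},
        "data": (data_off, data_size),
        # Integrity fields as the DEX format defines them.
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
        "size_ok": file_size == len(data) and header_size == DEX_HEADER_SIZE,
        "endian_ok": endian_tag == ENDIAN_CONSTANT,
    }


def build_minimal_dex(version=b"035"):
    """Constructed sample: header + a map list holding one TYPE_HEADER_ITEM,
    with checksum and signature filled in the way a real compiler would."""
    map_list = struct.pack("<I", 1) + struct.pack("<HHII", TYPE_HEADER_ITEM, 0, 1, 0)
    file_size = DEX_HEADER_SIZE + len(map_list)
    body = struct.pack("<20I", file_size, DEX_HEADER_SIZE, ENDIAN_CONSTANT,
                       0, 0, DEX_HEADER_SIZE,   # link_size, link_off, map_off
                       *([0] * 12),             # no string/type/proto/field/method/class ids
                       len(map_list), DEX_HEADER_SIZE) + map_list  # data_size, data_off
    signature = hashlib.sha1(body).digest()                 # covers bytes 32..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF  # covers bytes 12..end
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    blob = build_minimal_dex()
    print("EJEX.json-style name, bytes are", file_kind(blob),
          "; extension mismatch:", extension_mismatch("EJEX.json", blob))
    print(parse_dex_header(blob))
```

On a real dump, a header that parses but fails the checksum or signature usually means the sandbox captured the file mid-write, which is exactly what several hashes for one path suggest; re-dump from the final state or from the oat/ directory before disassembling.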

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact
Description Indicator Process Target
Framework service call android.content.IClipboard.addPrimaryClipChangedListener N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Reads information about phone network operator.

discovery

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zreceiver96soundcontacts

Network

Country  Destination            Domain                                 Proto
N/A      224.0.0.251:5353       -                                      udp
GB       142.250.187.196:443    -                                      udp
GB       142.250.187.196:443    -                                      tcp
GB       216.58.212.238:443     -                                      tcp
GB       216.58.212.238:443     -                                      tcp
US       1.1.1.1:53             6c6df3c5ebbb3100852ec64722f62131.shop  udp
US       1.1.1.1:53             fc218b26ecc036dd530fe66b864602fa.info  udp
US       1.1.1.1:53             9cbba8c695d9176502cfc2d22cc08e14.xyz   udp
US       1.1.1.1:53             f3878445008c391c7e85238e4ee1b72f.org   udp
DE       188.40.187.129:443     f3878445008c391c7e85238e4ee1b72f.org   tcp
US       1.1.1.1:53             4642b5c1d0e89bef50c5defea344cc3d.net   udp
US       1.1.1.1:53             156350786312d7feba2b1c9b7577097b.com   udp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
GB       216.58.212.238:443     -                                      udp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       1.1.1.1:53             rcs-acs-tmo-us.jibe.google.com         udp
US       216.239.36.155:443     rcs-acs-tmo-us.jibe.google.com         tcp
US       1.1.1.1:53             remoteprovisioning.googleapis.com      udp
GB       216.58.213.10:443      remoteprovisioning.googleapis.com      tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       172.64.41.3:443        -                                      tcp
US       172.64.41.3:443        -                                      tcp
GB       142.250.187.195:443    -                                      tcp
US       172.64.41.3:443        -                                      udp
GB       142.250.187.195:443    -                                      udp
GB       142.250.187.196:443    -                                      tcp
GB       172.217.169.68:443     -                                      tcp
GB       172.217.169.68:443     -                                      tcp
GB       142.250.187.196:443    -                                      udp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
GB       142.250.187.227:443    -                                      tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
US       104.131.68.180:443     156350786312d7feba2b1c9b7577097b.com   tcp
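The network table above mixes Google platform traffic (jibe, remoteprovisioning, mDNS) with the payload's own C2 candidates, and the latter all share one shape: a bare 32-character hexadecimal label (MD5-sized) directly under a generic TLD. Five of the six were only resolved; only f3878445008c391c7e85238e4ee1b72f.org and 156350786312d7feba2b1c9b7577097b.com received connections, and the .com one is served from a different host in behavioral4 (178.62.201.34, NL) than here (104.131.68.180, US). The script below is an added example, not part of the report: it applies that shape as a detection over rows in the report's own "country destination domain proto" layout, treating 1.1.1.1:53 rows as resolutions and everything else as connections, and reports for each hash-shaped domain the hosts it was actually contacted on. The rows are constructed from the behavioral5 and behavioral4 tables.

```python
"""Separate hash-shaped C2 lookups from platform noise in sandbox network rows.

Added example; not part of the report. SAMPLE_ROWS is constructed from the
behavioral5 and behavioral4 network tables.
"""
import re

HEX32_LABEL = re.compile(r"^[0-9a-f]{32}$")

SAMPLE_ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 6c6df3c5ebbb3100852ec64722f62131.shop udp
US 1.1.1.1:53 fc218b26ecc036dd530fe66b864602fa.info udp
US 1.1.1.1:53 9cbba8c695d9176502cfc2d22cc08e14.xyz udp
US 1.1.1.1:53 f3878445008c391c7e85238e4ee1b72f.org udp
DE 188.40.187.129:443 f3878445008c391c7e85238e4ee1b72f.org tcp
US 1.1.1.1:53 4642b5c1d0e89bef50c5defea344cc3d.net udp
US 1.1.1.1:53 156350786312d7feba2b1c9b7577097b.com udp
US 104.131.68.180:443 156350786312d7feba2b1c9b7577097b.com tcp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
GB 216.58.213.10:443 remoteprovisioning.googleapis.com tcp
NL 178.62.201.34:443 156350786312d7feba2b1c9b7577097b.com tcp
"""


def parse_row(line):
    """Parse one report row; the Domain column is absent for raw IP flows."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, None
    else:
        return None
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower() if domain else None, "proto": proto}


def is_hash_label_domain(domain):
    """True for <32 hex chars>.<tld>, the shape of every C2 name in the report."""
    labels = domain.lower().split(".")
    return len(labels) == 2 and HEX32_LABEL.match(labels[0]) is not None


def triage_network(log_text):
    """Map each hash-shaped domain to the (ip, country) pairs it was actually
    contacted on. An empty set means resolved but never connected to, which
    is what a dead or sinkholed backup domain looks like."""
    suspects = {}
    for line in log_text.splitlines():
        row = parse_row(line)
        if not row or not row["domain"] or not is_hash_label_domain(row["domain"]):
            continue
        contacted = suspects.setdefault(row["domain"], set())
        if row["port"] != 53:  # not a resolver row, so a real connection
            contacted.add((row["ip"], row["country"]))
    return suspects


if __name__ == "__main__":
    for domain, hosts in sorted(triage_network(SAMPLE_ROWS).items()):
        state = ", ".join("%s (%s)" % h for h in sorted(hosts)) or "resolved only"
        print("%-40s %s" % (domain, state))
```

The shape test is deliberately narrow (exactly one hex label under the TLD) so that ordinary CDN hostnames with long hex labels under a known parent domain are not swept in; widen it only with an allowlist of parent domains behind it.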

Files

/data/data/com.zreceiver96soundcontacts/app_latin/EJEX.json

MD5 d832a074f0c18189b8ad22fc38ed9ecb
SHA1 0a2a8aadd27593ced29b5f0dca95d3b892eb077b
SHA256 9cb827430b98aa72322c7ee02360dba91c26ad89d188e11cc65af3a7b48759d8
SHA512 1e28a3656ce9c813e2e6d9412adb9d5c66168af73f4d9f0313d1db41c502998802654075a8a50083cd4b77eee5fc4a8cd99a0f3112fb6e6db75f42e11ce7105e

/data/data/com.zreceiver96soundcontacts/app_latin/EJEX.json

MD5 6e5cc4086ff2dad1000d89c97b6eb58c
SHA1 f297ebba898bc0ec9ce7d4f253cda35e98e76147
SHA256 d2bf4c155beea24c0b99dc8cca14bd0eb2c3ae90bad48499e76c8787c7b4f7be
SHA512 7f182ccca5b7ffa0fc2fbfc156ab9a34aa1366b3aae66508cb531f27cec13570c61046f395f77d9164d7a7204166e59a7bfbf8b48bdb8d5dd177c6ca746147b9

/data/user/0/com.zreceiver96soundcontacts/app_latin/EJEX.json

MD5 8b851ae922999f19e421de87a22b6ac9
SHA1 9198fff2b4bdd9d7844492736c1e1a7d0de4666a
SHA256 8c10e7ea546ccefb5b0bd71b8ee69ce362a528d71e7aeba809c7b05b9673bb6a
SHA512 46b7e78c28b3b991898a318a921fddf5615d5497759bf25810b7de5896d62ed0818751c390e5501000ceea2b0704ed153b347cf3ec948c4dbc03e0d52ff7193e

/data/data/com.zreceiver96soundcontacts/files/.n

MD5 77dc50489b9323274732d27dc8a4e803
SHA1 0e02a3595b62489d0739d771881da8604d117c65
SHA256 c5684e792d1ebefea6aac09fed45911703fd58c899f8a08133d49dd91429a820
SHA512 0684a92f3e9c525384cfa53f531afba61e5930e1c27032a7e27e3315f72761b62e122dc34768d8162ba08f9bed53d148aa8dc034b46456bdd211f230637eba58

/data/user/0/com.zreceiver96soundcontacts/[email protected]

MD5 f7dc9528a65c9692d9c0cd1d8495cfb1
SHA1 94b04526df4a11244a07bb7eb2e43382a099954e
SHA256 ee0e5da53f5f387eff24587225a48ab1bcfc86c05d05006fe67c0929b6391be5
SHA512 73134e0124f74850ce1a369dcb6cd88f6bcd5f4ded5ddd22a0b7e7c782e8788d5f572c4ae3dc99815045f125d50898a45c152a25a55173ba6cacda8a3687f080

/data/data/com.zreceiver96soundcontacts/oat/x86_64/[email protected]

MD5 29373ce8d64ccc3f48062afb063f8241
SHA1 bc167bf72f4445a75a458a066bff2b58e94f06dc
SHA256 760a50eb208c59b3b9af7ce8ce4004720ce906bc31ef00c334ec9635637d9e78
SHA512 6b635e81618442c3ae9f453c65effd2e820c1fc70a79a7b8f9cbbb00611511ea134654196b06e7aba5ee62901bf3093f239f000a311bbdd5ac3fa80f465e557c

/data/data/com.zreceiver96soundcontacts/.global.com.zreceiver96soundcontacts

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-27 23:23

Reported

2024-11-27 23:26

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

134s

Command Line

com.walnut.document

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload


Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.walnut.document/app_kidney/Hj.json N/A N/A
N/A /data/user/0/com.walnut.document/app_kidney/Hj.json N/A N/A

Processes

com.walnut.document

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.walnut.document/app_kidney/Hj.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.walnut.document/app_kidney/oat/x86/Hj.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination            Domain                              Proto
N/A      224.0.0.251:5353       -                                   udp
GB       142.250.187.202:443    -                                   tcp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com  udp
GB       142.250.200.46:443     -                                   tcp
US       1.1.1.1:53             android.apis.google.com             udp
GB       216.58.201.110:443     android.apis.google.com             tcp

Files

/data/data/com.walnut.document/app_kidney/Hj.json

MD5 a964b1ae4b934a1904456496fee42a49
SHA1 830037f4f85130b0b408d26844e4bf5433bd7b08
SHA256 30f57febc66a9ff47936654f2917381cda18222e8670f4d77006c8b9e004a0f0
SHA512 7ccd704a1b1e8dc413b0a6252e416796ad8769469c1ad4e68ff1e7886a85b9fd11248d668809d23217b7b87edccef1fdf3f4025a687fc8ed3d36aa5ad38c14e3

/data/data/com.walnut.document/app_kidney/Hj.json

MD5 e1c8658c0ecf7b198a0d2e56ed2aa354
SHA1 12d76b3c3b1736e9423940528bab4b65cf381ce1
SHA256 a5762c300f142ddb65c9b6a494cba432696e0163098953e04dd90747e60030c9
SHA512 79fb27774da49abc3960a57e8d16602b8f02112b9bf6ecd14307e685f37072aa50a1e63bd0630cd68a8e8fcfce41935ceaeeae7bb61825d95f59c32ea9c60805

/data/user/0/com.walnut.document/app_kidney/Hj.json

MD5 118fe68c141e4958813a16679d197c36
SHA1 e8c765c07791786fb44523c33353ace376f77e6d
SHA256 bf5d7574bf3e09ab48d98b4230a661cedc6330761304346214700b419b1be208
SHA512 fa50aed12ecf072854248277e61036bf7bacb6cf23465c8a3bd1fa6d76b56b2e50d2a2c4d8b2004d503fc5b1f95174e51a6c5c696e5d112df665a5e305912b17

/data/user/0/com.walnut.document/app_kidney/Hj.json

MD5 dd40fff1cfa5cbd88621eff2df43c2b4
SHA1 64957fb3a28eb763785d86e7013fda273e8c1646
SHA256 369b82a96b75cf578e52de2b19f279b7093136752cd0d001b5aa8c274dfc4265
SHA512 60e76962956fbcd28680d39901dd3aa604c4ffbefb5149b51a1d588cdddd56428ad9a1643e420a0b09d3770358b73528133a40d804097dcc36d949c4c6f73973

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-27 23:23

Reported

2024-11-27 23:26

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

158s

Command Line

com.walnut.document

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload


Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.walnut.document/app_kidney/Hj.json N/A N/A

Processes

com.walnut.document

Network

Country  Destination            Domain                    Proto
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       216.58.204.72:443      ssl.google-analytics.com  tcp
GB       142.250.187.238:443    -                         tcp
US       1.1.1.1:53             android.apis.google.com   udp
GB       216.58.201.110:443     android.apis.google.com   tcp
GB       142.250.179.228:443    -                         tcp
GB       142.250.179.228:443    -                         tcp

Files

/data/data/com.walnut.document/app_kidney/Hj.json

MD5 a964b1ae4b934a1904456496fee42a49
SHA1 830037f4f85130b0b408d26844e4bf5433bd7b08
SHA256 30f57febc66a9ff47936654f2917381cda18222e8670f4d77006c8b9e004a0f0
SHA512 7ccd704a1b1e8dc413b0a6252e416796ad8769469c1ad4e68ff1e7886a85b9fd11248d668809d23217b7b87edccef1fdf3f4025a687fc8ed3d36aa5ad38c14e3

/data/data/com.walnut.document/app_kidney/Hj.json

MD5 e1c8658c0ecf7b198a0d2e56ed2aa354
SHA1 12d76b3c3b1736e9423940528bab4b65cf381ce1
SHA256 a5762c300f142ddb65c9b6a494cba432696e0163098953e04dd90747e60030c9
SHA512 79fb27774da49abc3960a57e8d16602b8f02112b9bf6ecd14307e685f37072aa50a1e63bd0630cd68a8e8fcfce41935ceaeeae7bb61825d95f59c32ea9c60805

/data/user/0/com.walnut.document/app_kidney/Hj.json

MD5 118fe68c141e4958813a16679d197c36
SHA1 e8c765c07791786fb44523c33353ace376f77e6d
SHA256 bf5d7574bf3e09ab48d98b4230a661cedc6330761304346214700b419b1be208
SHA512 fa50aed12ecf072854248277e61036bf7bacb6cf23465c8a3bd1fa6d76b56b2e50d2a2c4d8b2004d503fc5b1f95174e51a6c5c696e5d112df665a5e305912b17

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-27 23:23

Reported

2024-11-27 23:26

Platform

android-x64-arm64-20240624-en

Max time kernel

7s

Max time network

133s

Command Line

com.walnut.document

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload


Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.walnut.document/app_kidney/Hj.json N/A N/A

Processes

com.walnut.document

Network

Country  Destination            Domain                    Proto
GB       142.250.187.238:443    -                         tcp
GB       142.250.187.238:443    -                         tcp
GB       142.250.187.238:443    -                         tcp
N/A      224.0.0.251:5353       -                         udp
US       1.1.1.1:53             android.apis.google.com   udp
GB       142.250.200.14:443     android.apis.google.com   tcp
US       1.1.1.1:53             ssl.google-analytics.com  udp
GB       142.250.178.8:443      ssl.google-analytics.com  tcp
GB       142.250.200.36:443     -                         tcp
GB       142.250.200.36:443     -                         tcp

Files

/data/data/com.walnut.document/app_kidney/Hj.json

MD5 a964b1ae4b934a1904456496fee42a49
SHA1 830037f4f85130b0b408d26844e4bf5433bd7b08
SHA256 30f57febc66a9ff47936654f2917381cda18222e8670f4d77006c8b9e004a0f0
SHA512 7ccd704a1b1e8dc413b0a6252e416796ad8769469c1ad4e68ff1e7886a85b9fd11248d668809d23217b7b87edccef1fdf3f4025a687fc8ed3d36aa5ad38c14e3

/data/data/com.walnut.document/app_kidney/Hj.json

MD5 e1c8658c0ecf7b198a0d2e56ed2aa354
SHA1 12d76b3c3b1736e9423940528bab4b65cf381ce1
SHA256 a5762c300f142ddb65c9b6a494cba432696e0163098953e04dd90747e60030c9
SHA512 79fb27774da49abc3960a57e8d16602b8f02112b9bf6ecd14307e685f37072aa50a1e63bd0630cd68a8e8fcfce41935ceaeeae7bb61825d95f59c32ea9c60805

/data/user/0/com.walnut.document/app_kidney/Hj.json

MD5 118fe68c141e4958813a16679d197c36
SHA1 e8c765c07791786fb44523c33353ace376f77e6d
SHA256 bf5d7574bf3e09ab48d98b4230a661cedc6330761304346214700b419b1be208
SHA512 fa50aed12ecf072854248277e61036bf7bacb6cf23465c8a3bd1fa6d76b56b2e50d2a2c4d8b2004d503fc5b1f95174e51a6c5c696e5d112df665a5e305912b17

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-27 23:23

Reported

2024-11-27 23:26

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

154s

Command Line

com.zreceiver96soundcontacts

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload


Checks Android system properties for emulator presence.

evasion
Description Indicator Process Target
Accessed system property key: ro.product.model N/A N/A

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /data/user/0/com.zreceiver96soundcontacts/app_latin/EJEX.json N/A N/A
N/A /data/user/0/com.zreceiver96soundcontacts/app_latin/EJEX.json N/A N/A
N/A Anonymous-DexFile@0xd3cf8000-0xd3d7bae4 N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Uses Crypto APIs (Might try to encrypt user data)

impact
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Checks CPU information

Description Indicator Process Target
File opened for read /proc/cpuinfo N/A N/A

Checks memory information

Description Indicator Process Target
File opened for read /proc/meminfo N/A N/A

Processes

com.zreceiver96soundcontacts

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.zreceiver96soundcontacts/app_latin/EJEX.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.zreceiver96soundcontacts/app_latin/oat/x86/EJEX.odex --compiler-filter=quicken --class-loader-context=&

Network

Country  Destination            Domain                                Proto
N/A      224.0.0.251:5353       -                                     udp
US       1.1.1.1:53             semanticlocation-pa.googleapis.com    udp
US       1.1.1.1:53             9cbba8c695d9176502cfc2d22cc08e14.xyz  udp
US       1.1.1.1:53             156350786312d7feba2b1c9b7577097b.com  udp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
GB       142.250.187.206:443    -                                     tcp
US       1.1.1.1:53             android.apis.google.com               udp
GB       142.250.200.46:443     android.apis.google.com               tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp
NL       178.62.201.34:443      156350786312d7feba2b1c9b7577097b.com  tcp

Files

/data/data/com.zreceiver96soundcontacts/app_latin/EJEX.json

MD5 d832a074f0c18189b8ad22fc38ed9ecb
SHA1 0a2a8aadd27593ced29b5f0dca95d3b892eb077b
SHA256 9cb827430b98aa72322c7ee02360dba91c26ad89d188e11cc65af3a7b48759d8
SHA512 1e28a3656ce9c813e2e6d9412adb9d5c66168af73f4d9f0313d1db41c502998802654075a8a50083cd4b77eee5fc4a8cd99a0f3112fb6e6db75f42e11ce7105e

/data/data/com.zreceiver96soundcontacts/app_latin/EJEX.json

MD5 6e5cc4086ff2dad1000d89c97b6eb58c
SHA1 f297ebba898bc0ec9ce7d4f253cda35e98e76147
SHA256 d2bf4c155beea24c0b99dc8cca14bd0eb2c3ae90bad48499e76c8787c7b4f7be
SHA512 7f182ccca5b7ffa0fc2fbfc156ab9a34aa1366b3aae66508cb531f27cec13570c61046f395f77d9164d7a7204166e59a7bfbf8b48bdb8d5dd177c6ca746147b9

/data/user/0/com.zreceiver96soundcontacts/app_latin/EJEX.json

MD5 8b851ae922999f19e421de87a22b6ac9
SHA1 9198fff2b4bdd9d7844492736c1e1a7d0de4666a
SHA256 8c10e7ea546ccefb5b0bd71b8ee69ce362a528d71e7aeba809c7b05b9673bb6a
SHA512 46b7e78c28b3b991898a318a921fddf5615d5497759bf25810b7de5896d62ed0818751c390e5501000ceea2b0704ed153b347cf3ec948c4dbc03e0d52ff7193e

/data/user/0/com.zreceiver96soundcontacts/app_latin/EJEX.json

MD5 f08d32b63129d945402caf05c1f742cb
SHA1 dc6276908e78ebe0b2780b8692fe30968f28ff6d
SHA256 931564b7fad72b8bb275610f82bdc68dc9aaf191e3e9d30e8a00cb904aece31d
SHA512 2ae993de156e0a0a8659de22383124114d79eda383e4bb043e81a0333f07db02e6192328ea3350a52314d2429bccf93d7c6b4cb93bf438925171bef0ddcc4046

/data/data/com.zreceiver96soundcontacts/files/.n

MD5 4e73947cabb5db3f92ca85004981b754
SHA1 6d9667fdb0280ed2dcb782b4683e422a51bdc601
SHA256 6db94232e756b90ed437f1bc87dc38cf20fb2e7c7a19a5e40c6c17254b7e234c
SHA512 be8b500a7070af1dfb53b0cf1a7b327dadc4e163a6dad905496ac228c58cd1ed87b054533917924455d35e9b300683ae33e1bcdd91935a5dbae1d693c3e13d69

Anonymous-DexFile@0xd3cf8000-0xd3d7bae4 (DEX mapped directly in memory rather than loaded from a path; its MD5/SHA1/SHA256/SHA512 are identical to the /data/user/0/com.zreceiver96soundcontacts/[email protected] entry recorded in behavioral5, so both runs load the same second-stage DEX)

MD5 f7dc9528a65c9692d9c0cd1d8495cfb1
SHA1 94b04526df4a11244a07bb7eb2e43382a099954e
SHA256 ee0e5da53f5f387eff24587225a48ab1bcfc86c05d05006fe67c0929b6391be5
SHA512 73134e0124f74850ce1a369dcb6cd88f6bcd5f4ded5ddd22a0b7e7c782e8788d5f572c4ae3dc99815045f125d50898a45c152a25a55173ba6cacda8a3687f080

/data/data/com.zreceiver96soundcontacts/.global.com.zreceiver96soundcontacts

MD5 046a414913add6f5bb60072c7db819b6
SHA1 451ee4f6809260aec622d772fd329c7d0297a842
SHA256 b66c1320cb063a1d391c94273572ea6edae76c8c8b0a07f8d75c88686f0df72a
SHA512 4e6355f3051ed5e811ab030abde1f5be7f5e1cf33be99cd08477e9b6c015deb1d8bd75a09fb9c7176b8511c5ad0a67abc0902a3531e97564ccb6afc57496a47c