Analysis Overview
SHA256
0b9d3e86a4f5e2912a50892206d4ec33c0283142e7d2de8f8fab6ec4fab42790
Threat Level: Known bad
The file 0b9d3e86a4f5e2912a50892206d4ec33c0283142e7d2de8f8fab6ec4fab42790.bin was found to be: Known bad.
Malicious Activity Summary
Android SoumniBot payload
SoumniBot
Soumnibot family
Loads dropped Dex/Jar
Requests dangerous framework permissions
Queries information about active data network
Requests disabling of battery optimizations (often used to enable hiding in the background).
Acquires the wake lock
Attempts to obfuscate APK file format
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-01 22:08
Signatures
Attempts to obfuscate APK file format
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-01 22:08
Reported
2024-12-01 22:11
Platform
android-x86-arm-20240910-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Android SoumniBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SoumniBot
Soumnibot family
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/rjfk.zlqc.gq/app_dex/classes.dex | N/A | N/A |
| N/A | /data/user/0/rjfk.zlqc.gq/app_dex/classes.dex | N/A | N/A |
| N/A | /data/user/0/rjfk.zlqc.gq/app_dex/classes.dex | N/A | N/A |
Acquires the wake lock
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Processes
rjfk.zlqc.gq
/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/rjfk.zlqc.gq/app_dex/classes.dex --output-vdex-fd=44 --oat-fd=45 --oat-location=/data/user/0/rjfk.zlqc.gq/app_dex/oat/x86/classes.odex --compiler-filter=quicken --class-loader-context=&
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | graph.org | udp |
| NL | 149.154.164.13:443 | graph.org | tcp |
| GB | 142.250.200.46:443 | tcp | |
| GB | 142.250.200.46:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 216.58.212.206:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | telegra.ph | udp |
| NL | 149.154.164.13:443 | telegra.ph | tcp |
Files
/data/data/rjfk.zlqc.gq/app_dex/classes.dex
| MD5 | f24ce658d27b0586bcb096b2deae7538 |
| SHA1 | a85fed66d7f18b24d85b0005d839d08eaca1da9e |
| SHA256 | b1377637888c231260b569e5ec270187494a7ee10b0b59c7ff1f7c247f099390 |
| SHA512 | 9ba43600b738f678124639307bfcd692507d967f6fb3f26a93b1ff8342f067785da899b242604dba352e45eb3a6607521832df8c4d6a012b442e8d200576e1a6 |
/data/user/0/rjfk.zlqc.gq/app_dex/classes.dex
| MD5 | a1e5aa629954ba1f8fc2bddf4cb26755 |
| SHA1 | 7db08ea76bcb958d35edb6321d1e5aa70daa6d1f |
| SHA256 | f1c74b8d04abaec3b3292b5ef4e57ef320aad304f35ceb7b9756338606c72257 |
| SHA512 | 9506796992fe26b5dd01e2cf433137a8567e4a6e9c9af3b96eda54a1a9a8d57a25fcd100681a596e1647fddee288ace3aff924875c301e4fc35971a3f0c4181a |
/data/data/rjfk.zlqc.gq/files/PersistedInstallation7246969340474115072tmp
| MD5 | ab606e58ec45f4f6dc9ef44b41edd257 |
| SHA1 | c1ea6cfc994458d32b6761ec45a788065ce1041d |
| SHA256 | 96996b7eb02b6f342c1fd36ad3c674462bbf66b08b110478b30707dab2238f3c |
| SHA512 | ec0ff05c48badfac177744c88f70092df55d15fe9928ccdbc821a56cfea2bc34d7f33255906148430b958866143ad05e1e6f0825c9c8fb69d3a7c712bec3ccb6 |
/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-journal
| MD5 | cdbc5f1c57856bb3767eba59904ac5b3 |
| SHA1 | e0f5980e4207a1e5d381442bcdfedccc4485cf39 |
| SHA256 | 2d9b402576aa1fd0f5e266cfb2a7a939e60951da65110b4911bcf21d41c9b11b |
| SHA512 | b93e431705169c458332639144905cd014de25fa5e0c81e0fc3d87787da47d98b0e76c027de0504e83e24a67dc29023f4f60245633366f1b8a49c9984a502310 |
/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb
| MD5 | f2b4b0190b9f384ca885f0c8c9b14700 |
| SHA1 | 934ff2646757b5b6e7f20f6a0aa76c7f995d9361 |
| SHA256 | 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514 |
| SHA512 | ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1 |
/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-shm
| MD5 | bb7df04e1b0a2570657527a7e108ae23 |
| SHA1 | 5188431849b4613152fd7bdba6a3ff0a4fd6424b |
| SHA256 | c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479 |
| SHA512 | 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012 |
/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-wal
| MD5 | b6eb122922ba6dc365ae2e10c61caa5f |
| SHA1 | 9970180c0da29bbdc4b679abc97f9b0696030bcb |
| SHA256 | ef2bcddb75b67bd32e325fd7decf0a318edb91915a9f982ed9bb203558018eda |
| SHA512 | 44e8595c4a464505ba1111dba669ce1826d29aee30eb9a4beddc7ef38f9f2c3be9f90e5c5b148907232a5e8a21ba7757171c153953b435c7942dbbb81ceb0fc0 |
/data/data/rjfk.zlqc.gq/files/mmkv/mmkv.default
| MD5 | 620f0b67a91f7f74151bc5be745b7110 |
| SHA1 | 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d |
| SHA256 | ad7facb2586fc6e966c004d7d1d16b024f5805ff7cb47c7a85dabd8b48892ca7 |
| SHA512 | 2d23913d3759ef01704a86b4bee3ac8a29002313ecc98a7424425a78170f219577822fd77e4ae96313547696ad7d5949b58e12d5063ef2ee063b595740a3a12d |
/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-wal
| MD5 | 10ca53fe3676e0ed397e388eb8ef03f8 |
| SHA1 | 56a1f563e9d84c1045c4dea4cc387f0131379b4c |
| SHA256 | 4b00cba239f1c93235efa2022899abbbce87b66bd844a3237514fd50607109cf |
| SHA512 | 1d29b696c625865d6968765c6be1f053676307517a3aa484e1a9adc31bb4773554c2307aa3441e1e29b07f039797c972f370a51caf1327985ea9103f024114c3 |
/data/data/rjfk.zlqc.gq/files/PersistedInstallation2428070283739475478tmp
| MD5 | c2a5519c298094e7ae706bc8e906b8de |
| SHA1 | bfd1b9add5c648b5f014d1eb84357c099037d7a0 |
| SHA256 | 29cc17a8238e5acb1bd13d61bb78a31bfba9b1353de0979bc4ab176e85dda538 |
| SHA512 | da0b1f3f7bc38fa07900f08f7fd5c143c7d6d6a7761140e3300d595b76ad25d1a3d3bc34264dd1c23c63bed962efd8528c974415f62dbf2cb3e069fde8b27caa |
/data/data/rjfk.zlqc.gq/cache/image_manager_disk_cache/journal.tmp
| MD5 | 8c92de9ce46d41a22f3b20f77404cc1d |
| SHA1 | 8671a6dca00edb72be47363a7071be65cf270373 |
| SHA256 | 68bb33ddeed9200be85a71f70b377985f9ee68e91578afbde8321463396f1274 |
| SHA512 | 30f45fe9954215d6adafcc8f0a060a7ff41963a64f9b849a37f0d18fe045038d429ec13bf15226769c4ba78dad3c52f3d9e0dbbb4fcdea4828a1efe956e48f56 |
/data/data/rjfk.zlqc.gq/no_backup/androidx.work.workdb-wal
| MD5 | 0273bb7f756ed055b025961662027ab3 |
| SHA1 | 704e211c774f63bf0dafc14387ff18441ca355dd |
| SHA256 | 6843061ca46a057d53b68c5dc398ffd64a312616d3b7255ce3765bd3b1f6fb03 |
| SHA512 | 726f02de267ab6a64c46477dd15c1c7ee4e792a1a0ea93ea61f16980ac4273856bb2ed5375d81fdf7df48a6650e0258978cdc275ffcd0671f1dc825b6b88821f |
/data/data/rjfk.zlqc.gq/cache/image_manager_disk_cache/journal
| MD5 | 16a32559ff60385966e73769320fc47a |
| SHA1 | 99dc629f36569817bcef80abdea8d21ff876d14b |
| SHA256 | 4e2f0a2e3b5baa917d879a17acc900ae1b17d325f2dbab11312daac6ba588e96 |
| SHA512 | 1b7394581056f3270c09d8e852114608f03d3b135d675b136e686a822fa1c523f3e010c3cfc4348e5c4a68447c65c16e37c44157d2e8572054d56a39f21b64aa |
/data/data/rjfk.zlqc.gq/cache/image_manager_disk_cache/88bfcb6bce24319bc05d6aa5fe4b75a5e42802c10bdd3167fc1c87916054b13a.0.tmp
| MD5 | f75aaa920b08fa0e17bc524bcddc3747 |
| SHA1 | 08b960b03fc9c3373940da5ed8ba8955f367c8de |
| SHA256 | 00af88628626e15db3ddf56bfba14e390b40b299d714998594d26e0714fef657 |
| SHA512 | c1811b5eaddd24f114b9b37644006f4751adcfa7b859912fb013fdf44d4866f726d3375fd931781b5070bfb3d92c3dcb053f43b6216648dcfaa71592f273a371 |