Malware Analysis Report

2025-01-19 05:50

Sample ID 241201-2b96vavlex
Target 7e792ff22711078c41f2623730a69ad6818b87764f712c7841984794604069a7
SHA256 7e792ff22711078c41f2623730a69ad6818b87764f712c7841984794604069a7
Tags
tanglebot evasion infostealer spyware trojan octo banker collection credential_access discovery impact persistence rat
Score 10/10

Analysis Overview

Score 10/10

SHA256

7e792ff22711078c41f2623730a69ad6818b87764f712c7841984794604069a7

Threat Level: Known bad

The file 7e792ff22711078c41f2623730a69ad6818b87764f712c7841984794604069a7 was found to be: Known bad.

Malicious Activity Summary

Octo payload

Tanglebot family

Octo family

Octo

TangleBot payload

TangleBot

Queries the phone number (MSISDN for GSM devices)

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Loads dropped Dex/Jar

Obtains sensitive information copied to the device clipboard

Attempts to obfuscate APK file format

Requests disabling of battery optimizations (often used to enable hiding in the background).

Declares services with permission to bind to the system

Requests dangerous framework permissions

Reads information about phone network operator.

Declares broadcast receivers with permission to handle system events

Queries the mobile country code (MCC)

Queries the unique device ID (IMEI, MEID, IMSI)

Acquires the wake lock

Makes use of the framework's foreground persistence service

Uses Crypto APIs (Might try to encrypt user data)

Registers a broadcast receiver at runtime (usually for listening for system events)

Checks memory information

Checks CPU information

Analysis: static1

Detonation Overview

Reported

2024-12-01 22:25

Signatures

Attempts to obfuscate APK file format

Declares broadcast receivers with permission to handle system events

Description | Indicator | Process | Target
Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A

Declares services with permission to bind to the system

Description | Indicator | Process | Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A
Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A
Allows an application broad access to external storage in scoped storage. | android.permission.MANAGE_EXTERNAL_STORAGE | N/A | N/A
Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A
Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A
Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A
Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A
Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A
Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A
Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x86-arm-20240624-en

Max time kernel

9s

Max time network

133s

Command Line

com.book.present

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.book.present/app_subject/ey.json | N/A | N/A
N/A | /data/user/0/com.book.present/app_subject/ey.json | N/A | N/A

Processes

com.book.present

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.book.present/app_subject/ey.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.book.present/app_subject/oat/x86/ey.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.200.46:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.180.14:443 | android.apis.google.com | tcp

Files

/data/data/com.book.present/app_subject/ey.json

/data/data/com.book.present/app_subject/ey.json

/data/user/0/com.book.present/app_subject/ey.json

/data/user/0/com.book.present/app_subject/ey.json

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

159s

Command Line

com.book.present

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.book.present/app_subject/ey.json | N/A | N/A

Processes

com.book.present

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.232:443 | ssl.google-analytics.com | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 172.217.16.238:443 | android.apis.google.com | tcp
GB | 172.217.16.228:443 | | tcp
GB | 172.217.16.228:443 | | tcp

Files

/data/data/com.book.present/app_subject/ey.json

/data/data/com.book.present/app_subject/ey.json

/data/user/0/com.book.present/app_subject/ey.json

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x64-arm64-20240624-en

Max time kernel

7s

Max time network

134s

Command Line

com.book.present

Signatures

TangleBot

trojan infostealer spyware tanglebot

TangleBot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tanglebot family

tanglebot

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.book.present/app_subject/ey.json | N/A | N/A

Processes

com.book.present

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.180.14:443 | | tcp
GB | 142.250.180.14:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.46:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 216.58.201.104:443 | ssl.google-analytics.com | tcp
GB | 142.250.179.228:443 | | tcp
GB | 142.250.179.228:443 | | tcp

Files

/data/data/com.book.present/app_subject/ey.json

/data/data/com.book.present/app_subject/ey.json

/data/user/0/com.book.present/app_subject/ey.json

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x86-arm-20240624-en

Max time kernel

149s

Max time network

156s

Command Line

com.ckservice74_access

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.ckservice74_access/app_village/erLYgyN.json | N/A | N/A
N/A | /data/user/0/com.ckservice74_access/app_village/erLYgyN.json | N/A | N/A
N/A | Anonymous-DexFile@0xd2711000-0xd27947fc | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Queries the unique device ID (IMEI, MEID, IMSI)

discovery

Reads information about phone network operator.

discovery

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion

Description | Indicator | Process | Target
Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ckservice74_access

/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.ckservice74_access/app_village/erLYgyN.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/com.ckservice74_access/app_village/oat/x86/erLYgyN.odex --compiler-filter=quicken --class-loader-context=&

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
GB | 142.250.200.42:443 | | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | fc218b26ecc036dd530fe66b864602fa.info | udp
US | 1.1.1.1:53 | f3878445008c391c7e85238e4ee1b72f.org | udp
DE | 188.40.187.129:443 | f3878445008c391c7e85238e4ee1b72f.org | tcp
US | 1.1.1.1:53 | 82c77e3982c749966904584503b6d4eb.biz | udp
US | 1.1.1.1:53 | 9cbba8c695d9176502cfc2d22cc08e14.xyz | udp
US | 1.1.1.1:53 | 4642b5c1d0e89bef50c5defea344cc3d.net | udp
US | 1.1.1.1:53 | 6c6df3c5ebbb3100852ec64722f62131.shop | udp
US | 1.1.1.1:53 | 156350786312d7feba2b1c9b7577097b.com | udp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
GB | 216.58.204.78:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
NL | 178.62.201.34:443 | 156350786312d7feba2b1c9b7577097b.com | tcp

Files

/data/data/com.ckservice74_access/app_village/erLYgyN.json

/data/data/com.ckservice74_access/app_village/erLYgyN.json

/data/user/0/com.ckservice74_access/app_village/erLYgyN.json

/data/user/0/com.ckservice74_access/app_village/erLYgyN.json

/data/data/com.ckservice74_access/files/.p

Anonymous-DexFile@0xd2711000-0xd27947fc

/data/data/com.ckservice74_access/.global.com.ckservice74_access

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-01 22:25

Reported

2024-12-01 22:28

Platform

android-x64-20240624-en

Max time kernel

44s

Max time network

161s

Command Line

com.ckservice74_access

Signatures

Octo

banker trojan infostealer rat octo

Octo family

octo

Octo payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Loads dropped Dex/Jar

evasion

Description | Indicator | Process | Target
N/A | /data/user/0/com.ckservice74_access/app_village/erLYgyN.json | N/A | N/A
N/A | /data/user/0/com.ckservice74_access/[email protected] | N/A | N/A

Makes use of the framework's Accessibility service

collection evasion credential_access

Description | Indicator | Process | Target
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A
Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A

Obtains sensitive information copied to the device clipboard

collection credential_access impact

Description | Indicator | Process | Target
Framework service call | android.content.IClipboard.addPrimaryClipChangedListener | N/A | N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries the phone number (MSISDN for GSM devices)

discovery

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Makes use of the framework's foreground persistence service

evasion persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.setServiceForeground | N/A | N/A

Queries the mobile country code (MCC)

discovery

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone | N/A | N/A

Reads information about phone network operator.

discovery

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Uses Crypto APIs (Might try to encrypt user data)

impact

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Checks CPU information

Description | Indicator | Process | Target
File opened for read | /proc/cpuinfo | N/A | N/A

Checks memory information

Description | Indicator | Process | Target
File opened for read | /proc/meminfo | N/A | N/A

Processes

com.ckservice74_access

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | fc218b26ecc036dd530fe66b864602fa.info | udp
US | 1.1.1.1:53 | 156350786312d7feba2b1c9b7577097b.com | udp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
GB | 142.250.179.238:443 | | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
GB | 216.58.201.98:443 | | tcp
GB | 172.217.169.46:443 | | tcp
GB | 142.250.180.4:443 | | tcp
GB | 142.250.178.3:443 | | tcp
BE | 142.250.110.188:5228 | | tcp
US | 216.239.32.223:443 | | tcp
US | 216.239.32.223:443 | | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.179.228:443 | www.google.com | tcp
US | 1.1.1.1:53 | g.tenor.com | udp
GB | 142.250.200.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | accounts.google.com | udp
US | 1.1.1.1:53 | accounts.google.com | udp
BE | 74.125.133.84:443 | accounts.google.com | tcp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
GB | 142.250.179.234:443 | semanticlocation-pa.googleapis.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp
SG | 45.77.249.79:443 | 156350786312d7feba2b1c9b7577097b.com | tcp

Files

/data/data/com.ckservice74_access/app_village/erLYgyN.json

/data/data/com.ckservice74_access/app_village/erLYgyN.json

/data/user/0/com.ckservice74_access/app_village/erLYgyN.json

/data/data/com.ckservice74_access/files/.p

/data/user/0/com.ckservice74_access/[email protected]

/data/data/com.ckservice74_access/oat/x86_64/[email protected]

/data/data/com.ckservice74_access/.global.com.ckservice74_access