Malware Analysis Report

2025-01-19 06:50

Sample ID 241211-mbzb1sykev
Target Magisk-28.1(28100).apk
SHA256 8bfd3346b3da5814f82eff6f1b1b5fedd0ad585f39a25709b23eb54aac45691d
Tags antidot persistence evasion discovery
Score 10/10


Analysis Overview

Score

10/10

SHA256

8bfd3346b3da5814f82eff6f1b1b5fedd0ad585f39a25709b23eb54aac45691d

Threat Level: Known bad

The file Magisk-28.1(28100).apk was found to be: Known bad.

Malicious Activity Summary

antidot persistence evasion discovery

Antidot family

Antidot payload

Loads dropped Dex/Jar

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK (Mobile Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-12-11 10:18

Signatures

Antidot family

antidot

Antidot payload

Description Indicator Process Target
N/A N/A N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-11 10:18

Reported

2024-12-11 10:21

Platform

android-x86-arm-20240624-en

Max time kernel

2s

Max time network

129s

Command Line

com.topjohnwu.magisk

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.topjohnwu.magisk

su --mount-master

Network

Country Destination Domain Proto
GB 142.250.180.10:443 N/A tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.201.110:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.16.238:443 android.apis.google.com tcp

Files

/data/misc/profiles/cur/0/com.topjohnwu.magisk/primary.prof

MD5 12ade2275cbe887e0559d74347973235
SHA1 3bd792627b62ef615a7d339d684aa0d330714c10
SHA256 66e211c4a355c5f973622410f98d5b597c0271ada16ff9da20d7ee7ad30b09be
SHA512 a9feaaa0f8e51be69d538d6efd9ef16174313f61086d35eccdbf830965c833a5bf2e65a986ff57dbf76f9b04166a54a17dcf58607b258084427c3a54c6da741c

/data/data/com.topjohnwu.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 cb1629b3490195cd1b6bd4f46760661d
SHA1 911aaf0a0c336d192b69881bbbd43b4dd9bee9f7
SHA256 25b019f409ae937097db16b54c53d66e3df41bd7a711c438e37ca2a214362981
SHA512 2973c28d8a5d77247050130e2611732e27937fd693a81037ece34de575debe941ad50fa0721f22ed5847a918ff8af5c966179e59dca60fed84d7b44920c9f75e

/data/data/com.topjohnwu.magisk/files/profileInstalled

MD5 4ac0abf77fc30bc2dcfc2a36207b128f
SHA1 030be60f88dfba380f56a76d7e5acf473cc5575e
SHA256 1bbc67cbe8e728d413512276e1cea744ece8f009fb47344e717ce4a7d0ea012b
SHA512 13a7f80652de86e593c12e1771fc074ceedd804aa97f2bb3417de0e99b277f680a7742b233f92709f5916d08f98c2abcc174ae502df3e024a948e69c3012bbf9

/data/user_de/0/com.topjohnwu.magisk/cache/main.jar

MD5 51fc1652a346f9ade84aabfb44fa8853
SHA1 4c4da2058dec4b5457c109f5e807592a75b19a29
SHA256 ae7fdb8b70bd2c1cc2c27043e985f8dc5cfff2cb9142a1576dcdbc889763ef7b
SHA512 2b79aec9dbe7f1a1db081c8bfb35784de44d6c394fb9f19f47f5053d6210eed34ba920dface04cc12502fd6cb44449518be389cd04cd5417f4548ffe0ba89af3

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-11 10:18

Reported

2024-12-11 10:21

Platform

android-33-x64-arm64-20240624-en

Max time kernel

8s

Max time network

133s

Command Line

com.topjohnwu.magisk

Signatures

Loads dropped Dex/Jar

evasion
Description Indicator Process Target
N/A /system_ext/framework/androidx.window.extensions.jar N/A N/A
N/A /system_ext/framework/androidx.window.extensions.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A
N/A /system_ext/framework/androidx.window.sidecar.jar N/A N/A

Processes

com.topjohnwu.magisk

Network

Country Destination Domain Proto
GB 142.250.187.196:443 N/A udp
GB 142.250.187.196:443 N/A tcp
N/A 224.0.0.251:5353 N/A udp
GB 216.58.212.238:443 N/A tcp
GB 216.58.212.238:443 N/A tcp
GB 216.58.212.238:443 N/A udp
US 1.1.1.1:53 rcs-acs-tmo-us.jibe.google.com udp
US 216.239.36.155:443 rcs-acs-tmo-us.jibe.google.com tcp
US 1.1.1.1:53 remoteprovisioning.googleapis.com udp
US 172.64.41.3:443 N/A tcp
US 172.64.41.3:443 N/A tcp
GB 216.58.201.99:443 N/A tcp
US 172.64.41.3:443 N/A udp
GB 216.58.201.99:443 N/A udp
GB 142.250.187.196:443 N/A tcp
GB 172.217.169.68:443 N/A tcp
GB 172.217.169.68:443 N/A tcp
GB 142.250.187.196:443 N/A udp
GB 142.250.187.227:443 N/A tcp

Files

/system_ext/framework/androidx.window.extensions.jar

MD5 3056e1bdb7d4e19789d0319eff484bd0
SHA1 6791ae47aa9466fe0bca27ad6643f846853bbee4
SHA256 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0
SHA512 c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658

/system_ext/framework/androidx.window.sidecar.jar

MD5 29469324e59dfcc052f24b5af4e7b2c4
SHA1 10c1e17ac6f598037bb51baa07945663645de4eb
SHA256 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a
SHA512 5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2

/data/misc/profiles/cur/0/com.topjohnwu.magisk/primary.prof

MD5 1f2079901f970c35d3bf81af01c1ac96
SHA1 2d7e67239754adba4b79131143d9b610c739c72a
SHA256 bce7dd03c3d6008615732d0eb24ed5a4a522331d94bd21ec7b25e69270c07740
SHA512 6149d61cb7d6f43d3174efd1f858ebd0ea592a152296e4de0750a2fa482eed00f151c49428b660571180d6d8a0d6b476bf7475aed3c1db76e6bd993b00d06b66

/data/data/com.topjohnwu.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 e140437d86f4cc736c2f8c9053f6ae97
SHA1 f5ecd4d6bac46dde9a90883cc4f48b0e42d4e493
SHA256 d7960caa5003d30a76330ef1cadf2609cee2bdc67c3d58d198b828c082965c95
SHA512 5b39df3456023f1aa46af429826b6fc99887d3bbbe2fdfb515aa8c505f60824bad83fdba28cccc31c8ed06178fae665be9f753ba19e74963226773d33569b7bf

/data/data/com.topjohnwu.magisk/files/profileInstalled

MD5 8a85937d8613c7a214463e08776132dd
SHA1 d44e1237f052dd26f07856aea6de1e4e159a410d
SHA256 1cb895291d2135826c8f42d3fb349aa6e733a36fc5d45740cd6f94ecfa74fed0
SHA512 944fcf3e7465218b161f7f53ed08a3c25299246a7ac2c7cea5b2e8734d775edb644ab4c29607fb8738996bd54e9be814a9c4e0870fd499caf5124d5e156408ed

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-11 10:18

Reported

2024-12-11 10:21

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

137s

Command Line

com.topjohnwu.magisk

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Processes

com.topjohnwu.magisk

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 216.58.204.74:443 N/A tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.178.14:443 android.apis.google.com tcp

Files

/data/data/com.topjohnwu.magisk/code_cache/res.apk

MD5 7fe1455cb7afe5276f3b4b71c6763370
SHA1 e22a3f797c3a97d1bbeb2f27fb9da095ef0ee1dd
SHA256 d6826fb7c94d42486972d58b31ce7e1a80368ee083743de4381d3b34558cf9a1
SHA512 24065a6c4785186f67147fc05ab5fad67554faa9e99e6d180ecf52b51318815def4a4cf55a7d8c78c805f6a7727c954845261df4f7954d6ee5528de330a48f1e

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-11 10:18

Reported

2024-12-11 10:21

Platform

android-x64-20240624-en

Max time kernel

7s

Max time network

137s

Command Line

com.topjohnwu.magisk

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an app to post notifications. android.permission.POST_NOTIFICATIONS N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A

Processes

com.topjohnwu.magisk

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.178.8:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.180.4:443 N/A tcp
GB 142.250.180.4:443 N/A tcp

Files

/data/data/com.topjohnwu.magisk/code_cache/res.apk

MD5 7fe1455cb7afe5276f3b4b71c6763370
SHA1 e22a3f797c3a97d1bbeb2f27fb9da095ef0ee1dd
SHA256 d6826fb7c94d42486972d58b31ce7e1a80368ee083743de4381d3b34558cf9a1
SHA512 24065a6c4785186f67147fc05ab5fad67554faa9e99e6d180ecf52b51318815def4a4cf55a7d8c78c805f6a7727c954845261df4f7954d6ee5528de330a48f1e

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-11 10:18

Reported

2024-12-11 10:21

Platform

android-x64-arm64-20240624-en

Max time kernel

7s

Max time network

134s

Command Line

com.topjohnwu.magisk

Signatures

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Processes

com.topjohnwu.magisk

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 N/A udp
GB 142.250.187.206:443 N/A tcp
GB 142.250.187.206:443 N/A tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 172.217.169.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.204.72:443 ssl.google-analytics.com tcp
GB 142.250.187.228:443 N/A tcp
GB 142.250.187.228:443 N/A tcp

Files

N/A