Analysis Overview
SHA256
8bfd3346b3da5814f82eff6f1b1b5fedd0ad585f39a25709b23eb54aac45691d
Threat Level: Known bad
The file Magisk-28.1(28100).apk was found to be: Known bad.
Malicious Activity Summary
Antidot family
Antidot payload
Loads dropped Dex/Jar
Queries information about active data network
Requests dangerous framework permissions
Registers a broadcast receiver at runtime (usually for listening for system events)
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-11 10:18
Signatures
Antidot family
Antidot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-11 10:18
Reported
2024-12-11 10:21
Platform
android-x86-arm-20240624-en
Max time kernel
2s
Max time network
129s
Command Line
Signatures
Registers a broadcast receiver at runtime (usually for listening for system events)
| Description | Indicator | Process | Target |
| Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A |
Processes
com.topjohnwu.magisk
su --mount-master
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.10:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 216.58.201.110:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
Files
/data/misc/profiles/cur/0/com.topjohnwu.magisk/primary.prof
| MD5 | 12ade2275cbe887e0559d74347973235 |
| SHA1 | 3bd792627b62ef615a7d339d684aa0d330714c10 |
| SHA256 | 66e211c4a355c5f973622410f98d5b597c0271ada16ff9da20d7ee7ad30b09be |
| SHA512 | a9feaaa0f8e51be69d538d6efd9ef16174313f61086d35eccdbf830965c833a5bf2e65a986ff57dbf76f9b04166a54a17dcf58607b258084427c3a54c6da741c |
/data/data/com.topjohnwu.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | cb1629b3490195cd1b6bd4f46760661d |
| SHA1 | 911aaf0a0c336d192b69881bbbd43b4dd9bee9f7 |
| SHA256 | 25b019f409ae937097db16b54c53d66e3df41bd7a711c438e37ca2a214362981 |
| SHA512 | 2973c28d8a5d77247050130e2611732e27937fd693a81037ece34de575debe941ad50fa0721f22ed5847a918ff8af5c966179e59dca60fed84d7b44920c9f75e |
/data/data/com.topjohnwu.magisk/files/profileInstalled
| MD5 | 4ac0abf77fc30bc2dcfc2a36207b128f |
| SHA1 | 030be60f88dfba380f56a76d7e5acf473cc5575e |
| SHA256 | 1bbc67cbe8e728d413512276e1cea744ece8f009fb47344e717ce4a7d0ea012b |
| SHA512 | 13a7f80652de86e593c12e1771fc074ceedd804aa97f2bb3417de0e99b277f680a7742b233f92709f5916d08f98c2abcc174ae502df3e024a948e69c3012bbf9 |
/data/user_de/0/com.topjohnwu.magisk/cache/main.jar
| MD5 | 51fc1652a346f9ade84aabfb44fa8853 |
| SHA1 | 4c4da2058dec4b5457c109f5e807592a75b19a29 |
| SHA256 | ae7fdb8b70bd2c1cc2c27043e985f8dc5cfff2cb9142a1576dcdbc889763ef7b |
| SHA512 | 2b79aec9dbe7f1a1db081c8bfb35784de44d6c394fb9f19f47f5053d6210eed34ba920dface04cc12502fd6cb44449518be389cd04cd5417f4548ffe0ba89af3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-11 10:18
Reported
2024-12-11 10:21
Platform
android-33-x64-arm64-20240624-en
Max time kernel
8s
Max time network
133s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /system_ext/framework/androidx.window.extensions.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.extensions.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.196:443 | | udp |
| GB | 142.250.187.196:443 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | tcp |
| GB | 216.58.212.238:443 | | udp |
| US | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp |
| US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp |
| US | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| US | 172.64.41.3:443 | | tcp |
| US | 172.64.41.3:443 | | tcp |
| GB | 216.58.201.99:443 | | tcp |
| US | 172.64.41.3:443 | | udp |
| GB | 216.58.201.99:443 | | udp |
| GB | 142.250.187.196:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 172.217.169.68:443 | | tcp |
| GB | 142.250.187.196:443 | | udp |
| GB | 142.250.187.227:443 | | tcp |
Files
/system_ext/framework/androidx.window.extensions.jar
| MD5 | 3056e1bdb7d4e19789d0319eff484bd0 |
| SHA1 | 6791ae47aa9466fe0bca27ad6643f846853bbee4 |
| SHA256 | 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0 |
| SHA512 | c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658 |
/system_ext/framework/androidx.window.sidecar.jar
| MD5 | 29469324e59dfcc052f24b5af4e7b2c4 |
| SHA1 | 10c1e17ac6f598037bb51baa07945663645de4eb |
| SHA256 | 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a |
| SHA512 | 5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2 |
/data/misc/profiles/cur/0/com.topjohnwu.magisk/primary.prof
| MD5 | 1f2079901f970c35d3bf81af01c1ac96 |
| SHA1 | 2d7e67239754adba4b79131143d9b610c739c72a |
| SHA256 | bce7dd03c3d6008615732d0eb24ed5a4a522331d94bd21ec7b25e69270c07740 |
| SHA512 | 6149d61cb7d6f43d3174efd1f858ebd0ea592a152296e4de0750a2fa482eed00f151c49428b660571180d6d8a0d6b476bf7475aed3c1db76e6bd993b00d06b66 |
/data/data/com.topjohnwu.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
| MD5 | e140437d86f4cc736c2f8c9053f6ae97 |
| SHA1 | f5ecd4d6bac46dde9a90883cc4f48b0e42d4e493 |
| SHA256 | d7960caa5003d30a76330ef1cadf2609cee2bdc67c3d58d198b828c082965c95 |
| SHA512 | 5b39df3456023f1aa46af429826b6fc99887d3bbbe2fdfb515aa8c505f60824bad83fdba28cccc31c8ed06178fae665be9f753ba19e74963226773d33569b7bf |
/data/data/com.topjohnwu.magisk/files/profileInstalled
| MD5 | 8a85937d8613c7a214463e08776132dd |
| SHA1 | d44e1237f052dd26f07856aea6de1e4e159a410d |
| SHA256 | 1cb895291d2135826c8f42d3fb349aa6e733a36fc5d45740cd6f94ecfa74fed0 |
| SHA512 | 944fcf3e7465218b161f7f53ed08a3c25299246a7ac2c7cea5b2e8734d775edb644ab4c29607fb8738996bd54e9be814a9c4e0870fd499caf5124d5e156408ed |
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-11 10:18
Reported
2024-12-11 10:21
Platform
android-x86-arm-20240624-en
Max time kernel
7s
Max time network
137s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 216.58.204.74:443 | | tcp |
| US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
Files
/data/data/com.topjohnwu.magisk/code_cache/res.apk
| MD5 | 7fe1455cb7afe5276f3b4b71c6763370 |
| SHA1 | e22a3f797c3a97d1bbeb2f27fb9da095ef0ee1dd |
| SHA256 | d6826fb7c94d42486972d58b31ce7e1a80368ee083743de4381d3b34558cf9a1 |
| SHA512 | 24065a6c4785186f67147fc05ab5fad67554faa9e99e6d180ecf52b51318815def4a4cf55a7d8c78c805f6a7727c954845261df4f7954d6ee5528de330a48f1e |
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-11 10:18
Reported
2024-12-11 10:21
Platform
android-x64-20240624-en
Max time kernel
7s
Max time network
137s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.178.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.180.14:443 | android.apis.google.com | tcp |
| GB | 142.250.180.4:443 | | tcp |
| GB | 142.250.180.4:443 | | tcp |
Files
/data/data/com.topjohnwu.magisk/code_cache/res.apk
| MD5 | 7fe1455cb7afe5276f3b4b71c6763370 |
| SHA1 | e22a3f797c3a97d1bbeb2f27fb9da095ef0ee1dd |
| SHA256 | d6826fb7c94d42486972d58b31ce7e1a80368ee083743de4381d3b34558cf9a1 |
| SHA512 | 24065a6c4785186f67147fc05ab5fad67554faa9e99e6d180ecf52b51318815def4a4cf55a7d8c78c805f6a7727c954845261df4f7954d6ee5528de330a48f1e |
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-11 10:18
Reported
2024-12-11 10:21
Platform
android-x64-arm64-20240624-en
Max time kernel
7s
Max time network
134s
Command Line
Signatures
Queries information about active data network
| Description | Indicator | Process | Target |
| Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A |
Processes
com.topjohnwu.magisk
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | | udp |
| GB | 142.250.187.206:443 | | tcp |
| GB | 142.250.187.206:443 | | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.14:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 216.58.204.72:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.228:443 | | tcp |
| GB | 142.250.187.228:443 | | tcp |
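To turn the Network and Files tables from the five detonations above into records that can be deduplicated, compared across runs or loaded into a blocklist, here is an added example parser. It is not part of the sandbox's own tooling or of the Magisk project; it assumes the report is available as plain text in the pipe-table layout used on this page, and it tolerates two quirks of that layout: rows with an empty Domain cell that carry the protocol in the Domain column, and a final table row without its closing pipe. The SAMPLE excerpt embedded in the block is constructed from rows shown above.

```python
"""Normalize the Network and Files tables of a report in this page's layout
into IOC records.

Added example, not the sandbox's or the Magisk project's own code. Assumes the
report is plain text in the pipe-table layout shown above. Handles two quirks
of that layout: rows with an empty Domain cell may carry the protocol in the
Domain column ("| tcp | |"), and the last row of a table may lack its closing
pipe. SAMPLE below is a constructed excerpt built from rows on this page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTOS = {"tcp", "udp"}


@dataclass(frozen=True)
class NetIoc:
    country: Optional[str]   # None where the report prints N/A (e.g. multicast)
    ip: str
    port: int
    proto: Optional[str]
    domain: Optional[str]    # set only for DNS lookups and resolved connections


@dataclass
class FileIoc:
    path: str
    hashes: Dict[str, str]   # algorithm name (lower-case) -> hex digest


def _cells(line: str) -> List[str]:
    """Split a pipe-table row into stripped cells; tolerates a missing trailing pipe."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def parse_net_row(line: str) -> Optional[NetIoc]:
    """Parse one Network row. Returns None for the header row or malformed rows."""
    cells = _cells(line)
    if len(cells) < 3 or cells[0] == "Country" or ":" not in cells[1]:
        return None
    country, dest = cells[0], cells[1]
    # Classify the remaining non-empty cells by value rather than by position,
    # so "| tcp | |" (protocol drifted into Domain) and "| | tcp |" both work.
    rest = [c for c in cells[2:] if c]
    proto = next((c.lower() for c in rest if c.lower() in PROTOS), None)
    domain = next((c for c in rest if c.lower() not in PROTOS), None)
    ip, _, port = dest.rpartition(":")
    return NetIoc(None if country == "N/A" else country, ip, int(port), proto, domain)


def parse_report(text: str) -> Tuple[List[NetIoc], List[FileIoc]]:
    """Walk the whole report, collecting records from every Network and Files section."""
    net: List[NetIoc] = []
    files: List[FileIoc] = []
    mode: Optional[str] = None
    current: Optional[FileIoc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Network", "Files"):
            mode, current = line, None
        elif mode == "Network" and line.startswith("|"):
            ioc = parse_net_row(line)
            if ioc is not None:
                net.append(ioc)
        elif mode == "Files" and line.startswith("/"):
            current = FileIoc(path=line, hashes={})
            files.append(current)
        elif mode == "Files" and line.startswith("|") and current is not None:
            algo, value = _cells(line)[:2]
            current.hashes[algo.lower()] = value
        elif line and not line.startswith("|"):
            mode, current = None, None   # any other heading ends the section
    return net, files


def summarize(net: List[NetIoc]) -> Dict[str, List[str]]:
    """Separate DNS lookups (names the sample asked for) from bare endpoints, deduplicated."""
    dns = sorted({n.domain for n in net if n.port == 53 and n.domain})
    endpoints = sorted({f"{n.ip}:{n.port}/{n.proto}" for n in net if n.port != 53})
    return {"dns": dns, "endpoints": endpoints}


def dropped(files: List[FileIoc]) -> List[FileIoc]:
    """Keep only files under /data, i.e. written by the app; /system* paths are
    jars shipped in the sandbox image, not artifacts dropped by the sample."""
    return [f for f in files if f.path.startswith("/data/")]


# Constructed excerpt: rows copied from the tables above, including the
# drifted-protocol rows and a final row without its closing pipe.
SAMPLE = """\
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.180.10:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.16.238:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.187.227:443 | tcp
Files
/system_ext/framework/androidx.window.extensions.jar
| MD5 | 3056e1bdb7d4e19789d0319eff484bd0 |
/data/user_de/0/com.topjohnwu.magisk/cache/main.jar
| MD5 | 51fc1652a346f9ade84aabfb44fa8853 |
| SHA256 | ae7fdb8b70bd2c1cc2c27043e985f8dc5cfff2cb9142a1576dcdbc889763ef7b |
Analysis: behavioral2
"""

if __name__ == "__main__":
    net_iocs, file_iocs = parse_report(SAMPLE)
    print(summarize(net_iocs))
    for f in dropped(file_iocs):
        print(f.path, f.hashes.get("sha256"))
```

Run it against the full report text rather than SAMPLE to get every detonation at once. `summarize` keeps DNS names apart from bare ip:port endpoints because only the names say what the sample asked for; the bare endpoints still need vetting by the analyst before they go on any blocklist. `dropped` filters the Files tables to /data paths, since the /system_ext/framework jars listed under behavioral2 are part of the sandbox image and their hashes say nothing about this sample.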