Malware Analysis Report

2025-01-19 06:51

Sample ID: 241220-vbnvaazrhr
Target: magisk-delta-r65c0a20a-kitsune.apk
SHA256: af26d6133f5729cfb029d129ca8bab77e9d7bb2903565ba2389f657e7d1e2a91
Tags: antidot, persistence, discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Mobile Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 through behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: af26d6133f5729cfb029d129ca8bab77e9d7bb2903565ba2389f657e7d1e2a91

Threat Level: Known bad

The file magisk-delta-r65c0a20a-kitsune.apk was found to be: Known bad.

Malicious Activity Summary

Tags: antidot, persistence, discovery

Antidot family

Antidot payload

Requests dangerous framework permissions

Queries information about active data network

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK (Mobile Matrix V15)

Tactics attached to the signatures in this report: persistence (runtime registration of a broadcast receiver) and discovery (query of the active data network). No technique IDs are listed.

Analysis: static1

Detonation Overview

Reported

2024-12-20 16:49

Signatures

Antidot family

antidot

Antidot payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

This signature fired with no indicator, process or target, so the family verdict cannot be cross-checked against any other artifact listed in this report.

Requests dangerous framework permissions

Description                                            Indicator                                    Process  Target
Allows an application to request installing packages.  android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A
Allows an app to post notifications.                   android.permission.POST_NOTIFICATIONS        N/A      N/A
Allows an application to read from external storage.   android.permission.READ_EXTERNAL_STORAGE     N/A      N/A
Allows an application to write to external storage.    android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-20 16:49

Reported

2024-12-20 16:51

Platform

android-x86-arm-20240624-en

Max time kernel

2s

Max time network

131s

Command Line

io.github.huskydg.magisk

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Processes

io.github.huskydg.magisk

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     N/A                                 udp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
GB       216.58.204.78:443    N/A                                 tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.180.14:443   android.apis.google.com             tcp

Files

/data/misc/profiles/cur/0/io.github.huskydg.magisk/primary.prof

MD5 a02364eb156d8a8bcc281f6133d013ed
SHA1 a42918a07aac5cc8337647281cbdb987c5d20614
SHA256 907c57ce1bf5d1286ff334868b7dd152f95e26854b22752524e64a5fcfaa3425
SHA512 0a697c2622b67270c2fc95ef20db11723373681599cc668e845de2e639aa8d4e80bbfd8c3d13ebdf266af906f3add1fe1f8c42d986cc8c93dc51fae06d16c6c1

/data/data/io.github.huskydg.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 00afff76f2e66c6ee8e9ed73114be464
SHA1 4f2acf7684adb47e2f160c53a69da8af85be66f3
SHA256 35cb616f3f8abee98d3f33250132d7a4933438137247903104e7bbbbd9bc5112
SHA512 b6728217aabd1e62663ecc25a75812468d153f95d7e0294139e9e8d1ab116b3782dbb18423ba0f1fc4253bd998a251b5c9a746852c7bd75228053ed68c03e9ba

/data/data/io.github.huskydg.magisk/files/profileInstalled

MD5 ea5c80f0b488188057e9530df2e5439c
SHA1 1260d228d68c9b4df77f90248beac06e89fbffd3
SHA256 e44a7072d6b505c6877ca6dd85432ecc0af4becbe2adb30b68eb8ebf1da805ac
SHA512 37970e182b80b18d3014f8af977994aa96ff4f6252da170388367d5cab17268d5d79a90e08867f63fde09bf7c36ae92114abd5213f4dc7ba2f3a95a12b1ece74

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-20 16:49

Reported

2024-12-20 16:51

Platform

android-x64-20240624-en

Max time kernel

2s

Max time network

147s

Command Line

io.github.huskydg.magisk

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence

Description             Indicator                                      Process  Target
Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Processes

io.github.huskydg.magisk

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     N/A                                 udp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       172.217.16.232:443   ssl.google-analytics.com            tcp
GB       142.250.187.206:443  N/A                                 tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.180.14:443   android.apis.google.com             tcp
GB       142.250.180.4:443    N/A                                 tcp
GB       142.250.180.4:443    N/A                                 tcp
GB       172.217.16.238:443   N/A                                 tcp
GB       142.250.179.226:443  N/A                                 tcp

Files

/data/misc/profiles/cur/0/io.github.huskydg.magisk/primary.prof

MD5 a02364eb156d8a8bcc281f6133d013ed
SHA1 a42918a07aac5cc8337647281cbdb987c5d20614
SHA256 907c57ce1bf5d1286ff334868b7dd152f95e26854b22752524e64a5fcfaa3425
SHA512 0a697c2622b67270c2fc95ef20db11723373681599cc668e845de2e639aa8d4e80bbfd8c3d13ebdf266af906f3add1fe1f8c42d986cc8c93dc51fae06d16c6c1

/data/data/io.github.huskydg.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 5244bba935c014bd97c41bf95940188c
SHA1 a81a4ba7d6c06fac53f3c84fd36040bbd5e96ab4
SHA256 d98a5b9482ecd524cd31a04da5c01fa2575457486a5fb653dadfedd3b63a16ac
SHA512 76bf6a095bf69aea85f97d589ff2f0eabec4b48822460c9df5e56a486f92fcabb1a6b4de15f32fcad4bf0e0f068baa81670e509b2f35d7b36152a452e0ad45a8

/data/data/io.github.huskydg.magisk/files/profileInstalled

MD5 f688e10ce9cf6d2c32d95f8c0b11d8b1
SHA1 2d4a00d4b43f6fa0446ed638ab78ec4b5bc1c138
SHA256 39c83ba2c9e4de022cda5314ff9ab089ce15bc259231d3d131e8deeccbdd1de7
SHA512 acc81ff1c4f56f0591665d22b42f12b1172b586843869043fc2aaafd2aeb193f4815e096376ca2693aa28f5549a8589aedac8186ba24906c687731e29e2bcd34

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-20 16:49

Reported

2024-12-20 16:51

Platform

android-x86-arm-20240624-en

Max time kernel

7s

Max time network

131s

Command Line

io.github.huskydg.magisk

Signatures

Queries information about active data network

discovery

Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Requests dangerous framework permissions

Description                                            Indicator                                    Process  Target
Allows an application to request installing packages.  android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A
Allows an app to post notifications.                   android.permission.POST_NOTIFICATIONS        N/A      N/A
Allows an application to read from external storage.   android.permission.READ_EXTERNAL_STORAGE     N/A      N/A
Allows an application to write to external storage.    android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A

Processes

io.github.huskydg.magisk

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     N/A                                 udp
GB       142.250.187.202:443  N/A                                 tcp
US       1.1.1.1:53           semanticlocation-pa.googleapis.com  udp
US       1.1.1.1:53           huskydg.github.io                   udp
US       185.199.109.153:443  huskydg.github.io                   tcp
GB       142.250.200.46:443   N/A                                 tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.179.238:443  android.apis.google.com             tcp
GB       216.58.201.106:443   semanticlocation-pa.googleapis.com  tcp

Files

/data/data/io.github.huskydg.magisk/code_cache/res.apk

MD5 e8279715dc245a7d6cdf9fc674949454
SHA1 23834b4f917a0849e176e61542d2a98911b925a1
SHA256 1e7bf7405c3fee7910b48068befd76ea5a9d40bd5e5534b77a982b55b3657a92
SHA512 978f5cf3b1fbaf00c83731075ec3a171f1962a1c9baed264b6126f3ba3c6d87293c71df03f36a598df1cf5f636ce31f883adab7a92a1821fa6d8f7976efa87b3

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-20 16:49

Reported

2024-12-20 16:51

Platform

android-x64-20240910-en

Max time kernel

5s

Max time network

152s

Command Line

io.github.huskydg.magisk

Signatures

Queries information about active data network

discovery

Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Requests dangerous framework permissions

Description                                            Indicator                                    Process  Target
Allows an application to request installing packages.  android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A
Allows an app to post notifications.                   android.permission.POST_NOTIFICATIONS        N/A      N/A
Allows an application to read from external storage.   android.permission.READ_EXTERNAL_STORAGE     N/A      N/A
Allows an application to write to external storage.    android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A

Processes

io.github.huskydg.magisk

Network

Country  Destination          Domain                              Proto
N/A      224.0.0.251:5353     N/A                                 udp
US       1.1.1.1:53           huskydg.github.io                   udp
US       185.199.108.153:443  huskydg.github.io                   tcp
GB       142.250.187.206:443  N/A                                 tcp
GB       142.250.187.206:443  N/A                                 tcp
US       1.1.1.1:53           android.apis.google.com             udp
GB       142.250.180.14:443   android.apis.google.com             tcp

Files

/data/data/io.github.huskydg.magisk/code_cache/res.apk

MD5 ca1584a81fba70c375e192c4eca65ae7
SHA1 71c645a657c06a8aed1498cad1c6bc8327b3dff0
SHA256 ae8765429231906ce35c3b6d0d10974dd55c768e08cb4b11338db8935a31e741
SHA512 468f5394f87ff3fe47e49d5a7e0bd6f2badb072b21ef31d4e2010f5b060886b52ea3406966107fabbbca88291cb60e7c19569195830f218afd5a9e751ff98799
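Only artifacts that reproduce identically across runs are worth promoting to file indicators. The Python below is an added example, not part of this report or of the Magisk Delta project: it parses the SHA-256 values transcribed from the Files tables of behavioral1 through behavioral4 (the MD5, SHA1 and SHA512 lines are left out of the transcription) and flags each path as stable or run-dependent. A digest whose length does not match its algorithm is rejected, which catches truncation when hashes are copied out of a report.

```python
"""Added example (not from the report): compare dropped-file hashes across runs."""
import hashlib
import re
from collections import defaultdict

# Transcribed from the Files tables above; only the SHA256 line of each file is kept.
FILES_BY_RUN = {
    "behavioral1": """\
/data/misc/profiles/cur/0/io.github.huskydg.magisk/primary.prof
SHA256 907c57ce1bf5d1286ff334868b7dd152f95e26854b22752524e64a5fcfaa3425
/data/data/io.github.huskydg.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
SHA256 35cb616f3f8abee98d3f33250132d7a4933438137247903104e7bbbbd9bc5112
/data/data/io.github.huskydg.magisk/files/profileInstalled
SHA256 e44a7072d6b505c6877ca6dd85432ecc0af4becbe2adb30b68eb8ebf1da805ac
""",
    "behavioral2": """\
/data/misc/profiles/cur/0/io.github.huskydg.magisk/primary.prof
SHA256 907c57ce1bf5d1286ff334868b7dd152f95e26854b22752524e64a5fcfaa3425
/data/data/io.github.huskydg.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat
SHA256 d98a5b9482ecd524cd31a04da5c01fa2575457486a5fb653dadfedd3b63a16ac
/data/data/io.github.huskydg.magisk/files/profileInstalled
SHA256 39c83ba2c9e4de022cda5314ff9ab089ce15bc259231d3d131e8deeccbdd1de7
""",
    "behavioral3": """\
/data/data/io.github.huskydg.magisk/code_cache/res.apk
SHA256 1e7bf7405c3fee7910b48068befd76ea5a9d40bd5e5534b77a982b55b3657a92
""",
    "behavioral4": """\
/data/data/io.github.huskydg.magisk/code_cache/res.apk
SHA256 ae8765429231906ce35c3b6d0d10974dd55c768e08cb4b11338db8935a31e741
""",
}

HEX = re.compile(r"^[0-9a-f]+$")


def valid_digest(algo, hexdigest):
    """True when hexdigest is lowercase hex of exactly the length hashlib expects."""
    try:
        size = hashlib.new(algo).digest_size
    except ValueError:          # unknown algorithm name
        return False
    return len(hexdigest) == 2 * size and bool(HEX.match(hexdigest))


def parse_files(text):
    """Map each path to its {algo: hexdigest} block, rejecting malformed digests."""
    files, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("/"):
            current = line.strip()
            files[current] = {}
            continue
        algo, digest = line.split()
        algo = algo.lower()
        if current is None or not valid_digest(algo, digest):
            raise ValueError(f"bad digest line: {line!r}")
        files[current][algo] = digest
    return files


def compare_runs(files_by_run):
    """For every path, collect the SHA-256 seen in each run and flag stability."""
    seen = defaultdict(dict)  # path -> run -> sha256
    for run, text in files_by_run.items():
        for path, digests in parse_files(text).items():
            seen[path][run] = digests["sha256"]
    return {
        path: {"runs": sorted(per_run),
               "stable": len(set(per_run.values())) == 1,
               "sha256": per_run}
        for path, per_run in seen.items()
    }


def stable_iocs(report, min_runs=2):
    """Only hashes reproduced unchanged in at least min_runs are worth sharing."""
    return sorted(
        next(iter(entry["sha256"].values()))
        for entry in report.values()
        if entry["stable"] and len(entry["runs"]) >= min_runs
    )
```

Run over the transcription, primary.prof carries the same SHA-256 in behavioral1 and behavioral2, while profileInstalled, the lastUpdateTime marker and the two code_cache/res.apk copies (written on different platform images) differ from run to run, so only the primary.prof hash survives as a file indicator.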

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-20 16:49

Reported

2024-12-20 16:51

Platform

android-x64-arm64-20240910-en

Max time kernel

5s

Max time network

150s

Command Line

io.github.huskydg.magisk

Signatures

Queries information about active data network

discovery

Description             Indicator                                              Process  Target
Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Processes

io.github.huskydg.magisk

Network

Country  Destination          Domain                              Proto
GB       142.250.200.46:443   N/A                                 tcp
GB       142.250.200.46:443   N/A                                 tcp
N/A      224.0.0.251:5353     N/A                                 udp
US       1.1.1.1:53           www.youtube.com                     udp
GB       142.250.178.14:443   www.youtube.com                     udp
GB       142.250.178.14:443   www.youtube.com                     tcp
GB       142.250.200.46:443   www.youtube.com                     tcp
GB       142.250.200.46:443   www.youtube.com                     tcp
GB       142.250.178.14:443   www.youtube.com                     tcp
US       1.1.1.1:53           huskydg.github.io                   udp
US       185.199.110.153:443  huskydg.github.io                   tcp
US       216.239.32.223:443   N/A                                 tcp
US       1.1.1.1:53           ssl.google-analytics.com            udp
GB       142.250.200.40:443   ssl.google-analytics.com            tcp
GB       142.250.187.193:443  N/A                                 tcp
US       216.239.32.223:443   N/A                                 tcp
GB       216.58.204.65:443    N/A                                 tcp
US       216.239.32.223:443   N/A                                 tcp
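The Network tables of the five behavioral runs are easier to judge once the rows are bucketed and deduplicated. The Python below is an added example, not part of this report or of the Magisk Delta project: it takes the rows transcribed from those tables (a dash stands in where the report shows no domain, and a row identical to the one before it is listed once), separates mDNS and resolver traffic from real outbound connections, maps each domain to the IPs actually contacted, and attributes bare-IP rows to a domain whenever another row anywhere in the report resolved that same IP. Treating 1.1.1.1 as the sandbox's DNS forwarder is an assumption read off the tables.

```python
"""Added example (not from the report): triage the five Network tables above."""
from collections import defaultdict

# Transcribed from the Network tables: country, destination, domain, proto.
# "-" marks a row with no domain; a row identical to the one before it is listed once.
NETWORK_ROWS = """\
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
GB 216.58.204.78:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 172.217.16.232:443 ssl.google-analytics.com tcp
GB 142.250.187.206:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.180.4:443 - tcp
GB 172.217.16.238:443 - tcp
GB 142.250.179.226:443 - tcp
N/A 224.0.0.251:5353 - udp
GB 142.250.187.202:443 - tcp
US 1.1.1.1:53 semanticlocation-pa.googleapis.com udp
US 1.1.1.1:53 huskydg.github.io udp
US 185.199.109.153:443 huskydg.github.io tcp
GB 142.250.200.46:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.179.238:443 android.apis.google.com tcp
GB 216.58.201.106:443 semanticlocation-pa.googleapis.com tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 huskydg.github.io udp
US 185.199.108.153:443 huskydg.github.io tcp
GB 142.250.187.206:443 - tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 142.250.180.14:443 android.apis.google.com tcp
GB 142.250.200.46:443 - tcp
N/A 224.0.0.251:5353 - udp
US 1.1.1.1:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.200.46:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 1.1.1.1:53 huskydg.github.io udp
US 185.199.110.153:443 huskydg.github.io tcp
US 216.239.32.223:443 - tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.200.40:443 ssl.google-analytics.com tcp
GB 142.250.187.193:443 - tcp
US 216.239.32.223:443 - tcp
GB 216.58.204.65:443 - tcp
US 216.239.32.223:443 - tcp
"""

MDNS = ("224.0.0.251", 5353)
RESOLVERS = {"1.1.1.1"}  # assumption: the sandbox's DNS forwarder


def parse_rows(text):
    """Split the whitespace table into typed dicts."""
    rows = []
    for line in text.splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def classify(row):
    """Bucket a row so background noise is not mistaken for a C2 contact."""
    if (row["ip"], row["port"]) == MDNS:
        return "mdns"       # link-local multicast, never leaves the LAN
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return "dns-query"  # a lookup, not a connection to the named host
    return "external"


def summarize(rows):
    counts = defaultdict(int)
    queried = set()               # names the app asked the resolver for
    contacted = defaultdict(set)  # domain -> IPs it actually connected to
    bare = set()                  # external IPs with no domain on their row
    for r in rows:
        kind = classify(r)
        counts[kind] += 1
        if kind == "dns-query" and r["domain"]:
            queried.add(r["domain"])
        elif kind == "external" and r["domain"]:
            contacted[r["domain"]].add(r["ip"])
        elif kind == "external":
            bare.add(r["ip"])
    # A bare IP is attributable when another row in the report tied it to a name.
    ip_to_domain = {ip: d for d, ips in contacted.items() for ip in ips}
    inferred = {ip: ip_to_domain[ip] for ip in bare if ip in ip_to_domain}
    return {"counts": dict(counts), "queried": queried,
            "contacted": {d: sorted(ips) for d, ips in contacted.items()},
            "inferred": inferred, "unattributed": sorted(bare - set(inferred))}
```

Across the five runs only five names are looked up; the one outside Google's domains is huskydg.github.io, which matches the package name io.github.huskydg.magisk shown under Command Line and Processes. The bare 142.250.200.46:443 connection in behavioral3 is tied to www.youtube.com by a later row in behavioral5, and nine external IPs remain with no name anywhere in the report; those are the rows a reviewer still has to attribute by other means before calling any of them command-and-control.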

Files

N/A