Malware Analysis Report

2025-01-19 06:50

Sample ID: 241221-df9twa1lay
Target: af26d6133f5729cfb029d129ca8bab77e9d7bb2903565ba2389f657e7d1e2a91.apk
SHA256: af26d6133f5729cfb029d129ca8bab77e9d7bb2903565ba2389f657e7d1e2a91
Tags: evasion discovery antidot persistence
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: af26d6133f5729cfb029d129ca8bab77e9d7bb2903565ba2389f657e7d1e2a91

Threat Level: Known bad

The file af26d6133f5729cfb029d129ca8bab77e9d7bb2903565ba2389f657e7d1e2a91.apk was found to be: Known bad.

Malicious Activity Summary

Tags: evasion discovery antidot persistence

Antidot family

Antidot payload

Loads dropped Dex/Jar

Queries information about active data network

Requests dangerous framework permissions

Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-21 02:58

Signatures

Antidot family

antidot

Antidot payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-21 02:58
Reported: 2024-12-21 03:01
Platform: android-33-x64-arm64-20240624-en
Max time kernel: 2s
Max time network: 133s

Command Line

io.github.huskydg.magisk

Signatures

Loads dropped Dex/Jar

Tag: evasion

Description | Indicator | Process | Target
N/A | /system_ext/framework/androidx.window.extensions.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.extensions.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A
N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A

Processes

io.github.huskydg.magisk

Network


Files

/system_ext/framework/androidx.window.extensions.jar

MD5 3056e1bdb7d4e19789d0319eff484bd0
SHA1 6791ae47aa9466fe0bca27ad6643f846853bbee4
SHA256 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0
SHA512 c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658

/system_ext/framework/androidx.window.sidecar.jar

MD5 29469324e59dfcc052f24b5af4e7b2c4
SHA1 10c1e17ac6f598037bb51baa07945663645de4eb
SHA256 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a
SHA512 5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2

Analysis: behavioral3

Detonation Overview

Submitted: 2024-12-21 02:58
Reported: 2024-12-21 03:00
Platform: android-x86-arm-20240624-en
Max time kernel: 7s
Max time network: 138s

Command Line

io.github.huskydg.magisk

Signatures

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Processes

io.github.huskydg.magisk

Network


Files

/data/data/io.github.huskydg.magisk/code_cache/res.apk

MD5 e1ccb73372f9711c3f6a6af6aef3beda
SHA1 77481b9fff50b0c4e67f75a5ed0fd2b5e1eb235f
SHA256 d592157cbd03c4a7eb34ca4b5ec0c22d9cd5c336a994467acb3c3449d6725fba
SHA512 723dbf2470ede199508a53c52157b3dc7fd3d40bce5403b088f69290d2f76831308ad3fc5851d50c47f4a18f5432025d371c2787dee4cd4e38ed599b942bc60c

Analysis: behavioral4

Detonation Overview

Submitted: 2024-12-21 02:58
Reported: 2024-12-21 03:01
Platform: android-x64-20240624-en
Max time kernel: 7s
Max time network: 134s

Command Line

io.github.huskydg.magisk

Signatures

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A
Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A
Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A
Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A

Processes

io.github.huskydg.magisk

Network


Files

/data/data/io.github.huskydg.magisk/code_cache/res.apk

MD5 f38ba5f13fe1ae9203ef9c00bfbdc670
SHA1 6d6c4ba10c5dfb4f89068f66fb9644b649ffade3
SHA256 68a4a2fc20d4cf41e80efc47c66459759fa82c7b13fc8dedf1112fffebc261ac
SHA512 b240645034da27439db862a2a5f3e470d6f71132dda509beaf564e4ca2e2b19716899f7fe5ab3f7a6f3f9607d1c542b71e686768fd5bf0b9331c3c4f6e498988

Analysis: behavioral5

Detonation Overview

Submitted: 2024-12-21 02:58
Reported: 2024-12-21 03:01
Platform: android-x64-arm64-20240624-en
Max time kernel: 7s
Max time network: 134s

Command Line

io.github.huskydg.magisk

Signatures

Queries information about active data network

Tag: discovery

Description | Indicator | Process | Target
Framework service call | android.net.IConnectivityManager.getActiveNetworkInfo | N/A | N/A

Processes

io.github.huskydg.magisk

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-21 02:58
Reported: 2024-12-21 03:01
Platform: android-x86-arm-20240624-en
Max time kernel: 2s
Max time network: 133s

Command Line

io.github.huskydg.magisk

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)

Tag: persistence

Description | Indicator | Process | Target
Framework service call | android.app.IActivityManager.registerReceiver | N/A | N/A

Processes

io.github.huskydg.magisk

Network


Files

/data/misc/profiles/cur/0/io.github.huskydg.magisk/primary.prof

MD5 a02364eb156d8a8bcc281f6133d013ed
SHA1 a42918a07aac5cc8337647281cbdb987c5d20614
SHA256 907c57ce1bf5d1286ff334868b7dd152f95e26854b22752524e64a5fcfaa3425
SHA512 0a697c2622b67270c2fc95ef20db11723373681599cc668e845de2e639aa8d4e80bbfd8c3d13ebdf266af906f3add1fe1f8c42d986cc8c93dc51fae06d16c6c1

/data/data/io.github.huskydg.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

MD5 796a4069c030536a15c6fd73d08f73a5
SHA1 fa6ff281fc8004190f8bfec0bd2b9a3e55f3daf5
SHA256 f7b13c1dcd48e40334047a5610e80b82afa98acd574e2bd5533df927543c8209
SHA512 ff1c83e6eb76e4aa3584bde226627563806abe0517d28da955801822169c847cd7e920229834181b9cd0425aa6f90d67782d5b9135b087b896f6a3c3e79ce249

/data/data/io.github.huskydg.magisk/files/profileInstalled

MD5 1703d8841dee08d217650f1cb33383c1
SHA1 d556a5997fe0565ffbced48e7bcd24844d68ed5c
SHA256 a6173b3acb42b756c2ddf0710d726bfd9fcfde0ce3b7221e3b4e532c380df4be
SHA512 58c964dc2df15796c8cecba245c980c9d68b0c85737fe4e2727a10224dd8d7287a69bbd3fb8c4caace8625feb344fd0db4a45e6777227a4ccc5af9086347324b