Malware Analysis Report

2025-01-19 06:50

Sample ID  241222-bty87axnfx
Target     81a390f63cb70395ee3fe9d1111bfb23.bin
SHA256     c5b445e1c2b7f3813c37f6047fb83734b1230e59e70e16c693fafec9e61b41b9
Tags       discovery, antidot, persistence
Score      10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Mobile Matrix V15
  Analysis: static1
    Detonation Overview, Signatures
  Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score         10/10
SHA256        c5b445e1c2b7f3813c37f6047fb83734b1230e59e70e16c693fafec9e61b41b9
Threat Level  Known bad

The file 81a390f63cb70395ee3fe9d1111bfb23.bin was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, antidot, persistence

  Antidot family
  Antidot payload
  Queries information about active data network
  Requests dangerous framework permissions
  Registers a broadcast receiver at runtime (usually for listening for system events)

MITRE ATT&CK

Analysis: static1

Detonation Overview

  Reported  2024-12-22 01:27

Signatures

Antidot family  [antidot]

Antidot payload

  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A

Requests dangerous framework permissions

  Description                                            Indicator                                    Process  Target
  Allows an application to request installing packages.  android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A
  Allows an app to post notifications.                   android.permission.POST_NOTIFICATIONS        N/A      N/A
  Allows an application to read from external storage.   android.permission.READ_EXTERNAL_STORAGE     N/A      N/A
  Allows an application to write to external storage.    android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A

Analysis: behavioral3

Detonation Overview

  Submitted         2024-12-22 01:26
  Reported          2024-12-22 01:29
  Platform          android-x86-arm-20240624-en
  Max time kernel   7s
  Max time network  133s

Command Line

  io.github.huskydg.magisk

Signatures

Queries information about active data network  [discovery]

  Description             Indicator                                              Process  Target
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Requests dangerous framework permissions

  Description                                            Indicator                                    Process  Target
  Allows an application to request installing packages.  android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A
  Allows an app to post notifications.                   android.permission.POST_NOTIFICATIONS        N/A      N/A
  Allows an application to read from external storage.   android.permission.READ_EXTERNAL_STORAGE     N/A      N/A
  Allows an application to write to external storage.    android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A

Processes

  io.github.huskydg.magisk

Network

  Country  Destination           Domain                              Proto
  N/A      224.0.0.251:5353                                          udp
  US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
  US       1.1.1.1:53            huskydg.github.io                   udp
  US       185.199.110.153:443   huskydg.github.io                   tcp
  GB       216.58.204.78:443                                         tcp
  US       1.1.1.1:53            android.apis.google.com             udp
  GB       216.58.204.78:443     android.apis.google.com             tcp
  GB       142.250.179.234:443   semanticlocation-pa.googleapis.com  tcp

Files

/data/data/io.github.huskydg.magisk/code_cache/res.apk

  MD5     96f51f1a397712515aaa3bfe0d08d71b
  SHA1    197235c21b304b7d5c013bc7429307c326892cab
  SHA256  604e0cfd4afbc5b36d340ddc5988a9cf86eb34b132374fdbc173e27b79f5f5c4
  SHA512  475e7dd395c0c80cab0c5ca8c4a7c224d763e9d423caa5ed5bee054eb23a5d497297694f6a96850e64dcccc2a297c49d8462932c3bcba777d78789fb54a4b630

Analysis: behavioral4

Detonation Overview

  Submitted         2024-12-22 01:26
  Reported          2024-12-22 01:29
  Platform          android-x64-20240624-en
  Max time kernel   7s
  Max time network  156s

Command Line

  io.github.huskydg.magisk

Signatures

Queries information about active data network  [discovery]

  Description             Indicator                                              Process  Target
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Requests dangerous framework permissions

  Description                                            Indicator                                    Process  Target
  Allows an application to request installing packages.  android.permission.REQUEST_INSTALL_PACKAGES  N/A      N/A
  Allows an app to post notifications.                   android.permission.POST_NOTIFICATIONS        N/A      N/A
  Allows an application to read from external storage.   android.permission.READ_EXTERNAL_STORAGE     N/A      N/A
  Allows an application to write to external storage.    android.permission.WRITE_EXTERNAL_STORAGE    N/A      N/A

Processes

  io.github.huskydg.magisk

Network

  Country  Destination           Domain                    Proto
  N/A      224.0.0.251:5353                                udp
  US       1.1.1.1:53            huskydg.github.io         udp
  US       185.199.108.153:443   huskydg.github.io         tcp
  US       1.1.1.1:53            ssl.google-analytics.com  udp
  GB       142.250.200.40:443    ssl.google-analytics.com  tcp
  GB       142.250.179.238:443                             tcp
  US       1.1.1.1:53            android.apis.google.com   udp
  GB       172.217.16.238:443    android.apis.google.com   tcp
  GB       142.250.180.4:443                               tcp
  GB       142.250.180.4:443                               tcp
  GB       216.58.201.98:443                               tcp
  GB       172.217.169.46:443                              tcp

Files

/data/data/io.github.huskydg.magisk/code_cache/res.apk

  MD5     bd20d51cfe768656c10e7098f57ce2c4
  SHA1    25f17e02b887a63245f16b155be4209b7ebd8d08
  SHA256  74ac174e8c422daf9182d9bc06abd42a446960d238acb82b094b4ae976c09299
  SHA512  dcec0fbbc95bcd7c8cb1b36e8d6d1e79c76c4ca587a5f003b884411c4f0b6d555ce69ed02c9bcf94685b33a91baf5cd45ca38a324ab4e708855430536f752438

Analysis: behavioral5

Detonation Overview

  Submitted         2024-12-22 01:26
  Reported          2024-12-22 01:29
  Platform          android-x64-arm64-20240624-en
  Max time kernel   7s
  Max time network  134s

Command Line

  io.github.huskydg.magisk

Signatures

Queries information about active data network  [discovery]

  Description             Indicator                                              Process  Target
  Framework service call  android.net.IConnectivityManager.getActiveNetworkInfo  N/A      N/A

Processes

  io.github.huskydg.magisk

Network

  Country  Destination           Domain                    Proto
  N/A      224.0.0.251:5353                                udp
  GB       142.250.180.14:443                              tcp
  GB       142.250.180.14:443                              tcp
  US       1.1.1.1:53            android.apis.google.com   udp
  GB       142.250.187.206:443   android.apis.google.com   tcp
  US       1.1.1.1:53            huskydg.github.io         udp
  US       185.199.111.153:443   huskydg.github.io         tcp
  US       1.1.1.1:53            ssl.google-analytics.com  udp
  GB       142.250.187.200:443   ssl.google-analytics.com  tcp
  GB       142.250.179.228:443                             tcp
  GB       142.250.179.228:443                             tcp

Files

  N/A

Analysis: behavioral1

Detonation Overview

  Submitted         2024-12-22 01:26
  Reported          2024-12-22 01:29
  Platform          android-x86-arm-20240624-en
  Max time kernel   2s
  Max time network  133s

Command Line

  io.github.huskydg.magisk

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]

  Description             Indicator                                     Process  Target
  Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Processes

  io.github.huskydg.magisk
  su --mount-master

Network

  Country  Destination           Domain                              Proto
  N/A      224.0.0.251:5353                                          udp
  US       1.1.1.1:53            semanticlocation-pa.googleapis.com  udp
  GB       142.250.187.206:443                                       tcp
  US       1.1.1.1:53            android.apis.google.com             udp
  GB       142.250.200.14:443    android.apis.google.com             tcp
  GB       216.58.204.74:443     semanticlocation-pa.googleapis.com  tcp

Files

/data/misc/profiles/cur/0/io.github.huskydg.magisk/primary.prof

  MD5     a02364eb156d8a8bcc281f6133d013ed
  SHA1    a42918a07aac5cc8337647281cbdb987c5d20614
  SHA256  907c57ce1bf5d1286ff334868b7dd152f95e26854b22752524e64a5fcfaa3425
  SHA512  0a697c2622b67270c2fc95ef20db11723373681599cc668e845de2e639aa8d4e80bbfd8c3d13ebdf266af906f3add1fe1f8c42d986cc8c93dc51fae06d16c6c1

/data/data/io.github.huskydg.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

  MD5     9512d77586bb0a993fb3f70c4f0c4618
  SHA1    6d4743cd569a09cbda32798bc24e51987f19f4c4
  SHA256  3554c3d4881c1865c929b90936ba00cd64677b448374e1c3568d932d938e1bc7
  SHA512  95882da8263c590ab6c81370ce902eeef7ce9ae4ad6b3c00a5c5d8e559c5c2e40e7086bac040c863c3ef28763b65213c2f48bab305c2bd55b8f3859defea1f04

/data/data/io.github.huskydg.magisk/files/profileInstalled

  MD5     3e7dbf51c7b32fee156fca033b55a62a
  SHA1    147ce62d33464188a6be779494d87d9bd4e6e301
  SHA256  65dcc2cd5907bde5a410c8a8a637b09f41b94c61d30d56df853433468bfb0d57
  SHA512  361b3b4039d0f2b3a6254705c59b011d04727f2d1be61914911a1b7e0e401d2fbf902bff457596d2779b12e9bdca42730af3973f150ed713d2bb0092f60c276a

Analysis: behavioral2

Detonation Overview

  Submitted         2024-12-22 01:26
  Reported          2024-12-22 01:29
  Platform          android-x64-20240624-en
  Max time kernel   2s
  Max time network  151s

Command Line

  io.github.huskydg.magisk

Signatures

Registers a broadcast receiver at runtime (usually for listening for system events)  [persistence]

  Description             Indicator                                     Process  Target
  Framework service call  android.app.IActivityManager.registerReceiver  N/A      N/A

Processes

  io.github.huskydg.magisk

Network

  Country  Destination           Domain                    Proto
  N/A      224.0.0.251:5353                                udp
  US       1.1.1.1:53            ssl.google-analytics.com  udp
  GB       142.250.187.232:443   ssl.google-analytics.com  tcp
  GB       142.250.200.46:443                              tcp
  US       1.1.1.1:53            android.apis.google.com   udp
  GB       172.217.169.46:443    android.apis.google.com   tcp
  GB       142.250.187.228:443                             tcp
  GB       142.250.187.228:443                             tcp
  GB       216.58.213.14:443                               tcp
  GB       142.250.178.2:443                               tcp

Files

/data/user_de/0/io.github.huskydg.magisk/cache/main.jar

  MD5     803d520477442e45318b1b0fc76c6c15
  SHA1    68e0102a3a91f7a050cda807889b3ffa0e25ba18
  SHA256  4efaf47682fe8bf49c1aaa9ee7b907ced7246277ca996086da2284324fc8a9ab
  SHA512  2523395f82258842bce3edd4033af92c0b1e10d664ad8817f6622b9ea701851ca0ba03bb2c06b9bc956f5e8ee988eacd41e9042e5873045449dabe78d6dcd913

/data/misc/profiles/cur/0/io.github.huskydg.magisk/primary.prof

  MD5     a02364eb156d8a8bcc281f6133d013ed
  SHA1    a42918a07aac5cc8337647281cbdb987c5d20614
  SHA256  907c57ce1bf5d1286ff334868b7dd152f95e26854b22752524e64a5fcfaa3425
  SHA512  0a697c2622b67270c2fc95ef20db11723373681599cc668e845de2e639aa8d4e80bbfd8c3d13ebdf266af906f3add1fe1f8c42d986cc8c93dc51fae06d16c6c1

/data/data/io.github.huskydg.magisk/files/profileinstaller_profileWrittenFor_lastUpdateTime.dat

  MD5     2276edff60205e6237b0abda43998bfe
  SHA1    0460b78e6be6c9ac9bd622a9a2c556c5f36759eb
  SHA256  3c261c0ed650aba76e11d3c8d4a48cefee7877cccd55b3a2fcc87bfb48f2f182
  SHA512  66c1b0118ee9ea1e92c187c920f90727f34d97d4d4889a43d4e53887cdd2751fa1e46b3f0873bfe3198fbb1665127a05e66631cf9825e9551318607bf0f1adeb

/data/data/io.github.huskydg.magisk/files/profileInstalled

  MD5     e62e058f7795aa6d8fd3574471ac5720
  SHA1    0ec11bb046009f560c0a743ff005b6d033b1abad
  SHA256  1a6f14954e5f2c1a535f8d6e619441891964f493b73f1b17db715ee26b2a7621
  SHA512  2516f229630f191f86a372c77da81425bc248b8a09f498cb68e8b908a91afafdaf5aeac8b657d726ec39f7cae9cd5df945d70745d88debf0c8ce1be8ecb63e36