Malware Analysis Report

2025-01-19 05:21

Sample ID 241224-1wth6aylcx
Target 0f6a93a698d0d2a19eab56bffcb6714eeb9f4b5aa686735eecdd99144931007b.bin
SHA256 0f6a93a698d0d2a19eab56bffcb6714eeb9f4b5aa686735eecdd99144931007b
Tags
otpstealer anubis banker collection credential_access discovery evasion persistence stealth trojan execution
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0f6a93a698d0d2a19eab56bffcb6714eeb9f4b5aa686735eecdd99144931007b.bin was found to be: Known bad.

Malicious Activity Summary

Otpstealer family

Otpstealer payload

Anubis family

Removes its main activity from the application launcher

Queries account information for other applications stored on the device

Reads the content of the calendar entry data.

Reads the content of the call log.

Requests cell location

Reads the contacts stored on the device.

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

Makes use of the framework's Accessibility service

Queries the mobile country code (MCC)

Requests disabling of battery optimizations (often used to enable hiding in the background).

Queries information about active data network

Declares services with permission to bind to the system

Makes use of the framework's foreground persistence service

Requests dangerous framework permissions

Acquires the wake lock

Queries information about the current Wi-Fi connection

Listens for changes in the sensor environment (might be used to detect emulation)

Registers a broadcast receiver at runtime (usually for listening for system events)

Schedules tasks to execute at a specified time

Analysis: static1

Detonation Overview

Reported

2024-12-24 22:00

Signatures

Anubis family

anubis

Otpstealer family

otpstealer

Otpstealer payload

Declares services with permission to bind to the system

Description Indicator Process Target
Required by accessibility services to bind with the system. Allows apps to access accessibility features. android.permission.BIND_ACCESSIBILITY_SERVICE N/A N/A
Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. android.permission.BIND_NOTIFICATION_LISTENER_SERVICE N/A N/A

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. android.permission.SYSTEM_ALERT_WINDOW N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Allows an application to request installing packages. android.permission.REQUEST_INSTALL_PACKAGES N/A N/A
Allows an application to collect component usage statistics. android.permission.PACKAGE_USAGE_STATS N/A N/A
Allows an application to read or write the system settings. android.permission.WRITE_SETTINGS N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's calendar data. android.permission.READ_CALENDAR N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-24 22:00

Reported

2024-12-24 22:03

Platform

android-x86-arm-20240910-en

Max time kernel

19s

Max time network

151s

Command Line

com.tencent.mm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Reads the content of the calendar entry data.

collection
Description Indicator Process Target
URI accessed for read content://com.android.calendar/events N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Processes

com.tencent.mm

Network

Files

/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

/data/data/com.tencent.mm/databases/evernote_jobs.db

/data/data/com.tencent.mm/databases/evernote_jobs.db-shm

/data/data/com.tencent.mm/databases/evernote_jobs.db-wal

/storage/emulated/0/Config/sys/apps/log/log-2024-12-24.txt

/data/data/com.tencent.mm/databases/Dname-journal

/data/data/com.tencent.mm/databases/Dname-wal

/data/data/com.tencent.mm/files/accounts.txt

/data/data/com.tencent.mm/files/CallLogs.txt

/data/data/com.tencent.mm/files/netinfo.txt

/data/data/com.tencent.mm/files/Tree.txt

/data/data/com.tencent.mm/files/pkinfo.txt

/data/data/com.tencent.mm/files/GP.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-24 22:00

Reported

2024-12-24 22:03

Platform

android-x64-20240624-en

Max time kernel

46s

Max time network

156s

Command Line

com.tencent.mm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccounts N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Reads the content of the calendar entry data.

collection
Description Indicator Process Target
URI accessed for read content://com.android.calendar/events N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about active data network

discovery
Description Indicator Process Target
Framework service call android.net.IConnectivityManager.getActiveNetworkInfo N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Queries the mobile country code (MCC)

discovery
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getNetworkCountryIsoForPhone N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Registers a broadcast receiver at runtime (usually for listening for system events)

persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.registerReceiver N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A

Processes

com.tencent.mm

Network

Files

/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

/data/data/com.tencent.mm/databases/evernote_jobs.db

/storage/emulated/0/Config/sys/apps/log/log-2024-12-24.txt

/data/data/com.tencent.mm/databases/Dname-journal

/data/data/com.tencent.mm/databases/Dname

/data/data/com.tencent.mm/files/accounts.txt

/data/data/com.tencent.mm/files/CallLogs.txt

/data/data/com.tencent.mm/files/netinfo.txt

/data/data/com.tencent.mm/files/Tree.txt

/data/data/com.tencent.mm/files/pkinfo.txt

/data/data/com.tencent.mm/files/GP.txt

MD5 39e89b811f481a371bdee223b5657f66
SHA1 967624a44e7155dd159cdfab194deaa09e2006c4
SHA256 13395ac7093709d550e8b067e2fd502b93df2c7e831dcf51b1fac430879b619b
SHA512 e40b5836e70fd21ee22ab21bc2552b46b624ff4502ee1ce33d19ac452463ebe2bc24ffac9618975b1b18aae749e1a0e7483bb699ba6053be038d5b8e8932d179

/data/data/com.tencent.mm/files/GP.txt

MD5 5a8e4fab22ef014f1bb2abf9a31918aa
SHA1 640f69c041a34035c56a83bc8c72acbc31f88b45
SHA256 af491101b26326fbe95cd5aafd8b8c5271b06b57d1cc8e82566bfdefee250711
SHA512 ef632a2b54fa7237a7763245e0971831efe9ab9f427ef4e6cbff890db87dff5872e7b96be87ce3d0e3c715c7e0ed39fb606303c11952a09aea8d0328e2d35ba3

/storage/emulated/0/Config/sys/apps/log/log-2024-12-24.txt

MD5 ca83936d0c0ffdb4a991046e32ccc956
SHA1 6d34827e6fd5b8f716cc5f7d7843b581713aeab3
SHA256 b50da55ec1fcb8d0589b49d5b3dfef915d77f3dbb24416bb1305441f81c507d2
SHA512 61bb1d4d033b0ddfa7ae802d5732c00af6db3aa5bcfbda0c60a0f12bd9fbbbd03123990c55d5abbd3d6e967471101b82e409f1620a73a3cf8c627452f61440d4

/data/data/com.tencent.mm/files/netinfo.txt

MD5 6f9bd0be5ba173cca5667cdcca742a1c
SHA1 9d2aed733d5fdf8afdba3b7aa1ac6a653e332358
SHA256 76f7a213188d3ef9bae8500764a094250c7a6e90961dbfd50ab15d27e7af725b
SHA512 28849abe1022d2c1dc8c2ba90480a1cc4931e921b5ee351c8eb1da473cb1e82e70e28dcee0eb34c47b2e8fd8206adf94cd5d0aae4bb5e0749d8483f3226e4e83

/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

MD5 180314f33f0380719757f15d481d9cb5
SHA1 d77b59893ff055861f6deb1382ffbbfe22198cd2
SHA256 6b091b7e5ff6454cb6546f78f71b075b9397541387fc509c947322c19c2f7b7c
SHA512 4e2617dbc4f941115cf8d04a176c07dee57aae738568a81a0b2a28ea7b7892232e56b53bf0c1fbd8130d25609bcc7450688716eea46e3c048507c833700701b7

/data/data/com.tencent.mm/databases/evernote_jobs.db-journal

MD5 78aad662fd9a5d69774aeb11d5a2e03d
SHA1 3ec703de454f36b474ca7d26b8bd4e3077668c49
SHA256 2d1e6c4077a40f770d6a1fe404be7242973a1e517bfbff8474910d6120ff669b
SHA512 d02231804c2dac1cb4e536b990b1c61c402e5bafbb25faf563ab0fc18246ff32ad53ec2b3c836934c7bea77bdd6cac0562a79095907c697ac2773d4d68a0ab75

/data/data/com.tencent.mm/files/GP.txt

MD5 7e945c559f96dac48ca64243dba7af0a
SHA1 f8c96b46c18f1914659380816b6675efb5abf0b0
SHA256 d1e190215fea818bfa4738d1d720527b186607404b88dda082c12186bd3eb7e2
SHA512 6513b72f624606986ebfd7ba33c793d739d421c88a3f3c1c1c41562125b670ae72a138d9340537eae3cbc8a5242710fefbca5f92080602cb894c7d2929d93ee3

/data/data/com.tencent.mm/files/GP.txt

MD5 a2090a7f12b43ff4968d4aef9b6a4c9d
SHA1 57c972ee45cff866e35254568fa5e1d6a3e2fe91
SHA256 eac1ac0a06443181ef351b2e6dc3bd1ade72d2a46831f73e497d98f3f54daf9e
SHA512 4bd1835d4a139003bdac6b77bbccf730eceb359880e3f81be583a08fa49760363bb7806d4ef77f878a050edd03261490d993b860176d718e398fe4df0cc497c2

/data/data/com.tencent.mm/files/GP.txt

MD5 cc6f553a3d0215d3d21968d1b4b3d6c1
SHA1 eefd32d5f2e9ca03c17a90f04c594331c20c7adb
SHA256 9a9cad02065b31c5d95b0a65e4b2df6dab61b9c99347915b129cb66f7763784f
SHA512 d055ae6925d9c1960ad7cca3c42a0d47c8b6592b334bcb427fb6c732d3d932cdefefb967b77bb91de7277dee80df32c8ef84ea90829825aeffff1debcc153d6e

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-24 22:00

Reported

2024-12-24 22:03

Platform

android-x64-arm64-20240910-en

Max time kernel

23s

Max time network

153s

Command Line

com.tencent.mm

Signatures

Removes its main activity from the application launcher

stealth trojan evasion
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Makes use of the framework's Accessibility service

collection evasion credential_access
Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps)

banker discovery

Queries account information for other applications stored on the device

collection
Description Indicator Process Target
Framework service call android.accounts.IAccountManager.getAccountsAsUser N/A N/A

Reads the contacts stored on the device.

collection
Description Indicator Process Target
URI accessed for read content://com.android.contacts/data/phones N/A N/A

Reads the content of the calendar entry data.

collection
Description Indicator Process Target
URI accessed for read content://com.android.calendar/events N/A N/A

Reads the content of the call log.

collection
Description Indicator Process Target
URI accessed for read content://call_log/calls N/A N/A

Requests cell location

collection discovery evasion
Description Indicator Process Target
Framework service call com.android.internal.telephony.ITelephony.getCellLocation N/A N/A

Acquires the wake lock

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Makes use of the framework's foreground persistence service

evasion persistence
Description Indicator Process Target
Framework service call android.app.IActivityManager.setServiceForeground N/A N/A

Queries information about the current Wi-Fi connection

discovery
Description Indicator Process Target
Framework service call android.net.wifi.IWifiManager.getConnectionInfo N/A N/A

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Listens for changes in the sensor environment (might be used to detect emulation)

evasion
Description Indicator Process Target
Framework API call android.hardware.SensorManager.registerListener N/A N/A

Schedules tasks to execute at a specified time

execution persistence
Description Indicator Process Target
Framework service call android.app.job.IJobScheduler.schedule N/A N/A
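The signatures above are runtime observations. A static counterpart that a triage pipeline can run before detonation is to read the APK's AndroidManifest.xml and check whether it declares the capabilities those signatures need: a service bound with BIND_ACCESSIBILITY_SERVICE, the permissions behind the contacts, call-log, calendar, account and cell-location reads, and the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, FOREGROUND_SERVICE and WAKE_LOCK permissions behind the persistence calls. The script below is an added example and is not code from the sandbox or from the analysed APK. The manifest it parses is constructed; "com.example.dropper" and the component names are placeholders, not identifiers taken from the sample. Note that hiding the launcher icon is a runtime action, so the manifest still declares a LAUNCHER activity and the static pass can only record that one exists.

```python
"""Static check of an AndroidManifest.xml for the capability set the report's
runtime signatures imply.  Added example; the manifest is CONSTRUCTED and the
package/component names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    """ElementTree spelling of an android:<name> attribute."""
    return "{%s}%s" % (ANDROID_NS, name)


# Runtime behaviour listed in the report -> permission that behaviour requires.
COLLECTION_PERMS = {
    "android.permission.READ_CALL_LOG": "content://call_log/calls",
    "android.permission.READ_CONTACTS": "content://com.android.contacts/data/phones",
    "android.permission.READ_CALENDAR": "content://com.android.calendar/events",
    "android.permission.GET_ACCOUNTS": "IAccountManager.getAccountsAsUser",
    "android.permission.ACCESS_COARSE_LOCATION": "ITelephony.getCellLocation",
    "android.permission.ACCESS_FINE_LOCATION": "ITelephony.getCellLocation",
}
EVASION_PERMS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS intent",
    "android.permission.FOREGROUND_SERVICE": "IActivityManager.setServiceForeground",
    "android.permission.WAKE_LOCK": "IPowerManager.acquireWakeLock",
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest (placeholders, not the sample's identifiers).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Update">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".WorkService" android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Collect permissions, accessibility-bound services and launcher activities."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    info = {
        "package": root.get("package"),
        "permissions": {e.get(android_attr("name")) for e in root.iter("uses-permission")},
        "accessibility_services": [s.get(android_attr("name")) for s in app.iter("service")
                                   if s.get(android_attr("permission")) == BIND_A11Y],
        "launcher_activities": [],
    }
    for act in app.iter("activity"):
        cats = {c.get(android_attr("name")) for c in act.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            info["launcher_activities"].append(act.get(android_attr("name")))
    return info


def findings(info):
    """Which of the report's signatures this manifest could support."""
    out = []
    if info["accessibility_services"]:
        out.append("accessibility service: " + ", ".join(info["accessibility_services"]))
    for perm, behaviour in sorted(COLLECTION_PERMS.items()):
        if perm in info["permissions"]:
            out.append("collection: %s (%s)" % (behaviour, perm.rsplit(".", 1)[1]))
    for perm, behaviour in sorted(EVASION_PERMS.items()):
        if perm in info["permissions"]:
            out.append("persistence/evasion: %s (%s)" % (behaviour, perm.rsplit(".", 1)[1]))
    if info["launcher_activities"]:
        out.append("launcher activity present (icon hiding, if any, happens at runtime)")
    return out


def matches_banker_profile(info):
    """Accessibility binding + battery opt-out + at least two collection
    permissions: the combination this sample exhibited.  A heuristic, not a
    verdict; a legitimate accessibility tool can trip it."""
    collection = [p for p in info["permissions"] if p in COLLECTION_PERMS]
    return (bool(info["accessibility_services"])
            and "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in info["permissions"]
            and len(collection) >= 2)


if __name__ == "__main__":
    info = parse_manifest(SAMPLE_MANIFEST)
    for line in findings(info):
        print(line)
    print("banker profile:", matches_banker_profile(info))
```

The profile check is deliberately a conjunction: any one of these permissions is common in legitimate apps, and it is the accessibility binding combined with the battery opt-out and broad collection permissions that separates this sample's shape from a benign one. Treat a hit as a reason to detonate, not as a classification.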

Processes

com.tencent.mm

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
GB 142.250.200.14:443 www.youtube.com udp
GB 142.250.200.14:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
GB 142.250.178.14:443 android.apis.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 142.250.187.200:443 ssl.google-analytics.com tcp
IN 154.61.80.131:6008 tcp
US 1.1.1.1:53 mangasiso.top udp
US 1.1.1.1:53 www.geoip-db.com udp
IN 154.61.80.131:6008 tcp (9 consecutive connections)
US 1.1.1.1:53 www.google.com udp
IN 154.61.80.131:6008 tcp
GB 142.250.200.4:443 www.google.com tcp
US 216.239.34.223:443 tcp
IN 154.61.80.131:6008 tcp (28 consecutive connections)
US 216.239.36.223:443 tcp
IN 154.61.80.131:6008 tcp (71 consecutive connections)
GB 142.250.187.206:443 www.youtube.com tcp
IN 154.61.80.131:6008 tcp
GB 142.250.187.193:443 tcp
GB 216.58.201.97:443 tcp
US 216.239.34.223:443 tcp
IN 154.61.80.131:6008 tcp (3 consecutive connections)
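Most of the rows in the table above are a single endpoint, 154.61.80.131:6008 over TCP, contacted over a hundred times in a 153 s window with no domain attached, while the DNS lookups for mangasiso.top and www.geoip-db.com have no connection attributed to them. The report does not label that endpoint, but the shape is what a command-and-control channel over a raw socket looks like. The script below is an added example, not part of the sandbox report and not the sample's code: it parses rows in the table's own layout, counts connections per endpoint, flags repeated contact with a non-standard port that never had a domain attributed, and lists domains that were resolved but never connected to under that name. ROWS is a constructed excerpt, not the full table, and the port set and threshold are triage choices of mine, not values from the report.

```python
"""Beacon-detection pass over sandbox network rows.  Added example; ROWS is a
CONSTRUCTED excerpt in the report's "Country Destination Domain Proto" layout
(Domain is absent when the sandbox did not tie the connection to a DNS answer)."""
from collections import Counter

ROWS = """\
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 www.youtube.com udp
GB 216.58.201.110:443 www.youtube.com tcp
US 1.1.1.1:53 android.apis.google.com udp
GB 216.58.204.78:443 android.apis.google.com tcp
IN 154.61.80.131:6008 tcp
US 1.1.1.1:53 mangasiso.top udp
US 1.1.1.1:53 www.geoip-db.com udp
IN 154.61.80.131:6008 tcp
IN 154.61.80.131:6008 tcp
US 1.1.1.1:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 216.239.34.223:443 tcp
IN 154.61.80.131:6008 tcp
IN 154.61.80.131:6008 tcp
IN 154.61.80.131:6008 tcp
"""

# Assumption: ports a phone is expected to talk to (DNS, HTTP(S), mDNS).
STANDARD_PORTS = {53, 80, 443, 5353}


def parse_rows(text):
    """Return (country, ip, port, domain_or_None, proto) per non-empty line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else None
        ip, port = dest.rsplit(":", 1)
        out.append((country, ip, int(port), domain, proto))
    return out


def connection_counts(rows):
    """Connections per (ip, port, proto); DNS lookups are not connections."""
    return Counter((ip, port, proto) for _, ip, port, _, proto in rows if port != 53)


def find_beacons(rows, min_count=3):
    """Endpoints contacted repeatedly on a non-standard port with no domain
    ever attributed: the shape of a raw-socket C2 channel, not web traffic."""
    counts = connection_counts(rows)
    has_domain = {(ip, port) for _, ip, port, d, _ in rows if d}
    return sorted(
        ((ip, port, proto), n)
        for (ip, port, proto), n in counts.items()
        if n >= min_count and port not in STANDARD_PORTS and (ip, port) not in has_domain
    )


def unresolved_lookups(rows):
    """Domains the sample resolved but never connected to under that name.
    Either the answer went unused or the follow-up connection was made without
    the sandbox attributing the domain (the 6008/tcp rows carry none)."""
    looked_up = {d for _, _, port, d, _ in rows if port == 53 and d}
    connected = {d for _, _, port, d, _ in rows if port != 53 and d}
    return sorted(looked_up - connected)


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    for (ip, port, proto), n in find_beacons(rows):
        print("beacon candidate %s:%d/%s, %d connections" % (ip, port, proto, n))
    print("looked up but never connected to:", unresolved_lookups(rows))
```

On the excerpt this reports 154.61.80.131:6008/tcp as the only beacon candidate and mangasiso.top and www.geoip-db.com as the unattributed lookups; run against the full table the count for the candidate rises to 114. The script cannot tell whether mangasiso.top resolved to 154.61.80.131, because the sandbox did not record that association, so it reports the two facts separately rather than joining them.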

Files

/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

MD5 e0e07b902c41adc33059313d9a8e3290
SHA1 d615aaff7086545b551b29b519d708f0a02f65b6
SHA256 950730fbebde8965a131eba1d5cbf9bb3f1bb62e3b26ad1992ebe9c8c0c973b6
SHA512 385af5a382934db476c6c83ee461b2de6e67a55f7bd61de10daed4603c1caa264e20ddeeaa2578433b4e9fac73ef81ad9de7d4fe1bfd0c1c4d87942657c9ed17

/data/user/0/com.tencent.mm/databases/evernote_jobs.db

MD5 a487762f813ccd394d22230d5ca1b3b0
SHA1 81355be2809bc687dae31dcf09c53045617754fa
SHA256 62746b7708ce3e4eec15939c89fc87e2aaac15293b1927b21b6f6decd99108ca
SHA512 d526301082939288cf5431c5065384058d8af4f20afa3f92edc8f29c0de3927454938e1d04519bada40e90e5ee28ad6b035818f15b6eb3d987306553c9053f64

/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

MD5 c144210ca145f7ddd2636a8e51756aec
SHA1 15ff348c166f3140ef389b77af71e29b7f43422e
SHA256 ca252dcaae1d7e09126e057bc480276b48879c991278f74328a16e4c57af45c6
SHA512 90f8454b7959e2885941f075400548a1f52038bb8aaff36c9557e268a91c68653f532227ea9b512f0ee1aea85504ca2c48e0fc27ab37ca1bee8214d0de5d619b

/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

MD5 b85913139be2b4eafb8bc3fe40c3b5bf
SHA1 350c7ad7c43810ac69361702e914044b65492e2a
SHA256 99a66e2ba895d25921b795e515255aa5e7752894f7d6e20ab2e93cd96f693cf1
SHA512 72c60bae7e52b9add136533a64ff0b734c0d115e9c7b9b13c577987f23151323a211dbe358715cc18ee888d72289ab0d8c83b3b0b965e9dabc8600cea456ecbb

/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

MD5 6d8d6193fcc84abf2dfb1869cb689929
SHA1 b9806a408bd99ab502cc1948c110af92114934b5
SHA256 f2eb441b598b81d725a42eb481c53f3e66762b1117895118f209eb5a529a46e7
SHA512 d5760648ff85a3cd0811a295bf19efac89abfa4a61453284d5228de5f3b7aaa6e028622f49efc203f3a98b7e7569cca076a4cc3bfa89c9dcf03ff163b30c79d2

/storage/emulated/0/Config/sys/apps/log/log-2024-12-24.txt

MD5 a9256f55737b655c8cff95418411997c
SHA1 d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
SHA256 bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
SHA512 10d10a6498973ed65d47c74ba6d8831dad94213a5071353dc445de46e021689284fbbf4accf5ba1f97a0675a7652ec069ac70f38d63ba36b8595a8caf8d37574

/storage/emulated/0/Config/sys/apps/log/log-2024-12-24.txt

MD5 e48057c3603c907cacbe1568a7dbfc41
SHA1 6e100086b53e20e499a9be069aa1b452faf82ba3
SHA256 4b36685dbf772b2de007f4c98f824966f4f3a132075692d3d3d8f11e84e5468e
SHA512 787e1140832e8c308039f0287ee801c00040544d5241425b0c0c8e8dc19ecf3feefa50706723f7a21be209c13b24ab3dbe0691ec42118fdfe18611b13155fb9a

/data/user/0/com.tencent.mm/databases/Dname-journal

MD5 0d63e0fde6915987f070edc74f9fb48a
SHA1 92b6193118beaefce187a45e4e6dbee87dd72faa
SHA256 6f595172321ac204fe6055d68b16cf36a051f3e421e41e582de044a5775ada6b
SHA512 1e2bae5fd141a927ce199984d2c7ad71495ea0210ceade619e2f5d041a61cdd3615d57c7eea9c304d7c2b22a5840b0e0c3ded138dc7bd2bd122fa89eb760995e

/data/user/0/com.tencent.mm/databases/Dname

MD5 1854505a3f6d683ed7eb81612934370c
SHA1 4f710add9a652d2fb92b7ce45589e27bf03f0b2a
SHA256 8100330a266f3027b929ea1bde99440ce4a544c9d9a0abb2ef0d1a73aa4cd9a4
SHA512 104a6e9c840b1fddd22ae579624a549c911abfbb48dc4454d3d231619c41a9abbf22f0dc5362a80c8c8245cc18566661f3645ac48c61259132886d4bf4678962

/data/user/0/com.tencent.mm/databases/Dname-journal

MD5 380e904e931c9f2481d16643b498fe4d
SHA1 3b7549965a3021ae3063e8f6b1b07f203ccdd083
SHA256 39b9114c3226477ab30dd82b75b5152196aa0469cf2b7c9570ca14a17b8c0152
SHA512 bf007cc27d42fa39d6f9a484a695eb5ff288e38f55632ba8279865193162c0c957fd107cd9fd91cee46fb85f2bb130d87e897edf3eaddc4ebc5b0d39d88295e3

/data/user/0/com.tencent.mm/databases/Dname-journal

MD5 21588b62f0dbe7a136a8df74c0074a09
SHA1 caf3f2f5b663d84c03c829f90eeb859495b6c99e
SHA256 6f8c44860c497a1bbce42c4b7977f8a05dd2c8da1a0ef81c2e731a288a7bb532
SHA512 de39961dc33f1668adaa9fe0946dcc451badab7c173d4cf8c5b8f0340a902e0ca0d953a36de2c83bf48c6e4ec6eb22c506ba5628a6406a918a7e5db7ddd879b4

/data/user/0/com.tencent.mm/databases/Dname-journal

MD5 88fc58fd66c2418f8c6097415a130445
SHA1 02a8ff00f768dc491f82bcde494cb053869bb9f4
SHA256 a57d130116f54f350f60415b2e4fe91200473b1ecaff01432bd958d8e3ede80c
SHA512 0b73402ec418da3c5dc3f7a97b719eb9ebf67bce658a5aa9ae9d003bfb6a2a3e9b3a319f6733264c53fdd0e8c0bc1a40eb813ccc902815509b05a2d3e1f27c15

/data/user/0/com.tencent.mm/files/accounts.txt

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

/data/user/0/com.tencent.mm/files/CallLogs.txt

MD5 58e0494c51d30eb3494f7c9198986bb9
SHA1 cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d
SHA256 37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570
SHA512 b7a9336ed3a424b5d4d59d9b20d0bbc33217207b584db6b758fddb9a70b99e7c8c9f8387ef318a6b2039e62f09a3a2592bf5c76d6947a6ea1d107b924d7461f4

/data/user/0/com.tencent.mm/files/netinfo.txt

MD5 3f8b010344a083b83ea0fc5f00fa7474
SHA1 6265c05b67e88419116c70eb86410f57a8a8f13d
SHA256 57a264699c9329f6f4aaea99cce031290988e4d2510b5f4732e99bdae97209b9
SHA512 cb3a4376deb51f611d8e6b0e7f8787c473c1e74f724d2ca9105e6ec31b13d2a8b299773a6d900ed9cff9033d7a111f4721f8d7e7834391127db511d1dd43b494

/data/user/0/com.tencent.mm/files/Tree.txt

MD5 5d0d51c29ca98c51c1e5688ae78ebe09
SHA1 d0df65122201d6c0bab279c0568e52b326b20be4
SHA256 a98d8869f4d54dbd45046dc5c48a4df88e0b91ba33ceafa4a790cafabb509eb1
SHA512 ab6f1841acf277d789d5fc60fc6a4160c11d9f6884dfcc8334bc2b7e9028b2731593a871bec2f3c40679b99c2dc8806f0ed5d99b656dbe3383acd4369fdc893d

/data/user/0/com.tencent.mm/databases/Dname-journal

MD5 b03d7164149c7c49d90e70065ad2dbe7
SHA1 e9780457550871fcf7fe08320f176bd3115bd7f3
SHA256 1cf2ef5e4151be163e6fde165e6239cb703a19ca53bd4354a2060e34b4856fe1
SHA512 6b82cbc417b55b2bcec0f940e694c7a6668dd942648c8fb61eaaf55a7bd17262a576a916df77c6f3a88993f93f0e5efee659294bd44f63c60eac511026bb0b17

/data/user/0/com.tencent.mm/files/pkinfo.txt

MD5 b593d0594fc2e98f60b0288475ba950b
SHA1 1c10ef393a2666d7640ca45e663321019a5675fb
SHA256 49e287b4855336cc22b24d4f912538f43d226ddca9b322d769fb3ef0306d9411
SHA512 7ba2ceeddfbc8efee39b6a5d9f81001cca3e07d6d6311ae16e0eff38fd395567fa3236aa7f7b59def32a5a7ed27d24cd852b3936d32bd05b467dbd1ed8dcd40b

/data/user/0/com.tencent.mm/files/GP.txt

MD5 d2e807ccb004d6572ca4157f7af48511
SHA1 630aac61af552865429e3363105037dfc2907795
SHA256 a77e56fd7d2809615abe4de1766854ea0680a01fe38a1650af645c55e1237f1d
SHA512 35b951140c78b4f9b2e8c08dc602deb9611ab6f4f146b4b6280de32fb6ebeba6129fbcd9941c07d2b16b966856a19e789fb51898a0effc7d6fe5ff76d91bd998

/storage/emulated/0/Config/sys/apps/log/log-2024-12-24.txt

MD5 d2126d9fc9e1ee250e0272ee7d6775b4
SHA1 be81c76cb8c8cb20879582a38be90827feedcbee
SHA256 dc91ac84aa21024b24a9133c035f36c9d39497738cfdf067155c45b293dc8942
SHA512 3afa1210834d864df0fe48de8734f806c13b61c31824318377313c9bd69c84321fc0671c1ca29cf3b5971423c6457a50f9e80f4e008bcdd76c4ff73535aa5e70

/data/user/0/com.tencent.mm/files/netinfo.txt

MD5 f35e3986c2dd506d544024032a5495c1
SHA1 03ab8326f5d41a714dadb055c4ff5e17c4bfa054
SHA256 fc21d5de31a6dbdccb5ccb93e02a6591648e4a0e647622111b1bcd285323c7e2
SHA512 9941789628308e80538cf275cdaa9005f883abe4892c9ae6720ee8514cc03beeb1b74309438666e3432b07f31c5393679e7fbf4af5dbf06c20af8c579e99cfd0

/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

MD5 03f457337f3d8f2df06ed6e572062fba
SHA1 5557052ced8ad09eae1d9c87f076215e981d64b9
SHA256 dd28ae733276f575e09c6e8a65f9f74906ef111fa9bc9a10ed47f4e38dc13ca9
SHA512 266d414e97b98dbd2c56054ba6d744c6670ea8355b0278dc9e8f57e0e50bcb5aa1ee35aaca00e60271ed48d85890cb90d28f108efd4b9c0ef45a033d5b6a6af2

/data/user/0/com.tencent.mm/databases/evernote_jobs.db-journal

MD5 9a6a82bee62fbfe9df52b4aca538eec1
SHA1 5fe3cb6279082d3d9112035a1816579332d275c7
SHA256 3fe5552c614f5f247b1531dd066323f145baff6c4a40d5a64d3b07e37e4fb48e
SHA512 d136bd5335ee4936c174a310d93a892c074eb2d5e6e68622cc64246a083a52355515287e48bb38b3614988bf9c681e5794005b3b6e203acbe745edf78b4c96f3
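The file records in this run and the previous one overlap: the same collection artifacts (accounts.txt, CallLogs.txt, netinfo.txt, Tree.txt, pkinfo.txt, GP.txt) appear under both /data/data/com.tencent.mm and /data/user/0/com.tencent.mm, which are the same location on Android, and one log file is written to shared external storage under /storage/emulated/0/Config/sys/apps/log/. The accounts.txt hash also repeats across runs. The script below is an added example, not from the sandbox or the sample: it parses records in the report's own layout, normalises the two path spellings, de-duplicates by path and SHA-256, flags writes outside the app's private directory, and checks each SHA-256 against digests it computes for trivially empty serialisations (so that a collection file that is just "[]" on a sandbox with no accounts is recognised as empty rather than as exfiltrated data). RECORDS is a constructed excerpt of the records above with the SHA512 lines left out to keep it short; the hash values are the ones printed in the report.

```python
"""Triage of sandbox dropped-file records.  Added example; RECORDS is a
CONSTRUCTED excerpt of the report's Files section (SHA512 lines omitted) and
the empty-payload digests are computed at import time, not copied from memory."""
import hashlib

RECORDS = """\
/data/data/com.tencent.mm/files/accounts.txt

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

/data/user/0/com.tencent.mm/files/accounts.txt

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

/data/user/0/com.tencent.mm/files/CallLogs.txt

MD5 58e0494c51d30eb3494f7c9198986bb9
SHA1 cd0d4cc32346750408f7d4f5e78ec9a6e5b79a0d
SHA256 37517e5f3dc66819f61f5a7bb8ace1921282415f10551d2defa5c3eb0985b570

/storage/emulated/0/Config/sys/apps/log/log-2024-12-24.txt

MD5 a9256f55737b655c8cff95418411997c
SHA1 d81a4e85ecef3a4f08d50da9c75c49a3c64ffe24
SHA256 bad705c44807d12463fb587087c4e9eb24769d82981229ac8b74abc9b1a44412
"""

# Serialisations an empty collector routinely writes.  The digest table is
# computed so the comparison never rests on a remembered hash.
EMPTY_PAYLOADS = {
    "[]": b"[]", "{}": b"{}", "empty file": b"",
    "[] + newline": b"[]\n", "{} + newline": b"{}\n", "null": b"null",
}
EMPTY_PAYLOAD_DIGESTS = {hashlib.sha256(v).hexdigest(): k for k, v in EMPTY_PAYLOADS.items()}

APP_PRIVATE_PREFIX = "/data/user/0/com.tencent.mm/"


def empty_payload_label(sha256_hex):
    """Name of the empty serialisation with this SHA-256, or None."""
    return EMPTY_PAYLOAD_DIGESTS.get(sha256_hex.lower())


def normalize_path(path):
    """/data/data is a symlink to /data/user/0 on Android, so the two
    spellings used by the two detonations name the same file."""
    if path.startswith("/data/data/"):
        return "/data/user/0/" + path[len("/data/data/"):]
    return path


def parse_records(text):
    """Records in the report layout: a path line, then '<ALGO> <hex>' lines."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("/"):
            cur = {"raw_path": line.strip(), "path": normalize_path(line.strip())}
            records.append(cur)
        elif cur is not None:
            algo, _, digest = line.partition(" ")
            cur[algo.lower()] = digest.strip().lower()
    return records


def triage(records):
    """De-duplicate, flag external-storage writes and empty collection files."""
    seen, unique = set(), []
    for r in records:
        key = (r["path"], r.get("sha256"))
        if key not in seen:
            seen.add(key)
            unique.append(r)
    external = sorted({r["path"] for r in unique if not r["path"].startswith(APP_PRIVATE_PREFIX)})
    empty = {r["path"]: empty_payload_label(r.get("sha256", ""))
             for r in unique if empty_payload_label(r.get("sha256", ""))}
    return {"unique": unique, "external_storage": external, "empty_payloads": empty}


if __name__ == "__main__":
    result = triage(parse_records(RECORDS))
    print("unique files:", len(result["unique"]))
    print("written outside the app sandbox:", result["external_storage"])
    print("empty collection files:", result["empty_payloads"])
```

Two practical consequences follow. A collection file whose digest is that of "[]" tells you the sandbox had nothing to collect, not that the collector is inert, so the behaviour still counts. And the external-storage log path is world-readable by other apps with storage access and survives uninstalling the package, which makes it a usable host artifact when checking a real device.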