Resubmissions

25/02/2025, 17:16 UTC

250225-vs31jayl16 10

24/02/2025, 03:26 UTC

250224-dzkzvszncm 10

Analysis

  • max time kernel
    6s
  • max time network
    137s
  • platform
    android_x86
  • resource
    android-x86-arm-20240624-en
  • resource tags
    android
    arch:arm
    arch:x86
    image:android-x86-arm-20240624-en
    locale:en-us
    os:android-9-x86
    system
  • submitted
    24/02/2025, 03:26 UTC

General

  • Target

    aba8466f8162846c8adc7be242bb78a346775804de2c14a978d69649b0639c6d.apk

  • Size

    10.9MB

  • MD5

    548ede0959d30a22484ae452f535a0db

  • SHA1

    7b34fc3a7d4f2d6ce38f3f0de08df80ed4859e27

  • SHA256

    aba8466f8162846c8adc7be242bb78a346775804de2c14a978d69649b0639c6d

  • SHA512

    564feb15f3ff884fee96e3a54793379d969c49d97163d9214707e6c77e50dfe6c61be04dcdb8a444f86ed96844f82a4691093d51f05654ad28ac9c1ad9b618d7

  • SSDEEP

    196608:3XeOWRtCAvekoDLWGxXfyzTn9P3m5AC+FX6JagEQVZxkpUSlPJn:3OX/3xYLpxXfyzjtd3FX61PVZx8USlPp

Score
7/10

Malware Config

Signatures

  • Loads dropped Dex/Jar 1 TTPs 2 IoCs

    Runs executable file dropped to the device during analysis.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • tfskbi.ztdwnc.yfprwh
    1⤵
    • Loads dropped Dex/Jar
    PID:4258
    • /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json --output-vdex-fd=41 --oat-fd=42 --oat-location=/data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/oat/x86/iox.odex --compiler-filter=quicken --class-loader-context=&
      2⤵
      • Loads dropped Dex/Jar
      PID:4284

Network

  • flag-au
    DNS
    api.ipify.org
    Remote address:
    1.1.1.1:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN A
    104.26.12.205
    api.ipify.org
    IN A
    104.26.13.205
    api.ipify.org
    IN A
    172.67.74.152
  • flag-us
    GET
    https://api.ipify.org/
    Remote address:
    104.26.12.205:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Date: Mon, 24 Feb 2025 03:26:59 GMT
    Content-Type: text/plain
    Content-Length: 14
    Connection: keep-alive
    Vary: Origin
    cf-cache-status: DYNAMIC
    Server: cloudflare
    CF-RAY: 916c5b77ea35bd7b-LHR
    server-timing: cfL4;desc="?proto=TCP&rtt=41393&min_rtt=34039&rtt_var=21098&sent=7&recv=5&lost=0&retrans=1&sent_bytes=3634&recv_bytes=412&delivery_rate=47474&cwnd=250&unsent_bytes=0&cid=8d89233dcfc239b4&ts=212&x=0"
  • flag-au
    DNS
    check-mate.digital
    Remote address:
    1.1.1.1:53
    Request
    check-mate.digital
    IN A
    Response
    check-mate.digital
    IN A
    193.163.203.46
  • flag-ru
    POST
    https://check-mate.digital/mars/tiktokmx/js.php
    Remote address:
    193.163.203.46:443
    Request
    POST /mars/tiktokmx/js.php HTTP/1.1
    Content-Type: application/json;charset=UTF-8
    Accept: application/json
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 9; Pixel 2 Build/PSR1.180720.122)
    Host: check-mate.digital
    Connection: Keep-Alive
    Accept-Encoding: gzip
    Content-Length: 143
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Mon, 24 Feb 2025 03:27:00 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Strict-Transport-Security: max-age=31536000
    Content-Encoding: gzip
  • flag-au
    DNS
    android.apis.google.com
    Remote address:
    1.1.1.1:53
    Request
    android.apis.google.com
    IN A
    Response
    android.apis.google.com
    IN CNAME
    clients.l.google.com
    clients.l.google.com
    IN A
    142.250.200.46
  • 104.26.12.205:443
    https://api.ipify.org/
    tls, http
    912 B
    4.5kB
    9
    8

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 193.163.203.46:443
    https://check-mate.digital/mars/tiktokmx/js.php
    tls, http
    1.2kB
    4.0kB
    10
    9

    HTTP Request

    POST https://check-mate.digital/mars/tiktokmx/js.php

    HTTP Response

    200
  • 142.250.200.46:443
    tls, https
    858 B
    40 B
    1
    1
  • 142.250.200.46:443
    android.apis.google.com
    tls
    6.5kB
    8.5kB
    16
    23
  • 224.0.0.251:5353
    3.8kB
    12
  • 1.1.1.1:53
    api.ipify.org
    dns
    59 B
    107 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.26.12.205
    104.26.13.205
    172.67.74.152

  • 1.1.1.1:53
    check-mate.digital
    dns
    64 B
    80 B
    1
    1

    DNS Request

    check-mate.digital

    DNS Response

    193.163.203.46

  • 1.1.1.1:53
    android.apis.google.com
    dns
    69 B
    109 B
    1
    1

    DNS Request

    android.apis.google.com

    DNS Response

    142.250.200.46

MITRE ATT&CK Mobile v15

Downloads

  • /data/data/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json

    Filesize

    573KB

    MD5

    66733db48d9cba8a319e7e1451336263

    SHA1

    f74be1920661841d7eee576f4be0b8ae2ba028f3

    SHA256

    dfb28b0b140228245af52b34aa9d09cff2925fff9d3d342a741580b75698e091

    SHA512

    4b5f0d8b1421fd8934dcd154ecdaa46f86b157c9973dac5f0808b591195d3a7f061e4ccf0d90942d43921e7178a2161fb07bbb73b4e2b535a5fcaf9472c795a0

  • /data/data/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json

    Filesize

    573KB

    MD5

    c491f888e98327a6a43588598dabd1b6

    SHA1

    4afdb7524284f7195ddf37ba5e8d1daf0c0b2801

    SHA256

    d0569859013122e742a96e170860862eb814ae93c9aa689db0e0afe4c4084848

    SHA512

    2a1436a153ba0532ea5fab3506fa3c4da30e256b9627bdbaf9d63b6f8298865b6d850e3d990ceb47046b44440bf3b8997937c9f5bc8c4e9ed65f2322a8607a3d

  • /data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json

    Filesize

    1.2MB

    MD5

    686bc5e0a5321eef3e910c95bdb4d06c

    SHA1

    7db19a9b3001d82e247c1b21d3bfb500c27e9782

    SHA256

    dac86926a8bd886a8b9451eee45b39927b24395afabfde84f6cd42d5b8d24f91

    SHA512

    bb59a9b8d0e007c7f05570e1ae7f640871b2049ea9e35edb3c967a4f67c6bdc58a7842d8fe3cbc2d99f8b169c3ea69e27a673663bfd2f323ae23b735ca135131

  • /data/user/0/tfskbi.ztdwnc.yfprwh/app_veteran/iox.json

    Filesize

    1.2MB

    MD5

    d83f3b2e9163dbfcf3f0b85d4c8ffda7

    SHA1

    43bd3678f168a0f0da2413d4f0de6788c88d34c3

    SHA256

    4b81c2ee643d0f68b2b47733c310b24f47827e01f41aedd8153f449900c4ded3

    SHA512

    a4e8b017d92b827f6ec27b7d13325b353322712b55c925fefdb3869a4558c921c5016c9f87601f544c1a89c4b2137c8aef8be5eebab7277a1f07724efa39dacc
