Analysis Overview
SHA256
e862491b3a5c56df9d7afcbe3f354d573f40bf232be1e501d79b5397d83dfe45
Threat Level: Known bad
The file FM_3313_25.apk was found to be: Known bad.
Malicious Activity Summary
Android Triada payload
Triada family
Loads dropped Dex/Jar
Declares services with permission to bind to the system
Requests dangerous framework permissions
MITRE ATT&CK
Mobile Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-08 14:22
Signatures
Android Triada payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Triada family
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by chooser target services to bind with the system. Allows apps to modify targets that handle user actions. | android.permission.BIND_CHOOSER_TARGET_SERVICE | N/A | N/A |
| Required by remote views services to bind with the system. Allows apps to share and display views across different processes. | android.permission.BIND_REMOTEVIEWS | N/A | N/A |
| Required by telecom connection services to bind with the system. Allows apps to manage phone call aspects such as call setup and notifications. | android.permission.BIND_TELECOM_CONNECTION_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an app to post notifications. | android.permission.POST_NOTIFICATIONS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows read access to the device's phone number(s). | android.permission.READ_PHONE_NUMBERS | N/A | N/A |
| Required to be able to connect to paired Bluetooth devices. | android.permission.BLUETOOTH_CONNECT | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to access any geographic locations persisted in the user's shared collection. | android.permission.ACCESS_MEDIA_LOCATION | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows applications to use exact alarm APIs. | android.permission.SCHEDULE_EXACT_ALARM | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to read audio files from external storage. | android.permission.READ_MEDIA_AUDIO | N/A | N/A |
| Allows an application to read image files from external storage. | android.permission.READ_MEDIA_IMAGES | N/A | N/A |
| Allows an application to read video files from external storage. | android.permission.READ_MEDIA_VIDEO | N/A | N/A |
| Allows an application to read image or video files from external storage that a user has selected via the permission prompt photo picker. | android.permission.READ_MEDIA_VISUAL_USER_SELECTED | N/A | N/A |
| Allows an application to request installing packages. | android.permission.REQUEST_INSTALL_PACKAGES | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Required to be able to advertise and connect to nearby devices via Wi-Fi. | android.permission.NEARBY_WIFI_DEVICES | N/A | N/A |
| Required to be able to discover and pair nearby Bluetooth devices. | android.permission.BLUETOOTH_SCAN | N/A | N/A |
| Required to be able to advertise to nearby Bluetooth devices. | android.permission.BLUETOOTH_ADVERTISE | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-08 14:21
Reported
2025-03-08 14:25
Platform
android-x64-arm64-20240910-en
Max time kernel
1s
Max time network
150s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
Processes
com.fabulously.pal
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 172.217.169.14:443 | tcp | |
| AU | 1.1.1.1:53 | android.apis.google.com | udp |
| AU | 1.1.1.1:53 | www.youtube.com | udp |
| GB | 216.58.213.14:443 | www.youtube.com | tcp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| GB | 172.217.16.238:443 | www.youtube.com | tcp |
| AU | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp |
| US | 216.239.32.223:443 | tcp | |
| AU | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| GB | 142.250.180.8:443 | ssl.google-analytics.com | tcp |
| GB | 142.250.187.193:443 | tcp | |
| GB | 142.250.187.225:443 | tcp | |
| US | 216.239.32.223:443 | tcp |
Files
/system_ext/framework/androidx.window.sidecar.jar
| MD5 | bdf3529e80318eb14e53a5bf3720c10d |
| SHA1 | 25c9ace4b1af6e80ebb2572345972c56505969ba |
| SHA256 | bbc8300dd1e9cd08de8f66560c1ac2c928615b72b51cef9649f88974f586d64b |
| SHA512 | 48b9c2d01171bb651b9b54826baa51f4add48431a3efd8ceb5f7cc3bcd6f8f37edf47fabb24349dd15b3a02329cd450f90a8d164bf4f8dfae554bf3b35a8a55b |
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-08 14:21
Reported
2025-03-08 14:25
Platform
android-33-x64-arm64-20240910-en
Max time kernel
1s
Max time network
156s
Command Line
Signatures
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /system_ext/framework/androidx.window.extensions.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.extensions.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
| N/A | /system_ext/framework/androidx.window.sidecar.jar | N/A | N/A |
Processes
com.fabulously.pal
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| AU | 1.1.1.1:53 | digitalassetlinks.googleapis.com | udp |
| AU | 1.1.1.1:53 | rcs-acs-tmo-us.jibe.google.com | udp |
| US | 216.239.36.155:443 | rcs-acs-tmo-us.jibe.google.com | tcp |
| AU | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 172.217.169.78:443 | android.apis.google.com | tcp |
| GB | 172.217.169.78:443 | android.apis.google.com | udp |
| AU | 1.1.1.1:53 | remoteprovisioning.googleapis.com | udp |
| GB | 216.58.204.74:443 | remoteprovisioning.googleapis.com | tcp |
| GB | 172.217.169.74:443 | remoteprovisioning.googleapis.com | tcp |
| GB | 216.58.212.228:443 | tcp | |
| AU | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| AU | 1.1.1.1:53 | www.google.com | udp |
| GB | 142.250.179.228:443 | www.google.com | tcp |
| GB | 216.58.213.6:80 | tcp | |
| GB | 216.58.212.193:443 | tcp | |
| GB | 172.217.169.65:443 | tcp | |
| GB | 172.217.169.65:443 | tcp | |
| GB | 142.250.187.238:443 | tcp | |
| GB | 172.217.169.65:443 | tcp | |
| GB | 172.217.169.65:443 | tcp | |
| GB | 142.250.200.35:443 | tcp | |
| US | 216.239.34.36:443 | tcp | |
| GB | 172.217.169.74:443 | remoteprovisioning.googleapis.com | tcp |
| GB | 172.217.169.74:443 | remoteprovisioning.googleapis.com | tcp |
| GB | 172.217.169.34:443 | tcp | |
| GB | 216.58.213.6:443 | tcp | |
| GB | 216.58.204.66:443 | tcp | |
| GB | 172.217.169.34:443 | tcp |
Files
/system_ext/framework/androidx.window.extensions.jar
| MD5 | 3056e1bdb7d4e19789d0319eff484bd0 |
| SHA1 | 6791ae47aa9466fe0bca27ad6643f846853bbee4 |
| SHA256 | 8e6331a07c9f2ac139214c527dcaff2c82d126bbe7bd3420cdc36d6a8c9204b0 |
| SHA512 | c790980fd68d9f89e32743bc28846807d5e5947c555f494de47714dec5cbd0c08d81c3260fa463759d1b17a953af3c44ec30b14fb08bf6b29db3837346c9f658 |
/system_ext/framework/androidx.window.sidecar.jar
| MD5 | 29469324e59dfcc052f24b5af4e7b2c4 |
| SHA1 | 10c1e17ac6f598037bb51baa07945663645de4eb |
| SHA256 | 9195dc6a1c75a841384050240dfc972e48178964993fba6619788625f4b40d1a |
| SHA512 | 5e27c2b1431369a248298f2f749136a575005584f9999f2a4c204a0c47adce2e33c8df9f058bdafa1bde1c99e46d175560cedfcddcd8581718ed1d9973c37cc2 |