ID: 351315
Sample Name: zQDTleF1Sc.apk
Cookbook: defaultandroidfilecookbook.jbs
Time: 14:52:38
Date: 10/02/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents ... 2
Analysis Report zQDTleF1Sc.apk ... 4
Overview ... 4
General Information ... 4
Detection ... 4
Signatures ... 4
Classification ... 4
Yara Overview ... 4
Signature Overview ... 4
AV Detection: ... 4
Compliance: ... 4
Destruction: ... 5
Persistence and Installation Behavior: ... 5
Anti Debugging: ... 5
Stealing of Sensitive Information: ... 5
Mitre Att&ck Matrix ... 5
Screenshots ... 5
Thumbnails ... 5
Antivirus, Machine Learning and Genetic Detection ... 6
Initial Sample ... 6
Dropped Files ... 6
Domains ... 6
URLs ... 6
Domains and IPs ... 8
Contacted Domains ... 8
URLs from Memory and Binaries ... 8
Contacted IPs ... 10
Public ... 10
General Information ... 10
Joe Sandbox View / Context ... 11
IPs ... 11
Domains ... 12
ASN ... 12
JA3 Fingerprints ... 13
Dropped Files ... 14
Created / dropped Files ... 14
Static File Info ... 15
General ... 15
File Icon ... 16
Static APK Info ... 16
General ... 16
Activities ... 16
Receivers ... 16
Services ... 17
Permission Requested ... 17
Certificate ... 17
Resources ... 17
Network Behavior ... 20
Network Port Distribution ... 20
TCP Packets ... 20
UDP Packets ... 22
DNS Queries ... 22
DNS Answers ... 22
HTTPS Packets ... 22
APK Behavior ... 23
Installation ... 23
Miscellaneous ... 23
System Calls ... 23
By Permission (executed) ... 24
By Permission (non-executed) ... 24
Disassembly ... 24
0 Executed Methods ... 24
0 Non-Executed Methods ... 24

Copyright null 2021 Page 2 of 24

Analysis Report zQDTleF1Sc.apk

Overview

General Information

Sample Name: zQDTleF1Sc.apk
Analysis ID: 351315
MD5: 0a0b0b86b67fb3a…
SHA1: 380b007333a170…
SHA256: 670fbae11c84102…
Most interesting Screenshot:

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for sub…
Multi AV Scanner detection for subm…
Access the class loader (often done…
Contains functionality to leak sensiti…
Creates a new jar file (likely to load a…
Deletes other packages
Registers a broadcast receiver to int…
Sets itself as the default SMS applic…
Uses command line tools to install n…
Aborts a broadcast event (this is oft…
Accesses /proc
Accesses android OS build fields
Checks CPU details
Checks an internet connection is av…
Checks if a SIM card is installed
Creates SMS data (e.g. PDU)
Detected TCP or UDP traffic on non…
Dials phone numbers
Enables or disables WIFI
Executes native commands
Found parser code for incoming SMS…
Found suspicious command strings
Has an unusual receiver priority (of…
Has permission to change the WIFI …
Has permission to draw over other a…
Has permission to execute code afte…
Has permission to mount or unmoun…
Has permission to perform phone ca…
Has permission to query the list of ca…
Has permission to read contacts
Has permission to read the SMS sto…
Has permission to read the call logs
Has permission to read the phone s…
Has permission to receive SMS in th…
Has permission to send SMS in the …
Has permission to take photos
Has permission to write to the SMS …
Installs an application shortcut on th…
Kills/terminates processes
Lists and deletes files in the same c…
May access the Android keyguard (l…
May block phone calls / Accesses p…
May dial phone number

Classification

Chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Rating scale: malicious, suspicious, clean

Yara Overview

No yara matches

Signature Overview

• AV Detection
• Location Tracking
• Privilege Escalation
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• Spam, unwanted Advertisements and Ransom Demands
• Operating System Destruction
• Change of System Appearance
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

AV Detection:

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Compliance:

Uses secure TLS version for HTTPS connections

Operating System Destruction:

Deletes other packages

Persistence and Installation Behavior:

Uses command line tools to install new APKs

Anti Debugging:

Access the class loader (often done to load a new code)

Creates a new jar file (likely to load a new code)

Stealing of Sensitive Information:

Contains functionality to leak sensitive phone information (IMEI or IMSI via HTTP)

Registers a broadcast receiver to intercept incoming SMS

Sets itself as the default SMS application

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Application Discovery 1; Obfuscated Files or Information 1; Obfuscated Files or Information; Binary Padding; Software Packing; Steganography
Credential Access: Capture SMS Messages 2; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Network Connections Discovery 1; System Network Configuration Discovery 2; Location Tracking 1 1; Application Discovery 1; System Information Discovery 2; Process Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Access Contact List 1; Location Tracking 1 1; Network Information Discovery 3; Capture SMS Messages 2; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 2; Fallback Channels; Multiband Communication
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS 2; Eavesdrop on Insecure Network Communication 1; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
zQDTleF1Sc.apk | 24% | Metadefender | -
zQDTleF1Sc.apk | 52% | ReversingLabs | Android.PUA.SmsReg
zQDTleF1Sc.apk | 100% | Avira | ANDROID/Dropper.Shedun.AZ.Gen

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
All rows below: Detection 0%, Scanner Avira URL Cloud, Label safe.

http://client.cmread.com/cmread/portalapi
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp7.mp4
http://001jiewjf.yxbojue.com/auyy/zb/6.mp4
http://211.149.250.191:6060/zniuH10210060882.0.0jm)
http://139.129.132.111:8001/APP/AppSMSPayLog.aspx
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp47.mp4
http://cdn.zlewx.com/cdn/vclient/567.jpg
http://mv.apeihu.cn/googlemv/yh/
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp39.mp4
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp40.mp4
http://cdn.zlewx.com/cdn/vclient/photo/2.jpg
http://cdn.zlewx.com/cdn/vclient/photo/6.jpg
http://cdn.zlewx.com/cdn/vclient/575.jpg
http://139.196.6.152:8080/ppyy/wft_pz
http://121.42.14.182:8080/av/xiezhen/2.jpg
http://cdn.zlewx.com/cdn/vclient/583.jpg
http://112.74.111.56:9039/gamesit/puinit/data
http://cdn.zlewx.com/cdn/vclient/552.jpg
http://139.129.132.111:8001/APP/AppPaylog.aspx
http://cdn.zlewx.com/cdn/vclient/516.jpg
http://cdn.zlewx.com/cdn/vclient/559.jpg
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp55.mp4
http://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:posteventlog
http://001jiewjf.yxbojue.com/auyy/sp/29.jpg
http://cdn.zlewx.com/cdn/vclient/shibo1.mp4
http://139.196.6.152:8080/ppyy/12
http://cdn.zlewx.com/cdn/vclient/photo/10.jpg
http://139.129.132.111:8001/APP/AppTask.aspx
http://cdn.zlewx.com/cdn/vclient/548.jpg
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp4.mp4
http://112.74.111.56:9039//gamesit/xysdk/init
http://61.130.247.175:8080/portalapi/enable/getMdnFromIMSI?IMSI=
http://125.88.157.5/play/336F7E84FC5F08379B78C54D463F5E38C9E62758/843225_smooth.mp4?token=NEU0NTc5OE
http://cdn.zlewx.com/cdn/vclient/571.jpg
http://112.74.111.56:9039/gamesit/jysdk/initsdk?
http://121.42.14.182:8080/av/xiezhen/9.jpg
http://001jiewjf.yxbojue.com/auyy/sp/30.jpg
http://mv.apeihu.cn/googlemv/xw/
http://wap.cmread.com/clt/publish/clt/resource/portal/v2/home2.jsp
http://221.229.165.8/play/37C80B0275FDAD1AD98B2F17253C03B82918B426/170102.mp4?token=NTUyMzNBNzIxOTcw
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp32.mp4
http://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:specposteventlog
http://10.118.15.19:8088/servicedata.do?
http://001jiewjf.yxbojue.com/auyy/zb/3.mp4
http://cdn.zlewx.com/cdn/vclient/586.jpg
http://wap.cmread.com
http://mv.apeihu.cn:8080/BaiduMv/info/getcpinfo
http://119.39.227.243:9098/servicedata.do?
http://cdn.zlewx.com/cdn/vclient/560.jpg
http://210.51.195.14:8089/servicedata.do?
http://cdn.zlewx.com/cdn/vclient/photo/3.jpg
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp23.mp4
http://cdn.zlewx.com/cdn/vclient/592.jpg
http://112.74.129.19/paybreak/savenMethod
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp48.mp4
http://112.74.111.42:8000/zpayResultState?channelId=%s&orderId=%s&imei=%s&imsi=%s&state=%s
http://cdn.zlewx.com/cdn/vclient/558.jpg
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp54.mp4
http://cdn.zlewx.com/cdn/vclient/515.jpg
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp38.mp4
http://139.129.132.111:8001/App/AppReport.aspx
http://cdn.zlewx.com/cdn/vclient/578.jpg
http://client.iread.com.cn:6106/appstore_agent/getverifycode.do?
http://121.42.14.182:8080/av/xiezhen/3.jpg
http://112.74.111.42:8000/zpayinit
http://auth2.189store.com:8085/GetSmsContent
http://msg.ylsdk.com
http://cdn.zlewx.com/cdn/vclient/580.jpg
http://cdn.zlewx.com/cdn/vclient/547.jpg
http://001jiewjf.yxbojue.com/auyy/zb/2.mp4
http://211.136.165.53/wap/mh/p/sy/kj/cz/index.jsp
http://cdn.zlewx.com/cdn/vclient/546.jpg
http://112.74.111.42:8000/zpayEntrancePayment?channelId=%s&priciePointId=%s&money=%s&cpparam=%s&appI
http://cdn.zlewx.com/cdn/vclient/589.jpg

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
time.android.com | 216.239.35.12 | true | false | - | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ugcjsy.qq.com/flv/93/132/h0189ydqz5m.mp4 | data1 | false | - | high
http://client.cmread.com/cmread/portalapi | android | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp7.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/auyy/zb/6.mp4 | zb | false | Avira URL Cloud: safe | unknown
http://211.149.250.191:6060/zniuH10210060882.0.0jm) | libhunt.so | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/228/104/n0194uf911v.mp4 | data1 | false | - | high
http://139.129.132.111:8001/APP/AppSMSPayLog.aspx | android | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/208/142/x0193g5ee1r.mp4 | data1 | false | - | high
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp47.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/567.jpg | sp | false | Avira URL Cloud: safe | unknown
http://mv.apeihu.cn/googlemv/yh/ | android | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp39.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp40.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/photo/2.jpg | xz | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/photo/6.jpg | xz | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/575.jpg | sp | false | Avira URL Cloud: safe | unknown
http://139.196.6.152:8080/ppyy/wft_pz | android | false | Avira URL Cloud: safe | unknown
http://121.42.14.182:8080/av/xiezhen/2.jpg | xz | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/583.jpg | sp | false | Avira URL Cloud: safe | unknown
http://112.74.111.56:9039/gamesit/puinit/data | android | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/552.jpg | sp | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/228/93/t0195k2l6lo.mp4 | data1 | false | - | high
http://oc.umeng.com/v2/get_update_time | android | false | - | high
http://139.129.132.111:8001/APP/AppPaylog.aspx | android | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/516.jpg | zb | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/559.jpg | sp | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp55.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/212/129/e01923k19vr.mp4 | data1 | false | - | high
http://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:posteventlog | android | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/auyy/sp/29.jpg | sp | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/shibo1.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://139.196.6.152:8080/ppyy/12 | android | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/photo/10.jpg | xz | false | Avira URL Cloud: safe | unknown
http://139.129.132.111:8001/APP/AppTask.aspx | android | false | Avira URL Cloud: safe | unknown
http://ugcbsy.qq.com/flv/164/31/c0178hvabw4.mp4 | data1 | false | - | high
http://cdn.zlewx.com/cdn/vclient/548.jpg | sp | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp4.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://112.74.111.56:9039//gamesit/xysdk/init | android | false | Avira URL Cloud: safe | unknown
http://ip.taobao.com/service/getIpInfo2.php?ip=myip | android | false | - | high
http://61.130.247.175:8080/portalapi/enable/getMdnFromIMSI?IMSI= | android | false | Avira URL Cloud: safe | unknown
http://125.88.157.5/play/336F7E84FC5F08379B78C54D463F5E38C9E62758/843225_smooth.mp4?token=NEU0NTc5OE | sp | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/37/247/b01780rprl5.mp4 | data1 | false | - | high
http://cdn.zlewx.com/cdn/vclient/571.jpg | sp | false | Avira URL Cloud: safe | unknown
http://112.74.111.56:9039/gamesit/jysdk/initsdk? | android | false | Avira URL Cloud: safe | unknown
http://121.42.14.182:8080/av/xiezhen/9.jpg | xz | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/auyy/sp/30.jpg | sp | false | Avira URL Cloud: safe | unknown
http://mv.apeihu.cn/googlemv/xw/ | android | false | Avira URL Cloud: safe | unknown
http://wap.cmread.com/clt/publish/clt/resource/portal/v2/home2.jsp | android | false | Avira URL Cloud: safe | unknown
http://221.229.165.8/play/37C80B0275FDAD1AD98B2F17253C03B82918B426/170102.mp4?token=NTUyMzNBNzIxOTcw | sp | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp32.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://da.mmarket.com/mmsdk/mmsdk?func=mmsdk:specposteventlog | android | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/54/63/i0191w3crci.mp4 | data1 | false | - | high
http://ugcjsy.qq.com/flv/182/41/q03012jg34j.mp4 | data1 | false | - | high
http://10.118.15.19:8088/servicedata.do? | android | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/auyy/zb/3.mp4 | zb | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/586.jpg | sp | false | Avira URL Cloud: safe | unknown
http://wap.cmread.com | android | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/187/136/n019182ntvm.mp4 | data1 | false | - | high
http://mv.apeihu.cn:8080/BaiduMv/info/getcpinfo | android | false | Avira URL Cloud: safe | unknown
http://119.39.227.243:9098/servicedata.do? | android | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/560.jpg | sp | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/68/252/j019369otij.mp4 | data1 | false | - | high
http://210.51.195.14:8089/servicedata.do? | android | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/photo/3.jpg | xz | false | Avira URL Cloud: safe | unknown
http://mmsc.monternet.com | android | false | - | high
http://ugcjsy.qq.com/flv/20/100/v0164a6qr09.mp4 | data1 | false | - | high
http://ugcbsy.qq.com/flv/2/236/w01827l29c9.mp4 | data1 | false | - | high
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp23.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/592.jpg | sp | false | Avira URL Cloud: safe | unknown
http://112.74.129.19/paybreak/savenMethod | android | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/250/73/m01983oi7zn.mp4 | data1 | false | - | high
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp48.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/110/100/r0301ltwro6.mp4 | data1 | false | - | high
http://112.74.111.42:8000/zpayResultState?channelId=%s&orderId=%s&imei=%s&imsi=%s&state=%s | android | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/558.jpg | sp | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp54.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://alog.umeng.com/app_logs | android | false | - | high
http://cdn.zlewx.com/cdn/vclient/515.jpg | zb | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/97ss_source/gold/hjsp38.mp4 | sp | false | Avira URL Cloud: safe | unknown
http://139.129.132.111:8001/App/AppReport.aspx | android | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/578.jpg | sp | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/11/128/c01903zv13l.mp4 | data1 | false | - | high
http://client.iread.com.cn:6106/appstore_agent/getverifycode.do? | android | false | Avira URL Cloud: safe | unknown
http://121.42.14.182:8080/av/xiezhen/3.jpg | xz | false | Avira URL Cloud: safe | unknown
http://schemas.android.com/apk/res-auto | main.xml | false | - | high
http://112.74.111.42:8000/zpayinit | android | false | Avira URL Cloud: safe | unknown
http://auth2.189store.com:8085/GetSmsContent | android | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/231/211/h0011uee1xa.mp4 | data1 | false | - | high
http://msg.ylsdk.com | android | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/205/223/a0192fhh0ak.mp4 | data1 | false | - | high
http://cdn.zlewx.com/cdn/vclient/580.jpg | sp | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/547.jpg | sp | false | Avira URL Cloud: safe | unknown
http://001jiewjf.yxbojue.com/auyy/zb/2.mp4 | zb | false | Avira URL Cloud: safe | unknown
http://211.136.165.53/wap/mh/p/sy/kj/cz/index.jsp | android | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/119/111/d0300p6ojvs.mp4 | data1 | false | - | high
http://cdn.zlewx.com/cdn/vclient/546.jpg | sp | false | Avira URL Cloud: safe | unknown
http://112.74.111.42:8000/zpayEntrancePayment?channelId=%s&priciePointId=%s&money=%s&cpparam=%s&appI | android | false | Avira URL Cloud: safe | unknown
http://cdn.zlewx.com/cdn/vclient/589.jpg | sp | false | Avira URL Cloud: safe | unknown
http://ugcjsy.qq.com/flv/21/129/k01956wts2a.mp4 | data1 | false | - | high
http://ugcjsy.qq.com/flv/43/20/k0188roh7d4.mp4 | data1 | false | - | high

Contacted IPs

Map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.217.23.42 | unknown | United States | 15169 | GOOGLEUS | false
216.58.207.174 | unknown | United States | 15169 | GOOGLEUS | false
172.217.23.74 | unknown | United States | 15169 | GOOGLEUS | false
8.8.4.4 | unknown | United States | 15169 | GOOGLEUS | false
216.58.207.138 | unknown | United States | 15169 | GOOGLEUS | false
216.239.35.12 | unknown | United States | 15169 | GOOGLEUS | false
172.217.20.227 | unknown | United States | 15169 | GOOGLEUS | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 351315
Start date: 10.02.2021
Start time: 14:52:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 34s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: zQDTleF1Sc.apk
Cookbook file name: defaultandroidfilecookbook.jbs
Analysis system description: Android 9 (Pie)
Analysis Mode: default
APK Instrumentation enabled: true
Detection: MAL
Classification: mal84.spyw.evad.andAPK@0/256@1/0

Warnings:
An application runtime error occurred
TCP Packets have been reduced to 100
Excluded IPs from analysis (whitelisted): 216.58.207.170, 172.217.20.234
Excluded domains from analysis (whitelisted): android.googleapis.com, auditrecording-pa.googleapis.com
No interacted views
No simulation commands forwarded to apk
Not all non-executed APIs are in report
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing dynamic data code.
VT rate limit hit for: /opt/package/joesandbox/database/analysis/351315/sample/zQDTleF1Sc.apk

Joe Sandbox View / Context

IPs

All associated samples below: Detection malicious.

Match: 172.217.23.42
Associated Sample Name / URL | Context
equinix-mobile-event-app__1.58.1+1.apk | -
MASSA 2.3.apk | -
8JbaOo4B5K.apk | -
8JbaOo4B5K.apk | -
RKg0i310t6.apk | -
Tide_v2.49.0_www.9apps.com_.apk | -
popcorntime.apk | -
DHL.6.apk | -
DHL.apk | -
pl.cda_310.apk | -
F-Droid.apk | -
F-Droid.apk | -
IFS_1.0.69.apk | -
com.fileopen.viewer_121_apps.evozi.com.apk | -
im.vector.app.apk | -
_#Ud83d#Udcdeguy.bouckaert Msg(#U00f0#U0178#U201c#U017e)----145034.htm | -
Google_Play_Protect.apk | -
FakeZoom.apk | -
7CFPFFfS4g | -
Mytracking.apk | -

Match: 216.58.207.174
Associated Sample Name / URL | Context
55fuGXlwvVnU.exe | ipv4.google.com/sorry/index?continue=http://www.google.com/search%3Fhl%3Den%26ie%3DUTF-8%26oe%3DUTF-8%26q%3De-mail%2Bnorthcoast.com%26num%3D50&hl=en&q=EgQutmq-GMH9q9cFIhkA8aeDSwGcjwxAufHkOsABEHj6qW2yvRgIMgFy
21mail.exe | ipv4.google.com/sorry/index?continue=http://www.google.com/search%3Fhl%3Den%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dreply%2Bapple.com%26num%3D20&hl=en&q=EgQXgUBmGJ3kx9YFIhkA8aeDS72Y_rsVxeW9utq1DJd-4VFWOCxnMgFy

Domains

All associated samples below: Detection malicious.

Match: time.android.com
Associated Sample Name / URL | Context
Y8LGFkFl01 | 216.239.35.0
Y8LGFkFl01 | 216.239.35.4
5DktGbEvIA.apk | 216.239.35.4
5DktGbEvIA.apk | 216.239.35.8
mal.apk | 216.239.35.0
dhl.apk | 216.239.35.4
nw6o9XFk5F.apk | 216.239.35.4
1. Trace Together v2.5.2 (07 Dec).apk | 216.239.35.8
rahhC8YsNP.apk | 216.239.35.0
manager.apk | 216.239.35.0
equinix-mobile-event-app__1.58.1+1.apk | 216.239.35.8
ntbqvvewfq.apk | 216.239.35.8
MASSA 2.3.apk | 216.239.35.8
notocar.apk | 216.239.35.8
equinix-customer-portal_2021.1.0.apk | 216.239.35.4
com-qrcodescanner-barcodescanner.apk | 216.239.35.8
com-qrcodescanner-barcodescanner.apk | 216.239.35.4
com.upc.horizon.phone-3.1.2-sameapk.com.apk | 216.239.35.0
HKJC_AOSBS_PROD_L1.29R1D_Build6206 (1).apk | 216.239.35.0
HKJC_AOSBS_PROD_L1.29R1D_Build6206 (1).apk | 216.239.35.0

ASN

All associated samples below: Detection malicious.

Match: GOOGLEUS
Associated Sample Name / URL | Context
fuS9xa8nq6.exe | 34.98.99.30
Q6h03zxheA.exe | 34.102.136.180
Efo7RLFvtt.exe | 216.239.32.21
NNFYMCVABc.exe | 34.102.136.180
AANK5mcsUZ.exe | 34.102.136.180
30 percento,pdf.exe | 34.102.136.180
akrien.exe | 8.8.8.8
NdxPGuzTB9.exe | 34.102.136.180
Comuinicado-Covid19-Min-Saude-VRC-03-02-21-210.vbs | 172.217.168.48
PvvkzXgMjG.exe | 34.102.136.180
QwLijaR9ex.exe | 216.239.32.21
pfjgWtj6ms.exe | 34.98.99.30
6Xk6d54hwM.exe | 34.102.136.180
eYwQ9loD5Q.exe | 34.102.136.180
SK8HSWos1p.rtf | 34.102.136.180
MV SEIYO FORTUNE REF 27 - QUOTATION.xlsx | 34.102.136.180
order_list_fe99087.xls | 216.239.32.21
CaAmqz52Yk.exe | 216.239.38.21
E68-STD-239-2020-239.xlsx | 34.98.99.30
RFQ 117839 ASIA TRADING LLC.xlsx | 34.102.136.180

JA3 Fingerprints

Match: cdcb28b9b475212c227ea128ad2c93b7 (Context 172.217.23.42 for every row)

Associated Sample Name / URL                  Detection
5DktGbEvIA.apk                                malicious
dhl.apk                                       malicious
1. Trace Together v2.5.2 (07 Dec).apk         malicious
equinix-mobile-event-app__1.58.1+1.apk        malicious
ntbqvvewfq.apk                                malicious
MASSA 2.3.apk                                 malicious
equinix-customer-portal_2021.1.0.apk          malicious
com-qrcodescanner-barcodescanner.apk          malicious
com-qrcodescanner-barcodescanner.apk          malicious
HKJC_AOSBS_PROD_L1.29R1D_Build6206 (1).apk    malicious
DHL.apk                                       malicious
popcorntime.apk                               malicious
popcorntime.apk                               malicious
MediaPlayer.apk                               malicious
MediaPlayer.apk                               malicious
Immuni.apk                                    malicious
xQ00XX4cFr.apk                                malicious
3VQ31883Rv.apk                                malicious
teatv.apk                                     malicious
org.mozilla.firefox_2015785883.apk            malicious

Match: 6ec2896feff5746955f700c0023f5804 (Context 172.217.23.74 for every row)

Associated Sample Name / URL                  Detection
Y8LGFkFl01                                    malicious
Y8LGFkFl01                                    malicious
5DktGbEvIA.apk                                malicious
5DktGbEvIA.apk                                malicious
mal.apk                                       malicious
dhl.apk                                       malicious
1. Trace Together v2.5.2 (07 Dec).apk         malicious
1. Trace Together v2.5.2 (07 Dec).apk         malicious
ntbqvvewfq.apk                                malicious
8JbaOo4B5K.apk                                malicious
equinix-customer-portal_2021.1.0.apk          malicious
com-qrcodescanner-barcodescanner.apk          malicious
com-qrcodescanner-barcodescanner.apk          malicious
HKJC_AOSBS_PROD_L1.29R1D_Build6206 (1).apk    malicious
Tide_v2.49.0_www.9apps.com_.apk               malicious
Tide_v2.49.0_www.9apps.com_.apk               malicious
DHL.apk                                       malicious
popcorntime.apk                               malicious
popcorntime.apk                               malicious
MediaPlayer.apk                               malicious

Both digests also occur on submissions of well-known legitimate apps in these tables (TraceTogether, Immuni, Firefox, the Equinix apps), every context IP is a Google address, and the HTTPS Packets section below shows both handshakes were with a server presenting an upload.video.google.com certificate. These JA3 values therefore identify the Android platform TLS stack talking to Google endpoints, not this sample; they are not usable as an indicator for it.

Dropped Files

No context

Created / dropped Files

(path not captured in this extraction; by name, type and size this is the file the resource listing below calls qsAZbGxvC.jar.dr and the crash trace under Installation Messages locates at /data/user/0/com.ym.refpackage.jxyqusa.zadrwn/files/.cache/qsAZbGxvC.jar)
File Type:       Zip archive data, at least v2.0 to extract
Category:        dropped
Size (bytes):    870286
Entropy (8bit):  7.991401308712813
Encrypted:       true (a DEFLATE-compressed archive scores this high whether or not anything inside it is encrypted; read the flag as "high entropy")
SSDEEP:
MD5:             485E4B57CD63C317389A696E87DE1A47
SHA1:            BFC570802F42A149C129855D6867BBB6EC695562
SHA-256:         C3BBF5C9ECF90A9CDD056273509BF149F29BC75F9AF0D7F79487D0B2C6B59153
SHA-512:         28DF6CE20EB9A57065526C9E6591E17B3041C2EF743596092D5D4F4FBF9DEE6FB3D8DAA754AC0E2347623D950D8D9DC57FA9CAF532D63AD3F49FE3A2A527B399
Malicious:       true
Reputation:      low
Preview:

/data/data/com.ym.refpackage.jxyqusa.zadrwn/files/api0.csv.part
File Type:       troff or preprocessor input, ASCII text, with no line terminators
Category:        dropped
Size (bytes):    99
Entropy (8bit):  3.2626600793376883
Encrypted:       false
SSDEEP:
MD5:             D43A870824EA0EFB4CABFCC152CE2B38
SHA1:            1DD5B97258D3FB9EF9FA6332D0B2CFB8675DA220
SHA-256:         C41A66D2ADAEB1E228D5F4210A60DA7615128DFFB8D42338D6B6126FE32C6393
SHA-512:         ED36A75BBA2EA0A492ABCCE3E013F6A72A6DA998F2AEA282A11C8397E86DD26B72B0A0641BD83C5774F0BDE8A13589B171C68146C2DAFF5C9B2DC498B3A7140F
Malicious:       false
Reputation:      low
Preview:

/data/data/com.ym.refpackage.jxyqusa.zadrwn/files/api2.csv.part
File Type:       troff or preprocessor input, ASCII text, with very long lines, with no line terminators
Category:        dropped
Size (bytes):    362
Entropy (8bit):  3.1694477543782975
Encrypted:       false
SSDEEP:
MD5:             C62657FBBF6C88B80FEE8E3C11F62A89
SHA1:            3FE9E1FA412571F770AC7DE5FD11AA146E0BF0CA
SHA-256:         322B67E149A63A730FB7F34C29B54E0F8A075422F6DACFEEAD96F0289615EDF3
SHA-512:         087A2E204C66EEF3C03714AB92F18B3112406F6194D0F3687FBA525139E3E0D6C9B36ACE6F6648D4BA7A558E7F84AC775F3E50926ED7CA65626B84516C31DCE1
Malicious:       false
Reputation:      low
Preview:

/data/data/com.ym.refpackage.jxyqusa.zadrwn/files/createdfiles0.csv.part
File Type:       ASCII text, with no line terminators
Category:        dropped
Size (bytes):    74
Entropy (8bit):  4.685522285451019
Encrypted:       false
SSDEEP:
MD5:             EB03A64C8D72B5FAEF3A8EE48F0716CD
SHA1:            6E98D26A2CBF4C20FE678D76E2296E1BEE745249
SHA-256:         99EBCE039AB24B9F5ED9EE84005795E15B7DA7EA1827A3017956056FCC568C04
SHA-512:         6EC290742EE58BFDB6FB2476EC943E3B99FCCEA53DFC3FA82E0263226154108820AA48B8D00E7BB3C4AF4D883E1B94D497BC9ADF63BAEA6EDFCABE7A5F6B2E42
Malicious:       false
Reputation:      low
Preview:

/data/data/com.ym.refpackage.jxyqusa.zadrwn/files/dexloader
File Type:       ASCII text, with no line terminators
Category:        dropped
Size (bytes):    72
Entropy (8bit):  4.631440280148325
Encrypted:       false
SSDEEP:
MD5:             2510C7B6D7C243318AD1350924500BB2
SHA1:            AC636F96AB99F5B5B91D0BCD73661F3EF564C76E
SHA-256:         589CC38ACAD3AFF518C477B448FB0661FC19F6359FE9DA402CE4F1F1BD1ECCD9
SHA-512:         C4EE51B0CEE837B8E6F74ED02C8B1BB139B3D9B30FC53F661BFF89D970088E7D7DAD8E20E3BAF3D8628A95BE9702E1D0E21967DB0320AEB8F7943C362066CF7F
Malicious:       false
Reputation:      low
Preview:

Static File Info

General

File type:       Zip archive data, at least v2.0 to extract
Entropy (8bit):  7.990530417876336
TrID:            Android Package (27504/1) 56.12%; Java Archive (13504/1) 27.55%; ZIP compressed archive (8000/1) 16.32%
File name:       zQDTleF1Sc.apk
File size:       1832384
MD5:             0a0b0b86b67fb3adba2d9c45a59472b8
SHA1:            380b007333a170e0b1e1ca64205a69e117bd15cf
SHA256:          670fbae11c84102391697dad766552bcb57b0f5f8b60a8e0fc451e95d7ca1d2f
SHA512:          2f19eb3896aebfe925f4e20a2b7ed9b50e64047c7da5704aa58d531a3d89046720268e17f523b749be8c7ba3da6ac81dc204b6a73ec4ecef46ce9270fea919a3
SSDEEP:          49152:n9T7llyHs1UP2SqhVAdLRReNfjAUeIN9X5Ckv:n9TJgsKP21hydLREZAYC8
File Content Preview: PK ... META-INF/MANIFEST.MF ... (ZIP local file header; the first entry is META-INF/MANIFEST.MF, the remainder of the preview is non-printable compressed data)

File Icon

Static APK Info

General

Label:                               (vip65738)
Minimum SDK required:                8
Target SDK required:                 19
Version Code:                        1
Version Name:                        1
Package Name:                        com.ym.refpackage.jxyqusa.zadrwn
Is Activity:                         true
Is Receiver:                         true
Is Service:                          true
Requests System Level Permissions:   false
Play Store Compatible:               true

Activities

(The report prints the package name com.ym.refpackage.jxyqusa.zadrwn immediately in front of every activity class name; that prefix is dropped here.)

Name                                               Is Entrypoint
com.ruixun.auyy.MainActivity                       true
com.ruixun.auyy.PayActivity
com.ruixun.auyy.PayUpgradeActivity
com.ruixun.auyy.VideoPlayActivity
com.ruixun.auyy.PictureActivity
com.ruixun.auyy.WapPayActivity
com.ruixun.auyy.ExitActivity
com.longyou.haitunpay.HaiTunPayActivity
com.longyou.haitunpay.HaiTunWebPayActivity
org.zzf.core.activity.ZhangPayActivity
com.mie.areie.SActivity
com.switfpass.pay.activity.QQWapPayWebView
com.cy.pay.WftPayUtilActivity
a.b.c.A

Receivers

a.b.c.B
  Intent: android.provider.Telephony.WAP_PUSH_DELIVER

cn.utopay.sdk.service.YQReceiver
  Intent: android.provider.Telephony.SMS_RECEIVED (Priority 2147483647), android.net.conn.CONNECTIVITY_CHANGE (Priority 2147483647), android.intent.action.BOOT_COMPLETED (Priority 2147483647), android.intent.action.USER_PRESENT (Priority 2147483647)

com.ast.sdk.receiver.ReceiverM
  Intent: com.diamondsks.jaaakfd.com.mo.action.ACTION (Priority 1000), android.intent.action.USER_PRESENT (Priority 1000)

com.sdky.lyr.zniu.HuntReceive
  Intent: android.net.conn.CONNECTIVITY_CHANGE (Priority 1000), android.intent.action.ACTION_POWER_CONNECTED (Priority 1000), android.intent.action.DATA_CHANGED (Priority 1000), android.intent.action.USER_PRESENT (Priority 1000)

f.g.h.j.ma.MCast
  Intent: android.net.conn.CONNECTIVITY_CHANGE, android.intent.action.TIME_SET, android.intent.action.TIME_TICK, android.provider.Telephony.SMS_DELIVER, android.provider.Telephony.SMS_RECEIVED (Priority 2147483647), sss_tuccc

o.n.o.n.EntReceiver
  Intent: android.net.conn.CONNECTIVITY_CHANGE, android.intent.action.TIME_SET, android.intent.action.TIME_TICK, sss_takkk, android.provider.Telephony.SMS_RECEIVED (Priority 2147483647)

org.zzf.core.service.ServiceRecevier
  Intent: android.intent.action.BOOT_COMPLETED (Priority 2147483647), android.intent.action.USER_PRESENT (Priority 2147483647), android.media.RINGER_MODE_CHANGED (Priority 2147483647)

org.zzf.core.zdx.BootReceiver
  Intent: android.intent.action.BOOT_COMPLETED (Priority 2147483647)

org.zzf.core.zdx.ZdxReceiver
  Intent: android.provider.Telephony.SMS_RECEIVED (Priority 2147483647)

Services

a.b.c.C
  Intent: android.intent.action.RESPOND_VIA_MESSAGE (Priority 0)
c.a.d.s.HService
cn.utopay.sdk.service.YQService
com.ast.sdk.server.ServerM
com.hxwd.lojs.sivs.KjdeSr
com.mie.areie.SHeuff
d.e.f.t.hr.IvService
  Intent: c.a.e (Priority 0)
f.g.h.j.ma.MService
org.zzf.core.service.ZhangPayPlateService
org.zzf.core.service.ZhangzhifuDxService

Permission Requested

android.permission.ACCESS_COARSE_LOCATION
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_NETWORK_STATE
android.permission.ACCESS_WIFI_STATE
android.permission.CALL_PHONE
android.permission.CAMERA
android.permission.CHANGE_NETWORK_STATE
android.permission.CHANGE_WIFI_STATE
android.permission.DISABLE_KEYGUARD
android.permission.FLASHLIGHT
android.permission.GET_TASKS
android.permission.INTERNET
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.READ_EXTERNAL_STORAGE
android.permission.READ_PHONE_STATE
android.permission.READ_SMS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RECEIVE_MMS
android.permission.RECEIVE_SMS
android.permission.RECEIVE_WAP_PUSH
android.permission.SEND_RESPOND_VIA_MESSAGE
android.permission.SEND_SMS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.SYSTEM_OVERLAY_WINDOW
android.permission.VIBRATE
android.permission.WAKE_LOCK
android.permission.WRITE_APN_SETTINGS
android.permission.WRITE_CALL_LOG
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.WRITE_SETTINGS
android.permission.WRITE_SMS
cn.swiftpass.wxpay.permission.MMOAUTH_CALLBACK
cn.swiftpass.wxpay.permission.MM_MESSAGE
com.android.launcher.permission.INSTALL_SHORTCUT
xvtian.gai.receiver
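The receivers, services and permissions above form a recognisable SMS-interception layout: four receivers listen for android.provider.Telephony.SMS_RECEIVED at priority 2147483647 (Integer.MAX_VALUE, which on the pre-4.4 ordered broadcast lets a receiver abort delivery to the user's messaging app), f.g.h.j.ma.MCast also registers SMS_DELIVER, a.b.c.B registers WAP_PUSH_DELIVER, the service a.b.c.C handles RESPOND_VIA_MESSAGE, and SEND_SMS, WRITE_SMS and SEND_RESPOND_VIA_MESSAGE are requested. Together with targetSdkVersion 19 that is most of the component set Android 4.4 requires before an app can be chosen as the default SMS app, which is how an app on 4.4+ gets to read and suppress incoming messages. The script below is an added example (not code from the report or the sample) that applies these checks to a decoded, text-form AndroidManifest.xml such as apktool produces. The manifest it runs on is constructed here from the report's tables; since the report does not list activity intent filters, the SENDTO check comes out false for this fixture, which says nothing about the real APK.

```python
"""Flag SMS-interception components in a decoded (text) AndroidManifest.xml.

Added example, not part of the Joe Sandbox report or of the sample. The
manifest fixture is CONSTRUCTED from the receivers, services and permissions
the report lists; the real APK's manifest is binary XML and may hold more.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
}
# Permissions that turn interception into send/hide capability.
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.WRITE_SMS",
             "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed fixture: attribute values come from the report, the XML structure is illustrative.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.ym.refpackage.jxyqusa.zadrwn">
  <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="19"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_WAP_PUSH"/>
  <application>
    <receiver android:name="a.b.c.B">
      <intent-filter>
        <action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/>
      </intent-filter>
    </receiver>
    <receiver android:name="cn.utopay.sdk.service.YQReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="f.g.h.j.ma.MCast">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="org.zzf.core.zdx.BootReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name="a.b.c.C">
      <intent-filter>
        <action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def _name(el):
    return el.get(f"{{{ANDROID_NS}}}name")


def analyse_manifest(xml_text):
    """Return SMS permissions, SMS receivers with their priority, and which of the
    four components Android 4.4 requires of a default SMS app are present."""
    root = ET.fromstring(xml_text)
    perms = {_name(p) for p in root.iter("uses-permission")}
    findings = []  # (component, short action name, priority)
    default_sms = {"SMS_DELIVER": False, "WAP_PUSH_DELIVER": False,
                   "RESPOND_VIA_MESSAGE": False, "SENDTO": False}
    for comp in root.iter():
        if comp.tag not in ("receiver", "service", "activity"):
            continue
        for filt in comp.findall("intent-filter"):
            prio = int(filt.get(f"{{{ANDROID_NS}}}priority", "0"))
            actions = {_name(a) for a in filt.findall("action")}
            for act in actions & SMS_ACTIONS:
                findings.append((_name(comp), act.rsplit(".", 1)[1], prio))
            for key in default_sms:
                if any(a.endswith("." + key) for a in actions):
                    default_sms[key] = True
    return {
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receivers": findings,
        # >= 1000 is the conventional "outranks the stock messaging app" threshold.
        "max_priority_sms_receivers": [f for f in findings if f[1] == "SMS_RECEIVED" and f[2] >= 1000],
        "default_sms_app_components": default_sms,
        "eligible_default_sms_app": all(default_sms.values()),
    }


if __name__ == "__main__":
    for key, value in analyse_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against apktool's decoded manifest of the APK under review to get the full picture, including whether an activity handles SENDTO for sms:/smsto:/mms:/mmsto:.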

Certificate

Name: Issuer: Subject:

Resources

Name | Type | Size
zhangpay_top_title.png | [TIFF image data, big-endian, direntries=1, software=www.meitu.com], baseline, precision 8, 300x60, frames 3 | 22946
addSize | PNG image data, 480 x 800, 8-bit/color RGBA, non-interlaced | 32885
dialog_pay_root.xml | Android binary XML | 1672
zhangpay_bg.9.png | PNG image data, 32 x 52, 8-bit/color RGBA, non-interlaced | 451
loading-out-circle_02.png | PNG image data, 73 x 73, 4-bit colormap, non-interlaced | 460
cuangkou_mianze.xml | Android binary XML | 3208
TMP.SF | ASCII text, with CRLF line terminators | 10328
close_normal.png | PNG image data, 48 x 46, 8-bit/color RGBA, non-interlaced | 1532
fragment_xz.xml | Android binary XML | 2432
item_sp_viewpager.xml | Android binary XML | 1192
button_on.png | PNG image data, 265 x 46, 8-bit/color RGBA, non-interlaced | 1357
tubiao.png | PNG image data, 12 x 15, 8-bit colormap, non-interlaced | 294
gc_desc_up.png | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | 1331
zf_mayun.png | PNG image data, 40 x 40, 8-bit colormap, non-interlaced | 1694
gc_title_arrow.png | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | 4045
zf_tengxunqq.png | PNG image data, 39 x 40, 8-bit/color RGBA, non-interlaced | 3897
entrance | Java archive data (JAR) | 27107
  classes.dex | Dalvik dex file version 035 | 59092
  META-INF | directory | 4096
icon_channels.png | PNG image data, 51 x 81, 8-bit colormap, non-interlaced | 708
top_title.9.png | PNG image data, 33 x 79, 8-bit/color RGBA, non-interlaced | 2800
dialog_pay_upgrade.xml | Targa image data - RLE 264 x 65536 x 13 +1 +28 "" | 1280
item_sp_listview.xml | Android binary XML | 1196
icon_live.png | PNG image data, 52 x 78, 8-bit colormap, non-interlaced | 787
load.bat | data | 170460
fragment_sp.xml | Android binary XML | 520
icon_video_p.png | PNG image data, 52 x 77, 8-bit colormap, non-interlaced | 689
dialog_twice_top_yi.png | PNG image data, 720 x 94, 8-bit/color RGBA, non-interlaced | 10104
gc_title_logo.png | PNG image data, 42 x 42, 8-bit/color RGBA, non-interlaced | 6084
xlistview_arrow.png | PNG image data, 32 x 46, 8-bit/color RGBA, interlaced | 1456
qsAZbGxvC | data | 870318
loading-out-circle_01.png | PNG image data, 73 x 73, 4-bit colormap, non-interlaced | 441
activity_main.xml | Android binary XML | 1928
cuangkou_tuichu.xml | Android binary XML | 1352
activity_wappay.xml | Android binary XML | 556
MANIFEST.MF | ASCII text, with CRLF line terminators | 10207
shipingplay.xml | Android binary XML | 1680
fragment_sz.xml | Android binary XML | 2992
page_indicator_focused.png | PNG image data, 9 x 9, 8-bit colormap, non-interlaced | 204
loading_bg.png | PNG image data, 354 x 125, 8-bit colormap, non-interlaced | 558
encrypt_key_selected_2.png | PNG image data, 255 x 257, 8-bit/color RGBA, non-interlaced | 12674
loading_360.png | PNG image data, 76 x 76, 8-bit colormap, non-interlaced | 3503
pay_back.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 577x695, frames 3 | 50538
verify_et.9.png | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | 508
close_pressed.9.png | PNG image data, 62 x 62, 8-bit/color RGBA, non-interlaced | 1126
ic_launcher.png | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | 41717
scorewall_item_bg.png | PNG image data, 482 x 101, 8-bit/color RGBA, non-interlaced | 1787
libDemo.so | ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /system/bin/linker, stripped | 13452
libhunt.so | ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /system/bin/linker, not stripped | 65548
cancel.png | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | 2337
activity_picture.xml | Android binary XML | 520
zf_weixuanze.png | PNG image data, 30 x 30, 8-bit colormap, non-interlaced | 657
woreader.png | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | 5442
dialog_root_image18.png | PNG image data, 142 x 54, 8-bit colormap, non-interlaced | 943
button_on.9.png | PNG image data, 33 x 36, 8-bit/color RGBA, non-interlaced | 312
tuichu.png | PNG image data, 40 x 40, 8-bit colormap, non-interlaced | 1324
dialog_twice_top_ali.png | PNG image data, 720 x 94, 8-bit/color RGBA, non-interlaced | 10847
xia_anniu_duan_1.png | PNG image data, 202 x 67, 8-bit colormap, non-interlaced | 392
resources.arsc | data | 9992
icon_video.png | PNG image data, 52 x 77, 8-bit colormap, non-interlaced | 712
btn_bg_normal.png | PNG image data, 596 x 106, 8-bit/color RGBA, non-interlaced | 2424
main_bg.9.png | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | 432
icon_live_p.png | PNG image data, 52 x 78, 8-bit colormap, non-interlaced | 840
cancel_on.png | PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced | 2363
rig.png | PNG image data, 16 x 29, 8-bit colormap, non-interlaced | 171
cuangkou_zf.xml | Android binary XML | 5292
dialog_twice_top_buttom1.png | PNG image data, 720 x 118, 8-bit colormap, non-interlaced | 3193
loading-in-circle_02.png | PNG image data, 73 x 73, 4-bit colormap, non-interlaced | 363
libkjOnlinePay.so | ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, stripped | 17596
toppic.png | PNG image data, 720 x 112, 8-bit colormap, non-interlaced | 172
background.png | PNG image data, 322 x 406, 8-bit/color RGBA, non-interlaced | 3844
loading-in-02.png | PNG image data, 73 x 73, 4-bit colormap, non-interlaced | 308
close_pressed.png | PNG image data, 48 x 46, 8-bit/color RGBA, non-interlaced | 1683
close_normal.9.png | PNG image data, 62 x 62, 8-bit/color RGBA, non-interlaced | 899
ic_dajiazai.png | PNG image data, 206 x 206, 8-bit colormap, non-interlaced | 5074
dialog_root_image.png | PNG image data, 141 x 54, 8-bit colormap, non-interlaced | 999
large_progressbar_animator.xml | Android binary XML | 348
btn_sorcewall_down_green.png | PNG image data, 60 x 30, 8-bit/color RGBA, non-interlaced | 1323
button_normal.png | PNG image data, 265 x 46, 8-bit/color RGBA, non-interlaced | 1385
dialog_twice_top2.png | PNG image data, 655 x 729, 8-bit colormap, non-interlaced | 147363
loading-in-circle_01.png | PNG image data, 73 x 73, 4-bit colormap, non-interlaced | 374
mapa | Java archive data (JAR) | 74852
  classes.dex | Dalvik dex file version 035 | 162088
  META-INF | directory | 4096
  f | directory | 4096
icon_home.png | PNG image data, 53 x 79, 8-bit colormap, non-interlaced | 987
ic_launcher.png | PNG image data, 90 x 90, 8-bit/color RGBA, non-interlaced | 15991
dialog_root_image1.png | PNG image data, 142 x 54, 8-bit colormap, non-interlaced | 1399
main.xml | Android binary XML | 332
dialog_twice_top1.jpg | JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 564x431, frames 3 | 36419
zb | ASCII text, with CRLF line terminators | 659
zf_tengxunwx.png | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | 2222
item_zb_gridview.xml | Android binary XML | 1284
confirm_bt.9.png | PNG image data, 42 x 42, 8-bit/color RGBA, non-interlaced | 460
activity_main_dibu.xml | Android binary XML | 1868
ad_x.png | PNG image data, 46 x 46, 8-bit/color RGBA, non-interlaced | 2134
data1 | ASCII text, with very long lines, with no line terminators | 3620
utopay.zip | Zip archive data, at least v2.0 to extract | 29980
  utopay.jar | Java archive data (JAR) | 26063
    classes.dex | Dalvik dex file version 035 | 58616
    META-INF | directory | 4096
utopay_icon.gif | GIF image data, version 89a, 250 x 54 | 2777
utopay_close.png | PNG image data, 44 x 44, 8-bit/color RGBA, non-interlaced | 861
loading-in-01.png | PNG image data, 73 x 73, 4-bit colormap, non-interlaced | 238
item_sp_gridview.xml | Android binary XML | 2408
sp | UTF-8 Unicode text, with CRLF line terminators | 8720
xx03.png | PNG image data, 518 x 518, 8-bit/color RGBA, non-interlaced | 6608
btn_bg_pressed.png | PNG image data, 596 x 106, 8-bit/color RGBA, non-interlaced | 2909
line.png | PNG image data, 701 x 3, 8-bit/color RGBA, non-interlaced | 1292
libcrypt_sign.so | ELF 32-bit LSB shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, stripped | 54456
dialog_twice_top_weixin.png | PNG image data, 720 x 94, 8-bit/color RGBA, non-interlaced | 20750
button_normal.9.png | PNG image data, 33 x 36, 8-bit/color RGBA, non-interlaced | 303
TMP.RSA | data | 1290
ad_bg.png | PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced | 2972
icon_channels_p.png | PNG image data, 51 x 81, 8-bit colormap, non-interlaced | 768
loading_egtag.png | PNG image data, 255 x 257, 8-bit/color RGBA, non-interlaced | 12674
no.png | PNG image data, 200 x 164, 8-bit/color RGBA, non-interlaced | 3121
AndroidManifest.xml | Android binary XML | 25308
exit_shape.xml | Android binary XML | 680
confirm_bt_on.9.png | PNG image data, 42 x 42, 8-bit/color RGBA, non-interlaced | 426
fragment_zb.xml | Android binary XML | 608
pay_close.png | PNG image data, 32 x 34, 8-bit colormap, non-interlaced | 338
zf_xuanze.png | PNG image data, 30 x 30, 8-bit colormap, non-interlaced | 852
xz | ASCII text, with CRLF line terminators | 1144
gc_desc_down.png | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | 1345
loading_bg.png | PNG image data, 354 x 125, 8-bit/color RGBA, non-interlaced | 4105
unicom.png | PNG image data, 86 x 50, 8-bit/color RGBA, non-interlaced | 3544
icon.png | PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced | 7537
icon_home_p.png | PNG image data, 53 x 79, 8-bit colormap, non-interlaced | 941
classes.dex | Dalvik dex file version 035 | 5988
page_indicator_unfocused.png | PNG image data, 9 x 9, 8-bit colormap, non-interlaced | 204
version.bin | ASCII text, with no line terminators | 4
api2.csv.part.dr | troff or preprocessor input, ASCII text, with very long lines, with no line terminators | 362
dexloader.dr | ASCII text, with no line terminators | 72
createdfiles0.csv.part.dr | ASCII text, with no line terminators | 74
api0.csv.part.dr | troff or preprocessor input, ASCII text, with no line terminators | 99
qsAZbGxvC.jar.dr | Zip archive data, at least v2.0 to extract | 870286
  classes.dex | Dalvik dex file version 035 | 2139264
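Two numbers in the resource listing carry the story of this sample: the APK's own classes.dex is 5988 bytes, while the classes.dex inside the dropped qsAZbGxvC.jar.dr is 2139264 bytes, and the asset qsAZbGxvC that ships in the APK (870318 bytes, type "data", i.e. no recognised magic) is 32 bytes larger than the valid ZIP the app writes to its private directory (870286 bytes). That is the shape of a stub loader that decodes an obfuscated asset into a jar at runtime and loads it through a dex class loader, which is exactly the DexPathList entry the crash trace under Installation Messages shows. The script below is an added example (not code from the report or the sample) of the static triage that surfaces this pattern on an arbitrary APK: per-entry magic identification and 8-bit Shannon entropy (the same quantity as the report's "Entropy (8bit)" column), then a verdict when the largest dex is tiny next to a large, opaque, high-entropy asset. The APK it runs on is a constructed in-memory fixture with the same layout, not bytes from the sample; the entropy threshold, size floor and 1:10 ratio are the author's choices, and the embedded-ZIP scan is a generic check whose result for this sample is not established by the report.

```python
"""Triage an APK for runtime-unpacked code: a stub-sized classes.dex beside a large,
high-entropy, unrecognised asset.

Added example, not code from the report or the sample. The fixture built by
build_constructed_apk() is CONSTRUCTED to mimic the report's resource listing.
"""
import io
import math
import zipfile
from collections import Counter

MAGICS = {
    b"PK\x03\x04": "zip/jar",
    b"dex\n": "dex",
    b"\x7fELF": "elf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (flat distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """file(1)-style identification by leading magic; 'data' when nothing matches."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return "data"


def find_embedded_zip(data: bytes, limit: int = 4096):
    """Offset of a ZIP local-file header within the first `limit` bytes, or None.
    Catches assets that are a real archive behind a short prefix; a miss does not
    rule out other wrappings (XOR, custom encryption)."""
    off = data.find(b"PK\x03\x04", 0, limit)
    return None if off < 0 else off


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.9, min_size: int = 64 * 1024):
    """Score every entry and decide whether code is probably unpacked at runtime:
    an opaque (no magic) asset above min_size with entropy >= threshold, while the
    largest dex in the APK is less than a tenth of that asset's size."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            entries.append({
                "name": info.filename,
                "size": len(data),
                "kind": identify(data),
                "entropy": round(shannon_entropy(data), 3),
                "embedded_zip_at": find_embedded_zip(data),
            })
    dex_sizes = [e["size"] for e in entries if e["name"].endswith(".dex")]
    opaque = [e for e in entries
              if e["kind"] == "data" and e["size"] >= min_size and e["entropy"] >= entropy_threshold]
    verdict = bool(dex_sizes) and bool(opaque) and max(dex_sizes) < max(e["size"] for e in opaque) // 10
    return {"entries": entries,
            "opaque_assets": [e["name"] for e in opaque],
            "likely_runtime_unpacking": verdict}


def build_constructed_apk() -> bytes:
    """CONSTRUCTED fixture: a ~6 KB pseudo-dex stub, a ~850 KB opaque asset whose byte
    distribution is flat (entropy exactly 8.0) and a tiny PNG; none of it is sample data."""
    stub_dex = b"dex\n035\0" + bytes(6000)
    flat_asset = bytes(range(256)) * (850 * 1024 // 256)   # every byte value equally often
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", stub_dex)
        zf.writestr("assets/qsAZbGxvC", flat_asset)        # name borrowed from the report
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + bytes(200))
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_constructed_apk())
    for e in result["entries"]:
        print(f'{e["name"]:24} {e["kind"]:8} {e["size"]:>8} {e["entropy"]:.3f}')
    print("likely runtime unpacking:", result["likely_runtime_unpacking"])
```

On a real APK, pass the file's bytes to triage_apk and follow up on every name in opaque_assets with the dynamic side: the dropped-file hashes and the class-loader path in the crash log are where the decoded payload reappears.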

Network Behavior

Network Port Distribution

Total Packets: 58 • 123 (NTP, to time.android.com) • 53 (DNS, to 8.8.8.8) • 853 (DNS over TLS, to 8.8.4.4) • 443 (HTTPS)

Every flow in the capture goes to Google infrastructure: Google Public DNS, time.android.com, and 172.217.x.x / 216.58.x.x hosts presenting upload.video.google.com certificates. None of it is attributable to the sample's own code, whose payload thread died with the NoClassDefFoundError shown under Installation Messages before it could make a request, so whatever traffic that code would have generated was not observed.

TCP Packets

All packets were captured on Feb 10, 2021 (CET). Columns: Timestamp | Source Port | Dest Port | Source IP | Dest IP

14:53:07.176465034 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:07.180143118 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:07.223495960 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:07.241683006 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:07.282807112 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:07.507251024 | 56746 | 443 | 192.168.2.30 | 216.58.207.174
14:53:07.550254107 | 443 | 56746 | 216.58.207.174 | 192.168.2.30
14:53:07.572144985 | 443 | 56746 | 216.58.207.174 | 192.168.2.30
14:53:07.572274923 | 443 | 56746 | 216.58.207.174 | 192.168.2.30
14:53:07.587969065 | 56746 | 443 | 192.168.2.30 | 216.58.207.174
14:53:07.909503937 | 34826 | 443 | 192.168.2.30 | 216.58.207.138
14:53:07.909661055 | 34826 | 443 | 192.168.2.30 | 216.58.207.138
14:53:07.952528954 | 443 | 34826 | 216.58.207.138 | 192.168.2.30
14:53:07.952553988 | 443 | 34826 | 216.58.207.138 | 192.168.2.30
14:53:07.952718973 | 34826 | 443 | 192.168.2.30 | 216.58.207.138
14:53:13.821710110 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:13.872951984 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:13.873217106 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:13.873307943 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:13.924423933 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:13.932667017 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:13.932708025 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:13.932727098 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:13.932897091 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:13.938513994 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:13.990241051 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:13.990448952 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:14.047143936 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:14.051326036 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:14.051718950 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:14.051740885 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:14.103708982 | 853 | 55936 | 8.8.4.4 | 192.168.2.30
14:53:14.103959084 | 55936 | 853 | 192.168.2.30 | 8.8.4.4
14:53:17.274221897 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:17.275285959 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:17.318367004 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:17.351592064 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:17.351640940 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:17.351748943 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:17.356038094 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:17.360735893 | 40776 | 443 | 192.168.2.30 | 172.217.20.227
14:53:17.378787041 | 50984 | 443 | 192.168.2.30 | 172.217.23.74
14:53:17.404125929 | 443 | 40776 | 172.217.20.227 | 192.168.2.30
14:53:17.404303074 | 40776 | 443 | 192.168.2.30 | 172.217.20.227
14:53:17.422091961 | 443 | 50984 | 172.217.23.74 | 192.168.2.30
14:53:17.422254086 | 50984 | 443 | 192.168.2.30 | 172.217.23.74
14:53:17.635067940 | 55938 | 853 | 192.168.2.30 | 8.8.4.4
14:53:17.683505058 | 853 | 55938 | 8.8.4.4 | 192.168.2.30
14:53:17.683594942 | 55938 | 853 | 192.168.2.30 | 8.8.4.4
14:53:17.683728933 | 55938 | 853 | 192.168.2.30 | 8.8.4.4
14:53:17.731957912 | 853 | 55938 | 8.8.4.4 | 192.168.2.30
14:53:17.740031958 | 853 | 55938 | 8.8.4.4 | 192.168.2.30
14:53:17.740066051 | 853 | 55938 | 8.8.4.4 | 192.168.2.30
14:53:17.740117073 | 853 | 55938 | 8.8.4.4 | 192.168.2.30
14:53:17.747447968 | 55938 | 853 | 192.168.2.30 | 8.8.4.4
14:53:17.751220942 | 55938 | 853 | 192.168.2.30 | 8.8.4.4
14:53:17.800287962 | 853 | 55938 | 8.8.4.4 | 192.168.2.30
14:53:17.800527096 | 55938 | 853 | 192.168.2.30 | 8.8.4.4
14:53:17.854196072 | 853 | 55938 | 8.8.4.4 | 192.168.2.30
14:53:17.858217955 | 853 | 55938 | 8.8.4.4 | 192.168.2.30
14:53:17.859834909 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:17.898663044 | 55938 | 853 | 192.168.2.30 | 8.8.4.4
14:53:17.903079987 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:17.903244972 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:17.905797958 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:17.949086905 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:17.962459087 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:17.962491989 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:17.962503910 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:17.962641954 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:17.973472118 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.017469883 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:18.022629023 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.022682905 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.023832083 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.065980911 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:18.066957951 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:18.126959085 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:18.126988888 | 443 | 44184 | 172.217.23.42 | 192.168.2.30
14:53:18.129852057 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.130338907 | 44154 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.130494118 | 44154 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.175183058 | 443 | 44154 | 172.217.23.42 | 192.168.2.30
14:53:18.175204992 | 443 | 44154 | 172.217.23.42 | 192.168.2.30
14:53:18.175434113 | 44154 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.424993038 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.425035954 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.425057888 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.425105095 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.425116062 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.425163984 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.425184011 | 44132 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.454061031 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.454257011 | 44184 | 443 | 192.168.2.30 | 172.217.23.42
14:53:18.468230963 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:18.468256950 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:18.468265057 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:18.468316078 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:18.468327999 | 443 | 44132 | 172.217.23.42 | 192.168.2.30
14:53:18.468388081 | 44132 | 443 | 192.168.2.30 | 172.217.23.42

UDP Packets

All packets were captured on Feb 10, 2021 (CET). Columns: Timestamp | Source Port | Dest Port | Source IP | Dest IP

14:53:07.597635031 | 50183 | 53 | 192.168.2.30 | 8.8.8.8
14:53:07.654596090 | 53 | 50183 | 8.8.8.8 | 192.168.2.30
14:53:07.913033009 | 46116 | 53 | 192.168.2.30 | 8.8.8.8
14:53:07.980977058 | 53 | 46116 | 8.8.8.8 | 192.168.2.30
14:54:03.844607115 | 51789 | 53 | 192.168.2.30 | 8.8.8.8
14:54:03.904715061 | 53 | 51789 | 8.8.8.8 | 192.168.2.30
14:54:03.905935049 | 51016 | 123 | 192.168.2.30 | 216.239.35.12
14:54:03.954824924 | 123 | 51016 | 216.239.35.12 | 192.168.2.30

DNS Queries

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Feb 10, 2021 14:54:03.844607115 CET 192.168.2.30 8.8.8.8 0xcf9a Standard query time.android.com A (IP address) IN (0x0001) (0)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 10, 2021 14:54:03.904715061 CET | 8.8.8.8 | 192.168.2.30 | 0xcf9a | No error (0) | time.android.com | | 216.239.35.12 | A (IP address) | IN (0x0001)
Feb 10, 2021 14:54:03.904715061 CET | 8.8.8.8 | 192.168.2.30 | 0xcf9a | No error (0) | time.android.com | | 216.239.35.8 | A (IP address) | IN (0x0001)
Feb 10, 2021 14:54:03.904715061 CET | 8.8.8.8 | 192.168.2.30 | 0xcf9a | No error (0) | time.android.com | | 216.239.35.0 | A (IP address) | IN (0x0001)
Feb 10, 2021 14:54:03.904715061 CET | 8.8.8.8 | 192.168.2.30 | 0xcf9a | No error (0) | time.android.com | | 216.239.35.4 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp:                 Feb 10, 2021 14:53:17.962503910 CET
Source IP / Port:          172.217.23.42 / 443
Dest IP / Port:            192.168.2.30 / 44184
Subject:                   CN=upload.video.google.com, O=Google LLC, L=Mountain View, ST=California, C=US
Issuer:                    CN=GTS CA 1O1, O=Google Trust Services, C=US
Not Before / Not After:    Tue Jan 19 09:02:36 CET 2021 / Tue Apr 13 10:02:35 CEST 2021
Chain (listed twice in the report):
  Subject:                 CN=GTS CA 1O1, O=Google Trust Services, C=US
  Issuer:                  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
  Not Before / Not After:  Thu Jun 15 02:00:42 CEST 2017 / Wed Dec 15 01:00:42 CET 2021
JA3 SSL Client Fingerprint: 771,49195-49196-52393-49199-49200-52392-49161-49162-49171-49172-156-157-47-53,0-23-65281-10-11-5-13,29-23-24,0
JA3 SSL Client Digest:      cdcb28b9b475212c227ea128ad2c93b7

Timestamp:                 Feb 10, 2021 14:54:07.946357012 CET
Source IP / Port:          172.217.23.74 / 443
Dest IP / Port:            192.168.2.30 / 51032
Subject:                   CN=upload.video.google.com, O=Google LLC, L=Mountain View, ST=California, C=US
Issuer:                    CN=GTS CA 1O1, O=Google Trust Services, C=US
Not Before / Not After:    Tue Jan 19 09:02:36 CET 2021 / Tue Apr 13 10:02:35 CEST 2021
Chain (listed twice in the report):
  Subject:                 CN=GTS CA 1O1, O=Google Trust Services, C=US
  Issuer:                  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
  Not Before / Not After:  Thu Jun 15 02:00:42 CEST 2017 / Wed Dec 15 01:00:42 CET 2021
JA3 SSL Client Fingerprint: 771,49195-49196-52393-49199-49200-52392-49161-49162-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13,29-23-24,0
JA3 SSL Client Digest:      6ec2896feff5746955f700c0023f5804
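The two JA3 digests in the JA3 Fingerprints section and the two fingerprint strings in the HTTPS Packets table are the same objects seen from both ends: JA3 (Salesforce's definition) is the MD5 of "SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats" with each list joined by "-", so the same client stack produces a different digest whenever its extension set changes, and here the second ClientHello simply added session_ticket (35) and ALPN (16). The block below is an added example, not code from the report, that rebuilds both strings from their decimal fields as transcribed from the table, hashes them, and names the extensions that separate them; matches_report tells you whether the transcription reproduces the report's digests. GREASE stripping is included because it is part of the definition, although this Android client sent no GREASE values.

```python
"""Recompute JA3 strings and digests from ClientHello fields and diff two of them.

Added example, not part of the report. Field lists are transcribed from the
report's HTTPS Packets table; the expected digests are the report's own values.
"""
import hashlib

# GREASE values (RFC 8701) are excluded from the JA3 string before hashing.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def ja3_string(version, ciphers, extensions, curves, point_formats):
    """Canonical JA3 string: decimal fields, '-'-joined lists, ','-joined sections."""
    def clean(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), clean(ciphers), clean(extensions), clean(curves), clean(point_formats)])


def ja3_digest(ja3):
    return hashlib.md5(ja3.encode("ascii")).hexdigest()


# First handshake in the table (server 172.217.23.42:443). 771 = 0x0303 = TLS 1.2.
HELLO_A = dict(
    version=771,
    ciphers=[49195, 49196, 52393, 49199, 49200, 52392, 49161, 49162, 49171, 49172, 156, 157, 47, 53],
    extensions=[0, 23, 65281, 10, 11, 5, 13],
    curves=[29, 23, 24],
    point_formats=[0],
)
# Second handshake (server 172.217.23.74:443): identical except for two extra extensions.
HELLO_B = dict(HELLO_A, extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13])

# Digests as printed in the report, used only for comparison.
REPORTED = {"a": "cdcb28b9b475212c227ea128ad2c93b7", "b": "6ec2896feff5746955f700c0023f5804"}

EXT_NAMES = {0: "server_name", 5: "status_request", 10: "supported_groups",
             11: "ec_point_formats", 13: "signature_algorithms",
             16: "application_layer_protocol_negotiation", 23: "extended_master_secret",
             35: "session_ticket", 65281: "renegotiation_info"}


def compare(hello_a, hello_b):
    """Return both JA3 strings and digests plus the extensions present in only one of them."""
    sa, sb = ja3_string(**hello_a), ja3_string(**hello_b)
    only_a = [e for e in hello_a["extensions"] if e not in hello_b["extensions"]]
    only_b = [e for e in hello_b["extensions"] if e not in hello_a["extensions"]]
    return {
        "ja3_a": sa, "digest_a": ja3_digest(sa),
        "ja3_b": sb, "digest_b": ja3_digest(sb),
        "extensions_only_in_a": [(e, EXT_NAMES.get(e, "?")) for e in only_a],
        "extensions_only_in_b": [(e, EXT_NAMES.get(e, "?")) for e in only_b],
    }


def matches_report(result):
    """Does the recomputed digest equal the one the report printed for each handshake?"""
    return {"a": result["digest_a"] == REPORTED["a"], "b": result["digest_b"] == REPORTED["b"]}


if __name__ == "__main__":
    r = compare(HELLO_A, HELLO_B)
    for k, v in r.items():
        print(f"{k}: {v}")
    print("matches report:", matches_report(r))
```

The diff output is the practical lesson: JA3 keys on the extension list, so any ClientHello feature that is conditional (session resumption, ALPN, SNI) splits one client into several digests, which is one reason a JA3 match alone is weak evidence for either the client software or its intent.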

APK Behavior

Installation

Installation Messages

Name (the extracted table places a single "Is Error: true" cell after the first line)

>>>>>> START com.android.internal.os.RuntimeInit uid 0 <<<<<<
Calling main entry com.android.commands.am.Am
Shutting down VM
>>>>>> START com.android.internal.os.RuntimeInit uid 2000 <<<<<<
Calling main entry com.android.commands.uiautomator.Launcher
Shutting down VM
(the three uid 2000 / uiautomator.Launcher / Shutting down VM lines appear nine times in the table before the next entry)
>>>>>> START com.android.internal.os.RuntimeInit uid 2000 <<<<<<
Calling main entry com.android.commands.uiautomator.Launcher
FATAL EXCEPTION: Thread-8
Process: com.ym.refpackage.jxyqusa.zadrwn, PID: 4374
java.lang.NoClassDefFoundError: Failed resolution of: Lorg/apache/http/client/methods/HttpPost
Caused by: java.lang.ClassNotFoundException: Didn't find class "org.apache.http.client.methods.HttpPost" on path: DexPathList[[zip file "/data/user/0/com.ym.refpackage.jxyqusa.zadrwn/files/.cache/qsAZbGxvC.jar"],nativeLibraryDirectories=[/data/app/com.ym.refpackage.jxyqusa.zadrwn-ocUd0J28-Dlrjrw4vJVQaA==/lib/arm, /system/lib, /system/vendor/lib]]
... 5 more
Shutting down VM
>>>>>> START com.android.internal.os.RuntimeInit uid 2000 <<<<<<
Calling main entry com.android.commands.uiautomator.Launcher
Shutting down VM

The uid 0 / uid 2000 entries are the sandbox's own am and uiautomator invocations; the fatal exception is the one entry that belongs to the sample. Its DexPathList names the dropped .cache/qsAZbGxvC.jar as the only dex source, confirming that the payload is loaded from the file the app writes at runtime rather than from the APK's classes.dex. The class it failed to resolve, org.apache.http.client.methods.HttpPost, belongs to the legacy Apache HTTP client, which Android 6.0 and later no longer place on an app's classpath unless the manifest declares <uses-library android:name="org.apache.http.legacy" android:required="false"/>. The payload thread therefore died the moment it referenced that class, which is why the sections below record no executed methods and why the network capture contains only the platform's own Google traffic.

Miscellaneous

External Library Dependencies

hunt (libhunt.so)
Demo (libDemo.so)
crypt_sign (libcrypt_sign.so)
kjOnlinePay (libkjOnlinePay.so)

System Calls

By Permission (executed)

By Permission (non-executed)

Disassembly

0 Executed Methods

0 Non-Executed Methods

Copyright Joe Security LLC 2021
