Android.PUA.Dnotua

Threat

com.erfannew.silsinhack

ماسک هکر ها را بپوش

android evasion

Analyzed on 2022-08-13T03:15:19.528747

4

permissions

3

activities

0

services

0

receivers

2

domains

File sums

MD5 cc1b3128b27cd51736fa88009f0d64f6
SHA1 7702f1a80a3681a74b89011688358e5055c799c0
SHA256 f333cc6bbcb5de96f325af4778223fbba6973146b497b41ce7d05af0a1812521
Size 1.79MB

APKiD

Information computed with APKiD.

/tmp/tmps8ymf5q2!classes.dex
compiler
  • dexlib 2.x

SSdeep

Information computed with ssdeep.

APK file 49152:fZ1AHv6NMn7MzwkF4OSrfyCSFkviucHf9MEc/u8qL7y/vZ8:fZmHv6NiMEOSbyCKJl1Me8q/y3m
Manifest 96:RN7gScjQsDNOFyOmzHKZr36pjqZBAt2fJ:/gSOkFyOmTKZr4GZWyJ
classes.dex 6144:/HSxhNaZcdlgCbSYfM/mwG3W/gdQpMqnY6WfqSwkyuwGOqiyARqYxhsh:/OdGLKW…

Dexofuzzy

Information computed with Dexofuzzy.

APK file 48:zKtBCxcyhA+5YO9SJrUSSR6HT3UxfEg/ge3MJI2onLUjq6LK4AyDaXNYgQg63l5X:z…
classes.dex 48:zKtBCxcyhA+5YO9SJrUSSR6HT3UxfEg/ge3MJI2onLUjq6LK4AyDaXNYgQg63l5X:z…

APK details

Information computed with AndroGuard and Pithus.

Package com.erfannew.silsinhack
App name ماسک هکر ها را بپوش
Version name 1.1
Version code 12
SDK 10 - 21
UAID 252cb0dbd0350fd49de80be3ab0aa280edef8ce4
Signature Signature V1
Frosting Not frosted

Certificate details

Information computed with AndroGuard.

MD5 e89b158e4bcf988ebd09eb83f5378e87
SHA1 61ed377e85d386a8dfee6b864bd85b0bfaa5af81
SHA256 a40da80a59d170caa950cf15c18c454d47a39b26989d8b640ecd745ba71bf5dc
Issuer Email Address: android@android.com, Common Name: Android, Organizational Unit: Android, Organization: Android, Locality: Mountain View, State/Province: California, Country: US
Not before 2008-02-29T01:33:46+00:00
Not after 2035-07-17T01:33:46+00:00

Manifest analysis

Information computed with MobSF.

Medium Application Data can be Backed up[android:allowBackup=true]
This flag allows anyone to backup your application data via adb. It allows users who have enabled USB debugging to copy application data off of the device.

Main Activity

Information computed with AndroGuard.

com.sanazdroid2.aroossho.SplashActivity

Activities

Information computed with AndroGuard.

com.sanazdroid2.aroossho.SplashActivity
ir.adad.AdadActivity
com.sanazdroid2.aroossho.MainActivity

Sample timeline

Certificate valid not before Feb. 29, 2008, 1:33 a.m.
Oldest file found in APK Feb. 29, 2008, 6:03 a.m.
Latest file found in APK Feb. 29, 2008, 6:03 a.m.
First submission on VT Nov. 11, 2016, 8:24 p.m.
Last submission on VT Aug. 20, 2021, 2 p.m.
Upload on Pithus Aug. 13, 2022, 3:15 a.m.
Certificate valid not after July 17, 2035, 1:33 a.m.

MalwareBazaar

First seen 2022-05-10 02:36:19
Last seen None
Report https://bazaar.abuse.ch/sample/f333cc6bbcb5de96f325af4778223fbba6973146b497b41ce7d05af0a1812521/
ReversingLabs
Threat name Android.PUA.Dnotua
Status MALICIOUS
First seen 2016-11-12 06:28:52
Score 8/26
Hatching Triage
Score 7/10
Tags android evasion
Report https://tria.ge/reports/220510-c35yrsegh8/
CERT-PL MWDB
Detection None
Report https://mwdb.cert.pl/sample/f333cc6bbcb5de96f325af4778223fbba6973146b497b41ce7d05af0a1812521/

VirusTotal

Score 25/63
Report https://www.virustotal.com/gui/file/f333cc6bbcb5de96f325af4778223fbba6973146b497b41ce7d05af0a1812521/detection

Most Popular AV Detections

Provided by VirusTotal

Threat name: dnotua Identified 4 times
Threat name: ewind Identified 3 times
Threat name: artemis Identified 2 times

NIAP analysis

Information computed with MobSF.

FCS_RBG_EXT.1.1 The application use no DRBG functionality for its cryptographic operations.
Random Bit Generation Services
FCS_STO_EXT.1.1 The application does not store any credentials to non-volatile memory.
Storage of Credentials
FCS_CKM_EXT.1.1 The application generate no asymmetric cryptographic keys.
Cryptographic Key Generation Services
FDP_DEC_EXT.1.1 The application has access to ['camera', 'network connectivity'].
Access to Platform Resources
FDP_DEC_EXT.1.2 The application has access to no sensitive information repositories.
Access to Platform Resources
FDP_NET_EXT.1.1 The application has user/application initiated network communications.
Network Communications
FDP_DAR_EXT.1.1 The application does not encrypt files in non-volatile memory.
Encryption Of Sensitive Application Data
FMT_MEC_EXT.1.1 The application invoke the mechanisms recommended by the platform vendor for storing and setting configuration options.
Supported Configuration Mechanism
FTP_DIT_EXT.1.1 The application does not encrypt any data in traffic or does not transmit any data between itself and another trusted IT product.
Protection of Data in Transit
FCS_COP.1.1(2) The application perform cryptographic hashing services not in accordance with FCS_COP.1.1(2) and uses the cryptographic algorithm RC2/RC4/MD4/MD5.
Cryptographic Operation - Hashing

Code analysis

Information computed with MobSF.

Low
CVSS:7.5
The App logs information. Sensitive information should never be logged.
MASVS: MSTG-STORAGE-3
CWE-532 Insertion of Sensitive Information into Log File
Files:
 ir/adad/AdadActivity.java
ir/adad/AdadJavascriptInterfaceImpl.java
com/sanazdroid2/aroossho/MyLicenseStore.java
ir/adad/l.java
com/sanazdroid2/aroossho/MainActivity.java
ir/adad/p.java
ir/adad/AdView.java
com/myandroid/views/ScaleGestureDetector.java
High
CVSS:5.5
App can read/write to External Storage. Any App can read data written to External Storage.
MASVS: MSTG-STORAGE-2
CWE-276 Incorrect Default Permissions
M2: Insecure Data Storage
Files:
 com/sanazdroid2/aroossho/MainActivity.java
Medium
CVSS:7.5
The App uses an insecure Random Number Generator.
MASVS: MSTG-CRYPTO-6
CWE-330 Use of Insufficiently Random Values
M5: Insufficient Cryptography
Files:
 ir/adad/p.java
Medium
CVSS:7.4
MD5 is a weak hash known to have hash collisions.
MASVS: MSTG-CRYPTO-4
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
M5: Insufficient Cryptography
Files:
 ir/adad/p.java
Medium
CVSS:8.8
Insecure WebView Implementation. Execution of user controlled code in WebView is a critical Security Hole.
MASVS: MSTG-PLATFORM-7
CWE-749 Exposed Dangerous Method or Function
M1: Improper Platform Usage
Files:
 ir/adad/AdadActivity.java
ir/adad/AdView.java
Pygal Germany: 100 United Kingdom: 100

Map computed by Pithus.

Domains analysis

Information computed with MobSF.

DE token.s.adad.ir 94.130.163.40
GB telegram.me 149.154.167.99

URL analysis

Information computed with MobSF.

http://$TOKEN.s.adad.ir/
Defined in ir/adad/l.java
https://telegram.me/rozblack1
Defined in Android String Resource

Permissions analysis

Information computed with MobSF.

High android.permission.CAMERA take pictures and videos
Allows application to take pictures and videos with the camera. This allows the application to collect images that the camera is seeing at any time.
High android.permission.WRITE_EXTERNAL_STORAGE read/modify/delete external storage contents
Allows an application to write to external storage.
High android.permission.READ_EXTERNAL_STORAGE read external storage contents
Allows an application to read from external storage.
Low android.permission.INTERNET full Internet access
Allows an application to create network sockets.

Threat analysis

Information computed with Quark-Engine.

Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.)
Confidence:
100%
Read sensitive data(SMS, CALLLOG, etc)
Confidence:
100%
Open a file from given absolute path of the file
Confidence:
100%
Implicit intent(view a web page, make a phone call, etc.) via setData
Confidence:
100%
Monitor the broadcast action events (BOOT_COMPLETED)
Confidence:
100%
Get absolute path of the file and store in string
Confidence:
100%
Method reflection
Confidence:
100%
Query data from URI (SMS, CALLLOGS)

Behavior analysis

Information computed with MobSF.

Get installed applications
       ir/adad/AdadJavascriptInterfaceImpl.java
ir/adad/AdView.java
Get system service
       ir/adad/l.java
ir/adad/AdView.java
Http connection
       ir/adad/AdadJavascriptInterfaceImpl.java
Inter process communication
       ir/adad/AdadActivity.java
ir/adad/AdadJavascriptInterface.java
ir/adad/AdadJavascriptInterfaceImpl.java
com/sanazdroid2/aroossho/MainActivity.java
ir/adad/AdView.java
com/sanazdroid2/aroossho/SplashActivity.java
Local file i/o operations
       com/sanazdroid2/aroossho/MyLicenseStore.java
ir/adad/l.java
com/sanazdroid2/aroossho/MainActivity.java
Message digest
       ir/adad/p.java
Starting activity
       ir/adad/AdadJavascriptInterfaceImpl.java
com/sanazdroid2/aroossho/MainActivity.java
com/sanazdroid2/aroossho/SplashActivity.java
Webview get request
       ir/adad/h.java
Webview javascript interface
       ir/adad/AdView.java

Control flow graphs analysis

Information computed by Pithus.

The application probably dynamically loads code

The application probably gets different information regarding the telephony capabilities