Analysis Overview
SHA256
fba2aa4b133352b9fe45b4c69cc926a8147655c715d1d7f0c6d1f1a3967155d5
Threat Level: Known bad
The file HOT.7z was found to be: Known bad.
Malicious Activity Summary
Spynote family
Octo
Octo payload
Makes use of the framework's Accessibility service.
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
Requests dangerous framework permissions
Loads dropped Dex/Jar
Acquires the wake lock.
Requests disabling of battery optimizations (often used to enable hiding in the background).
Reads information about phone network operator.
Removes a system notification.
Uses Crypto APIs (Might try to encrypt user data).
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-04-14 09:37
Signatures
Spynote family
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2023-04-14 09:37
Reported
2023-04-14 09:40
Platform
android-x64-20220823-en
Max time kernel
2132942s
Max time network
163s
Command Line
Signatures
Processes
involvement.lights.systematic
involvement.lights.systematic:remote
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| JP | 134.122.166.235:6655 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| JP | 134.122.166.235:6655 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| JP | 134.122.166.235:6655 | tcp | |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| JP | 134.122.166.235:6655 | tcp |
Files
/storage/emulated/0/Config/sys/apps/log/log-2023-04-14.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/involvement.lights.systematic/shared_prefs/involvement.lights.systematic.xml
| MD5 | e0ae18ee51f8080061f538d00a4a2b1f |
| SHA1 | b39e93a0da5a827e9154142070e5eb93eb2a6314 |
| SHA256 | cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee |
| SHA512 | 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e |
Analysis: behavioral5
Detonation Overview
Submitted
2023-04-14 09:37
Reported
2023-04-14 09:40
Platform
android-x64-arm64-20220823-en
Max time kernel
2133014s
Max time network
164s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
involvement.lights.systematic
involvement.lights.systematic:remote
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| DE | 142.250.186.174:443 | tcp | |
| DE | 142.250.186.174:443 | tcp | |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.136:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| JP | 134.122.166.235:6655 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| DE | 172.217.23.206:443 | android.apis.google.com | tcp |
| JP | 134.122.166.235:6655 | tcp | |
| JP | 134.122.166.235:6655 | tcp | |
| JP | 134.122.166.235:6655 | tcp |
Files
/data/user/0/involvement.lights.systematic/shared_prefs/involvement.lights.systematic.xml
| MD5 | e0ae18ee51f8080061f538d00a4a2b1f |
| SHA1 | b39e93a0da5a827e9154142070e5eb93eb2a6314 |
| SHA256 | cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee |
| SHA512 | 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e |
/storage/emulated/0/Config/sys/apps/log/log-2023-04-14.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-14 09:37
Reported
2023-04-14 09:40
Platform
android-x86-arm-20220823-en
Max time kernel
2133010s
Max time network
157s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
Queries a list of all the installed applications on the device (Might be used in an attempt to overlay legitimate apps).
| Description | Indicator | Process | Target |
| Framework service call | android.content.pm.IPackageManager.getInstalledApplications | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.sayearth85/cache/eaogohlxni | N/A | N/A |
| N/A | /data/user/0/com.sayearth85/cache/eaogohlxni | N/A | N/A |
Reads information about phone network operator.
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.sayearth85
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| NL | 142.251.36.46:443 | android.apis.google.com | tcp |
| US | 1.1.1.1:53 | infinitedata-pa.googleapis.com | udp |
| NL | 142.250.179.202:443 | infinitedata-pa.googleapis.com | tcp |
| US | 1.1.1.1:53 | kghdrt6756hu5e4h65.top | udp |
| US | 1.1.1.1:53 | ltgyehve5tfctdrhh.xyz | udp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | 65yh6546yujuthryr.site | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:853 | tcp | |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
Files
/data/user/0/com.sayearth85/cache/eaogohlxni
| MD5 | 638e489cf0204f33f7ab1c2c7817df43 |
| SHA1 | 55599d62bf0dfd01ce5f2b94b6f4538a7cd4f99b |
| SHA256 | fe28cfaeb4da1101dff4b09dcfc5ebd7c7672c11a405a0aa80f9aaf0ca09e241 |
| SHA512 | 85445a94ed4b82ccc700b3330822dd5205880fc6f91b3e39bb330540ceee0ff7634cc0228fbb6093cf08cdc1c9fe26e1cf4dd23a646bfb30c5f5d39363b34f45 |
/data/user/0/com.sayearth85/cache/eaogohlxni.x86.flock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.sayearth85/cache/eaogohlxni
| MD5 | 638e489cf0204f33f7ab1c2c7817df43 |
| SHA1 | 55599d62bf0dfd01ce5f2b94b6f4538a7cd4f99b |
| SHA256 | fe28cfaeb4da1101dff4b09dcfc5ebd7c7672c11a405a0aa80f9aaf0ca09e241 |
| SHA512 | 85445a94ed4b82ccc700b3330822dd5205880fc6f91b3e39bb330540ceee0ff7634cc0228fbb6093cf08cdc1c9fe26e1cf4dd23a646bfb30c5f5d39363b34f45 |
/data/user/0/com.sayearth85/cache/eaogohlxni
| MD5 | 638e489cf0204f33f7ab1c2c7817df43 |
| SHA1 | 55599d62bf0dfd01ce5f2b94b6f4538a7cd4f99b |
| SHA256 | fe28cfaeb4da1101dff4b09dcfc5ebd7c7672c11a405a0aa80f9aaf0ca09e241 |
| SHA512 | 85445a94ed4b82ccc700b3330822dd5205880fc6f91b3e39bb330540ceee0ff7634cc0228fbb6093cf08cdc1c9fe26e1cf4dd23a646bfb30c5f5d39363b34f45 |
/data/user/0/com.sayearth85/cache/oat/eaogohlxni.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.sayearth85/shared_prefs/main.xml
| MD5 | 74407af5df4f68ba64e55ffe01096b71 |
| SHA1 | 468cbcfc54881ebe229e9267090a25eeb64b7b13 |
| SHA256 | 3ec00a8081a447ccb79cc59b65a53dfc5bc3dd0811d2f469b6cdee38712fc066 |
| SHA512 | a1a93e0cea64adb51546e41107816ad14f0a591ee48d3952f4977335fda33febe6e243759c5027fe0e97c73ae8ff8983acf5d65697c98919462cf8343aeb0c12 |
/data/user/0/com.sayearth85/shared_prefs/main.xml
| MD5 | d19cdb0c63b913499a0463fadb46485d |
| SHA1 | dec17221ad806cd4e88f34ecd2d20527e44f67bd |
| SHA256 | af725499adf3e980fc7d0bad4fe9f9f036ecd9baff2d0b577fbc311d0571bf0c |
| SHA512 | 06c53c07a5685b3e4e377a325b22dfe5ca6c54206328c00de06a8ab0fe93d7c10e26d6931f2f910f13063426ee8a0668d71341905155d29e56e694189cd79e9d |
/data/user/0/com.sayearth85/app_webview/variations_seed_new
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.sayearth85/app_webview/variations_stamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.sayearth85/app_webview/webview_data.lock
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.sayearth85/shared_prefs/WebViewChromiumPrefs.xml
| MD5 | 21223e9184445fe043476484cd8cb1f9 |
| SHA1 | 2b4813f849121d60ba35eb0889080668bb62c778 |
| SHA256 | bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af |
| SHA512 | be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48 |
/data/user/0/com.sayearth85/app_webview/Web Data
| MD5 | dc79f9ce5f3ab5270b33e61119dfc959 |
| SHA1 | 1844bf222a5144b513dcf2fb50a18c011701c647 |
| SHA256 | 47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65 |
| SHA512 | 18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e |
/data/user/0/com.sayearth85/app_webview/metrics_guid
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.sayearth85/app_webview/metrics_guid
| MD5 | a600dfc8177d01b62c9ae9ff4f1acc93 |
| SHA1 | 00a501f1ac9f9f4b54991bf057bff581e33ef43f |
| SHA256 | b12326aa57fe303fe0efc8190c170d9f9f4373575efc173baf46c47e6023d203 |
| SHA512 | 4d0a7fddb1456d8bd2f08a87b5d093bf14ca48d32f411b9f646794e3bd50adc2b000180dad86a97ae08da6641ed7708e2e82486d07e618c51f2c7c3b6131bfdf |
/data/user/0/com.sayearth85/app_webview/Web Data-journal
| MD5 | 3da59d1cf2371374d21281390020880c |
| SHA1 | ad683ade66779e6422de8f6c00499ac14028eb9b |
| SHA256 | c74f8459760d605d0bf37c83941521dc1a26bec87ce1c17232adcd2700883388 |
| SHA512 | 5c517c997dbf842775fed43994b687895ec2c37d7aaaf4fb016758cabdc152c09640c4905cd21d2183c2c45a09f7939a610973f6b808e2248f78548ca5f70754 |
/data/user/0/com.sayearth85/app_webview/GPUCache/index
| MD5 | 93027d42b314432c4216e6cfca48b384 |
| SHA1 | 43448dd8102979c3926828182579691945eedd4e |
| SHA256 | 3cda72e67c62e52a342309c44f2cb3b6c1019c7b11822e2f628e48e254e2b41c |
| SHA512 | a52d13cf7f5be196d1e2f135b8a010f80558c5d35e90e7792441d1c976517d55cf1c9587949db69ebef294cc6ef79529a65e7d779964793016efecacd152f70e |
/data/user/0/com.sayearth85/kl.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.sayearth85/app_webview/GPUCache/index-dir/temp-index
| MD5 | 453c8d56cb617cce72b7937567d53035 |
| SHA1 | d22de2165a7c04a9a45ee080112934a61e7da36b |
| SHA256 | 00d8bd9a4e13a4e493ee3f4a3b31014e83cc4c2ff2d2efad38d479e64f87952f |
| SHA512 | b69ba1696aedf774e57cd830e92013926687beed0c4ed0b722413004ed567d360ecac832e359860469c507f80de6eea5787b594016241f78a0d97e6694d0c02b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-14 09:37
Reported
2023-04-14 09:40
Platform
android-x64-20220823-en
Max time kernel
2133012s
Max time network
161s
Command Line
Signatures
Octo
Octo payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped Dex/Jar
| Description | Indicator | Process | Target |
| N/A | /data/user/0/com.sayearth85/cache/eaogohlxni | N/A | N/A |
| N/A | /data/user/0/com.sayearth85/cache/eaogohlxni | N/A | N/A |
Reads information about phone network operator.
Uses Crypto APIs (Might try to encrypt user data).
| Description | Indicator | Process | Target |
| Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A |
Processes
com.sayearth85
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 1.1.1.1:53 | ssl.google-analytics.com | udp |
| NL | 142.250.179.136:443 | ssl.google-analytics.com | tcp |
| US | 1.1.1.1:53 | www.ip-api.com | udp |
| US | 208.95.112.1:80 | www.ip-api.com | tcp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:53 | kghdrt6756hu5e4h65.top | udp |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| US | 1.1.1.1:53 | kghdrt6756hu5e4h65.top | udp |
| US | 1.1.1.1:53 | ltgyehve5tfctdrhh.xyz | udp |
| US | 1.1.1.1:53 | kghdrt6756hu5e4h65.top | udp |
| US | 1.1.1.1:53 | 65yh6546yujuthryr.site | udp |
| US | 1.1.1.1:53 | ltgyehve5tfctdrhh.xyz | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:53 | kghdrt6756hu5e4h65.top | udp |
| US | 1.1.1.1:53 | 65yh6546yujuthryr.site | udp |
| US | 1.1.1.1:53 | 65yh6546yujuthryr.site | udp |
| US | 1.1.1.1:53 | 65yh6546yujuthryr.site | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 1.1.1.1:53 | 65yh6546yujuthryr.site | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 1.1.1.1:53 | fe5gt6reghruj56.online | udp |
| US | 198.54.117.242:443 | fe5gt6reghruj56.online | tcp |
Files
/data/user/0/com.sayearth85/cache/eaogohlxni
| MD5 | 638e489cf0204f33f7ab1c2c7817df43 |
| SHA1 | 55599d62bf0dfd01ce5f2b94b6f4538a7cd4f99b |
| SHA256 | fe28cfaeb4da1101dff4b09dcfc5ebd7c7672c11a405a0aa80f9aaf0ca09e241 |
| SHA512 | 85445a94ed4b82ccc700b3330822dd5205880fc6f91b3e39bb330540ceee0ff7634cc0228fbb6093cf08cdc1c9fe26e1cf4dd23a646bfb30c5f5d39363b34f45 |
/data/user/0/com.sayearth85/cache/eaogohlxni
| MD5 | 638e489cf0204f33f7ab1c2c7817df43 |
| SHA1 | 55599d62bf0dfd01ce5f2b94b6f4538a7cd4f99b |
| SHA256 | fe28cfaeb4da1101dff4b09dcfc5ebd7c7672c11a405a0aa80f9aaf0ca09e241 |
| SHA512 | 85445a94ed4b82ccc700b3330822dd5205880fc6f91b3e39bb330540ceee0ff7634cc0228fbb6093cf08cdc1c9fe26e1cf4dd23a646bfb30c5f5d39363b34f45 |
/data/user/0/com.sayearth85/cache/eaogohlxni
| MD5 | 638e489cf0204f33f7ab1c2c7817df43 |
| SHA1 | 55599d62bf0dfd01ce5f2b94b6f4538a7cd4f99b |
| SHA256 | fe28cfaeb4da1101dff4b09dcfc5ebd7c7672c11a405a0aa80f9aaf0ca09e241 |
| SHA512 | 85445a94ed4b82ccc700b3330822dd5205880fc6f91b3e39bb330540ceee0ff7634cc0228fbb6093cf08cdc1c9fe26e1cf4dd23a646bfb30c5f5d39363b34f45 |
/data/user/0/com.sayearth85/cache/oat/eaogohlxni.cur.prof
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
/data/user/0/com.sayearth85/shared_prefs/main.xml
| MD5 | 74407af5df4f68ba64e55ffe01096b71 |
| SHA1 | 468cbcfc54881ebe229e9267090a25eeb64b7b13 |
| SHA256 | 3ec00a8081a447ccb79cc59b65a53dfc5bc3dd0811d2f469b6cdee38712fc066 |
| SHA512 | a1a93e0cea64adb51546e41107816ad14f0a591ee48d3952f4977335fda33febe6e243759c5027fe0e97c73ae8ff8983acf5d65697c98919462cf8343aeb0c12 |
/data/user/0/com.sayearth85/shared_prefs/main.xml
| MD5 | 5c71d0f84c33be8170af02776cd94a10 |
| SHA1 | dd9a7186dcd6432c01da508c563b1af8bcac7714 |
| SHA256 | 142659fcfe304187356211c984f02469e3a6c836446c0fe36cb9c585a28bfc5c |
| SHA512 | 8a5bb86c2a362e5ef876088d981fd64657f244c42192081ed711d91bd39226fda1cf89765814d31054087fc5ce7f2f15e828b480377c7380869e7e776681cc97 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-04-14 09:37
Reported
2023-04-14 09:40
Platform
android-x86-arm-20220823-en
Max time kernel
2133000s
Max time network
146s
Command Line
Signatures
Makes use of the framework's Accessibility service.
| Description | Indicator | Process | Target |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId | N/A | N/A |
| Framework service call | android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId | N/A | N/A |
Acquires the wake lock.
| Description | Indicator | Process | Target |
| Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A |
Requests disabling of battery optimizations (often used to enable hiding in the background).
| Description | Indicator | Process | Target |
| Intent action | android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS | N/A | N/A |
Removes a system notification.
| Description | Indicator | Process | Target |
| Framework service call | android.app.INotificationManager.cancelNotificationWithTag | N/A | N/A |
Processes
involvement.lights.systematic
involvement.lights.systematic:remote
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| JP | 134.122.166.235:6655 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| US | 1.1.1.1:853 | tcp | |
| JP | 134.122.166.235:6655 | tcp | |
| JP | 134.122.166.235:6655 | tcp |
Files
/data/user/0/involvement.lights.systematic/shared_prefs/involvement.lights.systematic.xml
| MD5 | e0ae18ee51f8080061f538d00a4a2b1f |
| SHA1 | b39e93a0da5a827e9154142070e5eb93eb2a6314 |
| SHA256 | cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee |
| SHA512 | 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e |
/storage/emulated/0/Config/sys/apps/log/log-2023-04-14.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |