Malware Analysis Report

2025-01-23 12:37

Sample ID 230421-qkhx6shf2t
Target bradesco.apk
SHA256 2f922df9bde2e816064bbc23c5e4d4ec833f8f0d822c0f097f3b584ec81df032
Tags
spynote evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f922df9bde2e816064bbc23c5e4d4ec833f8f0d822c0f097f3b584ec81df032

Threat Level: Known bad

The file bradesco.apk was found to be: Known bad.

Malicious Activity Summary

spynote evasion

Spynote family

Makes use of the framework's Accessibility service.

Requests dangerous framework permissions

Acquires the wake lock.

Legitimate hosting services abused for malware hosting/C2

Requests disabling of battery optimizations (often used to enable hiding in the background).

Removes a system notification.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-21 13:19

Signatures

Spynote family

spynote

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. android.permission.PROCESS_OUTGOING_CALLS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an application to record audio. android.permission.RECORD_AUDIO N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A
Allows an app to access precise location. android.permission.ACCESS_FINE_LOCATION N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-21 13:19

Reported

2023-04-21 13:21

Platform

android-x86-arm-20220823-en

Max time kernel

2751087s

Max time network

160s

Command Line

keen.cache.explosion

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Legitimate hosting services abused for malware hosting/C2

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

keen.cache.explosion

keen.cache.explosion:remote

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp
US 1.1.1.1:853 tcp
US 1.1.1.1:853 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
BR 18.229.248.167:26109 tcp
US 1.1.1.1:853 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp
BR 18.229.146.63:26109 tcp

Files

/data/user/0/keen.cache.explosion/shared_prefs/keen.cache.explosion.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/storage/emulated/0/Config/sys/apps/log/log-2023-04-21.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/keen.cache.explosion/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-21 13:19

Reported

2023-04-21 13:21

Platform

android-x64-20220823-en

Max time kernel

2751025s

Max time network

165s

Command Line

keen.cache.explosion

Signatures

Legitimate hosting services abused for malware hosting/C2

Processes

keen.cache.explosion

keen.cache.explosion:remote

Network

Country Destination Domain Proto
DE 142.250.185.130:443 tcp
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 accounts.google.com udp
NL 142.251.39.109:443 accounts.google.com tcp
US 1.1.1.1:53 accounts.google.com udp
NL 142.251.36.45:443 accounts.google.com tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.8:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
US 1.1.1.1:53 pljoamvd udp
US 1.1.1.1:53 jkacpyosjun udp
US 1.1.1.1:53 nsoshstpjat udp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
US 1.1.1.1:53 pljoamvd udp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
BR 18.231.93.153:26109 1.tcp.sa.ngrok.io tcp

Files

/data/user/0/keen.cache.explosion/shared_prefs/keen.cache.explosion.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/storage/emulated/0/Config/sys/apps/log/log-2023-04-21.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/keen.cache.explosion/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b

Analysis: behavioral3

Detonation Overview

Submitted

2023-04-21 13:19

Reported

2023-04-21 13:21

Platform

android-x64-arm64-20220823-en

Max time kernel

2751094s

Max time network

169s

Command Line

keen.cache.explosion

Signatures

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Legitimate hosting services abused for malware hosting/C2

Requests disabling of battery optimizations (often used to enable hiding in the background).

evasion
Description Indicator Process Target
Intent action android.settings.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS N/A N/A

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Processes

keen.cache.explosion

keen.cache.explosion:remote

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
NL 142.250.179.142:443 android.apis.google.com tcp
N/A 224.0.0.251:5353 udp
NL 172.217.168.226:443 tcp
NL 142.251.39.102:443 tcp
NL 142.251.39.106:80 play.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
GB 216.58.208.104:443 ssl.google-analytics.com tcp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
BR 54.94.248.37:26109 1.tcp.sa.ngrok.io tcp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
US 1.1.1.1:53 android.apis.google.com udp
DE 172.217.23.206:443 android.apis.google.com tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
BR 18.229.248.167:26109 1.tcp.sa.ngrok.io tcp
US 1.1.1.1:53 1.tcp.sa.ngrok.io udp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp
BR 18.228.115.60:26109 1.tcp.sa.ngrok.io tcp

Files

/storage/emulated/0/Config/sys/apps/log/log-2023-04-21.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/keen.cache.explosion/shared_prefs/keen.cache.explosion.xml

MD5 e0ae18ee51f8080061f538d00a4a2b1f
SHA1 b39e93a0da5a827e9154142070e5eb93eb2a6314
SHA256 cb60eb5f68387d91f47eecbf64f465400f1d0dfd29dca34c2f7835a381f2c1ee
SHA512 646b099795a1e9232a3548f78cd3e0025695f2cfd002cb9eae73c0ce14c64dc253ad3ceb7dd53e6289b38b5f556ed511c103e99c197c0685f80361aa0d97c96e

/data/user/0/keen.cache.explosion/shared_prefs/ProtectedApps.xml

MD5 214fb59450fb63c2eba0eb00cbef71bb
SHA1 d55306c66d10c8256ced135b9a245fb3de50b096
SHA256 29cd87115f57a3d714e8f666d08c6d1bd53fd644a77b8172dfa29ac2aea1bf46
SHA512 83c6d8af079e1224d78056316e5bebc3947871194afe325493599131b82fc6a381cc7c72ab93378ddcca3ab6b5ed9c14c6da2e73086e29d48c6dafa550a1622b