Malware Analysis Report

2024-10-19 13:03

Sample ID 231009-1wwnhsag34
Target 60a84a9c1f41257573d5c2ee96926ae56c2e7255b62526b432bff3818a95d438.bin
SHA256 60a84a9c1f41257573d5c2ee96926ae56c2e7255b62526b432bff3818a95d438
Tags
ermac hook banker evasion infostealer ransomware rat stealth trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60a84a9c1f41257573d5c2ee96926ae56c2e7255b62526b432bff3818a95d438

Threat Level: Known bad

The file 60a84a9c1f41257573d5c2ee96926ae56c2e7255b62526b432bff3818a95d438.bin was found to be: Known bad.

Malicious Activity Summary

ermac hook banker evasion infostealer ransomware rat stealth trojan

Ermac2 payload

Hook

Ermac

Makes use of the framework's Accessibility service.

Removes its main activity from the application launcher

Loads dropped Dex/Jar

Requests dangerous framework permissions

Acquires the wake lock.

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data).

Removes a system notification.

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-09 22:00

Signatures

Requests dangerous framework permissions

Description Indicator Process Target
Allows an application to write the user's contacts data. android.permission.WRITE_CONTACTS N/A N/A
Allows an application to read SMS messages. android.permission.READ_SMS N/A N/A
Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. android.permission.CALL_PHONE N/A N/A
Allows an application to read from external storage. android.permission.READ_EXTERNAL_STORAGE N/A N/A
Allows an application to receive SMS messages. android.permission.RECEIVE_SMS N/A N/A
Allows an application to read the user's contacts data. android.permission.READ_CONTACTS N/A N/A
Allows an application to send SMS messages. android.permission.SEND_SMS N/A N/A
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. android.permission.READ_PHONE_STATE N/A N/A
Required to be able to access the camera device. android.permission.CAMERA N/A N/A
Allows an app to access location in the background. android.permission.ACCESS_BACKGROUND_LOCATION N/A N/A
Allows an application to write to external storage. android.permission.WRITE_EXTERNAL_STORAGE N/A N/A
Allows read access to the device's phone number(s). android.permission.READ_PHONE_NUMBERS N/A N/A
Allows access to the list of accounts in the Accounts Service. android.permission.GET_ACCOUNTS N/A N/A
Allows an application to read the user's call log. android.permission.READ_CALL_LOG N/A N/A
Allows an app to access approximate location. android.permission.ACCESS_COARSE_LOCATION N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

android-x64-arm64-20230831-en

Max time kernel

376912s

Max time network

163s

Command Line

com.zeriyatetahelo.hodi

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zeriyatetahelo.hodi

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
NL 142.251.36.46:443 tcp
NL 142.251.36.46:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
RU 91.215.85.37:3434 tcp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.250.179.168:443 ssl.google-analytics.com tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.251.36.14:443 android.apis.google.com tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp

Files

/data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 853bfb626a4e20e1fddb36028d018634
SHA1 6e536a55d87814bad019e52b20d8303e91124778
SHA256 41d3ecbf5cba680bdf23a9d40ec2ab6c561dea6e68820a09117c62483a48da84
SHA512 074941cc4e68a1c053dfdb664e3afbfbe5b3d731e5d547035620ce552c866b8042473224313649231a294cdfc96b7560893a26c540cb4fe74d75b4e99c484869

/data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 35e82027ddab7996192175d175ba488c
SHA1 be9fa31102efffbb44d7a20dd1a8e7a4b185a2ad
SHA256 edc5038411ed851fe488e54e869df9dc5a0121270b779d33e89effbcc88a0f91
SHA512 de8fdf7044f6aa5fe95f67a58c9c99b988c4f12c6acfb952bccea3fbfba7f4beee858ee9705d6e8e9e5b020258760f4b5ad177c695df7eadcde71001ad2daadc

/data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 4fdb4489998b24cd1c9c6625769ec3ec
SHA1 e515c55c75be675060e143fa525f770f1534ad50
SHA256 3f1ff2d8838ded4ab4cbfdb11576185e51c8504d61bfffad0a981c050b5d9c85
SHA512 5375341dd4f4cb146d31ddfc38dddc47e682f68267d27f2d50913cd5478778f17601327f1cb06156567f8d98a2ff37c05729f435888e6bf348db4efe437a9471

/data/user/0/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-journal

MD5 cee3c49ccdfbba5b1362c53ed76494fa
SHA1 756e93e38fb0d03a7adb6542d637d4cabea2cfd4
SHA256 a0e9301f7d07b168f1b68e2958fe9c5a70ea38acb43b3201bbf78ff8cdff799e
SHA512 86ea7e1e0c19d3792b17111843688c703b624423e7cfeed43f367177630205ad65fd81afe952917812360fec16ea20341ca3160eff47f3c55feeb20580a8cce2

/data/user/0/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb

MD5 7e858c4054eb00fcddc653a04e5cd1c6
SHA1 2e056bf31a8d78df136f02a62afeeca77f4faccf
SHA256 9010186c5c083155a45673017d1e31c2a178e63cc15a57bbffde4d1956a23dad
SHA512 d0c7a120940c8e637d5566ef179d01eff88a2c2650afda69ad2a46aad76533eaace192028bba3d60407b4e34a950e7560f95d9f9b8eebe361ef62897d88b30cb

/data/user/0/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/user/0/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 8fda5fa63dfffb3ee7f767a90d115d17
SHA1 ca878208dd2e575fc4adc73cd7525ab682697f8b
SHA256 876707ae65b2611b7e875aed9e294468d5b15abd6542611f21ab978a9e030579
SHA512 c6d247275056082695e41aa2dc92be6684d27c204c969e5c33bc85ee0dc0fd1c4520765c841cf40b0ad2e24a3c46d8769864b80f2cd5205870d51eee8ac881aa

/data/user/0/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 a2284c70b6fbb8c4aa03dffecbfaa61c
SHA1 7b9224a10c0e84fae23c2941d4bb30229f94d13b
SHA256 d0290bc9ae9ee2e027c64c1232c1b38e5e85a57947964ea4b4db447b0e70257d
SHA512 ddc6736b0a876c9525a28e130665ceb772224fc4a73bdd9a67d5ae917c5a48c332e1e66dd9c8a8e1d6315900644923eb3ddf1455393d6538e09c1b441a7ee378

/data/user/0/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 df3bfc9450f0a24aa61486460007a8e2
SHA1 cb2f852f0bef5357fe5d3df44696c063309f4f6b
SHA256 6e0b3f57a431f342c36a086da0203cbccfe5b5a81cf1d04cc036678fbc76a6da
SHA512 f8dcd66aade643679b7ad2031fe3283a36b6dd4cdeb5609f329121e83029e951f5c2335b64081acd6c76c255fe319fbcca2b350598c623ef4e5c612a62d5f8f4

/data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/oat/XXhAsT.json.cur.prof

MD5 441e0c96f0ea2f6365b04ecd7e8bf6be
SHA1 02c1296993e24818181ac6f46cdd4073343a4708
SHA256 8b72acdc94daf6fb3e3e62f8e4b11f47088d8afae8f6973e7c9f513d8253c90d
SHA512 b2ba42f56d72d57240058df437f1b968e3a3f519f5c249d67492f05de4f48ed4f9977a76c9d036e1081baee4261802962c889eed8a5ff037745cd12f628aaf33

Analysis: behavioral7

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

win10v2004-20230915-en

Max time kernel

143s

Max time network

148s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-2.2.0.min.js

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-2.2.0.min.js

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp

Files

memory/1460-0-0x000002545DC40000-0x000002545DC50000-memory.dmp

memory/1460-16-0x000002545DD40000-0x000002545DD50000-memory.dmp

memory/1460-32-0x0000025466030000-0x0000025466031000-memory.dmp

memory/1460-34-0x0000025466060000-0x0000025466061000-memory.dmp

memory/1460-35-0x0000025466060000-0x0000025466061000-memory.dmp

memory/1460-36-0x0000025466170000-0x0000025466171000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

android-x86-arm-20230831-en

Max time kernel

376908s

Max time network

156s

Command Line

com.zeriyatetahelo.hodi

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zeriyatetahelo.hodi

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 142.250.179.170:443 infinitedata-pa.googleapis.com tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
NL 142.251.39.110:443 tcp
US 1.1.1.1:53 android.apis.google.com udp
NL 142.250.179.142:443 android.apis.google.com tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
NL 142.251.39.106:443 infinitedata-pa.googleapis.com tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp

Files

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 853bfb626a4e20e1fddb36028d018634
SHA1 6e536a55d87814bad019e52b20d8303e91124778
SHA256 41d3ecbf5cba680bdf23a9d40ec2ab6c561dea6e68820a09117c62483a48da84
SHA512 074941cc4e68a1c053dfdb664e3afbfbe5b3d731e5d547035620ce552c866b8042473224313649231a294cdfc96b7560893a26c540cb4fe74d75b4e99c484869

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 35e82027ddab7996192175d175ba488c
SHA1 be9fa31102efffbb44d7a20dd1a8e7a4b185a2ad
SHA256 edc5038411ed851fe488e54e869df9dc5a0121270b779d33e89effbcc88a0f91
SHA512 de8fdf7044f6aa5fe95f67a58c9c99b988c4f12c6acfb952bccea3fbfba7f4beee858ee9705d6e8e9e5b020258760f4b5ad177c695df7eadcde71001ad2daadc

/data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 4fdb4489998b24cd1c9c6625769ec3ec
SHA1 e515c55c75be675060e143fa525f770f1534ad50
SHA256 3f1ff2d8838ded4ab4cbfdb11576185e51c8504d61bfffad0a981c050b5d9c85
SHA512 5375341dd4f4cb146d31ddfc38dddc47e682f68267d27f2d50913cd5478778f17601327f1cb06156567f8d98a2ff37c05729f435888e6bf348db4efe437a9471

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-journal

MD5 193420c65e5a90976ff0e0413848de59
SHA1 ebe0f7430b9dc770e1ca2c78e08cd783371ab5c5
SHA256 6501408cb4216221af18abaeec77ac0262bc97e69d22c31b0067ddc96ba4bf09
SHA512 94511d6ccb0d6c967afb3f3a6c5e26674341b6131020fc389e8cae2c2040b67f6293ca3e57a08cf3f0007d64d6950e9be58f2575b190c6834010df985c80e8c7

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 fffbb209ec8c6a0f4c44d9e83dc999c5
SHA1 4d300a94d19947061d97cb67d7dee9147b6f30b1
SHA256 accec939f7b7f376a51f22915ceb03716616aa2af755d55bf7a5916b9abde63b
SHA512 c05dad50cd1c676584061e4e5dc2bfcaad1cc9c69026e874cb3ab8f99bd95662b3e2afdf69864c744d7e39421638d5b80867039e14fb72134947011e2e1e475d

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 8000bc3c04b4283609170daa94d8fb6b
SHA1 7b346cb637a6d54f87297b30535c40ade6b53146
SHA256 6138eed610e227f5e2b744ec3f7c8fa472aaa4dcdac2c465079752ff8d6635b8
SHA512 dfc8392c942ead228273c607c422db27cc068c50610660daf9bb84d5486ac041cb2971e046c0b4a1151db91a784151d5aa63e0c823d43342b964ea99a430ef8c

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 f9846ab7ed8016429b6b76cbf86c6fca
SHA1 e0c61c3573467959a2deaef66742938a211d36f3
SHA256 0427124dd7a2f88e0fc22706750d3212bfd0d9c4f3225aefbbd0d41feb15ed9a
SHA512 c0807d2c75e450bc1c88e5285cd9254ed5aed2c51649b49d57a1653241404d68e3ecbbdaedfbcb660d95341c820a27e791b963aa64a6aae1414481ba4d9200f3

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/oat/XXhAsT.json.cur.prof

MD5 75d1ccab8520bfabd34d4444274ea03e
SHA1 f08adeb49c1d9718d3137efc845b2d1163d9298c
SHA256 09703d7d10745add74575a38296ca703f71d1b3a29c3df733b6ea9ff290da23b
SHA512 91faa42be41fdd59309a6b5caed6f6dcfc895e6b12bd14b3027fc4815c05f4f7e8f4b0e2563cf6e212f6dcbaf0893055d366be21be7b663a07db40bf5eac7a8f

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/oat/XXhAsT.json.cur.prof

MD5 2fbc4b051768196ebd081846bac0be8e
SHA1 47ac2f9e7996127f07e3188928428f6fa00eef58
SHA256 88c7e5c8b69e1151e2b3f2283ba3d574064522972659b08bff9563da7f0cfc52
SHA512 e7a00aa134949f489e4f5e2def9cf47ee62a0af7949e96b89ecd60b391f0168747e171c35c150aad7c62d815956f91c7330a8d3d13a69666c5e4eb40db0ded71

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/oat/XXhAsT.json.cur.prof

MD5 3c1247dd247a5c7e7d426e3e1f78ec17
SHA1 2931c8a190ddda1aced4d66e47dfb1cd1b4fe2ca
SHA256 9bcc30ac5a67b06305013e234ee77652eadb18968ce783a2f3bc79ebd4216c86
SHA512 883b802bd3ae9833c75009533e126b1cd2dde2b7ab2876e55355ea9bffaad167a06e2cd25cba60fce9904e7764c4a959eb26c5f059ae9c8c26261b83b4586b1f

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

android-x64-20230831-en

Max time kernel

376906s

Max time network

159s

Command Line

com.zeriyatetahelo.hodi

Signatures

Ermac

banker trojan infostealer ermac

Ermac2 payload

Description Indicator Process Target
N/A N/A N/A N/A

Hook

rat trojan infostealer hook

Makes use of the framework's Accessibility service.

Description Indicator Process Target
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByViewId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfoByAccessibilityId N/A N/A
Framework service call android.accessibilityservice.IAccessibilityServiceConnection.findAccessibilityNodeInfosByText N/A N/A

Removes its main activity from the application launcher

stealth trojan
Description Indicator Process Target
N/A N/A N/A N/A

Acquires the wake lock.

Description Indicator Process Target
Framework service call android.os.IPowerManager.acquireWakeLock N/A N/A

Loads dropped Dex/Jar

Description Indicator Process Target
N/A /data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json N/A N/A

Reads information about phone network operator.

Removes a system notification.

evasion
Description Indicator Process Target
Framework service call android.app.INotificationManager.cancelNotificationWithTag N/A N/A

Uses Crypto APIs (Might try to encrypt user data).

ransomware
Description Indicator Process Target
Framework API call javax.crypto.Cipher.doFinal N/A N/A

Processes

com.zeriyatetahelo.hodi

Network

Country Destination Domain Proto
US 1.1.1.1:53 android.apis.google.com udp
NL 216.58.214.10:80 play.googleapis.com tcp
N/A 224.0.0.251:5353 udp
DE 172.217.23.202:80 play.googleapis.com tcp
US 1.1.1.1:53 infinitedata-pa.googleapis.com udp
NL 216.58.214.10:443 infinitedata-pa.googleapis.com tcp
US 1.1.1.1:53 android.apis.google.com udp
US 1.1.1.1:53 ssl.google-analytics.com udp
NL 142.251.36.8:443 ssl.google-analytics.com tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
NL 216.58.214.10:443 infinitedata-pa.googleapis.com tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp
RU 91.215.85.37:3434 tcp

Files

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 853bfb626a4e20e1fddb36028d018634
SHA1 6e536a55d87814bad019e52b20d8303e91124778
SHA256 41d3ecbf5cba680bdf23a9d40ec2ab6c561dea6e68820a09117c62483a48da84
SHA512 074941cc4e68a1c053dfdb664e3afbfbe5b3d731e5d547035620ce552c866b8042473224313649231a294cdfc96b7560893a26c540cb4fe74d75b4e99c484869

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 35e82027ddab7996192175d175ba488c
SHA1 be9fa31102efffbb44d7a20dd1a8e7a4b185a2ad
SHA256 edc5038411ed851fe488e54e869df9dc5a0121270b779d33e89effbcc88a0f91
SHA512 de8fdf7044f6aa5fe95f67a58c9c99b988c4f12c6acfb952bccea3fbfba7f4beee858ee9705d6e8e9e5b020258760f4b5ad177c695df7eadcde71001ad2daadc

/data/user/0/com.zeriyatetahelo.hodi/app_DynamicOptDex/XXhAsT.json

MD5 4fdb4489998b24cd1c9c6625769ec3ec
SHA1 e515c55c75be675060e143fa525f770f1534ad50
SHA256 3f1ff2d8838ded4ab4cbfdb11576185e51c8504d61bfffad0a981c050b5d9c85
SHA512 5375341dd4f4cb146d31ddfc38dddc47e682f68267d27f2d50913cd5478778f17601327f1cb06156567f8d98a2ff37c05729f435888e6bf348db4efe437a9471

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-journal

MD5 6cc91848513937a6435071c5a520b620
SHA1 3afadc63bb534dc911679724721bf0b057ab0794
SHA256 b764702d8a7109367e6898e63dbf7fe9e08c6a04556f294a10b780d27c958524
SHA512 feb78ce8e9e2d175f164a16bd861e1f69083fc3e866cb738ad45b0ed320d3c2d899222d6ab40f3b0f28bf3f840f843f616bde1cf7321272c107cc3341c2daec1

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-shm

MD5 bb7df04e1b0a2570657527a7e108ae23
SHA1 5188431849b4613152fd7bdba6a3ff0a4fd6424b
SHA256 c35020473aed1b4642cd726cad727b63fff2824ad68cedd7ffb73c7cbd890479
SHA512 768007e06b0cd9e62d50f458b9435c6dda0a6d272f0b15550f97c478394b743331c3a9c9236e09ab5b9cb3b423b2320a5d66eb3c7068db9ea37891ca40e47012

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 4ead9b58cdeda19b6dc093efb9d216da
SHA1 1de1fc7956bb0bb1c5d06bae151a1e46f7a69356
SHA256 b8288570f8d0b3f540f8983ecd417dd3d2e16ca7f9d50c329f230222e696f62e
SHA512 4e95f3fadc806d5fb9d3492c407407063786463b6cfd394de7aa7f9626740f5a2123672d6e179d28538a9e17fa099b3534347f1ee09f252f02ffa7db4d83612c

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 25a6227318bdddfdaf22f7a77d040707
SHA1 0ddd2d4e7b09094f797a5796990f908b576038bd
SHA256 b2adcaa5a7d1bab35a42a160d4fbb83d00d6296a343e9f7360644aa94ee2de66
SHA512 beb7bfc071921016c25d87472d457c9f5c317869a20d01b58f529bbb4bb2a3a846a755cefff13cf7f895bf8fefbf7f4219980e012076d66eff9c7ac7b3ef276e

/data/data/com.zeriyatetahelo.hodi/no_backup/androidx.work.workdb-wal

MD5 a9f88ff9c6fbc72e011ad4c9bdbf5bd1
SHA1 5ffbb47cdd4f4da6e126858f5c5679a739482759
SHA256 3611c1a4b2f8a7436d28c5902e232bf848e2a7d7ebdc846806c2c50b82589731
SHA512 ea776f885bef09e4925ef2b2be8940733d08320b749ea225a956734178d22653762563118ebc0ebfe45e75b9a473c40ead062688a1e72ba8a3e936c73a5e5a77

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/oat/XXhAsT.json.cur.prof

MD5 9678d0725ede8cabff3aa6acfa68e7d7
SHA1 3f1d7c3d151a1c0cc43aa7051c2a8a9076b7b848
SHA256 f38b2b1432eb76ad9d803a3a564a14904a88391adfd9fee0fc55c0bcddf1060e
SHA512 d51022e47736cdcc87dc57581e2acad8a48fedcd447962f1861f0b62e161ef47da874bb69beeb62c1ca3f3a79d4d409fd15077e450067a9e10fb01499e0f01eb

/data/data/com.zeriyatetahelo.hodi/app_DynamicOptDex/oat/XXhAsT.json.cur.prof

MD5 e59ce670b2ec4c32acbac372b2dfafb4
SHA1 92e557be050b3a979dd9f7fa41bb9aeafed9dad7
SHA256 5290aae937ea61243af752eb6d2418d5896d95d675053121abc718d0c1c4c5d7
SHA512 fc4c9a647fe6fab1f56f58d0172ab51e02074588041a79e99e66cd98ae1f4ec48a669f2e3d3368a834a591ea02a2bc8ecdef0c749204a681ac8720ffe23f9570

Analysis: behavioral12

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

125s

Command Line

[/tmp/libnative-filters.so]

Signatures

N/A

Processes

/tmp/libnative-filters.so

[/tmp/libnative-filters.so]

Network

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

win7-20230831-en

Max time kernel

122s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\mraid.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\mraid.js

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

win7-20230831-en

Max time kernel

120s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\core_wrapper.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\core_wrapper.js

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

126s

Command Line

[/tmp/libcrashlytics.so]

Signatures

N/A

Processes

/tmp/libcrashlytics.so

[/tmp/libcrashlytics.so]

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

2s

Max time network

125s

Command Line

[/tmp/libcrashlytics-handler.so]

Signatures

N/A

Processes

/tmp/libcrashlytics-handler.so

[/tmp/libcrashlytics-handler.so]

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

debian9-armhf-en-20211208

Max time kernel

2s

Max time network

126s

Command Line

[/tmp/libimagepipeline.so]

Signatures

N/A

Processes

/tmp/libimagepipeline.so

[/tmp/libimagepipeline.so]

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Max time network

126s

Command Line

[/tmp/librsjni.so]

Signatures

N/A

Processes

/tmp/librsjni.so

[/tmp/librsjni.so]

Network

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

ubuntu1804-amd64-20230831-en

Max time kernel

4s

Max time network

112s

Command Line

[/tmp/libtoolChecker.so]

Signatures

N/A

Processes

/tmp/libtoolChecker.so

[/tmp/libtoolChecker.so]

Network

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

win10v2004-20230915-en

Max time kernel

145s

Max time network

150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\mraid.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\mraid.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

win7-20230831-en

Max time kernel

119s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-2.2.0.min.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\jquery-2.2.0.min.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:03

Platform

win10v2004-20230915-en

Max time kernel

135s

Max time network

128s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\core_wrapper.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\core_wrapper.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-10-09 22:00

Reported

2023-10-09 22:00

Platform

debian9-armhf-20230831-en

Max time kernel

1s

Command Line

[/tmp/libcrashlytics-trampoline.so]

Signatures

N/A

Processes

/tmp/libcrashlytics-trampoline.so

[/tmp/libcrashlytics-trampoline.so]

Network

N/A

Files

N/A