Malware Analysis Report

2025-01-19 06:48

Sample ID 231223-q7c1faehh6
Target 26d31f8346361f1113e3a8c8c080d6c90ef7ad670668a0bc4fd7fe7f0c4c5eb4
SHA256 26d31f8346361f1113e3a8c8c080d6c90ef7ad670668a0bc4fd7fe7f0c4c5eb4
Tags irata
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score

10/10

SHA256

26d31f8346361f1113e3a8c8c080d6c90ef7ad670668a0bc4fd7fe7f0c4c5eb4

Threat Level: Known bad

The file 26d31f8346361f1113e3a8c8c080d6c90ef7ad670668a0bc4fd7fe7f0c4c5eb4 was found to be: Known bad.

Malicious Activity Summary

irata

Irata family

Irata payload

Requests cell location

Requests dangerous framework permissions

Acquires the wake lock

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-23 13:53

Signatures

Irata family

irata

Irata payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Requests dangerous framework permissions

Description | Indicator | Process | Target
Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-23 13:53

Reported

2023-12-26 21:37

Platform

android-x86-arm-20231215-en

Max time kernel

2819619s

Max time network

157s

Command Line

ir.iut.sand

Signatures

Requests cell location

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

ir.iut.sand

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | semanticlocation-pa.googleapis.com | udp
US | 1.1.1.1:53 | sdk.cheshmak.me | udp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 1.1.1.1:53 | srv.magnetadservices.com | udp
IR | 178.216.250.25:443 | srv.magnetadservices.com | tcp
IR | 178.216.250.25:443 | srv.magnetadservices.com | tcp
US | 1.1.1.1:53 | server.magnet.ir | udp
GB | 142.250.180.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 142.250.187.206:443 | android.apis.google.com | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
FR | 216.58.201.110:443 | android.apis.google.com | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
BE | 74.125.206.188:5228 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
FR | 216.58.201.100:443 | N/A | tcp
GB | 216.58.212.228:443 | www.google.com | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp

Files

/data/data/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 ce7b791714bc961aaae03cce8a0ed1ef
SHA1 f74490cc286c66c6e61bb400c331b20c20fee46f
SHA256 e0da9af1d5d54ed78ffd5a7c064d9d99f5bc2343a1de122d69ecc67eb9c6b2db
SHA512 8e306ec263f92b836b7527413bca856ded1ba5b8fe523d37dd1f66a9c9d0eb86ecbc53dc21323d115c67f12d157e6e6c981936d15ad88375db69d00a20286660

/data/data/ir.iut.sand/databases/__pushe_base_lib_db

MD5 f2b4b0190b9f384ca885f0c8c9b14700
SHA1 934ff2646757b5b6e7f20f6a0aa76c7f995d9361
SHA256 0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514
SHA512 ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

/data/data/ir.iut.sand/databases/__pushe_base_lib_db-shm

MD5 cf845a781c107ec1346e849c9dd1b7e8
SHA1 b44ccc7f7d519352422e59ee8b0bdbac881768a7
SHA256 18619b678a5c207a971a0aa931604f48162e307c57ecdec450d5f095fe9f32c7
SHA512 4802861ea06dc7fb85229a3c8f04e707a084f1ba516510c6f269821b33c8ee4ebf495258fe5bee4850668a5aac1a45f0edf51580da13b7ee160a29d067c67612

/data/data/ir.iut.sand/databases/__pushe_base_lib_db-wal

MD5 a43e4d866f17e29d75c60ba6868f61d2
SHA1 c2c17f23abce8069c9ab873fffab677032b253c0
SHA256 6fd0af2c620c43aeb25619fe802e89a52e3640a927fea32574b1e1c475c69ad2
SHA512 a8930ff7246b8ccbb5020f355df529e9c26790f6478ea4162e1b9ece358cffbca1b54098a8efd5b066776580c4f2ee04e45b2a0c6d9dc44fa12510ed7fe20d7b

/data/data/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/fd067a4a-d854-49a5-a55e-024b95d46bd6.jobs

MD5 de4faea7d2ec8b51c6d298a5b752fcff
SHA1 d145d920e19571c0f209886e1deafd2884ab0b0d
SHA256 21321f56731b3480f75e0c7f0baf1bf64a7c5fe570181079cefc7fe84d160ca7
SHA512 f11c185f37602c1ca53421c523cc93bff2677a3898172a812e7cf65ff175ed66e423659de29300a7de4f9b7440460f989148f0b0f9f65d8e45acb26c90a9ee01

/data/data/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 19ea78d0f1f616ba5dc2c96d77ee5def
SHA1 f42773a2eefd317ebe92047d2720365eecb5692c
SHA256 35198be3bb0c8a2639285fa2fb5fa3a69a0025faffe9976ab8ec00089d2132f9
SHA512 67ba7f5506813df5070405d478d87bce287ec5a87feaf954936e478bb84309f634f2d87c4610ed8d87dfb3327c092cedd9d5ffb66fa7d9590d42b87fb0caa1aa

/data/data/ir.iut.sand/databases/evernote_jobs.db-wal

MD5 809e470f691a9537011d5c18af6c7c45
SHA1 b9301419a8bfbec2abece8bf6afdef9908b8c355
SHA256 c2215d3683a99b47d77fc79f7f8b81da9d3a28bbc39d4b7c3fd9997dabdd3c93
SHA512 1d2489a6d7614a255942c917e622e154f7684b53034099354fab824ced72284969823a52294a671f453cdd84d057661cc6a3090641c8cf3afbaf9050a2fd4462

/data/data/ir.iut.sand/databases/cheshdb-wal

MD5 4e268dcee9eb4ee84dfe9c41d42cc967
SHA1 9d9dfd4519de19b89430f60704d1580bc53b7fa5
SHA256 0e4c287c374c8ef067d7ac2ac2ec5134e6f33c87ead0b126836131596d385a97
SHA512 4ffa579a0a2ff35427121f50f6e513dba8a431cf89cf0d87e1dc434915ea57a638194f40d654cadf2745876e29a8d8f1d6275d36c2b694cc9a4add43974782e8

/data/data/ir.iut.sand/databases/cheshdb

MD5 dfaf93eb37de0cd7e928e085b43e23d7
SHA1 bcd72af3c567e5211af07900326c32fead6fdbb7
SHA256 e17872ea8fda9fdb05e85e03f9596f10f766ed6d7e44d7db85a638a85eff0c46
SHA512 e6bff0ccee23ad4c028e8cfbcd7987f314241694025248aff5e08384a269408a54a18c193b8bb8b5e40f58b4d5dce46cdaeb7060490d937af576fbb83f311f4c

/data/data/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/a2850930-323a-4662-8bd6-c4b3ec23d644.jobs

MD5 f56f328eea1d5c96a1b96dbbf59488df
SHA1 440c784cacff61932e2f61580b7cfdc3a4943c95
SHA256 90949c83a3d90fc0128f0d5df662aef3699971ce9e63ab067382f970cbab8918
SHA512 36e370cf16dac8b173fa182960789974d4087a7b607042000118ce518db8f1eaf93cf4f3be42c1c26ab53e87ff54da33b4c57a3a15e5cd47f2c2b66efe8b3edb

/data/data/ir.iut.sand/databases/cheshdb-wal

MD5 84cc1dd3f92e2f477334b5133294ea9e
SHA1 e86c64e8e594e093c7afaa836dfaacff3b91b1d9
SHA256 5cb6ee7ec32285f79a6b1f7130e2fe110d5cbd863a68d748655dda29a8e1b590
SHA512 1ea61c4a2083e6b736965517669446c8bd3fee539382c667445434045ebc38836938cfdf69696d609c40111acbe58f823244d7831efa697177d58f8132709c65

/data/data/ir.iut.sand/databases/cheshdb

MD5 318c6d10cbda58baf624534f94ea559f
SHA1 c6cbb5df68f261834da017dcfe27f2f230775d30
SHA256 b6e61300d683dadf0ac025ee4994adaf1d8c99d959499d972673dad1aa53c70a
SHA512 52475f21e6612c383544bb4f519ac691256adfbcdeec28cf491f64c397accad414be1adf4cc04df6c268c30b4bf3c2cee8a009b0bef82fe596ddf7478e9b59cd

/data/data/ir.iut.sand/no_backup/com.google.InstanceId.properties

MD5 3c6659a2c428c7266e7f460842aedcd0
SHA1 7b5cfacd2a80d68d3fbb4b052533d1fb68edeaf4
SHA256 133e02522e3809708a815f84217f0a2f2feb07b6675c337fb5bcf00ad4541dd2
SHA512 1d37484087d42738f0974206ddd399f74167e37ceae57132102af20a89c4d7a36e4799ea402f9f5a77a0c4b75ffd348d7bf4b06b3305807b58720376a661d803

/data/data/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/b8d2f018-9cfb-483d-8096-efd1db64f060.jobs

MD5 f49e3b26ec24b26731b0f92c99a2909b
SHA1 68b15a81567c758251d986faedfe04beb5ca248c
SHA256 8e9f87a51163a7924b8901c18ca8109ae3f4d8207bf793851b07383d004af2d7
SHA512 1b486346c3aee5f262687153ca9d023832c9bf8b2e2571bf8c6106fe24531d653054f48e205ced3e8fb2b8ba409736ac7270cdf2c05603d6d08320ff4a93f516

/data/data/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/742d214c-6b06-40c9-9260-58f9ad950114.jobs

MD5 7cc4162a91670dc00095a8c089485596
SHA1 8eebb8e6d17328ed6d7e315aac72595eff3fc861
SHA256 466f6a6e53f76af89d5e449a176c97e7e10e0472f239596fc1c56c2f994e9019
SHA512 4a6ed1215fe5a36d635dea0beea71224f7bec6e7ac30b3a82e55b8c001f1118eb25f7c3928b62de65df38b2b0759ffa27403e03e08103b58d56a74bede313694

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-23 13:53

Reported

2023-12-25 05:38

Platform

android-x64-20231215-en

Max time kernel

2675603s

Max time network

164s

Command Line

ir.iut.sand

Signatures

Requests cell location

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

ir.iut.sand

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 172.217.169.40:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sdk.cheshmak.me | udp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 1.1.1.1:53 | srv.magnetadservices.com | udp
IR | 178.216.250.25:443 | srv.magnetadservices.com | tcp
IR | 178.216.250.25:443 | srv.magnetadservices.com | tcp
US | 1.1.1.1:53 | server.magnet.ir | udp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
GB | 142.250.187.238:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
BE | 64.233.166.188:5228 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
GB | 142.250.200.36:443 | www.google.com | tcp
GB | 142.250.180.14:443 | android.apis.google.com | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
GB | 216.58.213.4:443 | N/A | tcp
GB | 216.58.213.4:443 | N/A | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
GB | 142.250.200.36:443 | www.google.com | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
FR | 216.58.204.78:443 | N/A | tcp
FR | 216.58.201.98:443 | N/A | tcp

Files

/data/data/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 5d7b1cd6863c5231ed83c009ae443d24
SHA1 de779d1e6f2750bab34a6ddc083682fe91c8d748
SHA256 fbe820610b27cf48d172383646eae74d2233a7ce1f441dee23939b69ceb8983b
SHA512 67558a8baa66b6539bf2bca75d0eae5bf2e8fe90b884a3a304c405a2597ad01fa296be2f2f38b71255d346189eb5030c8ad7c4234ecac910949db6a014bd6ecd

/data/data/ir.iut.sand/databases/__pushe_base_lib_db

MD5 ea628e04765adaf4238a5dcdff4bbd51
SHA1 a801947619ea8c368efe9c006a324dc6339ac60b
SHA256 885e337c2156e4dbf2176a9677ade50418740532d222ccae5ad4aa371b54c6a4
SHA512 c0287b0e7b690a7231a37d1745c49f3d861b22aa65dd769ba6a8b5ab9da55443f749957781ee05a405019c39e1be45d37a971b821bffd62a1d5620bc39119abe

/data/data/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 b4ae769697d9b0be73970df2485ce302
SHA1 63409f32feceb956f8d56bfb61e05efb18c5b1b2
SHA256 11c54b4c6d1bf3e84bf2068abf6429669deaa656bc2f9ba5a9064bbff25394ca
SHA512 ea953d89af49b7f6d5806929e5af7d9eed07d9c6ed7277eafe3815002a81d399c485782a2a6aada16859bc5e4774dffe5459067884df13d1efa737da3c949dab

/data/data/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 ba63dceefec8556b7906d96cfa9e78a3
SHA1 1335889a2bc32130ebbfb263051be68a7af130ae
SHA256 825f76838da4169d36a7e80a4beb53e09df339081f2a48b9abdc4355cf4c3e6b
SHA512 e8804d67935e6de4f7e96d831c1e9bc8d4fe0ba0f0aba8e196887d0cadb58e36c793ff300d6041800d2efa8a614a2feef90efa4ef9b182a72a643657ac29b692

/data/data/ir.iut.sand/databases/cheshdb-journal

MD5 0ddf9000299d7801b31d29f371c10322
SHA1 0d0f4567aacf6b3607881c82e5720f30adeeb333
SHA256 90cd1354f81b1130f74fd3cf9d598ac9b4ffdf71c2ede0c9fee1af3342714059
SHA512 4c0bc30048d0e4622294db010f0c17b3336f189d90caad7f51c762b501287b1a726bbfb2d376b3da49318bfeff04cf88ea7fd0008c0e439822bdc53b5fce312b

/data/data/ir.iut.sand/databases/cheshdb

MD5 9f9e1b2df18f41200cec8ec5f6907ac3
SHA1 dc9625be0a1a50b9e3b028fa1953ad6aa5b4ec62
SHA256 92f679067dfc3be6979662b4738ed7701edd103a9a6925c7438ee51be3c1d39b
SHA512 3dbe3a529e71b0afef58924f69055c85d36edcca40240f9e9f3c75668fbe8efd8ebfd400d152986d677811bd0a2e0e7b56bfb273d2610c2f31f652ad6f85436d

/data/data/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/96cf7b5c-b500-40de-94d6-66c49a59504d.jobs

MD5 f56f328eea1d5c96a1b96dbbf59488df
SHA1 440c784cacff61932e2f61580b7cfdc3a4943c95
SHA256 90949c83a3d90fc0128f0d5df662aef3699971ce9e63ab067382f970cbab8918
SHA512 36e370cf16dac8b173fa182960789974d4087a7b607042000118ce518db8f1eaf93cf4f3be42c1c26ab53e87ff54da33b4c57a3a15e5cd47f2c2b66efe8b3edb

/data/data/ir.iut.sand/databases/cheshdb-journal

MD5 d0778a20978eb48e639e9adbdf71d7d4
SHA1 f54383cf4de99ad2e8b414ae79931d87ff69ed29
SHA256 8705ff4a8ba1e67437979c1b260dc6fb3fac3a1aade964a4e2ee89a20c6df16c
SHA512 a3d357475e44907a2fe694acaa69235c247759b9ab1b8c320081fb25c1370582548c18fbe3b228e1bd4e87078639794ac917c2b21d069404d412705ad2b4f331

/data/data/ir.iut.sand/databases/cheshdb

MD5 f702f300f641659244aa8cb8b8881fbe
SHA1 f06c84529967ee3ec08dcf19be3d4cfe0f462b76
SHA256 949384c243bad5597882a82d238e5c8dd8687d67e921fc5085e7522892fb3f6a
SHA512 f7373bdc62605f7d782bf564c61a538b402ce651b7bc97cb675e04e37da638ee352d028fce81809090e1f52f2628e7109207790bc7343ddcd8451f639f9c9c24

/data/data/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 c541e99786544473f4467304c30d1542
SHA1 8cab76bb38cc0d330389e4e93cd1eadf019a41c9
SHA256 3d339bf74cd30435107745486f6d356d1875bc1eeaa3297a652f8a0efc5081c1
SHA512 a3449fb78bbf2155fbe26100136959a12e9347651eddf807d4b047488a6955004d453dfa9c00314eb931174d7d6110c3f39e197758f9c015dcf2c550978ebbf7

/data/data/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/48f4cf83-a250-4339-b89d-e2877c385536.jobs

MD5 d06d28f36dbe37a38b85075860615ae7
SHA1 1973e4bbce45635e5354baeb2ccbfe12b82073af
SHA256 2330555bdc014b7635f6c182850553af34bb8bdb95953e3f12cdd70d066ee655
SHA512 b8ba57016047da5475c61e25cada8616d11d551879a65c6967d9b658ff057d5cb13b6e99f7a5c65a49fef1e59f54bf90aa3706a1ce70092fb4b55e8b809bce01

/data/data/ir.iut.sand/databases/evernote_jobs.db

MD5 12627a2ec645c4a4bc50dba5903afd59
SHA1 504005c938517e61bcf68b65a055c2faba635c2e
SHA256 f177ffae9650eb4f407c2d9a510bb5a5abe1ece2fdfe24effc62478a1bfa5903
SHA512 7ff69589296e02383a217373399e75d8a82fa17146e4273f4c0eb630f096dd9f394a3324d60858b02f7e5cf177c82c6d966f5cbedb68ae6a98df7cc851b79cfd

/data/data/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 d4e1c9a97fde44cb88f353d441544257
SHA1 b24d8edd92b16d006e4773eec84a8ec7489b0402
SHA256 0eab4cd1978f1a8e02b83dc937e6f419eced77d260b1b8e4ddcde38338eb0b81
SHA512 e64fabd99b3ca88014fbae2fdb224558a2dd0bda2d10cb0d1641e159a06e1fa58f8b6e7cd03e10b7a614726fa3d210759fde19a1ef7bc857a7d9f145d33734c6

/data/data/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 96ddd1a75816ff2d9a1b8f9e538b816b
SHA1 2ce58cf6d0705e49c35261fa8c622cb832ed7747
SHA256 3c341fc26022b984c54d190431595a618a33c23e48ef270ad54993d4b9713059
SHA512 f57ef31a2c15a8c84e48848b6c36420b6abda0b8c560f09c5a9dbfd2834411779f6e23469ed196f035d7a005650706cda41508111c72f1d573155dc524fc5af5

/data/data/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 db3074e2fc188a357e76e888b084f0be
SHA1 a161a0c48e3fa0d6ba0801292eebbf2729282c4d
SHA256 bddf13d941441996709717eaf5703197f7289dabe2050ba5c7b671f0a5ae173c
SHA512 e4fa6a687a83e612d996900156be89bbb1dd66be0729a1734441c932161c7d7a4cf5d9d23e4119179694f3548f3f8c38991a8abd39fe8574c7cedc359c8e44dc

/data/data/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 95324cf95e9f1f0d4dbb3037e436a073
SHA1 ce062558ae8ad3decbcba831c1e4006ff1097aec
SHA256 6c7db47d3af01a63dffc16be49afcde858eb4edc242c77c13081f029e3bff13c
SHA512 cb7aff783fba1ccd2f200fd44b2ae2aefaaa0c9961cf2f306f901ea094deb945ea816bcc13469d4ab0e47ff63baaae8522b7a7d59c4f6ae3c9e6ff7f8ab1e3b6

/data/data/ir.iut.sand/no_backup/com.google.InstanceId.properties

MD5 076a18742063352c67afe7da97c8a949
SHA1 0738d02a9de8d174e67966751b709efacbd2f46b
SHA256 cc82ec88551b15804c593c4cef414d17cb68e4495fcfc541689efbb2759c4db0
SHA512 403ea6845ff3e1062c62b2bbce6994d09413d087cec4df8bd8a8e22e2b8bb37f8bfec64f5939fb688fe2d3af502947f13b95ea5b0c28e80b545710dcf79d40e9

/data/data/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 c408fac873bfc528b574b6bfb999e4fe
SHA1 33476e6ff68e4c97b116ce57b8fa54f130552df2
SHA256 51e6dc708097238a4119c3835905d96d094df2096e635762a850189cc901aca1
SHA512 02eebed4706d43ce085a5ea09d856f60d23f256482e4148323411abc9eb8f75c241c1cc6b7f49729bd63a8ef03582ef1b9dee4f97dba87769d67c24ee10fda50

/data/data/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 dabe73dbe3d1d52ec51eefd81bf22b5c
SHA1 9e19ec17d5d15f06e9f811895c14f1a5d6627ddf
SHA256 4accfcabb59fafa76b167e83ec801f7062d5a4cefc1f08dda5620a175ed0b8a6
SHA512 3c1953e86e228d1d72690eefd0f9c2053a30bf48584fb84b626a5a9d24fe7f421c5b6f5a0cba63649bd88fe002f28c9d7a663a73b16ee526e4b0a22be360fe95

/data/data/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/a8b558e5-d973-42d9-acb1-7b3a03079763.jobs

MD5 ba5612777fdd0104316bdf950299e7da
SHA1 8133ac33e832d9c2ede9e59a712908069932d756
SHA256 15681ca9b25827c7e6602ad4e85b75e7260500d00d9cb6f8bdaf8e651c7bdd4f
SHA512 a49caa1e86c7e1307712f1e4cd9c04a28d675e7724872a6a9318e081913f3d8916af8da547e3c1d067fdecbeb1ecee30eaff288a9798f2ab3d01d74b1dcb1807

Analysis: behavioral3

Detonation Overview

Submitted

2023-12-23 13:53

Reported

2023-12-25 05:38

Platform

android-x64-arm64-20231215-en

Max time kernel

2675557s

Max time network

151s

Command Line

ir.iut.sand

Signatures

Requests cell location

Description | Indicator | Process | Target
Framework service call | com.android.internal.telephony.ITelephony.getCellLocation | N/A | N/A
Framework service call | com.android.internal.telephony.ITelephony.getAllCellInfo | N/A | N/A

Acquires the wake lock

Description | Indicator | Process | Target
Framework service call | android.os.IPowerManager.acquireWakeLock | N/A | N/A

Reads information about phone network operator.

Uses Crypto APIs (Might try to encrypt user data)

Description | Indicator | Process | Target
Framework API call | javax.crypto.Cipher.doFinal | N/A | N/A

Processes

ir.iut.sand

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | N/A | udp
GB | 172.217.169.10:443 | N/A | udp
GB | 142.250.178.14:443 | N/A | udp
GB | 172.217.169.14:443 | N/A | tcp
GB | 172.217.169.14:443 | N/A | tcp
US | 1.1.1.1:53 | android.apis.google.com | udp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
US | 1.1.1.1:53 | ssl.google-analytics.com | udp
GB | 142.250.187.200:443 | ssl.google-analytics.com | tcp
US | 1.1.1.1:53 | sdk.cheshmak.me | udp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 1.1.1.1:53 | srv.magnetadservices.com | udp
IR | 178.216.250.25:443 | srv.magnetadservices.com | tcp
IR | 178.216.250.25:443 | srv.magnetadservices.com | tcp
US | 1.1.1.1:53 | server.magnet.ir | udp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
IR | 178.216.250.25:443 | server.magnet.ir | tcp
GB | 216.58.213.14:443 | android.apis.google.com | tcp
BE | 108.177.15.188:5228 | N/A | tcp
US | 1.1.1.1:53 | www.google.com | udp
US | 1.1.1.1:53 | www.google.com | udp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
GB | 142.250.180.4:443 | www.google.com | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp
US | 199.59.243.225:443 | sdk.cheshmak.me | tcp

Files

/data/user/0/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 ddc3d0345f2c394816b507f39fced8af
SHA1 747e4e3bdcafcba2320aa2f5f0335f33d6f00d6b
SHA256 3c6cf29664d4851cc4e8f6cc22e0921c86b8aac9b21e3e637ffa46db6eb59dfd
SHA512 108c2721c418d012e7d00cb03701475014be6b09f0081f22acd8a9837a6103e0468b1a9ceb5239bbac6faf23e7360618d9bc50ef5287c7d8774db652afa07f28

/data/user/0/ir.iut.sand/databases/__pushe_base_lib_db

MD5 2cdf77d5c14dd3f313b60c691579a0b9
SHA1 6a74a7a3170cabead82152871c90749afdd6f310
SHA256 55ba022e5aa9eb87c256026289112e4c0531a41d0d56380fcf845de71ff99ca0
SHA512 eaf21f0acf8b98ac8bf4bce81e66a07d6a501483b141bfb7a2ef476a8dc9927ccd39971f4e0d1f7969576dbf7abb7befb3bec04e40c5a9b28fa7a2f15ae7a98c

/data/user/0/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 3b5568464684567050e069a94ea571ed
SHA1 398a2df808a5b25b6210ef4248c1f15571da2eb0
SHA256 ba717ea45e34806c9bbc903276721655a33a2af266398868ab2ccbe5ce1effef
SHA512 09dee2182555f186f93b871fa5a548b7f03ca3fc5e07479d4d6b87c66245706e964e497d4afdf8a39049448f7e90aefb8339b73f91b53538cefadfaa65163eee

/data/user/0/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 6cb896bd5b1abb0d15914dad3d731390
SHA1 ae4be7a4807891c8535257bee1d0e41b7c575c7d
SHA256 aa72423cb1c82c2976842ca62168ae2b3a1dd8815f750482db602b1a1eddea6a
SHA512 1dbdce490015086b7473292f894f490544f2db12b6f003b37e97d11ffee0167dc488e035094bc20ed5045ccf3bd10941461fbeb37407623a28ece95850dc5e70

/data/user/0/ir.iut.sand/files/db.db

MD5 43f310a5f515b3fcf2904590ec54edb6
SHA1 1d0f2fbafcf061cb38778d7bd60d4a2a83b8cf7d
SHA256 41a75a74737ad518b7c81c7630e9a4fd98447d3da295c6ab85edd3d28bbfffbb
SHA512 5179818624dcae7fe084d651a03d42479514dc78741a9e54161f460b29d003623a4095a9b29781cd50e19e15a34d90b104d861ca18a550e7adbff3d643aa2b3c

/data/user/0/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 3b1f78978c5f508a3dfdbf046b40d529
SHA1 bdaf84ee798e206ebcf7cd34f65c6e822e8b43fc
SHA256 2ca89777e47dc2593567b43963fc94c2775da5f9ed562e76585eb678818bb3c4
SHA512 f38090283a03c62ad0d3de0f33dca794c1bf503294bfe3512e830ba2e414325c297f750c5196f9ef608c2f832e37a25b94276846ac5175978a950ea0e7f8a5f2

/data/user/0/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/data/user/0/ir.iut.sand/no_backup/com.google.InstanceId.properties

MD5 9a0981099b463f8a12b921b287041b64
SHA1 e0a991fd9ae3baee79151380a2f8884aee0cc9ed
SHA256 8f4aa19309e0e9bfa65b6039d0ad1833fd5da4b3a183877ccfc67e98a84d9d15
SHA512 d92a84adc6bac936b19c5c27a8e9ff97dcfbfb09a61deafc92dc06afc2b5726de2868d8c28d1033c286b63992efdfde4e56078e4f2fe3c5feab586004c781bfd

/data/user/0/ir.iut.sand/databases/evernote_jobs.db-journal

MD5 5aaaa984dfe7e3da376ee449d069287e
SHA1 30155009e7108625e646c75b3580cb8fbee9ad22
SHA256 40660d77f3d369a38f5d058a528104b05aafaf564482e00689e1f18ddbec6a89
SHA512 95f7183adb1c3b264f612df62a1e31a5026827d24a6776cf802351126953f6a9f8e9c8c6e45ef555aa38a9faba52444582807810ab74e4e7c8e3adb6635c1704

/data/user/0/ir.iut.sand/databases/__pushe_base_lib_db-journal

MD5 c71f2286b98e8430d3655cfe1dd75040
SHA1 63e9aa929633a2510a7b3fb09f5dbf73eeb851b1
SHA256 1e556026530ff9c36e8ae9be1734664c929ed37fe62435594ea278358c11a84a
SHA512 a391ee0417ebd82921160de35dc51118a775e779963fc2f23661038716d3799ca0574aeebf5bfd1c658faeba4652611a5ca45f31be50398c9f82d2ac1b9f72de

/data/user/0/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/7c8f31c7-02ca-4336-b206-fb1a11942d8c.jobs

MD5 ef9659989b3672e778919c970a6961e0
SHA1 7cfc7871b96cc983ff20f501e0ae76006a478c45
SHA256 198ff8475459b499a8f845ecbab3547382b4c79e7070cc7480fb92fa32c4a662
SHA512 98b679066669e33b073bd989bf94bbba4f32b705463291447476f88b17c0abc26fe7de5caeee5a0c1eae5144cf972a387f9436d50344bdbbc6703f7cda6c3da7

/data/user/0/ir.iut.sand/app_com_birbit_jobqueue_jobs/files_jobs_default_job_manager/a857d1a8-3910-4cbc-8556-7096b971460d.jobs

MD5 ba345cc4b3c22c014f07cb67916f3fd6
SHA1 2f418e9d5553478ca0757371f91b9705d96174b3
SHA256 4a8da7bfd28c440b3d13e6abcd9c496055f8ef1987649b7586c7d250db7615db
SHA512 6a49c0d065b6badcc188267ee58b1568f3e113dbd5d796ec6d5eabbe36295706b8a66e6c005c80185413115b1a86de0959ee7905499a299c710ee6267c8e7f10